It is with much excitement that we announce the publication of “Preparing Your Security Operations for Orchestration and Automation Tools”, our epic SOAR paper.
Select favorite quotes are:
- “Test the SOAR tool integration with the tools to be used on your desired use cases. Tool APIs change and some integration implementations provide only partial functionality, and many security product APIs are limited and incomplete.”
- “The increasing adoption of SOAR solutions today cannot be explained by the drivers described above [well, in the paper – A.C.]. Most of the drivers have existed for as long as enterprise and government SOCs have existed — for decades, not years. However, SOAR tools only appeared in the mid-2010s.”
- “Some SOAR solutions leverage machine learning algorithms to help analysts decide which playbooks to use for each incident. These tools will observe past decisions on playbook selection and leverage them to provide suggestions to analysts according to the characteristics of the incident.” [however, ML in SOAR is not magic, but at best an auxiliary feature, in our view. A cool one, but auxiliary nonetheless]
- “Notably, few if any SOAR users report using such out-of-the-box playbooks [shipped with SOAR tools – A.C.] without changes, in stark contrast to other security content such as intrusion defense systems/intrusion prevention systems (IDS/IPS) signatures or SIEM correlation rules.”
- “From a technology infrastructure perspective, SOAR tools are not very complex. Most of the complexity of these tools is related to proper integration with the external systems and services.”
- “Future security operations, incident response and TI teams will use more automation and more consistent processes, and will have to deal with an ever-increasing number of security tools.” … but … “Gartner predicts broader adoption of SOAR tools, but perhaps not at breathtaking speed.”
Blog posts related to our SOAR research:
- SOAR and Ticketing: Friends, Frenemies or the Same thing?
- Threat Detection Is A Multi-Stage Process (by Augusto)
- SOAR and “Curve-jumping” in Security Operations
- SOAR: Magic or Mundane?
- SOAR Research Coming … Brace for Impact!!
- SOAR research is coming! (by Augusto)
- Security: Automate And/Or Die?
- Security Without Security People: A [Sad] Way Forward?
Posts related to paper publication:
- Our Updated MSSP and MDR Guidance Publishes
- Security Monitoring Use Cases, the UPDATE! (our updated security use cases paper publishes)
- Our 2017 SIEM Research Papers Publish
- All My Research Published in 2017