Blog post

Our Security Orchestration and Automation (SOAR) Paper Publishes

By Anton Chuvakin | February 22, 2018 | 0 Comments


It is with much excitement that we announce the publication of “Preparing Your Security Operations for Orchestration and Automation Tools”, our epic SOAR paper.

Select favorite quotes are:

  • “Test the SOAR tool integration with the tools to be used on your desired use cases. Tool APIs change and some integration implementations provide only partial functionality, and many security product APIs are limited and incomplete.”
  • “The increasing adoption of SOAR solutions today cannot be explained by the drivers described above [well, in the paper – A.C.]. Most of the drivers have existed for as long as enterprise and government SOCs have existed — for decades, not years. However, SOAR tools only appeared in mid-2010s.”
  • “Some SOAR solutions leverage machine learning algorithms to help analysts decide which playbooks to use for each incident. These tools will observe past decisions on playbook selection and leverage them to provide suggestions to analysts according to the characteristics of the incident.” [however, ML in SOAR is not magic, but at best an auxiliary feature, in our view. A cool one, but auxiliary nonetheless]
  • “Notably, few if any SOAR users report using such out-of-the-box playbooks [shipped with SOAR tools – A.C.] without changes, in stark contrast from other security content such as intrusion defense systems/intrusion prevention systems (IDS/IPS) signatures or SIEM correlation rules.”
  • “From a technology infrastructure perspective, SOAR tools are not very complex. Most of the complexity of these tools is related to proper integration with the external systems and services.”
  • “Future security operations, incident response and TI teams will use more automation and more consistent processes, and will have to deal with an ever-increasing number of security tools.” … but … “Gartner predicts broader adoption of SOAR tools, but perhaps not at breathtaking speed.”

Enjoy the paper! [Gartner GTP acces required]

As always, PLEASE PROVIDE YOUR FEEDBACK to the paper via

Blog posts related to our SOAR research:

Posts related to paper publication:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed