It is with much excitement that we announce the publication of “Preparing Your Security Operations for Orchestration and Automation Tools”, our epic SOAR paper.
Select favorite quotes are:
- “Test the SOAR tool integration with the tools to be used on your desired use cases. Tool APIs change and some integration implementations provide only partial functionality, and many security product APIs are limited and incomplete.”
- “The increasing adoption of SOAR solutions today cannot be explained by the drivers described above [well, in the paper – A.C.]. Most of the drivers have existed for as long as enterprise and government SOCs have existed — for decades, not years. However, SOAR tools only appeared in mid-2010s.”
- “Some SOAR solutions leverage machine learning algorithms to help analysts decide which playbooks to use for each incident. These tools will observe past decisions on playbook selection and leverage them to provide suggestions to analysts according to the characteristics of the incident.” [however, ML in SOAR is not magic, but at best an auxiliary feature, in our view. A cool one, but auxiliary nonetheless]
- “Notably, few if any SOAR users report using such out-of-the-box playbooks [shipped with SOAR tools – A.C.] without changes, in stark contrast from other security content such as intrusion defense systems/intrusion prevention systems (IDS/IPS) signatures or SIEM correlation rules.”
- “From a technology infrastructure perspective, SOAR tools are not very complex. Most of the complexity of these tools is related to proper integration with the external systems and services.”
- “Future security operations, incident response and TI teams will use more automation and more consistent processes, and will have to deal with an ever-increasing number of security tools.” … but … “Gartner predicts broader adoption of SOAR tools, but perhaps not at breathtaking speed.”
Enjoy the paper! [Gartner GTP acces required]
As always, PLEASE PROVIDE YOUR FEEDBACK to the paper via http://surveys.gartner.com/s/gtppaperfeedback
Blog posts related to our SOAR research:
- SOAR and Ticketing: Friends, Frenemies or the Same thing?
- Threat Detection Is A Multi-Stage Process (by Augusto)
- SOAR and “Curve-jumping” in Security Operations
- SOAR: Magic or Mundane?
- SOAR Research Coming … Brace for Impact!!
- SOAR research is coming! (by Augusto)
- Security: Automate And/Or Die?
- Security Without Security People: A [Sad] Way Forward?
Posts related to paper publication:
- Our Updated MSSP and MDR Guidance Publishes
- Security Monitoring Use Cases, the UPDATE! (our updated security use cases paper publishes)
- Our 2017 SIEM Research Papers Publish
- All My Research Published in 2017
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
Comments are closed