Cyberattacks have been intensifying over the past few years as cybercriminals continue to devise new strategies to launch sophisticated attacks and gain unauthorized access. Global supply chains and private organizations are facing an increased risk of cyberattacks as a result of economic and geopolitical instability. The tactics, techniques, and procedures (TTPs) that were once only used by state actors are being commoditized by cybercriminals. As a result, some vendors have realized that traditional cybersecurity approaches and tools have proven inadequate in keeping up with the rapid changes in the threat landscape.
To stay secure and compliant, organizations need to actively seek out new ways to assess and respond to cyber threats while providing Security Operations Center (SOC) analysts with the right tools. Cyber threats are a constant challenge, and unfortunately, they do not remain static but instead continually evolve. The dynamic nature of cyber threats demands continuous adaptation and innovation in cybersecurity strategies to effectively mitigate the ever-changing risks.
Large organizations, whether they are part of critical infrastructure or not, need to be able to detect and respond to incidents by monitoring security and analyzing real-time events. Security Information and Event Management (SIEM) products were once hailed as the ultimate solution for managing security operations. In many organizations, they still form the foundation of modern SOCs. However, visibility of potential security events alone does not help analysts to assess each discovered threat, nor does it reduce the amount of time spent on repetitive manual tasks in incident response processes.
High deployment and operational costs, lack of intelligence to react to modern cyber threats, limited automation and response capabilities, and the growing skills gap to staff the security teams needed for efficient security operations were the most common problems of legacy SIEM tools. SIEMs did and still do provide value, but some SIEM users report that the volume of false positives causes problems in trying to sift out what is worthy of attention and follow-up and what is not.
Parallel to SIEM solutions, a class of incident investigation and response platforms emerged focusing on creating more streamlined and automated workflows for dealing with security incidents. Security Orchestration, Automation, and Response (SOAR) solutions are advanced software platforms designed to improve the efficiency and effectiveness of SOCs. These solutions enable organizations to automatically collect and consolidate security threat intelligence from various sources, streamline the management of incident response processes, and orchestrate workflows across different security tools.
SOAR platforms, designed to complement or directly integrate with SIEMs, are increasingly becoming the foundation of modern SOCs. Initially, large organizations, which are often more vulnerable to sophisticated cyberattacks due to their size and complexity, were the early adopters of SOAR solutions. However, the utility of SOAR extends beyond these large organizations. Regardless of the maturity or scale of an organization's SOC, SOAR capabilities significantly enhance SIEM/SOC deployments.
For example, SOAR systems can be fed by all kinds of security solutions, albeit indirectly through the aforementioned SIEMs. SOARs that are tightly integrated with SIEMs can take in telemetry via APIs or in Common Event Format (CEF) and syslog format. SOAR systems generally have out-of-the-box (OOTB) connectors (software configurations and code in the form of packaged API calls) to facilitate data collection from upstream sources. By utilizing these connectors, SOAR systems can easily integrate with a diverse array of security products, such as threat intelligence platforms, firewall solutions, and detection systems, without the need for extensive custom coding.
The orchestration aspect of SOAR involves not only the collection of telemetry from these different sources, but also initiating a workflow, opening cases and tickets where appropriate, and correlation and enrichment of event information. Many large organizations, especially the type looking for SOAR systems, have IT Service Management (ITSM) suites that dispatch and track activities in the form of tickets. SOAR solutions have case management capabilities by design, but they must also interoperate with existing ITSM solutions.
SOAR systems can enrich event data by automatically collecting additional forensic evidence on-site, such as the output of Endpoint Protection Detection and Response (EPDR) scans, non-standard log files, memory dumps, etc. Some vendor solutions can kick off semi-automated threat hunts (looking for IOCs across multiple nodes in an environment) and add the results to the preliminary investigation. SOAR solutions should also be able to generate queries to threat intelligence sources based on suspicious items and patterns observed in upstream telemetry.
Some vendors have extensive threat intelligence capabilities which are utilized by their SOAR solutions. External threat intelligence sources may, and ideally should, be used to supplement internal threat intel sources. Examples of threat intelligence content include IOCs (files, hashes, IPs, URLs, and so forth), compromised credential intelligence, device intelligence (often from Mobile Network Operators [MNOs]), and domain/file/IP/URL reputation information. Ideally, SOAR solutions will accomplish all the foregoing actions automatically prior to or while alerting a human analyst.
When an analyst is alerted and assigned a case, all pertinent information related to the event should be constructed and presented by the SOAR platform to the analysts for their investigation. The SOAR platform should package information coherently, with descriptions and recommendations for actions. More recently, the use of Large Language Models (LLM) has been the focus of customer interest. Trained on enormous datasets from various sources, LLMs can generate new content and texts in multiple languages. They enable the creation of chatbots that are potentially indistinguishable from humans when combined with natural language processing (NLP) technology.
For SOC analysts, generative AI potentially offers a remarkable leap forward in the efficiency and effectiveness of their work. It means being able to automate the most repetitive parts of their job and to focus on the more creative and strategic dimensions of their role, such as planning new defense strategies, identifying emerging threats, and formulating proactive mitigation plans. However, the potential use of generative AI extends beyond mere task automation. Security analysts can use generative AI to create alerts and to perform tasks such as threat detection, incident analysis, generating or suggesting playbook templates, summarizing events, enhancing decision-making, and more.
While the integration of generative AI into SOAR platforms offers substantial benefits, there are several challenges that need to be addressed. Generative AI requires access to vast amounts of data to learn and make decisions. Ensuring that this data is handled securely and in compliance with privacy regulations is a significant challenge. In addition, there is a risk that AI models may develop biases based on the data they are trained on, which can lead to inaccurate or unfair outcomes. Therefore, the use of LLMs must be accompanied by thorough quality control on the part of the vendor, to ensure that the information provided is indeed useful and accurate.
Although some vendors are highly enthusiastic about the potential of generative AI in SOAR solutions, emphasizing its ability to revolutionize security operations, others adopt a more cautious stance. These vendors are waiting to see how the industry evolves and are focused on how to best meet their customers' expectations as they assess the practical benefits and challenges of adopting generative AI. This balanced approach reflects a careful consideration of both the opportunities and the complexities involved with integrating new technologies into security operations.
Moreover, most SOAR vendors adhere to the paradigm of a playbook. Playbooks typically address common security scenarios and can be triggered either by manual analyst action or automatically if allowed by policy and supported by the vendor. Examples of security events that may trigger playbooks are phishing, malware, ransomware, failed login attempts, excessive or abnormal use of privileged credentials, prohibited communication attempts, attempts to access unauthorized resources, file copying or moving, attempts to transfer data using unauthorized webmail providers, attempts to transfer data to blocked IPs or URLs, unusual process launches, unusual application to network port activities, unusual network communication patterns, and so on. The end goal of SOAR is to be able to automate incident responses among the various security systems. To this end, SOAR platforms often support dozens to hundreds of playbook scenarios and offer hundreds to thousands of possible incident response actions.
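As an added illustration (not the report's own code, nor any vendor's), the following Python sketch ties together the ingestion, enrichment and playbook steps described above: it parses a CEF event received over syslog, looks up the IOCs it carries against a threat-intelligence table, and selects a playbook under a policy that only permits unattended execution when severity and intel evidence both justify it. The sample event, the intel table, the playbook names and the policy are constructed placeholders, not values from any product.

```python
import re

# Constructed sample: a CEF event carried in a syslog message (not taken from the page).
SAMPLE_LINE = (
    "<134>Jun 12 10:22:01 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|"
    "Outbound connection blocked|7|src=10.0.0.5 dst=198.51.100.23 dpt=443 "
    "cat=malware fileHash=0123456789abcdef0123456789abcdef"
)
# Constructed stand-in for an external threat-intelligence lookup (IOC -> verdict).
THREAT_INTEL = {
    "198.51.100.23": "known C2 address (constructed sample)",
    "0123456789abcdef0123456789abcdef": "commodity malware hash (constructed sample)",
}
# Hypothetical policy: event category -> playbook, and whether it may run unattended.
PLAYBOOK_POLICY = {
    "malware": {"playbook": "isolate_host_and_block_ioc", "auto": True},
    "phishing": {"playbook": "quarantine_mail_and_notify", "auto": False},
}
# CEF header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
HEADER_RE = re.compile(r"CEF:(\d+)\|(.*?)\|(.*?)\|(.*?)\|(.*?)\|(.*?)\|(\d+)\|(.*)$")
# Extension is key=value pairs; values may contain spaces, so stop at the next "key=".
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
IOC_KEYS = ("src", "dst", "fileHash", "request")  # extension fields that carry IOCs

def parse_cef(line):
    """Return header fields and extension pairs of the CEF payload in a syslog line.
    Simplification: escaped pipes (\\|) inside header fields are not handled."""
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("no CEF payload in line")
    _ver, vendor, product, _dev_ver, sig_id, name, sev, ext = m.groups()
    return {"vendor": vendor, "product": product, "signature": sig_id, "name": name,
            "severity": int(sev), "ext": dict(EXT_RE.findall(ext))}

def enrich(event, intel=THREAT_INTEL):
    """Look up each IOC-bearing extension field in the threat-intel table."""
    return {event["ext"][k]: intel[event["ext"][k]]
            for k in IOC_KEYS if event["ext"].get(k) in intel}

def build_case(line, policy=PLAYBOOK_POLICY, auto_min_severity=7):
    """Parse, enrich and choose a playbook; run it unattended only when policy,
    severity and at least one intel hit all agree, else hand the case to an analyst."""
    event = parse_cef(line)
    hits = enrich(event)
    rule = policy.get(event["ext"].get("cat", ""))
    playbook = rule["playbook"] if rule else "manual_triage"
    auto = bool(rule and rule["auto"] and event["severity"] >= auto_min_severity and hits)
    return {"event": event, "ioc_hits": hits, "playbook": playbook, "auto_run": auto}
```

The gating in `build_case` is the point worth keeping from this sketch: a playbook runs without analyst approval only when policy, severity and corroborating intelligence all line up, which is how the "if allowed by policy" condition above is typically enforced in practice.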
SOAR platforms stand at the forefront of security operations, offering sophisticated automation and orchestration capabilities that enhance the efficiency and effectiveness of SOC teams in responding to and mitigating cybersecurity threats. Given the current threat landscape, every organization must act with extreme urgency to secure its information technology infrastructure. As rogue nations continue to foster an environment for cybercriminals and ransomware attackers to thrive, organizations need to be prepared and build a strong security foundation while providing SOC analysts with the right tools.
Ultimately, the selection of any SOAR solution will depend on the organization’s particular requirements, which depend strongly on the currently deployed and planned IT security and Identity and Access Management (IAM) infrastructure. Careful consideration must be given to evaluating which SOAR solutions have integrations for the tools in use and on the roadmap. The maximum utility is achieved by selecting a SOAR that has pre-packaged connectors for all the security and identity elements in your portfolio.
For more information on our research approach, see KuppingerCole Leadership Compass Methodology.