Alejandro Leal, KuppingerCole Analysts, Alejandro Leal, KuppingerCole, Future of SOAR

So, just some motivational quotes. I'm sure some of you are familiar with this movie, 2001: A Space Odyssey. It's one of my favorite movies. And we know that HAL 9000 is this AI computer character who's supposed to help the astronauts accomplish a space mission.
But then, at some point, HAL realizes that the humans are threatening the effectiveness and the integrity of the mission. So then, he aims to get rid of the humans.
So, I know this is sci-fi, but the point here is that we need to take into consideration how we're going to use AI, particularly when it comes to the SOC. We need to be aware that the point is to support human analysts, not to replace them.
So, we know cybersecurity threats have been increasing in sophistication, in scope, in frequency. So, the average cost, more or less, of a security incident or a data breach is between four and nine million US dollars. And the time it takes for an organization to realize that there has been a breach, on average, is around six months.
So, here, time is of the essence. And SOC teams need to be equipped with the right tools in order to protect their organizations and increase their productivity.
So, that's when SOAR solutions come in. SOAR stands for security orchestration, automation, and response. And they focus on, you could say, these three categories: orchestration, automation, and response. But before that, I think we should take a look at a brief timeline, the history of SOAR.
So, it all began with SIEM solutions. I think there's a slight mistake here, but security information and event management solutions were designed to collect and analyze data. But they lacked some, let's say, actionable steps.
So, high deployment costs and the lack of threat intelligence features, automation, and response capabilities: those were some of the, let's say, common challenges of traditional SIEM solutions.
So, SOAR was designed to integrate directly with SIEMs or to complement them. And over the past few years, we've seen that many SIEM vendors have simply acquired SOAR vendors, or they have added SOAR functionality into their platforms.
So, we know that SOC teams are facing immense pressure, as we've all heard during these past few days, and they need the right tools. Because if we think about the human analyst, we often hear that the human is the weakest link in cybersecurity. But if we equip the human with the right tool, we can for sure reduce that, let's say, danger.
So, for the SOC, these days we also see, let's say, the democratization of AI tools. So, now cybercriminals can launch extremely sophisticated phishing campaigns that, a few years ago, only state actors could.
So, that creates even more problems if we take into consideration the skills gap that we see in the industry. So, yeah, a new approach is needed.
So, by combining, you could say, human insight and machine precision, we can detect real threats in real time. We can reduce routine incident response work. And we can also analyze and correlate information in real time to make decisions much faster.
Because, again, time is of the essence. So, here are just a few things to keep in mind in order to, I guess, achieve this balance between the human and the machine. As I said, I published a report this year on SOAR, and I published a similar report two years ago, in 2022. This year, when I was talking to the vendors, which you will see in a few minutes, the first thing they would show me was generative AI. That was the thing they always wanted to talk about. It was like 70% of the time spent on the demo.
So, they were all very excited. But as we know, there has been some, you could say, disillusionment. Some people haven't been completely convinced of the true leverage of GenAI. But I'd say for SOAR, we can see some benefits, particularly for reporting. Or when an analyst is doing an investigation, GenAI can be extremely helpful in summarizing the event and the investigation. There are other areas where I think GenAI can be helpful in SOAR use cases.
So, content creation, as I mentioned. Also, chatbot capabilities.
So, many of these vendors told me that if they have a junior analyst with no experience in the platform, this chatbot could help them get familiar with it. And the other area would be behavioral prediction. I haven't seen this much yet, but I think it's an exciting area that we also need to take into consideration.
So, here are some trends that I saw from dealing with these vendors. There were some of them, maybe a quarter, that didn't really want to show me their GenAI features. They told me that they were more careful, more cautious. They wanted to see how the market evolves, and they wanted to understand their customers.
So, instead of just pushing the marketing and the hype, they really wanted to understand the human analysts that work in these organizations: what do they need? What do they prefer? And, I think more importantly, what do they expect?
So, yeah, there are also other things to consider, like the vendor needs to ensure that the information provided is going to be useful and is not going to introduce biases. We know these things. We probably heard this in several of the conversations these past few days.
But yeah, as I said, there are some positives, there are some negatives, and it remains to be seen what will happen in the future. I know that some of these vendors are investing a lot in this area, but I think we need to always be a bit skeptical and take a step back and then understand what that particular SOC team that you're targeting really needs. Because it depends on the industry, it depends on the size, it really depends on the experience of the individual.
So, just a little bit on how we do reports here at KuppingerCole. The process takes a few months.
First, we find a topic, let's say, and then we invite vendors that compete in this space. We reach out to them, we send them a questionnaire with hundreds of questions, very technically oriented, and they get back to us with the questionnaire. We have a briefing, they show us a demo, and then, based on this, we evaluate all the information and come up with some ratings.
And then the vendors, they have the option to take a look at the chapter, the dedicated chapter of the product, and the ratings, and then they can always have a second call with us in case there was some information missing or anything. And then we publish the report.
So, how long it takes really depends on how long the report is and how many vendors participate. So, yeah. And in the report, we have four categories that we use to evaluate all of these vendors.
So, there's the product, the market, the innovation, and the overall. And as you can see here, for product, we mainly focus on the functionality of the capabilities. For innovation, we look at things we see in the market that we sort of expect to be already mature, or anything new that we should probably see; that's something we consider. And then market is just based on number of customers, geographic distribution, etc. And then, combined, we have the overall leadership.
So, for this year, for the 2024 SOAR report, we used these evaluation criteria to assess each product. We also looked at these eight areas to determine how strong a product was. And this was mostly based on the briefing and the questionnaire that we got from the vendor.
So, these are the results for this year. Here we see that Palo Alto takes the lead. It's one of the dominant players in the market. I'd say that Palo Alto is known for its agile and scalable solution; it's a good fit for mid-market and large enterprises. Following Palo Alto closely, we have Fortinet. Let's say they have strong orchestration and response features. They're investing a lot not only in GenAI, but also in the automation part.
So, they have a very interesting vision moving forward. And then we have other known vendors like ServiceNow, Splunk, and Swimlane. And then we have the other vendors that are close to the leaders. They all have good features, but maybe they lack certain, let's say, innovation capabilities that we see in the leaders. Something that also plays a role here is the market presence of some of these much smaller vendors. They don't have the same, I guess, slice of the cake as some of the big names that we see on the right side.
So, yeah, that's pretty much it. I could have shown you the product innovation market leadership results, but most people just want to see this overall.
So, here it is. So, yeah, market analysis. Although the SOAR market is already well-established, we still see some features being integrated by vendors, and they're all innovating in their respective ways. I see that SOAR is gaining a foothold in the Middle East and the APAC region. Some countries are investing a lot in the digital transformation of their public agencies, federal agencies, etc.
So, that's a big area now that I see some of these SOAR vendors focusing on. We also see the role of MSSPs. They're also taking on some responsibility, and some of these vendors are targeting them specifically.
So, yeah, the market is everywhere, of course, but we see a bigger presence in Europe and North America. But I expect that to change in the coming years as the APAC and other regions of the world are catching up with their digital transformation.
So, yeah, that's all from my side. Just a reminder that we'll be having the EIC conference in Berlin next year. We'll be having multiple topics. You can get more information on the website, and on our membership program as well. That's all. Thank you.

Thank you. Perfect. Thank you very much, Alejandro, for this great insight into the methodology and the most important stuff of this LC. And I think that's a really tough market.

I'm really happy that you also explained the differences between different artificial intelligence approaches, whether it's generative or conversational AI, as there's a lot of confusion out there, even if the phrase "artificial intelligence" is mainly used by the media for machine learning, more or less, which is just a subset of it. But that's more of an ethical, hypothetical discussion. Any questions from the audience here in the room? We are a bit too fast right now, which is very uncommon. But happy in the afternoon. No questions.

Ben, again, thank you very much. Thank you. Having said that, I'm really happy to invite another colleague from KuppingerCole, Osman Celik. He's already on stage, and he will talk about NDR versus legacy tools and how to take control of your network traffic. And I would say the stage is yours.
Thank you, Christoph. And thank you, Alejandro.
Well, recently we've been working on many reports. And in the last couple of months, we focused on detection and response tools in general.

Myself, I was working on NDR, which I'm going to cover in a couple of minutes. My other colleagues were working on EPDR solutions and also HDR. And another colleague of mine was working on MDR. So we were trying to get a grasp of the holistic view of the whole detection and response tooling and see which solutions stand where. My work was recently published, by the way, a couple of months ago. It was a Leadership Compass and covered 14 vendors. And I wanted to understand where NDR stands in the detection and response market.
And also, do we really need NDR? And if we need it, why do we need it? That's always the question. All right. Briefly, the agenda of the presentation today. So I'm going to go over the NDR technology and the market. And then I'm going to share with you my key findings. I would suggest you at least pay attention to the key findings, because they're kind of like a summary of my presentation. And then later on, as Alejandro did, I'm going to give some information on how we conduct research here. But I'm not going to bore you with the stuff that Alejandro already mentioned.
But I'm going to explain to you how I did the NDR research, which might be interesting for you. All right. So I chose my title to say NDR versus legacy solutions. And you'll also see EPDR standing there. We have recently been working on that as well. Some organizations still need EPDR because they don't have complex networks, and they are fine with just protecting the endpoints they have. It really depends on your use case. But if you're thinking of a large enterprise, for example, you might have a SIEM, but it might not be that intelligent.
So your log data from your network activities can be manipulated, or you can lose it later. In my research, I've seen that most of the IDS and IPS solutions are more suitable for legacy IT systems. So we still have some problems with those.
Firewalls, again, are lacking capabilities when it comes to detecting more advanced threats, especially with the rise of AI. We have more advanced techniques used by the attackers. And EPDR, as I said, is sometimes useful for some organizations, maybe enough.

But again, it depends on the agents. It relies on agents, and in most cases it requires deploying agents on each endpoint you need to cover. And it's not only the solutions that have challenges; there are also some other common challenges that our solution needs to address. So we might have network performance issues because the solution does not do network traffic analysis. And some malicious activities and misconfigurations in your system may go unnoticed.
And on top of that, some legacy solutions are not able to identify threats in encrypted network traffic. And this always creates an issue, especially for large organizations. This was one of the pieces of feedback I got when I was doing my research: encrypted traffic analysis is something that most large organizations require, and the legacy solutions I listed before often fail to answer those needs. Modern networks require more of a network-centric approach.
So NDR and XDR, which I'm going to talk about later on, are the solutions around nowadays that kind of answer those needs. We have lots of emerging network threats. Alejandro covered some of them. But if you don't think about the future and instead go a couple of years back, SolarWinds was a big breach, and everyone was affected by it. And it was caused by compromised network software.
And yeah, these are the challenges, the reasons why we need NDR. But how does NDR work, and why do you need it? What does it offer, basically?
We can, first of all, categorize the process of NDR into three sections: network data collection, detection, and response. So when it comes to data collection from the network traffic, as I said, NDR solutions and XDR solutions are the two prominent solutions you have available in the market. Why? Because you can just use network sensors, which can be deployed on-premises, on virtual machines, or as a software agent. So you have flexibility. And you can make use of the network metadata. You can monitor and understand your network activity more easily and more meaningfully.

Instead of inspecting every single packet payload, you can analyze your IP addresses, ports, protocols, and timestamps. And then you can be more precise when it comes to understanding the metadata. In terms of detection, some vendors offer customized IOCs.
With IOCs, you are kind of ahead of what is awaiting you in a couple of months or a couple of years, because then you know the threats relevant to your organization. But as I said, some vendors are doing a pretty good job on this, and they actually create customized IOCs for your needs.
Again, playbooks are nothing new. But NDR uses playbooks, and some vendors allow you to use tools to customize those playbooks. Some vendors I've analyzed are offering 600-plus playbooks. So I think it's always useful to have something customized for yourself. Last but not least, machine learning and artificial intelligence are always key players. I think we have covered this all the time here in our sessions. But in the NDR case, it helps you minimize false positives. I think this is one of our biggest concerns nowadays.
We don't have enough budget or human resources to overcome the threats we are receiving. But if you think 97% of them are actually false positives, then you are wasting your time. NDR tools really are able to utilize machine learning and AI technologies, which is something you can't do with the legacy tools. And to answer why, it's pretty simple: you need threat detection, but you want it in real time, and you want some response activities. Most vendors in the NDR market, I would say, are not combining incident response activities; those are mostly sold separately.
This is something that I would like to mention. And if you want to do some forensic activities to understand what is going on, and also to minimize your false positives, it helps you with that. Greater network visibility, IoT and OT coverage, which is something you can't do with EPDR, for example. And one of the most important things is that it's not the only tool that utilizes threat intelligence, but you can connect your threat intelligence, or the third-party intelligence you are receiving, to your NDR solution to see what is relevant to you.
And this is something that vendors are doing both well and badly. What they do well is help you find the threats that might affect you. But most of the time, I've realized that they fail to find what I call the relevancy score. Because then you have the risk score of a threat, which is very normal. Let's say you use the scoring system and it lands in a very high-risk category. But this doesn't mean that it is relevant to you.
Again, I would say that vendors should be even better at utilizing threat intelligence. I'm not going to bore you with the required capabilities. But you see some deployment options.

Of course, some flexible options. Support for CTI standards; this is something that vendors still need to work on. Supporting network traffic analysis and encrypted traffic analysis use cases. Answering different types of attacks and also allowing automated response to them. Threat hunting, forensic investigations; I've already covered those. MFA and aligning with the MITRE ATT&CK framework; this is also something that some vendors are lacking, but I think it is very important for categorizing and seeing the types of attacks that you are dealing with.
In addition to this, I wanted to share a couple of innovative capabilities that I personally think some vendors are offering. I did not include them here because my research was based on observation of the NDR vendors. What I've noticed is that some vendors offer deployment options for OT environments. This is something I consider innovative. And some vendors provide a greater extent of protocol understanding, be it IoT protocols, ICS protocols, or IIoT protocols, let's say. And the other thing is sandboxing capabilities.
This is something we don't really expect to be offered out of the box or supported natively. It can also be done by providing connectors to third parties. Last but not least, some vendors are offering NDR as a service.
This is, again, something innovative in my opinion. Here, I would like to cover some of my observations when it comes to the market. Let's talk about some drivers for why organizations are moving toward NDR. It's because we now have more sophisticated and targeted attacks on our networks. And this can, again, only be addressed by NDR and XDR solutions.
Again, digitalization and the adoption of cloud is another factor, as it is in most cases. Some regulatory compliance requirements and standards mandate that you secure your network and also do network traffic analysis and monitoring of your high-volume network data.
And again, NDR comes in handy. And with 5G networks and IoT devices, again, you are left alone with NDR and XDR when it comes to IoT, for example. Some highlights. There are some solutions that are offered standalone, and in my research I mostly covered those, I would say. They were mostly offering their solution as an NDR-only platform. But the market is not limited to that, because I think this is one of the things demanded by end users: you have an XDR solution, but you have the option not to buy the full XDR, but just the NDR as a component.

Again, from the same vendor, you can just opt for what you need and get the NDR. That might still be called XDR, by the way, not to be confused. Geography-wise, North America holds the largest market share, followed by Europe, not EMEA but Europe, and Asia-Pacific. Acquisitions are still a common practice. I analyzed at least three years of activity, and out of the 14 vendors I analyzed in the paper, which I'm going to show you all in a couple of minutes, three of them made acquisitions in the last two years. And we still have some startups in the market.
I've covered one of them in my report, and a couple of them were left out, but I'm going to mention them as well if I remember. There are some good players when it comes to NDR startups, so they still have a chance to enter the market. And the challenges with the market are deployment issues, complexity, and high cost, because I would say NDR is still something for large organizations, and SMBs may still find it difficult to afford. Let me go through this a bit fast, but this is something I wanted to include because it's like the summary of my Leadership Compass.
So again, the legacy systems are not answering your needs. NDR is there to take care of your network if you have to focus on it separately. If you have a high volume of network traffic, then again, NDR is the solution, because then you can utilize advanced ML techniques. You can utilize threat intelligence to have a better look at it. XDR looks more like a unified EPDR and NDR.
And then, of course, XDR offers more comprehensive solutions. But if you only want to take care of your NDR, then NDR is there.
And again, the widespread use of IoT, and now 5G recently, has expanded the attack surface and also increased the network attack surface. So this is another reason why we need NDR.

Well, I already mentioned protocol understanding, because this is something you need if you're working across different environments like IoT devices. And deployment is very easy, again. The other points I already talked about. So how do we do this research? I was talking about the 14 vendors, and I didn't show them to you.
I know, but I'm going to show you in a couple of minutes. So what we do is first identify who the players in a certain market are. In this case, NDR. So we search the market: who is doing NDR business, where NDR is part of an XDR platform, or who is offering a network traffic analysis solution. Some vendors call it network traffic analysis, so keep that in mind: NTA also sometimes stands for NDR solutions. Then we prepare a questionnaire so that we can have a briefing with them.

Sorry, before we have a briefing with them. With the information we gather from the questionnaire and the briefings, where we also allow them to demo to us, we have the necessary material for writing our research. Then we analyze and evaluate the vendors based on the information they provide us. Then we write our reports and come up with some ratings. And what we do next is give them another chance, because we're also human. We have the human factor here, and we let them check it and review it.
If they want to object to some of the facts we've presented, then we also want them to present their own facts, or their new patches, their new updates, how they fixed the problem. Then we either correct it or keep it as it is.

Again, because this is a three- to four-month period, some problems that we find may be addressed in the meantime. So this is always useful. And then at the end, once we have the last version, we publish it after having the fact-check calls. And for this market, I actually want to show you the next two slides so that you know what I'm going to tell you, but I'm also going to come back here. So those nine categories and these eight categories here are kind of mapped to each other. And this is how we rate the vendors in every LC we do.
But in the case of NDR, I determined eight specific evaluation criteria. Platform support: again, the administration of the console, deployment, etc. Network traffic analysis use cases. Encrypted traffic analysis use cases. Threat hunting functionalities. Detection capabilities. Playbooks, or in other words, response capabilities. The integration options, out of the box or via the API protocols they support.
And last but not least, because this is something new we came up with compared to the previous report, I realized that network insight and reporting is something that most vendors are offering separately, especially when it comes to insights. Because, as I said, with the use of machine learning and the utilization of metadata, you now know better what is more risky and more relevant to you. So I've seen some cool products offering really cool insights, trying to minimize the false positives and also alert you before the damage is already done.

And these are the nine generic criteria that we use in our research: security, functionality, deployment, interoperability, usability. We map these to the eight criteria here. And then this is the final product we have. This is actually one I took from a vendor; I'm not going to share which one it is. This is a real spider chart, let's say. So for one of the vendors, you see that they are pretty good in network insights and reporting, but they lack capabilities in threat hunting and response, as you see. These are the vendors who participated in the report.
Yeah, these are the vendors who participated in the report. I'm sure some of you may say, oh, this one is missing. But then we have the other vendors that I've also included as vendors to watch in my report. For some reasons, we could not include them in the report; sometimes we didn't get feedback or something. But out of the vendors I've listed here, I would say that Trend Micro, Broadcom, Check Point, and Group-IB have interesting solutions. Just keep that in mind. And Corelight is a startup, and they also have a very interesting solution.
This part my colleague just recently covered, so I'm not going to bore you with it. And I'm going to share the overall leadership chart we have prepared for this market, which is the combination of number one, two, and three. So this is the overall leadership, how it looks for the NDR market. Cisco and Arista look like the first two leading the market, followed by Fortinet, Darktrace, ExtraHop, Grukel, IBM, and Stellar Cyber, which are our leaders. And the rest of the vendors are following each other as challengers.
One thing I forgot to tell you, by the way, is that the vendors who did the recent acquisitions are Arista Networks, Sophos, and OpenText. So these three vendors completed their acquisitions in the last two years. So this is an interesting market, an emerging market. It can be complemented with XDR, again, but it can also be used as a standalone solution. Thank you so much. And if you have any questions, I've shared my email, and you can find me outside.

Perfect. Thank you very much, Osman, for this insight into the LC and the methodology and the future of NDR.
Are there any questions from the audience here? Just raise your hand. This is one of the last sessions.

Yeah, probably people are a bit tired. Sometimes it works if I don't take the microphone and walk around.

I will be outside until the end of the event, so if you have any questions, please feel free to contact me.

Perfect. Thank you.

Thank you, Christopher.