Hi, welcome to the webinar Optimize Security With Security Orchestration, Automation, & Response. My name is Alejandro Leal, I'm a Research Analyst at KuppingerCole, and today I will be joined by Oren. Hi Oren. Hi Alejandro, nice to be here with you today. Thank you. So before we begin, we will introduce some important information regarding audio control. You're all muted, so there's no need to mute or unmute yourself. We will be conducting a few poll questions, so I encourage you all to participate.
We will also have a Q&A session at the end of the webinar in the last 20 minutes, so you can enter questions at any time and we will answer them at the end. And we will be recording the webinar, so the recording, together with the slides, will be available in the coming days. So here's the agenda. I will introduce the concept of SOAR, and then I will also talk about the Leadership Compass that we published at the beginning of this year on SOAR. And then Oren will talk about how not all SOAR solutions are created equal, and then he will talk about QRadar SOAR.
And like I said before, at the end we will have time for some Q&A. So here's the first poll question, and the question is, what are the key drivers for your decision to invest in SOAR solutions? The growing number of threats, the need for centralized management, to reduce incident response time, or to increase existing SOC efficiency? I will give you 20 more seconds and then we will proceed.
Okay, we can move on. So let's talk about the origins of SOAR and let's try to understand where it came from. Back in the day, security information and event management solutions, SIEMs, were the solution for managing security operations.
In many organizations, SIEMs are the foundation of security operation centers. However, the visibility of threats and events alone is not enough to tackle the modern cybersecurity threats that the current landscape is facing. Some of the major problems of legacy SIEMs included the high deployment and operational costs, the skills gap, and the lack of intelligence to tackle some of the more modern cybersecurity threats. And that's when SOAR solutions come in. They were introduced a few years ago.
And essentially, SOAR solutions are trying to provide a centralized way to coordinate, collaborate, and manage forensic data and incident responses. SOAR platforms try to facilitate workflows and streamline processes. Some vendors approach SOAR from a threat intelligence perspective. And during the research that we have done here at KuppingerCole, we have observed that many SIEM vendors have proactively added SOAR features, or they have simply acquired SOAR vendors. So what exactly are SOAR solutions? SOAR stands for security orchestration, automation, and response.
SOAR's job is to distinguish between related and unrelated events across all connected systems, to assemble them coherently, to enrich the event information by acquiring additional intelligence about observed entities, to create and coordinate tickets with ITSMs, and to assist human analysts by taking pre-programmed responses in playbooks. SOAR solutions can make the job of the analyst way better. They can reduce time, and they can also provide them with more information so they can make better choices.
Of course, there are many capabilities, but the ones that we describe in this slide are the ones that we rated and assessed during our research on SOAR. This includes telemetry collection, correlation, enrichment, workflow orchestration, incident response, and playbooks, which I thought was something very interesting: many of the vendors that we did research on all had a different approach to playbooks, and it was very cool to see how they all do it.
Automated analysis, case management, SIEM integration, EDPTR integration, email/web gateway integration, cloud integration, IAM integration, threat hunting, support for standards such as STIX, TAXII, and SABOX, well-documented APIs, SOAR functionality across multi-cloud environments, MFA, comprehensive forensic tools. So, like I said, these are the main capabilities that we observed during our research, and something that stood out to me was how some vendors tried to provide the best-of-breed approach; these vendors are mainly the ones who offer just SOAR.
And then we also observed some vendors that have a SIEM in place, and they also provide SOAR or some SOAR features. And I'd say that most of them have these capabilities listed here on this slide. So now moving on, these are the top five use case categories for SOAR, and this includes threat hunting, CTI management, investigations, automation and responses, and management.
Many vendors target large organizations, but due to the current threat landscape that we're facing, also small and medium organizations can deploy a SOAR solution to protect themselves from the current threats that we're facing. And due to the geopolitical situation that the world is facing, many of these organizations, especially those that are in critical infrastructure industries, they can benefit by having a SOAR in place. SOAR deployment.
So many of the vendors that we did research on during the LC, they all understand that many organizations are going through a process of digital transformation, and many of them require the migration from on-prem to the cloud. And that's a very important aspect that many of the vendors know, and that's something they're trying to tell their customers. Because like I said, one of the main challenges of legacy solutions was the high deployment costs. So SOAR solutions are trying to ameliorate that particular problem. So why SOAR?
Like I said, attacks are happening across the supply chain, and we're going through a turbulent geopolitical period where organizations need to protect themselves from either cybercriminals or rogue nations that foster cybercriminals. Here we can see that SOAR is becoming an essential security architecture component. It's not just for global and large organizations, but it's also appropriate for many small and medium organizations. From our current research, here are some market observations.
The first one, which is something that Oren will talk about more, is that not all SOAR solutions are created equal. SOAR is still relevant and appropriate for organizations that have security operation centers, and especially for those that have a best-of-breed approach. The SOAR market is mature, and as such, has well-defined capabilities. But many small and innovative companies are trying to do things, let's say, a bit differently, and trying to come up with new ways of doing playbooks, for example.
The SOAR market is valid globally, but we see the biggest adoption in the United States, in North America, followed by Europe, but with growing presence in the APAC region. And we do expect to see more organizations across the world adding SOAR to their portfolios. So now I'm going to talk about how we did the leadership compass process.
Basically, we have nine categories that we use to measure the different solutions. This includes security. So what are the security requirements that we're looking for? Also functionality. We take a look at all the features and capabilities that we expect to see. Integration. Is it delivered as an integrated offering? Interoperability.
Usability, which is something important. How easy is it for users and analysts to leverage?
Also, we take a look at innovation and at the market. How many customers have deployed the product? In how many geographical regions does the vendor have a presence? We also look at the ecosystem and the financial strength. After performing those assessments, we come up with four categories of leadership. The first one is product leadership. So we looked at the functionality and completeness of the product. Then we look at the market. Then at innovation leadership. And then we rate and present the overall leadership. So this is essentially the process that we follow. We do research on the market.
We identify the vendors. We then send them a questionnaire. And I think that many of you who have done briefings with us know that sometimes we can send lots of questions. And we always appreciate that. And then we have briefings. Then we analyze based on the information provided by all the vendors. We can always do a fact check. So some vendors who have questions or would like to have a second call, we can also provide that. And then we publish the report. And like I said, the report on SOAR was published in January this year. So these are the vendors rated in the LC.
There were 14 rated and nine vendors in the section vendors to watch. We see here the biggest players as well as some small but innovative companies. These are the overall leaders in the LC SOAR. The overall leadership is a combined view of product, innovation, and market. And the leaders are primarily composed of well-established vendors, but we can also see some small and innovative companies. Then we look at the product leaders. And here we take a look at some capabilities that we believe are essential for SOAR.
For example, in this case, responses, enrichment, case management, API support, analyst interface, investigations, automation, and threat hunting. So we use the questions from the questionnaire and the demos and the conversations we had during the briefing to assess this. Then we take a look at the innovation leaders. And there's a strong correlation between the overall product and innovation leaders. And then last but not least, we have the market leadership. And this is based on financial strength, on partner ecosystem, number of customers, and geographical distribution.
And like I said, on the product leadership slide, here's an example of the spider chart that we present to the vendors. And the spider chart is composed of the categories that I discussed earlier. Here we can see, in the case of IBM, they scored pretty well in all of the areas that we were looking for, such as responses, enrichment, case management, investigations, et cetera. So now we will proceed with the second poll question. And then I will give the floor to Oren. So the question is, what ROI impact do you consider most important to justify investment in SOAR solutions?
Reduce incident resolution time, maximize staff productivity, cost savings, or other? Okay. Thank you for your participation.
Oren, the floor is yours. Thank you, everyone, for joining us today. As mentioned, I am Oren. I lead the product management team at IBM for QRadar SOAR. Very happy to be here. And I can give you a bit of a view of our solution. We've been working with the KuppingerCole team, very happy with our position in this report. And very excited to show the participants here and everyone watching this webinar what exactly QRadar SOAR is.
So I know there was a poll question about some problems, but things that, from an IBM perspective, we've noticed, and I'm going to really breeze through this slide here. But just to set up the stage, we all know the security operations problem statement these days. A lot's going on in a SOC. We see organizations adopt cloud, move into hybrid models. We keep talking about the skills gap that's coming in. And like we heard before, like if you have a best of breed approach, a lot of the times you would buy a lot of tools that don't really connect to one another.
And you really need the right people and expertise to manage them. It actually results in information overload in the SOC. We've seen it also with our own MSS team here at IBM. We see it when we talk to clients. You can see the same threat appear across different tools in a lot of different alerts. So as a SOAR solution, we do have that role of orchestrating and correlating some of this information and presenting it very effectively. So as we've noticed, about half of the organizations that we've been talking to have a big struggle with detecting and responding to threats.
And when we launched our new offering, and I'm going to talk about it, we really wanted to put the analysts in the center of it all and provide a unique approach on how to do proper incident response. And of course, bringing in concepts from SOAR orchestration, automation, and all the things that we have been scored on in the KuppingerCole report here. So summarizing some of the points that I made about current security operations and the problem statement, we've wanted to change the paradigm.
We're seeing a very technology-focused SOCs, a lot of different tools, like I mentioned, a lot of distractions in the SOC team. And even with the skills gap and the struggle to keep up, you always need a hero or someone who is a very specific expert on the tool to really get the right value out of it. A lot of these tools that clients have also don't really talk to one another or don't have the right set of integrations to really enable all those workflows.
So when we wanted to modernize our SOAR solution and the threat portfolio here at IBM, we wanted to take the approach of putting the analysts in the center. And I'm going to talk a lot about the analyst experience here through my talk track. We want to make sure that analysts that use our solution gain the best value and outcomes and have a unified workflow. We wanted to bring in the best of breed from IBM, either from our expertise and content, our AI capabilities, and of course, blending in automation and context wherever we can through the experience.
And as we've done that, we've also been looking at open standards. So the ability to have a community behind you that can collaborate with you and provide more content and force multiply, basically, those outcomes. Also leveraging different standards that allow analysts to learn the tool and be able to get the best value out of it as soon as possible. So we made the announcement more than a week ago about the new QRadar Suite. This is basically a reimagining of the threat management portfolio here at IBM.
We have a set of solutions, spanning from EDR, a logging solution that we just launched, our SIEM, of course, and SOAR. QRadar SOAR, which some of the market also knows as Resilient, has been completely modernized and brought into a SaaS-native architecture. Taking this approach, we've really wanted, like I said, to put the analyst experience first. So a lot of our design efforts were around making sure that the analysts using the tool can have the best decisions in front of them, have a streamlined approach, and give a lot of our automation, AI, and expertise for that.
Also, of course, with our threat intel from X-Force ability to connect to other threat intel sources, always expand that experience. And also we wanted to maintain open. So as a SOAR solution, specifically, integrations matter. So have the ability to connect to other tools, SIEMs and EDRs the client already have, and give them the right outcome. So the experience and outcomes that they should expect should not change if they have a different SIEM or a different tool connected to this environment.
Also, we have a unique feature called federated search. I'm going to talk about it a little bit further, but it allows us to connect to different data lakes and SIEMs and bring in the right context and support investigations for these analysts as well. So double-clicking on QRadar SOAR, really the value proposition, as you can see on the screen, and how we've modernized our SOAR to be able to support analysts.
You know, we're giving them a modern case management experience. No more, a lot of different incidents to take a look at, but one case that can correlate a lot of those alerts and findings into one unified threat. It's already enriched for the analyst. They already see some automations that we're running on that case. They can see how it's mapped to MITRE. They can see different severities in IOCs and also understand exactly the right threat intel sources that contributed to this decision. A more streamlined manner to manage your tasks and responses, and a net new here, automated investigation.
So a case can be automatically investigated. So building the right narrative and showing the analyst exactly the threat and how it's been progressed. Literally been moving through systems, for example, the different alerts that really construct it and builds the picture. Every step is explainable, mapped to MITRE, and the nice thing here actually, we're showing and giving recommendations of responses. So really an application of our AI work here at IBM, giving the right recommendations to the analyst at the right time. And of course, for automation and playbook.
So for more complex use cases and business logic, and be able to customize your environment and responses to your needs. We have a modernized, award-winning playbook design solution as well. It's all one workflow and one streamline. So talk about the unified analyst experience. This is very unique. It is something that we are providing to every one of our threat portfolio solutions, SOAR included. And so really, with that approach really becomes supercharged.
And I think the visual here speaks for itself, but we have done a lot of research and also seen patterns in how analysts work in the SOC, a lot of pivoting between tools, investigations happen in different tools. Sometimes maybe there is a client that has a SIEM in the center of the SOC and they need to also pivot to the SOAR. So we really wanted to streamline that and actually take the approach of how much time would it take us to respond to an incident? We've seen the pattern that it can take on average about eight screens, 19 different steps, hours sometimes to close an incident.
And really our approach here trying to minimize the pivoting and having one screen, of course, as much as we can reduce the number of steps significantly. And of course, reducing the response time from hours or days to merely minutes. How do we do that? So like I said, we've really taken a lot of research and talking to our clients and business partners and testing a lot of those concepts over the last two years. We've reinvented our case experience and provided a common UX that provides better explainability. So the ability for analysts to drop in and understand what happened right away.
I talked about having an enriched, prioritized case that gives them that narrative. I talked about automated investigation and giving them the right recommendations where they need to. And the power of federation is very, very important here as well. This supports bringing the right context, the right data at the right time into that incident. Also helps analysts to buy a store that now supports the threat hunting capabilities across different systems.
And the output of these is one normalized enriched schema that is easy to understand and also easy to contextualize and add to that case and investigation. Some reactions we've seen from users and partners that's already been using our new unified analyst experience really shows the value of that. One of our quotes here talk about that idea of implementing this approach helped our client to basically they see as equal to five additional FTEs and made the people's job faster and better. This is a quote from one of our clients.
As I said, we're taking also some of approaches with AI and automation. So this is a vision side, but some of these are already implemented into the product. Be able to correlate cases effectively, be able to provide the right recommendations and responses to the analysts at the right time. We really try to map some of their journey in the SOC and giving them the helping hand and assistance in all different use cases. This is powered by automation and AI models that we have. And of course we have more plans to extend that. Just double clicking on our playbook design experience.
So this is also another reinvented experience that we have in the last year and a half. And it's already been winning two design awards. So what we've done, we really wanted to streamline that experience of building automations and bringing it downstream to the analyst. So this is a canvas that we've completely modernized and built to help streamline that approach to building that automation, having all the right tasks and widgets and tools in one place. Our playbooks are also dynamic.
So when we're thinking about automation, we're also taking into consideration the changing nature of a case or an incident. So we really wanted to have an automation solution that reacts to it. So our clients build automations that they know that they will be triggered exactly when the change occurs in the incident to be able to have the right automation turned on. We also have ways for clients to adopt automation and build confidence with it. Like you don't have to automate everything.
You can also create playbooks and trigger them manually through your process before you really fully automate. And also we wanted a reusable solution. So an approach to having the ability to build one snippet of a playbook, one process, and reuse it in different contexts. Because our clients also want a lot of ability to customize, but also we didn't want them to build the same process over and over again. So we were able to support that as well. Another unique feature for QRadar SOAR is our privacy and rich response module.
This is a very interesting concept where we want to bring in more users outside of the SOC to collaborate with our SOC team. So our tool provides more than 180, actually it's about 200 today, global requirements and notifications and response plans for those privacy regulations. So what happens is, if an analyst sees that there might be a data breach as part of his investigation, with one click of a button this will auto-populate the case with all the right response actions and documentation that is required by regulation to report on.
That brings in more people working together and collaborating on the case. And of course helps unify that process and have a repeatable auditable process for that. And the last piece about SOAR, we keep talking about being open and integrations. So definitely integrations are very important when we're talking about a SOAR solution today. So we see it as IBM that security is a team sport. We really invested and have a very wide ecosystem of partners that help us enhance and enrich our products, SOAR included. Right now we have hundreds of integrations.
Of course, we keep adding more and more. We're working with our clients to add and prioritize integrations that they want. We also enable clients to build integrations that are custom to them. As we've built our new offering, QRadar SOAR, we also bet on open source and open community solutions. I just want to talk about that. You kind of saw and mentioned MITRE. IBM has also been a founding member of the Open Cybersecurity Alliance. And that enabled us to bring in a lot of concepts that have been admitted as an open cybersecurity solution and bake them into our product.
That means that we have a community of practitioners to support those tools. Federated Search, for example, is a result of an Open Cyber Security Alliance project. It enables our practitioners to have, like I said, a community of practitioners that supports them, kind of like attackers work together. We really think that having an open community and open approach to cyber security allows us to collaborate and also have a better approach to our SOAR team and giving them the right content. So just a few words to summarize here. Just things that I mentioned in this presentation about our SOAR.
Really the approach is to have a streamlined and efficient SOC and really help our clients with our detection and specifically with SOAR with response and investigation. So leveraging the right threat intel sources with X-Force here at IBM and other threat intel sources into one system. Leveraging AI where you can is very important. Helping investigation and automating as much as you can, automating and enriching cases, automating the investigation process, providing explainability on what exactly happened so our analysts can respond quickly to what they see.
And of course, building the right automations, be able to enhance that response capability with the right playbook and the right automation capabilities in our analysts' fingertips. So really giving the people, process, and technology a way to show itself in the incident response process. Some more results that we've seen really implementing those concepts. And this is from some of our case studies with our clients. We've seen 85% reduction in incident response time, also 75% reduction in risk of security incident happening as well.
So summarizing the Novipak, I wanted to show the same view that the KuppingerCole team here, Alejandro, showed about IBM's position. A lot of those concepts we've shown the KuppingerCole team.
Of course, there's a lot new stuff here that we will show them in the future. Very excited. We've seen, as you can see, a lot of those concepts also check a lot of the boxes around threat hunting, investigation, enrichment, and all the things that the team here have been looking when they built the report. So that was my briefing for the day. I will hand it over to Alejandro for Q&A here.
Thank you, Oren. Maybe perhaps we jump into the questions. I'll just share some information quickly from KuppingerCole. This is KC OpenSelect, and it can help you optimize your decision-making process to select solutions. We recently did passwordless authentication and privileged access management. And I really hope to see SOAR at some point.
Coming up, we have a cyber revolution event taking place in November of this year in Frankfurt. Next week, we will have the European Identity and Cloud Conference in Berlin. So I'm really excited to see people from the SOAR community there and hopefully in November as well.
And yeah, just a slide on KuppingerCole, what we do. We do events, research, advisory, and webinars. And here's the related research. You can find the Leadership Compass on our website and other documents on SOAR. So now we can jump in and check the questions. I believe there's a few for you, Oren, and for me as well. Maybe we can start with one question for you. And this person is asking, does QRadar SOAR integrate with other threat intel feeds?
Yes, absolutely. We have several threat intel feeds outside of X-Force. What our clients are getting is X-Force when they buy our solution, but definitely an open approach to integrate with other threat intel sources. That's part of our integration ecosystem. So definitely yes, the answer is yes here. Got it. The next person is asking, I guess it's asking me, why do I consider IBM QRadar an overall leader? What stood out to me? I'd say something that Oren mentioned.
I think that the fact that you guys are strongly committed to open security by being a founding member of the Open Cybersecurity Alliance. The fact that you can promote collaboration among partners and other organizations, it really puts you at the forefront of the conversation. The tight integration with the X-Force Threat Intelligence platform was also something that stood out to me. I thought that brings very good capabilities that are perhaps lacking in other vendors, and the dynamic and adaptive playbooks. I know that Oren briefly talked about them. That's also something that stood out to me.
Okay, next question I believe is for you. Does QRadar SOAR support MSSPs?
Yes, I think for the sake of time, we haven't mentioned this capability, but definitely we do. We have a lot of successful implementations with MSSP business partners.
Also, the IBM MSS team also uses our SOAR, of course, drinking our own Kool-Aid here. But yes, we do have support for MSSPs. In briefing the idea with MSSPs, they get a very easy way to manage and see those cases across their clients, assign analysts, be able to drill down and have high-level reportability.
So yes, we definitely have those and very successfully deployed. Okay, I believe we have two more questions for you. This person is asking, my organization has a defined process on how we tackle specific incidents. How easy is it to build and customize playbooks in QRadar SOAR?
Yeah, so as I said, it should be very easy given, of course, the right integrations to the tools you're using. We're really focused on having that experience be as easy as possible. So even someone that doesn't know how to code; sometimes a lot of automation in SOAR goes back to scripting. It should be easy enough, but I think a lot of our clients have their own processes, right? So every process for itself. So you can build very simple playbooks. You can also build very complex playbooks and go beyond and start adopting scripting and customizations on top of that.
So it's really picking and choosing based on your level of expertise in the process you're trying to build. But yes, and just another word that our intention with Playbook Designer is to make it simple. So in every release, in every quarter, it becomes better and better for our clients. And we're working very closely with our users to make it, give them the value that they need.
Thank you, Oren. And the last question is also something you already talked about, and perhaps it's something that also stood out to me when I had the first briefing with you. The question is, how does the product keep up to date with privacy regulations?
Yeah, that's a great question. Very unique value proposition.
Actually, we have a privacy analyst working on my team to help update the content that we're pushing into the product. So we do push it on a monthly basis, actually, ahead of time. A lot of those regulations change. So our products are updated on a monthly cadence. And as they are, they are ready to change and trigger that response at the right time when the new regulation or changing regulation happens. So we do keep up. And that's, like I said, a great unique value proposition. I'm sure that your European customers really value that. I know they are always asking about GDPR. Okay.
Perhaps the last thing that we will do is maybe discuss the results of the poll questions. The first question was, why would you invest in a SOAR solution? And it seems that the answers were all split. 20% for growing number of threats. But the one that had the most votes was the need for centralized management with 40%. Are you surprised to see that, Oren? Not really. I think it makes a lot of sense as a result.
Right, right. Yeah. We also have 20% for reduced incident response time and 20% for intention to increase existing SOC efficiency. This is where I find it a bit interesting, because part of my talk track and how I would position SOAR is about SOC efficiency.
In a way, SOC efficiency is a very broad statement. It has a lot in it, but yeah, at the end of the day, this is definitely the outcome that we would expect to see clients using our solution effectively get. Absolutely. Okay. And the last poll question was, what ROI impact do you consider most important to justify investment in SOAR solutions? And the number one answer was maximize staff productivity with 50% of the answers. Do you think it makes sense? Yeah. And very much aligned with how we've talked about Unified Analyst Experience.
Just from that approach, we want to make sure that productivity, also going back to my point about efficiency, is growing and having a tool that helps giving analysts all the help that they need, helps them use their time to higher value activities, of course. So definitely maximizing productivity in our market and the skills gap and resource constraint clients that we have, definitely we want a solution that helps them do that to make the ROI here make sense. Great. All right. I believe that's all from us. Any last comments, Oren, before we wrap up? Yeah.
Again, I just wanted to thank everyone that joined and listened to, A, the KuppingerCole view of the SOAR market, and the IBM approach. I am available if anyone wants to reach out and learn more, and thank you for the opportunity to present today.
Thank you, Oren. And if anyone would like to take a look at the report, it's available on the website and you can find more about IBM QRadar there. And I know you guys are making announcements every now and then and are updating your solution. So looking forward to what you guys are doing. So thank you, Oren. Bye.