Hello, and welcome to the webinar, Transforming SOCs, The Power of SOAR Solutions. My name is Alejandro Leal, and today I will be talking about SOAR. I recently published a Leadership Compass Report a few weeks ago on this topic.
And, well, I've been covering the market over the past three years. So in this webinar, we'll be examining some of the latest trends, as well as the results of the Leadership Compass. But before we begin, I'd like to remind you of just a few things.
As always, there's really no need for you to mute or unmute yourself. We control these features. We'll be conducting three poll questions, so I encourage you all to participate in those. It's helpful for me, for my research, to know the audience and to know more about the things that we're asking. At the end of the webinar, we'll be having a few minutes for Q&A, so feel free to enter questions at any time using the CEvent control panel. And you will be able to see the recording, as well as the slides, in the coming days. So here's the agenda for today.
I'll just have a brief introduction of SOAR. Then we'll explore some of the evaluation criteria that I used to assess all these different vendors. And we will also be showing the results of the Leadership Compass. I will explain more or less how we do these reports, and then I'll show the rankings. And then at the end, we'll be talking about the market, as well as the trends that I see in the SOAR market. Now we have the first poll question, so please select any of these options if it applies to you. And the question is, how many of you currently use automation in your security operations?
What are some challenges you've encountered with these tools? Here's a quote from the report. SOAR stands for Security Orchestration, Automation, and Response. SOAR platforms stand at the forefront of security operations. They deliver advanced automation and orchestration capabilities that improve the efficiency and effectiveness of SOC teams in addressing and mitigating cyber threats.
Of course, it's a generic definition, but here we have a nice slide that addresses the things that I mentioned. So as we know, the threat landscape is evolving. Threat actors, cyber criminals, they are launching more sophisticated threats with the use of new tools, which pushes companies toward financial risks, especially if one of these organizations is breached or suffers from a cyber attack. So these incidents can cost organizations anywhere between $4 to $9 million or even more.
And on average, if we look at the data and many of the cases that you can read online, it usually takes around six months, more or less, to detect a security incident. And this delay is known as mean time to detect, or MTTD in short. And this is critical because the longer an intrusion goes unnoticed, the more damage it can do to the organization. So once an incident is detected, resolving it, on average, could take approximately two months. And this is known as mean time to resolve, MTTR.
So this duration emphasizes the challenges that organizations face in managing and mitigating cyber threats. So here's where SOAR comes in, because SOAR solutions address these challenges through three main functions. Let's say orchestration, automation, and response. SOAR platforms orchestrate by integrating various tools and processes. And they create streamlined workflows that enhance the effectiveness of security operations.
They also automate repetitive tasks, which allows the human analyst to focus on more abstract and more important tasks, such as identifying new threats or developing new strategies. And they also enable rapid response to incidents. So as we can see, SOAR solutions are an indispensable tool in the arsenal of an organization looking to improve security operations and manage cybersecurity threats. So I mentioned some of the challenges other than more sophisticated threats. We also see that SOC analysts often struggle with the high volume of alerts and the presence of false positives.
So they spend a lot of time addressing all of these different alerts. And what SOAR solutions do is they prioritize and they help the analyst in these scenarios. Another challenge, as I mentioned, is the complexity of threats. So if we look at recent innovations and trends, we see, for example, the use of generative AI. But we often forget that cyber criminals and threat actors, they can also use the same tools that we use for our defense purposes. So things can get a bit more complex in the future.
Also, there's a problem of speed of responses. So the longer it takes to detect and analyze and respond to incidents, the more damage this can do to the organization. Another issue is the integration of tools. So as we know, cybersecurity environments can be quite complex. And they have different set of tools that do not necessarily integrate with each other. So one of the things that SOAR solutions aim to address is this particular problem.
Of course, there's also the problem of compliance. As we see, legal requirements take a while to catch up with technological developments. But once regulations are in place, organizations need to take into consideration all of these things and remain compliant to stay secure, as well as preventing any breach that could harm them, not only financially, but also in terms of reputation. So what are the origins of SOAR? So at the beginning, SIEMs, Security Information and Event Management products, were sort of hailed as the ultimate solution for managing security operations.
And in many organizations, they still form the foundation of SOCs. But the problem is some of these have high deployment and operational costs. There's often a lack of intelligence to react to modern threats. Limited automation and response capabilities and the growing skills gap all present problems for legacy SIEMs.
Of course, SIEMs did, and they still do, provide value. But many SIEM users report a high number of false positives, which causes problems for their productivity, as well as the focus that they have. So parallel to SIEMs, we see the emergence of SOAR platforms, which were designed to complement or directly integrate with them. And the SOAR platforms are becoming the foundation of modern SOCs.
Initially, large organizations in highly regulated industries and in critical infrastructure were often the ones that adopted SOAR solutions. But the utility of SOAR extends beyond these large organizations. So regardless of the maturity of the organization or the size of the organization, SOAR capabilities significantly enhance security operations. And here we see some analysis of the strengths, some of the challenges that SOAR solutions introduce, opportunities and threats.
So of course, as I have mentioned already, some of the strengths include automation, the consolidation of workflows, orchestration, decreased MTTD and MTTR. However, some of the challenges include the complexity to implement, integration as well, and the high initial setup of the solution. But it always depends on the context, right? It depends on the organization and what the requirements are that an organization needs. So here we have the second poll question, which is, what are your primary goals when considering the implementation of a SOAR solution?
Of course, these four apply, right? But I'm interested to know in your own particular situation, what's the primary goal? So now as we sort of set the stage for what SOAR is and what it means, we can now take a look at the report. So in the report, we wrote down that there are some required capabilities that SOAR solutions should possess.
And this includes the integration with SIEMs and EPDRs, cloud integration, identity and access management integration, telemetry collection, correlation of security event information, enrichment, automated analysis and threat hunting, comprehensive forensic tools, workflow orchestration, incident response, the creation of playbooks, case management, now generative AI, and we can talk about that later, et cetera. So now for the Leadership Compass that we published this year, we looked at these eight categories to assess each product. So we were looking at responses.
So this category measures the types of manual and automated responses available in a given platform. So response capabilities, they often depend on the presence of integrations with third party tools. And they are usually packed in playbooks, which can be customized. We also looked at enrichment. So enrichment is the process of adding intelligence and context to security events and incidents. So SOAR platforms have the ability to pull information from different sources. We also looked at case management.
So this category evaluates how well the SOAR solution automatically processes enrichment information and presents it to the analyst for action. So case management includes also automation of preliminary analysis or the facilitation of collaboration between different analysts. Then we also looked at API support, which evaluates the robustness and versatility of SOAR platforms. So whether they support REST, GraphQL, webhooks, et cetera.
Of course, then we looked at the analyst interface, which I guess is more about how easy it is for the analyst to look at the entire workflow and if it's easier for them to have this unified presentation of information. Then we looked at investigations. So this means features that enable analysts to conduct investigations, like building queries or IOC updates, behavioral analysis, et cetera.
Then, of course, automation. So as I mentioned at the very beginning, many analysts have repetitive tasks, which can be annoying and they can decrease productivity. So automation facilitates the job for the analyst, by reducing not only the number of false positives, but also the work that the analyst does. And generative AI here plays an important role, because if I compare the SOAR report that I did two years ago in 2022, well, I'm sure it's not a surprise for any of you that generative AI was a very popular topic of conversation that all of the vendors tried to show me.
I will have a separate slide on that towards the end. But yes, generative AI plays an important role. And of course, compliance and reporting. So this category looks at SOAR solutions' ability to provide detailed reports and compliance tools.
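The following is an added illustration by the editor, not code from the webinar, the report, or any vendor's SOAR product. It runs a miniature playbook over constructed alerts to show the three functions described earlier (orchestration, automation, response) and two of the assessment categories (enrichment, case management): enrichment pulls context from a threat-intel list, an asset inventory and an allowlist; scoring and the decision run without an analyst; alerts that still need a human are grouped into one case per source IP. The feeds, the alerts, the block threshold and every function name (enrich, score, decide, run_playbook) are this example's own assumptions.

```python
"""Miniature SOAR-style playbook. Added example, not the webinar's or any
vendor's code; all data below is constructed and all names are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed threat-intel feed: source IP -> (confidence 0-100, tag).
THREAT_INTEL = {"198.51.100.23": (90, "c2"), "203.0.113.7": (40, "scanner")}
# Constructed asset inventory: hostname -> business criticality.
ASSETS = {"db-prod-01": "critical", "lab-vm-03": "low"}
# Constructed allowlist: ranges whose traffic is expected (internal scanners).
ALLOWLIST = [ip_network("10.0.0.0/8")]
BLOCK_THRESHOLD = 80  # assumed policy: auto-block only at or above this score


@dataclass
class Alert:
    alert_id: str
    src_ip: str
    host: str
    signature: str
    context: dict = field(default_factory=dict)  # filled in by enrich()


def enrich(alert: Alert) -> Alert:
    """Orchestration: attach intel, asset and allowlist context to the alert."""
    confidence, tag = THREAT_INTEL.get(alert.src_ip, (0, None))
    alert.context["ti_confidence"] = confidence
    alert.context["ti_tag"] = tag
    alert.context["asset_criticality"] = ASSETS.get(alert.host, "unknown")
    alert.context["allowlisted"] = any(
        ip_address(alert.src_ip) in net for net in ALLOWLIST)
    return alert


def score(alert: Alert) -> int:
    """Automation: priority 0-100 derived from the enrichment, no analyst."""
    if alert.context["allowlisted"]:
        return 0  # expected traffic: treat as a false positive
    weight = {"critical": 30, "high": 20, "medium": 10}
    total = alert.context["ti_confidence"] + weight.get(
        alert.context["asset_criticality"], 0)
    return min(total, 100)


def decide(alert: Alert) -> str:
    """Response: only high-confidence hits are blocked without a human;
    anything in between becomes a case for an analyst to look at."""
    priority = score(alert)
    if priority == 0:
        return "close_false_positive"
    if priority >= BLOCK_THRESHOLD:
        return "block_and_escalate"
    return "open_case"


def run_playbook(alerts):
    """Run enrich -> score -> decide over every alert; group the alerts that
    need an analyst into one case per source IP (case management)."""
    actions, cases = {}, {}
    for alert in alerts:
        action = decide(enrich(alert))
        actions[alert.alert_id] = action
        if action == "open_case":
            cases.setdefault(alert.src_ip, []).append(alert.alert_id)
    return actions, cases


# Constructed sample alerts, as a detection tool might hand them to a SOAR.
SAMPLE_ALERTS = [
    Alert("a1", "198.51.100.23", "db-prod-01", "outbound beacon"),
    Alert("a2", "203.0.113.7", "lab-vm-03", "port sweep"),
    Alert("a3", "10.1.2.3", "db-prod-01", "port sweep"),
    Alert("a4", "203.0.113.7", "db-prod-01", "port sweep"),
]

if __name__ == "__main__":
    acts, open_cases = run_playbook(SAMPLE_ALERTS)
    for alert_id, action in acts.items():
        print(alert_id, action)
    print("cases:", open_cases)
```

The point of the threshold is the one practitioners care about: fully automated blocking is reserved for the alert where intel confidence and asset criticality both agree, while the medium-confidence scanner hits against two hosts are collapsed into a single case rather than four separate tickets, which is where the analyst time saving comes from.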
So here, you can see the categories that I just listed and I just described. And the way we do the assessment is that in the report, each vendor has a dedicated chapter, a written chapter. And towards the end of the chapter, there is a spider graph that measures all of these categories that I described. And I will explain to you how we do that in a second.
But first, the last poll question, which is, what metrics or KPIs do you consider most critical to measure the effectiveness of your security operations? OK.
Now, we'll be moving on to the report and how we do it. So here is a nice slide that tries to summarize all the process that we undertake to create these reports.
So first, as analysts, we identify vendors in the market. We then send them an invitation to participate. And that involves a questionnaire. So we send them a questionnaire with hundreds of questions, very technical questions. And then they also schedule a briefing with us so they can show us a demo of their product and they can talk to us about what they're doing. So what are their main capabilities? What sets them apart? What's on the roadmap, et cetera? And based on the questionnaire and the briefing, then we evaluate all this information and we come up with some rankings.
And then we send all of these chapters with the rankings and the results to the vendors. And they have the opportunity to have a fact check call with us, so a second call, in case there's anything missing or anything they like to discuss. And then we publish the report. So it takes a few months to do all of that from the very beginning to the publication of the LC. So we have in the report four categories of leadership, product leadership, market, innovation, and overall leadership. And the overall leadership is a combination of these three other categories.
So these are the vendors that we rated in the report. There were 11 that participated. And we had three in the vendors to watch section, which is a small section where we just describe a little bit about their product, but they are not in the rankings. So here we have the overall leaders in the LC SOAR. So we have Palo Alto leading, followed by Fortinet, very close behind. And we have vendors like ServiceNow, Splunk, and Swimlane marked as leaders in this report.
And we have here a combination of established companies that have a long presence in the market, but we also have smaller vendors that are highly innovative and are expanding to other regions or are incorporating different use cases that makes them stand out. Here we have the product leaders. So product leadership is based on the analysis of features and capabilities and the completeness of the service. And it's often reflected by the spider graph and these eight categories that I talked about earlier. So responses, enrichment, case management, et cetera. Then we have the innovation leaders.
So both established and specialized vendors continue to innovate in the SOAR market. Innovation is driven by capabilities such as generative AI, playbook customization, user interface, case management, reporting and analytics, and more. And then here we have the market leaders. So Microsoft is leading the market, being a dominant player in the SOAR space, followed by other large IT vendors, which includes Splunk, Palo Alto, Fortinet, and ServiceNow. So we're now in the last section. And we'll just briefly talk about market analysis and some of the trends. So here's the market analysis.
So customers in SOAR, they tend to be somewhat mid-sized businesses, large enterprises, and government agencies. And these organizations, they often have established IT security departments, especially those with SOCs. And they are the ones most likely to adopt a SOAR solution. But SMBs and some enterprises that are outsourcing IT functions or adding security capabilities but not adding staff, they are turning to MSSPs. So that's something that we see clearly in the market and the role of MSSPs.
We know that the market is somewhat established, but it continues to experience growth, driven by innovation and by the increasing complexity of cybersecurity threats. The SOAR market, of course, is a global market. But the greatest uptake is in North America, with almost 49% of SOAR presence, let's say, compared to Europe and the Middle East, although we see some growth in these regions as well, particularly in the Middle East, in countries like Saudi Arabia.
So if you've been paying attention to the policies that Mohammed bin Salman is pursuing in the country, he's trying to do digital transformation across different departments and businesses, not only in the private sector but also in the public space. So we see some growth in that area, and also in APAC. And perhaps the region with the least growth is Latin America. I'm from Latin America, but I can see that there is potential for growth. We see more adoption compared to the research that I did two years ago. So now let's look at the emerging trends.
So as I mentioned, for SOC analysts, generative AI can help a lot, not only with the presence of chatbots, but many of the vendors that I spoke to told me that they really see potential for generative AI in taking over a lot of the tasks that SOC analysts do. SOC analysts can use generative AI to create alerts and perform tasks like threat detection, incident analysis, summarizing reports, suggesting playbook templates, and enhancing decision making. So the integration offers substantial benefits, but there are some challenges that need to be addressed.
Many vendors, if not most of them, have integration with third parties, but lots of these vendors are coming up with their own large language models because they want to, in a way, increase trust with their customers that these capabilities are native. And one of the challenges as well is that vendors, they need to have quality control to ensure that the information that is presented can be useful and accurate. And we all know the challenges of generative AI, right? It can develop biases, it can hallucinate, et cetera.
So it's important that vendors have a close relationship with their customers in this area, that they talk through all their concerns and expectations. And as I said earlier, many of the vendors this year, they wanted really to show me their generative AI features. It was one of the main things they wanted to demonstrate. But there were also a few vendors that took a more cautious approach and they wanted to see how the market develops because they want to understand the expectations of their customers and they want to align their generative AI strategy with their expectations.
So some of them are taking a more cautious approach, but we, of course, see some growth in this area. And if you've been paying attention, we'll be having some events next month, in a few weeks in Frankfurt, the Cyber Revolution Conference organized by KuppingerCole. And I will be doing a session on the use of generative AI in SOAR. So I will be going into more detail on that during the session. You can go in person or you can access it and watch it online. Here is just some information on KC OpenSelect.
You can check our website and we can help you find and select the solution that best meets your requirements. You can also take a look at our new membership program. And here's just some additional services that we do. So thank you. I believe I have just a few minutes for questions. So here's one question. So what surprised you the most in the 2024 LC SOAR compared to the previous report? As I mentioned, I think that one of the things was the generative AI aspect. Many vendors were very excited to show me their features and how they do it.
And they are sort of trying to compete within themselves, telling me, oh, you know, this other vendor is doing this and we can do it better, et cetera. So that was something interesting. But I also like the approach that some other vendors took, that they were more cautious because they want to be more aligned with their customers.
So yeah, I guess that was one of the things that surprised me the most. One of the other questions is, what are the key factors you consider when selecting a SOAR solution for your organization? So ultimately, it depends on the organization which vendor suits them. It depends on the particular needs and requirements, which things their SOC teams would like to have. So there needs to be this communication between the actual analysts and the people making the decisions to make sure that the SOAR solution that they will choose will be aligned with the goals of the organization.
So ultimately, it depends. Yes. And I believe there's time for maybe one more question, one minute left. So in your view, what is the future of SOAR technology in the evolving cybersecurity landscape?
Well, I think that, just like we hear in other cybersecurity topics, the role of automation is going to be louder. We're going to see more of that moving forward. But I think that we also need to pay attention to the threats that evolve at the same time, because let's not forget that the cyber criminals understand our tools. They know how they work in many cases. So they are constantly trying to innovate and come up with new ways to commit data breaches or cyber attacks.
In particular, due to the geopolitical climate that we are experiencing now, we see more state actor involvement in these cyber threats. So it's important to also look at those developments because we are no longer living in the late 1990s when everything seemed to be going in one direction. Now we see competing powers, more threats, and more, let's say, confusion, I guess.
Okay, I believe that's the last question. So I would like to thank you all for participating with me and for answering the poll questions. And if you have any other questions or you would like to reach out to me, feel free to go to our website or find me on LinkedIn and I'll be happy to talk to you. Thank you.