Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm the Director of the Practice Identity and Access Management here at KuppingerCole Analysts. My guest today is once again - and I'm really looking forward to what we are talking about today because it's for me something new - My guest is Alejandro Leal. He's a Research Analyst with KuppingerCole. Hi Alejandro.
Hi Matthias, great to be back.
Great to have you back. We're talking with each other on the occasion of the publication of a new Leadership Compass that you have produced, and it's the Leadership Compass called SOAR. So it's Security Orchestration, Automation and Response. That's quite a bit to digest. So to start with this Leadership Compass and the market segment. What is SOAR?
Yes, you're right, Matthias, it's a long name. So what is SOAR? You yourself, you said it. It stands for Security Orchestration, Automation and Response. And it is essentially an add-on to Security Information and Event Management platforms, SIEMs. Traditional SIEMs were first introduced over 15 years ago as unified platforms for gathering, analyzing and correlating security related information from multiple sources to provide a centralized overview of all security related events happening in an organization. In recent years, SOAR solutions began to appear to complement or directly integrate with SIEM solutions. As we both know, cybersecurity attacks have been intensifying over the past few years. Global supply chains and large organizations are increasingly facing cybersecurity threats as a result of geopolitical instability. So to stay secure and compliant, organizations must seek out new ways to assess and respond to cybersecurity threats while providing their security operations centers, their SOCs, with the right tools. So SOAR solutions have multiple capabilities. For example, enrichment and correlation, orchestration and automation, and incident response and mitigation. If we take a look at the first pair, correlation and enrichment, it is important to note that SOAR platforms should be able to collect historical and real-time data, either on their own or by ingesting security events from the SIEM. The data should then be enriched with additional business context and external threat intelligence information. When it comes to automation and orchestration, SOAR platforms should be able to implement comprehensive workflow management capabilities to ensure that the tasks across multiple environments and security tools are efficiently coordinated. And whenever possible, repetitive tasks should be automated to facilitate the job of the analyst and provide the analysts with more time to focus on more important endeavours.
And last but not least, incident response and mitigation are essential features of SOAR solutions. So platforms should be able to create simple tasks, for example creating a ticket for manual processing, or support dozens to hundreds of playbooks and incident response actions. Of course, these are some of the capabilities of SOAR solutions. There are many flavours of SOAR solutions, but we believe these are the main features that SOAR solutions should have in the market.
Okay. So it's really collecting this information, security related information, just like a SIEM does, correlating that, boiling it down to what is important based on rules, by identifying what is really going on. This is still something that can also be expected from SIEM solutions. But I think the additional factor of getting actionable results to support the analyst in actually mitigating existing threats, even automatically, I think this is the added aspect that really is the magic, the promised magic of such SOAR solutions. Am I right? So it's really helping the analysts to solve some of the issues and making him or her concentrate on what is really important and requires human intervention?
Yes, that's correct. I think over the years, many vendors realized that traditional SIEM solutions could not keep up with the widespread and sophisticated cyber attacks that continue to evolve to this day. So SOAR solutions present these new sorts of capabilities to deal with new threats. For example, let's say that you are a large organization and you are now facing a ransomware attack. If you have a SOAR solution in place, the attack will then trigger and generate alerts from one or more endpoints or even possibly from the network monitoring systems. The job of SOAR would be to distinguish between unrelated and related events across all connected systems, assemble the information coherently, enrich the event information with additional information from other sources and at the same time create or coordinate with a human analyst to engage pre-programmed playbooks and responses to deal with the attack. And of course, this is just one example. There are many different ways this could unfold. So, it all depends on the solution that your organization has and the industry that your organization is focusing on.
Right. Got that part. So you've mentioned integration several times. And we as analysts and also as advisors, we are doing portfolio management. No one can expect, when you're adding a SOAR solution to your cybersecurity response team, that there is not an existing cybersecurity environment already there that is running. So how well are these tools now integrating with what is already there? Is it an added component, or do they want to take a major role? How is integration made here?
Well, I think most of the vendors, they like to focus on how many connectors they have, because that would make the job of the analyst easier to perform and analyze security related events in the organization. So that's something I learned during the writing of the Leadership Compass and through the briefings that I had with the vendors. It's a very important element to consider how many connectors your solution has. And we know, if we take a look at the market, it's already reaching maturity. We have some vendors that are specialized in SOAR; these sometimes have unique innovative features and they specialize in particular use cases. But on the other hand, there are other vendors that already have a SIEM and they are looking to add new functionalities by building or even acquiring a SOAR specialist. Many of the SOAR customers in the market tend to be somewhat mid-sized businesses, large organizations and enterprises, and especially from the defense and government industries, and also organizations that already have a SOC team in place. Those are the organizations that will benefit from adopting a SOAR solution. Something that we also learned during the writing of the LC is that whereas in previous years the market was largely concentrated in North America and secondly in Europe, now we see many vendors going to the APAC region, because we know that countries like China, India, Japan, Singapore, Australia, these are big countries with big economies and with a lot of organizations. So we expect to see further momentum in this region. And ultimately the SOAR solution that your organization will decide to adopt depends on your deployment model, what you're looking for and your unique requirements and needs.
Right. You've mentioned deployment model. So we are not necessarily only talking about the traditional on-premises implementation. How are these delivered? Are there cloud based services? Are there hybrid services? How do they unfold? What do they look like when you really want to implement them? And do they cover cloud as well when it comes to monitoring and securing these platforms?
Yes, I think in the early days, SOAR solutions were offering very complex deployment models on-premises. But most of the vendors today offer hosted cloud environments as well. And this is a trend, it's gaining more momentum. And indeed, most of the vendors today offer cloud deployments, and that's something that customers seem to prefer these days. But also it's worth considering that many organizations still have legacy systems and on-premises infrastructure. So it's important to consider how easy the transition from on-prem to the cloud is going to be. And that's something that vendors should also consider.
Okay. Fascinating. Well, before we close down, is there some specific trend, some new technologies, some, I don't know, some type of implementation or just an interesting set of vendors that you would like to mention, that struck you when you did this analysis, this research?
Well, something I learned at the cybersecurity conference we had in November, organized by KuppingerCole, is that many vendors are talking about XDR solutions, which are a bit of SOAR-like solutions. So I always wonder how SOAR solutions perceive these XDR solutions in the market, if they are concerned at all, or what do they feel about it? And I think SOAR will continue to be in demand, because organizations will probably like to adopt the best of breed solutions in the market. And that's something that SOAR specialists provide.
Okay, great. Thank you very much. The Leadership Compass has just been published, at the time of the recording of this episode. It's really fresh on the website. So everybody who's interested in having a bigger picture of this market of SOAR and trying to identify what really suits your needs, I highly recommend to head over to kuppingercole.com and have a look at this Leadership Compass. Again, as always, yes, we do a rating, but no, this is not a one-size-fits-all, so really use the expertise that you, Alejandro, created and map that to what you really need for your organization, what you already have in place, where you want to integrate and what you want to protect. I think that is really an important aspect to have a look at. So it's already there. It's already published, right?
Yes, that's right. It was published this week. And just like in our previous episodes, it's worth mentioning that if anyone has questions, they should reach out to our website, find any of the analysts, and we'll be happy to answer their questions.
Yes. And when you really want to be quick with the questions, if you're looking at this video on YouTube, just drop your question in the comments section here on YouTube. If you're listening to that on your favorite podcatcher, just reach out to us. Our addresses are on the website and they should be in the show notes as well. So we are looking forward to having discussions with you: contradictions, questions, additional requests. We are happy to support you. I don't want to close down without mentioning the new service that KuppingerCole Analysts is currently creating and promoting. This is KC Open Select, which is a digital service, which makes tool selection and research about specific market segments even more interactive, and that is on our website. And we are talking about Passwordless Authentication. And I think this is something that is of course also very close to your heart, Alejandro, right?
Yeah, that's right. And I think KC Open Select is a very unique product that will help you shortlist the list of vendors that you think are going to fit your organization and the particular needs that you have.
Perfect. So then thank you very much, Alejandro, for joining me today, for giving me insight into the market of SOAR. And I understand that there's a beauty to these solutions for organizations which have to maintain large scale environments for cybersecurity, and I can highly recommend to reach out to our website and to look for the documents. It should be easily found just by adding SOAR to our search engine on the website. Thanks again, Alejandro, for being my guest today, and looking forward to having you here again soon.
Thank you, Matthias.
Thank you and bye bye.