Gartner analysis: Why SOAR is the technology for the future

In 2019, Gartner predicted that by the end of 2020, 30% of security teams with over five team members would be dependent on SOAR or similar automation and response solutions. To put it in perspective, in 2019, only 5% of security teams implemented SOAR in their security operations.

The main reason why such a dramatic increase is expected lies simply in the fact that future cyber threats are expected to become deadlier, more complex, and far more numerous than the ones that are prevalent today.

With SOAR tipped to have a dramatic impact on security operations for the next few years, what can SOCs do to be fully prepared for the complex future, and what role should SOAR be expected to claim? Read on to find out why SOAR is deemed to occupy a central role at the heart of every security platform.

SOAR uncovered: What drives the adoption of SOAR in the real-world?

The SOAR acronym was coined by Gartner back in 2017, and it stands for Security Orchestration, Automation and Response. In short, SOAR refers to the technologies that allow organizations to collect relevant data regarding security operations by applying automation and orchestration.

Gartner predicted that this technology would be a turning point in the cyber world, and in the short time that SOAR has existed, that prophecy has so far proven to be true, as more and more organizations realize the immense value SOAR brings to the table.

Even though the adoption of SOAR is moving at an overall steady pace, the future of SOAR, predicted by Gartner, tips this technology to make a drastic leap forward. The main drivers of SOAR for the future are:

• Drastic skill shortage in the cybersecurity domain

• Evolution of complex cyber threats

• Increase of security alerts, namely false positives

The increasing amount of threats creates an overwhelming task for analysts, as bigger companies may receive tens of thousands of alerts in a single day. The high volume of threats makes it virtually implausible for analysts to assess every alert in a timely manner.

Additionally, since threats become more complex and sophisticated, that makes it even harder to detect which threat is real and which is a false positive.

This all piles up on the mountain of responsibilities security professionals have, and ultimately, the huge number of alerts leads to alert fatigue. This often results in security professionals not being satisfied with their jobs, and thus the skill shortage occurs. And at the current rate of skill shortage drop, it is estimated that the cybersecurity industry faces a 1.8 million workers shortfall by the year 2022, which is a 20% increase compared to estimates from 2015.

All of these prevalent issues underline the importance of incorporating SOAR as a solution that plays a direct role in resolving them.

Gartner Forecast: How will SOAR be positioned in the near future?

The number of security alerts will continue to overwhelm security teams who can’t possibly make sense of the large volumes of threats manually. This is one of the main reasons why Gartner tips SOAR to become even more widely adopted in the next several years. In fact, Gartner claims that the SOAR industry will skyrocket to a whopping $550 million by 2023.

However, Gartner also advises that not all organizations are ready to rely on automation just yet, and this may somewhat temper with SOAR’s growth. This is understandable, given that security teams need to be mature enough in order to be able to bear the benefits of SOAR.

To understand why SOAR is deemed as a worthy adversary against the evolving sophisticated cyber threats, we need to understand the very core around which SOAR is built - machine learning and progressive automation:

• Superior cyber threats: The difference between older cyber threats and contemporary attacks is that they use superior technologies to leave fewer traces, forcing analysts and other security professionals to manually assess each threat. In this case, SOAR replaces analysts by analyzing the threats as they arrive in real-time, providing analysts with valuable inputs and leaving them with a far easier decision-making process.

• Progressive automation: The reason why SOAR is different than other cybersecurity technologies is that SOAR is able to learn from its experience. When placed in a certain security environment, SOAR will start learning the idiosyncrasies of the platform, analyze the characteristics of every alert as it arrives in real-time, and use that knowledge to intercept future cyber threats with similar characteristics.

• Fewer false positives: Thanks to its progressive automation, SOAR is able to solve a crucial problem in the cybersecurity industry - distinguishing between false positives and false negatives. False positives are very frustrating for analysts, who have to spend hours analyzing alerts that end up being false threats. Thanks to its machine learning engine, SOAR is able to recognize false positives and nullify these false alerts without the need for human intervention.

Considering that SOAR takes care of the issue with false positives and is able to automate a wide range of repetitive, menial tasks, it comes as no surprise that Gartner bids SOAR as an integral part of every security team.

Automation is still a scary phenomenon for many organizations, but when implemented properly, it adds immense value to security teams. Gartner tips SOAR to become even far more widely adopted because automation is one of the key ingredients in the battle against sophisticated cyber threats.

Selecting the right SOAR partner will be key

Even though it’s still the early days of SOAR adoption, there is already a major difference in how different SOAR vendors architect their SOAR solutions. Other than having a clear vision of how SOAR is going to fit your security environment, users will also need to be even more cautious about which SOAR solution they choose.

Naturally, not every SOAR solution is the same. And as the world’s leading research and advisory company, Gartner is very well aware that different SOAR vendors offer different SOAR solutions with unique characteristics. In fact, Gartner provides a graphical competitive positioning of technology through its Gartner SOAR magic quadrant in order to assess the unique qualities of different SOAR vendors. That’s because while the premise of SOAR revolves around automation orchestration and response, there are many unique features that some SOAR solutions have while others don’t.

Gartner advises that prior to choosing a SOAR solution, it is essential to make an assessment of the need of your security team, analyze which areas of your security operations need strengthening, and find out which SOAR solutions offer the kind of features that match your actual needs. For instance, our Cloud SOAR solution differs vastly from other solutions by offering an unmatched Open Integration Framework (OIF) philosophy, which makes it the most open SOAR solution on the market.

Furthermore, DFLabs (Now Sumo Logic) has been awarded three patents (the highest number of patents in the industry for a single vendor) regarding its innovative SOAR solution, which obviously underlines the fact that merely purchasing a SOAR solution without assessing your options on the market may prove to be counterproductive. You should treat the purchase of your SOAR solution the same way you treat the purchase of every other software in your security environment - meticulous, well-planned, and in alignment with your actual needs.

Read more about our Cloud SOAR solution and its unique qualities here.