Gartner has not released a SOAR Magic Quadrant, but, to the delight of many SOAR enthusiasts, the highly anticipated Gartner SOAR Market Guide for 2022 is out, and we are happy to announce that Sumo Logic has been included again.
Security Orchestration, Automation and Response (SOAR) is a relatively new security category and does not yet have a Magic Quadrant, but Gartner already dedicates a market guide to SOAR solutions. The guide is useful both to security vendors and to organizations evaluating a purchase.
In this blog post, we highlight the most relevant takeaways from the Gartner 2022 SOAR Market Guide and delve into the core of the guide, with a special emphasis on the latest market trends, market direction, and market recommendations.
Gartner’s 2022 Market Guide is both broad and highly detailed, but these are the most relevant highlights.
According to Gartner, larger organizations with more extensive security teams and relatively well-developed security programs together with security service providers make up the main buyer persona. Organizations mainly use SOAR as a tool for improving efficiency, productivity and consistency in SecOps.
Some of the top SOAR features SOCs leverage today are orchestration and automation, case management, and threat intelligence.
SOAR is often coupled with other technologies—such as SIEM, email security and XDR tools—and used as a part of a larger unified security solution.
SOAR is still mostly used by organizations that have a dedicated SOC, and it has become pervasive among managed detection and response (MDR) services.
Gartner underlines that the main drivers of SOAR adoption are staff shortage, alert overload, and the complexity of cyber threats; and points out automation as the primary capability to resolve those problems. Threat Intelligence is becoming increasingly prevalent in SOAR solutions, but it’s still not the main driver for buyers.
SOAR tools are mainly used for incident response and establishing workflows, improving the threat detection processes, and enhancing prioritization and efficiency.
SOAR complements SIEM for incident response. The SIEM aggregates and correlates data from different sources and raises alerts; SOAR consumes those alerts, enriches them, determines whether an alert should be qualified as an incident, and initiates the response.
Despite the already ubiquitous use of cloud services, SOAR has yet to find its place in the context of security operations usage scenarios for cloud services.
In its latest market guide, “Gartner defines SOAR as solutions that combine incident response, orchestration and automation, and threat intelligence management capabilities in a single solution.” SOAR represents the convergence of three previously distinct technologies:
Security Incident Response Platforms (SIRPs)
Security Orchestration and Automation (SOA)
Threat Intelligence Platforms (TIPs)
Gartner goes on to explain the core of SOAR: SOAR tools are also used to document and implement security processes as playbooks and workflows, and they provide machine-based assistance to security analysts and operators.
SOAR allows organizations to automate workflows and orchestrate them across third-party technologies through integrations. Automated and orchestrated workflows apply to use cases such as:
Threat intelligence (TI) curation and management
More general IT contexts, including low-code automation
The goal is to automate the workflows that produce these outcomes, and SOAR provides the ability to select the most appropriate workflow for a given incident.
Gartner observes that SOAR is becoming increasingly prevalent and that the SOAR market is growing steadily, but it is still most commonly adopted by mature organizations. Less mature organizations show the same interest in automation, but with few practitioners of their own they look for MSSPs to run the SOAR tool and related services for them. Demand for SOAR is therefore increasing among security providers such as MSSPs, because SOAR is central to delivering remote response services: MSSP clients expect a service that can contain a threat, not just report it.
Gartner also underlines that SIEM vendors are adding SOAR capabilities to their own offerings, mainly as premium tools that operate alongside the SIEM. Security Orchestration and Automation (SOA) is thus becoming a feature embedded in other security technologies rather than a standalone product.
Gartner advises that organizations looking to invest in a SOAR solution should be wary of the expansion of the SOAR market and must take precautionary measures to define the best solution for their needs. The most important thing is to start by evaluating SOAR solutions based on their technical capabilities, which should include the fundamentals of SOAR:
Alert triage and prioritization
Orchestration and automation
Case management and collaboration
Dashboard and reporting
Threat intelligence and investigation
Architecture (cloud and/or on-premises)
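To make the fundamentals above concrete, here is an added example (not code from the Gartner guide, this post, or Sumo Logic's product) of a minimal SOAR-style triage playbook in plain Python. It models the SIEM-to-SOAR hand-off described earlier: alerts arrive from a SIEM, the playbook deduplicates them, enriches them with threat intelligence and asset context, scores and prioritizes them, decides whether each qualifies as an incident, and records the response actions for the case. Routine steps are automated, while the risky step (host isolation) is left for an analyst to approve, in the spirit of the human-centric approach discussed later. The threat-intel feed, asset inventory, internal address ranges, sample alerts and thresholds are all constructed for illustration.

```python
"""Minimal SOAR-style triage playbook (illustrative, constructed data only)."""
from dataclasses import dataclass, field
import ipaddress

# Constructed threat-intel feed: hypothetical indicators using documentation IPs.
THREAT_INTEL = {
    "198.51.100.23": {"confidence": 90, "tags": ["c2"]},
    "203.0.113.7": {"confidence": 30, "tags": ["scanner"]},
}
# Hypothetical asset inventory: 3 = crown jewels, 1 = low value (default).
ASSET_CRITICALITY = {"db-prod-01": 3, "web-prod-02": 2, "dev-laptop-17": 1}
# Hypothetical internal ranges; the org decides these, not the tool.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

INCIDENT_THRESHOLD = 80  # at or above: open an incident
NOISE_THRESHOLD = 30     # below: auto-close, nobody needs to look


@dataclass(frozen=True)
class Alert:
    alert_id: str
    rule: str
    src_ip: str
    host: str
    severity: int  # 1..5, as assigned by the SIEM correlation rule


@dataclass
class Case:
    key: tuple
    alert_ids: list
    score: int
    is_incident: bool
    actions: list = field(default_factory=list)
    notes: list = field(default_factory=list)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def score_alert(alert: Alert):
    """Combine SIEM severity, TI confidence and asset value into one priority score."""
    notes, tags = [], []
    score = alert.severity * 10
    if is_internal(alert.src_ip):
        notes.append("internal source, TI lookup skipped")
    elif (hit := THREAT_INTEL.get(alert.src_ip)):
        score += hit["confidence"]
        tags = hit["tags"]
        notes.append(f"TI match {alert.src_ip}: {','.join(tags)}")
    crit = ASSET_CRITICALITY.get(alert.host, 1)
    score += crit * 10
    notes.append(f"asset criticality {crit}")
    return score, notes, tags


def decide_actions(score: int, tags: list, host: str):
    """Pick the playbook branch: automate the routine, leave the risky step to a human."""
    if score >= INCIDENT_THRESHOLD:
        actions = ["create_ticket", "collect_host_artifacts"]
        if "c2" in tags:
            actions.append("block_ip_at_perimeter")
        if ASSET_CRITICALITY.get(host, 1) >= 2:
            actions.append("isolate_host (requires analyst approval)")
        return True, actions
    if score < NOISE_THRESHOLD:
        return False, ["auto_close"]
    return False, ["queue_for_analyst"]


def run_playbook(alerts):
    """Deduplicate alerts by (rule, src_ip, host), then score and route each group."""
    groups = {}
    for a in alerts:
        groups.setdefault((a.rule, a.src_ip, a.host), []).append(a)
    cases = []
    for key, group in groups.items():
        score, notes, tags = score_alert(max(group, key=lambda a: a.severity))
        if len(group) > 1:
            notes.append(f"{len(group)} duplicate alerts merged")
        is_incident, actions = decide_actions(score, tags, key[2])
        cases.append(Case(key, [a.alert_id for a in group], score, is_incident, actions, notes))
    return cases


# Constructed sample alerts, as a SIEM might emit them.
SAMPLE_ALERTS = [
    Alert("a1", "outbound-beacon", "198.51.100.23", "db-prod-01", 4),
    Alert("a2", "outbound-beacon", "198.51.100.23", "db-prod-01", 4),
    Alert("a3", "port-scan", "203.0.113.7", "web-prod-02", 2),
    Alert("a4", "failed-login", "10.0.0.5", "dev-laptop-17", 1),
]

if __name__ == "__main__":
    for c in run_playbook(SAMPLE_ALERTS):
        print(c.alert_ids, c.score, "INCIDENT" if c.is_incident else "no incident", c.actions, c.notes)
```

On the sample data the two beacon alerts merge into one case that scores 160 and becomes an incident with a perimeter block queued and host isolation awaiting approval; the scan scores 70 and is queued for an analyst; the internal failed login scores 20 and is auto-closed. A real deployment would replace the in-memory feed and inventory with connectors to the TIP, CMDB and ticketing system, which is exactly the integration surface the guide tells buyers to evaluate.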
Furthermore, Gartner points out that SOC optimization, threat monitoring, investigation and response, and TI management are among the use cases most commonly mentioned by Gartner clients.
Sumo Logic offers all of the capabilities listed above, with particular emphasis on keeping the analyst at the center, as well as the ability to add new integrations or tailor existing ones through code written by the Sumo Logic team. Organizations without in-house developers can have the API connectors they need built by the Sumo Logic team.
All SOAR tools do playbooks, but automation is much more than that, and not every vendor places as much emphasis on the human factor as Sumo Logic does.
The Sumo Logic SecOps dashboard illustrates this human-centric approach: automation handles the routine work so that analysts can:
Skip repetitive and time-consuming tasks
Have all high-value tasks in one place, including decisions and manual executions
Quickly analyze all collected information to make informed decisions
Search collected information using the query bar
See a complete and detailed picture of a specific incident in the war room
Gartner reminds us that the core of SOAR revolves around four main pillars:
Workflow and collaboration
Ticket and case management
Orchestration and automation
Threat intelligence management
Moreover, Gartner offers insights to help security and risk management (SRM) leaders choose a SOAR solution based on clear characteristics, such as:
Pricing model aligned with the needs of the organization
Capability to optimize the collaboration of analysts through a chat or any messaging solution
Capability to easily create playbooks (through code or no-code techniques) based on the organization’s actual processes
Compatibility with the already established security tools and environment
Flexibility in terms of deployment and hosting options (cloud, on-prem and hybrid)
Use cases that complement the people, technologies, and processes vital to the organization’s security
Overall, Gartner recommends that SRM leaders choose a SOAR solution that is compatible with the technologies already installed in the working SOC ecosystem.
Note that the Gartner 2022 SOAR Market Guide does not rank or position vendors; it lists representative vendors whose offerings illustrate the different parts of the SOAR market. Gartner specifically states that it highlights the attributes of representative vendors that most closely illustrate marketplace trends.
We are happy that Sumo Logic has once again been included in Gartner’s SOAR Market Guide, as our innovative and pioneering Cloud SOAR solution continues to grow and play a pivotal role in the advancement of the SOAR technology and industry.
To learn more about how SOAR can benefit your organization, read how to calculate the ROI of Cloud SOAR.