SOAR Market Guide 2022: What does the Gartner research say?

While Gartner hasn’t released the SOAR Magic Quadrant, to the delight of many SOAR enthusiasts, the highly anticipated Gartner SOAR Market Guide for 2022 is out and we are happy to announce that Sumo Logic has been included again!

Even though Security Orchestration, Automation and Response (SOAR), as a relatively new security category, doesn’t have a SOAR Magic Quadrant, Gartner is already dedicating a market guide for SOAR solutions. This market guide will be welcomed by security vendors and companies that are interested in purchasing a solution.

In this blog post, we highlight the most relevant takeaways from the Gartner 2022 SOAR Market Guide and delve into the core of the guide, with a special emphasis on the latest market trends, market direction, and market recommendations.

Gartner SOAR Market Guide 2022

Key takeaways

Gartner’s 2022 Market Guide is both broad and highly detailed, but these are the most relevant highlights.

• According to Gartner, larger organizations with more extensive security teams and relatively well-developed security programs together with security service providers make up the main buyer persona. Organizations mainly use SOAR as a tool for improving efficiency, productivity and consistency in SecOps.

• Some of the top SOAR features SOCs leverage today are orchestration and automation, case management, and threat intelligence.

• SOAR is often coupled with other technologies—such as SIEM, email security and XDR tools—and used as a part of a larger unified security solution.

• SOAR is still mostly used by organizations that have a dedicated SOC environment. And it has become pervasive among managed detection and response services (MDR).

• Gartner underlines that the main drivers of SOAR adoption are staff shortage, alert overload, and the complexity of cyber threats; and points out automation as the primary capability to resolve those problems. Threat Intelligence is becoming increasingly prevalent in SOAR solutions, but it’s still not the main driver for buyers.

• SOAR tools are mainly used for incident response and establishing workflows, improving the threat detection processes, and enhancing prioritization and efficiency.

• SOAR is a technology that complements SIEM for incident response. SIEM aggregates data from different sources, and SOAR uses the information gathered from SIEM to initiate responses and determine whether an alert should be qualified as an incident.

• Despite the already ubiquitous use of cloud services, SOAR has yet to find its place in the context of security operations usage scenarios for cloud services.

Gartner’s definition of SOAR

In its latest market guide, “Gartner defines SOAR as solutions that combine incident response, orchestration and automation, and threat intelligence management capabilities in a single solution.” SOAR resembles the convergence of three distinct technologies:

• Security Incident Response Platforms (SIRPs)

• Security Orchestration and Automation (SOA)

• Threat Intelligence Platforms (TIPs)

Gartner proceeds to explain the core of SOAR and states that SOAR tools are also used to document and implement security processes via playbooks and workflows. In addition, it claims that SOAR finds its use in machine-based assistance to security analysts and operators.

SOAR allows organizations to automate workflows and orchestrate their use via integration with third-party technologies. Automated and orchestrated workflows can have an application in various use cases, such as:

• Incident triage

• Incident response

• TI curation and management

• More general IT contexts and low-code solutions usage

The end result would be to automate the workflows with the goal of achieving these types of desired outcomes. SOAR provides the ability to select the best workflow to respond to a certain incident.

SOAR market direction

Gartner claims that SOAR is becoming increasingly prevalent in the cyber industry and that the SOAR market is growing steadily, but it’s still most commonly adopted by mature organizations. On the other hand, less mature organizations are showing the same level of interest in automation capabilities but having minimal practitioners, they are looking for MSSPs that manage SOAR tool and related services for them. The demand for SOAR is increasing among security providers like MSSPs, as SOAR plays a crucial role in aiding MSSPs in providing remote response services. This growth in demand for SOAR is due to the fact that MSSP clients require security services that provide the ability to optimally contain a threat.

An interesting fact underlined by Gartner is that SIEM vendors are adopting SOAR solutions into their environments, mainly as premium tools to operate alongside SIEM. This means that Security Orchestration and Automation (SOA) is becoming a feature provided in other security technologies.

How organizations should evaluate SOAR solutions

Gartner advises that organizations looking to invest in a SOAR solution should be wary of the expansion of the SOAR market and must take precautionary measures to define the best solution for their needs. The most important thing is to start by evaluating SOAR solutions based on their technical capabilities, which should include the fundamentals of SOAR:

• Integration capability

• Alert triage and prioritization

• Orchestration and automation

• Case management and collaboration

• Dashboard and reporting

• Threat intelligence and investigation

• Architecture (cloud and/or on-premises)

Furthermore, Gartner points out that SOC optimization, threat monitoring, investigation and response, and TI management are among the most common use cases mentioned by Gartner customers.

Sumo Logic offers all the mentioned capabilities with special consideration for human centrality, as well as the ability to add new integrations or tailor existing ones through code implemented by the Sumo Logic team itself. For a more precise and complete picture, the Sumo Logic team develops API connectors needed by organizations without developers.

All SOAR do playbooks, but automation is much more than that, and not everyone places as much emphasis on the human factor as Sumo Logic does.

The Sumo Logic SecOps dashboard is the perfect example of human centrality approach because leveraging automation capabilities allows analysts to:

• Skip repetitive and time consuming tasks

• Have all high-value tasks in one place, including choises and manual executions

• Quickly analyze all collected information for making intsightful decision

• Search information using search query bar

• Have a complete and detailed picture of a specific incident process in the war room

Gartner SOAR Market Guide recommendations

Gartner reminds us that the core of SOAR revolves around four main pillars:

• Workflow and collaboration

• Ticket and case management

• Orchestration and automation

• Threat intelligence and management

Moreover, Gartner continues to offer valuable insights to help SRM leaders choose ideal SOAR solutions based on clear characteristics, such as:

• Pricing model aligned with the needs of the organization

• Capability to optimize the collaboration of analysts through a chat or any messaging solution

• Capability to easily create playbooks (through code or no-code techniques) based on the organization’s actual processes

• Compatibility with the already established security tools and environment

• Flexibility in terms of deployment and hosting options (cloud, on-prem and hybrid)

• Offering of use cases that complement the people, technologies, and processes vital to the organization’s security

Overall, Gartner recommends that SRM leaders choose a SOAR solution that is compatible with the technologies already installed in the working SOC ecosystem.

SOAR vendors that provide further insight into the SOAR market

We should note that the Gartner 2022 SOAR Market Guide doesn’t rank or position vendors, yet it includes vendors that provide different offerings to the SOAR market in a beneficial manner. Gartner specifically states that it commonly underlines the attributes of representative vendors that most closely illustrate the marketplace trends.

We are happy that Sumo Logic has once again been included in Gartner’s SOAR Market Guide, as our innovative and pioneering Cloud SOAR solution continues to grow and play a pivotal role in the advancement of the SOAR technology and industry.

To learn more about how SOAR can benefit your organization, read how to calculate the ROI of Cloud SOAR.