GigaOm Radar for Autonomous Security Operations Center (SOC)v2.0

1. Summary

Autonomous security operations center (SOC) solutions reallocate security analysts’ processing power from conducting repetitive analysis and response tasks to only investigating incidents of significant interest and importance. Using correlation engines, calibrated alarms, workflow-based automation, integrations with internal and external intelligence feeds, and AI/ML-based operations, autonomous SOC solutions present analysts consolidated views of threats and act as a central management service for gathering information and resolving incidents.

The SOC will not—and should not—be fully autonomous. Instead, it should be given only the autonomy to deal with the biggest hindrance for analysts: volume. Tackling volume-based problems without automation can only be done linearly, by hiring more security analysts. However, high-volume, low complexity attack responses can often be fully automated, enabling businesses to dedicate analysts to truly important attacks, such as unknown or zero-day attacks.

The foundation of autonomous SOC solutions are technologies in use already today: security information and event management (SIEM) and security orchestration, automation and response (SOAR). Different vendor strategies leave many observers wondering “will they or won’t they?” on the question of whether the two solutions will remain distinct or merge. While this theme deserves further exploration, it is clear that a large selection of security players have successfully integrated these two sets of capabilities to form a solution that can help the SOC become more autonomous.

Historically, SIEM has been the center of operations for analysts, and it is still a viable and powerful tool today. Incremental developments mean that SIEM is still relevant, but its core architecture of collecting and sorting through logs is limited. Vendors of SOAR solutions have been trying to alleviate this issue; the initial approach has been to deploy a vendor-agnostic third-party SOAR solution that can intake a SIEM tool’s alerts and apply some sort of automation.

While this vendor-agnostic and standalone approach for SOAR has some distinguishing benefits, the opportunities unlocked by natively integrating SIEM and SOAR capabilities have been recognized by a wide range of security vendors. This unification is taking place through two methods:

• SIEM vendors acquire SOAR solutions and integrate both solutions into a single platform.
• SIEM vendors develop native SOAR capabilities within their solutions.

Security acquisitions make a lot of noise in the market, and SOAR acquisitions have been some of the loudest, which is why most practitioners in the space would expect the majority of vendors featured in this report to belong to the first category. However, if we filter out SIEM vendors that have acquired SOAR solutions but have not integrated them into a unified solution—such as Google, IBM, Fortinet, and Splunk, which we have removed—we quickly find that the majority of vendors featured in this report have developed their solutions in-house.

There’s also a third category of players that can enter the space, namely standalone SOAR vendors, whose event ingestion capabilities and integrations with security data lakes can deliver a comparable solution. This is a theme we expect to explore further in future iterations of the report.

To evaluate a solution in practical terms, we recommend parking the idea of “SIEM plus SOAR equals autonomous SOC” and thinking instead of the core capabilities that a solution needs to help relinquish repetitive tasks from security analysts.

This GigaOm Radar report highlights key autonomous SOC vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report, “Key Criteria for Evaluating Autonomous SOC Solutions,” we describe in more detail the capabilities and metrics that are used to evaluate vendors in this market.

This is our second year evaluating the autonomous SOC space in the context of our Key Criteria and Radar reports. All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

• Multiple ingest streams
• Tunable alarms
• Third-party tool orchestration
• Workflow automation
• Flexible storage
• Dashboards and visualization