Key Criteria for Evaluating Autonomous Security Operations Center (SOC) Solutionsv2.0

1. Summary

Autonomous security operations center (SOC) solutions converge security information and event management (SIEM) and security orchestration, automation, and response (SOAR) capabilities into a single integrated solution used by security operations teams. Vendors that integrate SIEM and SOAR enable autonomous SOC solutions.

Facing a shortage of security analysts and the long time to value when deploying multiple tools, SOCs need a single solution that can provide end-to-end visibility, response, and automation capabilities. These functionalities can be met by SIEM and SOAR tools, but there is value added from hosting both of these tools’ feature sets in a single platform.

SIEM solutions have been the main monitoring tools for SOCs. As they observe more complex infrastructure and deal with an increased number of security events, SIEM solutions have evolved to cope. At the same time, security analysts have been dealing with increasingly complex processes for alert tuning systems, investigation, and threat hunting. Responding to that complexity, SOAR tools have been deployed to complement SIEM solutions and help analysts manage events more efficiently.

This two-solution deployment of standalone SIEM and standalone SOAR worked well in the second half of the 2010s. However, in the early 2020s, we’ve seen SIEM continue to evolve, now natively including SOAR-like capabilities. This change has taken place through two main avenues:

1. SIEM vendors have acquired standalone SOAR tools—a large number of acquisitions in the space brings point solutions for SOAR under the same umbrella as SIEM tools. Emergent solutions work on integrating the two tools more closely, either as a combined solution or by offering SOAR access at no extra cost.
2. SIEM vendors are natively developing orchestration and automation capabilities—this is a natural evolution of SIEM tools, and their feature expansion involves slowly taking on SOAR capabilities.

As these two markets are blending, it will be increasingly difficult to talk about SIEM without talking about SOAR, and vice versa. As the market currently stands, there is still a place for each individual tool, but we expect further convergence to favor end-to-end tooling for managing security operations.

A combined SIEM and SOAR solution will make up most of a SOC analyst’s daily toolset. We can define this category as “autonomous SOC solutions.” These act as the center of daily activities for a security analyst, enabling them to capture their processes and perform their most common tasks from a single solution that provides both visibility and orchestration capabilities across the whole IT environment.

This is the second year that GigaOm has reported on the autonomous SOC space, and the need to manage large amounts of security incidents with limited numbers of analysts has continued to grow. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Key Criteria report details the capabilities (table stakes, key criteria, and emerging technologies) and non-functional requirements (evaluation metrics) for selecting an effective autonomous SOC solution. The companion GigaOm Radar report identifies vendors and products that excel in those capabilities and metrics. Together, these reports provide an overview of the category and its underlying technology, identify leading autonomous SOC offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.