The year 2020 was a rollercoaster ride for all of us across the globe, and the challenges persist into 2021. Security analysts and SOCs faced a new set of obstacles, including the advent of COVID-19-related phishing attacks and increased security risks as a result of more employees working from home. Unfortunately, these new challenges did not negate the old ones. Security teams today are still overwhelmed by a never-ending barrage of cyberattacks, immense workloads, and fast burnout rates.
This is not a sustainable working environment and teams must find a new apparatus to tackle the abundance of incoming threats and security alerts. Many security analysts have realized, especially over the past year, that adding a security orchestration, automation, and response (SOAR) tool to their toolkit can help decrease workloads, respond to incidents faster, and automate alert triage, investigation, and response.
Gartner recently released their 2020 SOAR Market Guide. It provides valuable insights into the must-have capabilities provided by a SOAR, the trajectory of the technology and marketplace, and recognizes Splunk Phantom amongst a representative list of SOAR vendors in alignment with Gartner’s vision.
Let’s take a look at a few notable insights from Gartner’s research:
1. “Orchestration and automation, basic incident/case management, and operationalizing threat intelligence are ‘table stakes’ for SOAR tools.”
Many security teams turn to SOAR solutions to help reduce alert fatigue, mean time to respond, and overall workload. With orchestration and automation, analysts no longer have to spend hours manually executing actions across a multitude of point products to investigate and remediate threats. Instead, the analyst can have a SOAR tool automate those actions, without human interaction, across different products in a matter of seconds. This not only saves time, but frees the analyst to focus on mission-critical tasks.
Capabilities such as automated alert triage help the analyst prioritize the highest risk alerts; case management helps analysts coordinate a comprehensive investigation or response at a faster rate; and automated threat intelligence empowers analysts to make better educated decisions backed by data.
Based on Gartner’s recommendations for evaluating SOAR capabilities, Splunk Phantom offers all of the above and more, including:
- A fully integrated intelligence assistant that leverages machine learning to provide suggestions on how to help investigate, contain, and eradicate a security incident
- A visual playbook editor for creating playbooks with drag and drop elements
- Modular workbooks that are reusable and customizable templates for process documentation
- Custom function blocks for easier playbook creation and execution
2. “SOAR tools are still primarily leveraged by organizations with a security operations center. Use cases to support security operations beyond threat monitoring and detection, threat intelligence, and incident response and threat hunting are still nascent.”
Some of the most common security use cases for Splunk Phantom customers include alert triage, ransomware response, and phishing email triage. And although most of the use cases for orchestration and automation in the market are security related, our customers regularly use Splunk Phantom for non-security use cases such as ticket creation and processing, service monitoring and investigation, and network access control.
3. “Security information and event management vendors continue to add SOAR capabilities via acquisitions, OEM agreements or internal development; however, the solutions are still primarily sold as premium add-ons and not being merged with SIEM tools.”
SIEM and SOAR technologies, when used together in a security workflow, greatly complement one another. The SIEM collects and organizes information and detections from your various security tools, analyzes that activity, provides insights, and then generates alerts. The SOAR tool then automatically triages those alerts and orchestrates automated responses to them. In other words, while the SIEM “observes” and “orients” the security team to potentially malicious activity in their environment, the SOAR tool automates the decision-making and the actions (executed by your other security tools) needed to resolve that activity.
Splunk is one of the few vendors on the market that offers both SIEM and SOAR in their security portfolio. We are proud that Splunk Enterprise Security is recognized by Gartner as a leader in the 2020 Gartner Magic Quadrant for SIEM.
To learn more about the general market trends for SOAR, investment recommendations, and how Splunk Phantom aligns with Gartner’s vision for SOAR, download a complimentary copy of the 2020 Gartner SOAR Market Guide.