Hi, welcome to the webinar, optimize Security with Security Orchestration Automation and Response. My name is Alejandro Leal, I'm a researcher Analyst at Coer Coal and today I will be joined by or, hi Aaron.
Hi Alejandro. Nice to see. Be here with you today.
Thank you. So before we begin, we will introduce some important information regarding audio control. You're all muted so there's no need to mute or unmute yourself. We'll be conducting a few poll questions, so I encourage you all to participate. We will also have a q and A session at the end of the webinar in the last 20 minutes. So you can enter questions at any time and we will answer them at the end and we will be recording the webinar so the recording together with the slides, they will be available in the coming days. So here's agenda. I will introduce the concept of SOAR and then I will also talk about the leadership compass that we published at the beginning of this year on soar. And then Oren will talk about how not all source solutions are created equal. And then he will talk about qra soar. And like I said before, at the end we will have time for some Q and A. So here's the first poll question and the question is, what are the key drivers for your decision to invest in source solutions? The growing number of threats, the need for centralized management to reduce incident response time or to increase existing stock efficiency? I will give you 20 more seconds and then we will proceed.
Okay, we can move on. So let's talk about the origins of SOAR and let's try to understand where it came from. Back in the days security information and event management solutions cms, there were were ultimately held as the solution for managing security operations. In many organizations, CMS are the foundation of security operations centers. However, the visibility of threats and events alone, it's not enough to tackle the modern cybersecurity threats that the current landscape is facing. Some of the major problems of legacy seams included the high deployment and operational costs, the skills gap and the lack of intelligence to, to tackle some of the more more modern cybersecurity threats. And that's when source solutions comes in. They, they were introduced a few years ago and essentially source solutions are trying to provide a centralized way to coordinate, collaborate, and manage forensic data and instant responses. So platforms try to facilitate workflows and streamlined processes.
Some vendors approach SOAR from a threat intelligence perspective and during our research that we have done here at Coer Coal, we have observed that many seams have proactively added SOAR features or they simply acquire SOAR vendors. So what exactly are so solutions? So R stands for security orchestration, automation and response. SO'S job is to distinguish between related and unrelated events. Across all connected systems is to assemble it coherently to enrich the event information by acquiring additional intelligence about observe entities to create and coordinate tickets with ITSMs and to assist human analysts by taking pre-program responses in playbooks. Sore solutions can make the job of the Analyst way better. They can reduce time and they can also provide them with more information so they can make better choices.
Of course there are many capabilities, but the ones that we described in this slide are the ones that we rated and assessed during our research on soar. This includes telemetry collection, correlation, enrichment, workflow orchestration, incident response playbooks, which I thought it was something very interesting how many of the vendors that we did research on, they all had a different approach on playbooks and it was very cool to see how they all do it. Automat analysis, case management, same integration, edp, E D, PT R, integration, email, web getaway integration, cloud integration, IM integration trade, trade hunting support for standards such as sticks, taxi and S, well-documented APIs. So functionality across multi-cloud environments. Mfa, comprehensive forensic tools, oops.
So like I said, these are the main capabilities that we observed during your research and something that stood out to me was how some vendors who tried to provide the best of breed approach, these vendors are mainly the ones who offer just soar. And then we also observe some vendors that have a CM in place and they also provide SOAR or some SOAR features. And I'd say that most of them have these capabilities listed here on this slide. So now moving on, these are the top five use cases categories for so R and this includes threat hunting, CTI management, investigations, automated automation and responses and management.
Many vendors target large organizations but due to the current threat landscape that we're facing, also small and medium organizations can deploy a source solution to protect themselves from the current threats that we're facing. And due to the geopolitical situation that the world is facing, many of these organizations, especially those that are in critical infrastructure industries, they can benefit by having a SOAR in place SOAR deployment. So many of the vendors that we did research on during the lc, they all understand that many organizations are going through a process of digital transformation and many of them require the migration from on-prem to the cloud. And that's a very important aspect that many of the vendors know and that's something they're trying to tell their customers because like I said, one of the main challenges of legacy solutions was the high deployment costs. So source solutions are trying to ameliorate that particular problem.
So why soar? Like I said, attacks are happening across the supply chain and we're going through turbulent geopolitical period where organizations need to protect themselves from either cyber criminals or rogue nations that foster cyber criminals. Here we can see that SOAR is becoming an essential security architecture component. It's not just for global and large organizations but it's also appropriate for many small and medium organizations from our current research. Here are some market observations. The first one, which is something that Oren will talk about more is that not all source solutions are created equal. So is still relevant and appropriate for organizations that have security operations centers and especially for those that have a an approach to a best of breed.
The store market is mature and as such has well-defined capabilities but many small and innovative companies are trying to do things, let's say a bit differently and trying to come with new ways of doing playbooks. For example, the solar market is valid globally, but we see the biggest adoption in the United States in North America followed by Europe but with growing presence in the APAC region and we do expect to see more organizations across the world adding SOAR to the portfolios. So now I'm gonna talk about how we did the leadership compass process. Basically we have nine categories that we use to measure the different solutions. This includes security, so what are the security requirements that we're looking for? Also functionality. We take a look at all the features and capabilities that we expect to see integrate integration you see delivered as an integrated offering. Interoperability, usability which is something important. How easy is it for users and Analyst to leverage.
Also we take a look at innovation at the market, how many customers have deployed the product in how many geographical regions does the vendor have presence in? We also look at the ecosystem and the financial strength after performing those assessments. Then we come up with four categories of leadership. First one is product leadership. So we looked at the functionality and completeness of that product, then we look at the market, then at the innovation leadership and then we rate and present the overall leadership. So this is essentially the process that we do. We do research on the market, we identify the vendors, we then send them a questionnaire and I think that many of you who have done briefings with us know that sometimes we can send a lots, lots of questions and we always appreciate that. And then we have briefings, then we analyze based on the information provided from all the vendors, we can always do a fact check. So some vendors who have questions or they would like to have a second call, we can also provide that. And then we publish the report and like I said, the report on SOAR was published in January this year.
So these are the vendors rated in the lc. There were 14 rated and nine vendors in the section vendors to watch. We see here the biggest players as well as some small but innovative companies. This is the overall leaders in lc four. The overall leadership is the combined view of product innovation and market and the leaders are primarily composed of well-established vendors but we can also see some small and innovative companies. Then we look at the product leaders and here we take a look at some capabilities that we believe are essential for so R for example, in this case responses, enrichment, case management, API support, Analyst interface, investigations, automation and trade hunting. So we use the questions from the questionnaire and the demos and the conversations we had during the briefing to assess these.
Then we take a look at the innovation leaders and there's a strong correlation between the overall product and innovation leaders. And then last but not least, we have the market leadership and this is based on financial strength on partner ecosystem, number of customers and geographical distribution. And like I said on the product leadership slide, here's an example of the spider chart that we present to the vendors and the spider chart is composed of the categories that I discussed earlier. Here we can see in the case of IBM they scored pretty well in all of the areas that we were looking for such as responses, enrichment, case management, investigations, et cetera. So now we will proceed with the second poll question and then I will give the floor to Warren. So the question is, what Roy impact do you consider most important to justify investment in source solutions, reduce incident resolution time, maximize staff productivity, cost savings or other? Okay, thank you for your participation. Oren, the floor is yours.
Thank you everyone for joining us today. As mentioned, I am Oren, I lead the product management team at I B M qra ar. So very happy to be here. And can I give you a bit of a view of our solution and we've been working with the Kuppinger call team, very happy with our position in in this report and you know like very excited to like show the the participants here and everyone watching this webinar, what exactly is Keira our soar? So I know there was a poll question about some problems but things that from an I B M perspective, we've noticed, and I'm gonna really breeze through this slide here, but just to set up the stage, you know we all know the security operations problem statement these days. A lot's going on in asoc. You know, we see organizations adopt cloud moving to hybrid models.
We talk, keep talking about the skills gap that's coming in and like we ca heard before, like if you have a best of breed approach, a lot of the times you would buy a lot of tools that don't really connect to one another and you really need the right people and expertise to manage them. It actually results with information overload in the soc. We've seen it also with our own MSS team here at I B M. We see it when we talk to clients. You can see the same thread appear to you across different tools in lot of different alerts. So as a source solution we we do have that role of orchestrating and correlating some of this information and presented it very effectively. So as we've noticed, you know, about a half of organizations that we've been talking to have a big struggle with detecting responding to threats and when we do have like launched our new offering and I'm gonna talk about it, you know, we really wanted to put the Analyst in the center of it all and provide a unique approach on how to do proper incident response and of course bringing in concept from so orchestration automation and all the things that we have been scored on the Cpin Jericho report here.
So if summarizing some of the points that I made about current security operations and the problem statement, you know, we've got one or two change the paradigm. We're seeing a very technology focused socks, you know, a lot of different tools like I mentioned a lot of distractions in the SOC team and even with the skills gap and the the struggle to keep up, you know, you always need the hero or someone who is a very specific expert on the tool to really get the right value out of it. A lot of these tools that clients have also don't really talk to one another or does don't have the right set of integrations to really enable all those workflows. So when Weka wanted to modernize our store solution and the threat portfolio here at I B M, you know we wanted to take the approach of putting the Analyst Analyst in the center and I'm gonna talk a lot about the Analyst Analyst experience here through my talk track.
We wanna make sure that Analyst that use our solution, you know, gain the best value and outcomes and have a unified workflow. We wanted to bring in the best of breed from IBM either from our expertise and content, our AI capabilities and of course blending in automation and context wherever we can through the experience. And as we've done that, we also been looking at open standards. So the ability to have a community behind you that can collaborate with you and provide more content and ca force multiply basically those outcomes. Also leveraging different standards that allow Analyst to learn the tool and be able to get the best value out of it as soon as possible.
So we have made the announcement more more than a week ago about the new cleared suite. This is basically reimagining of the threat management portfolio here at I B M. We have a set of solutions spending from E D R A logging solution that we just launched our SIM of course. And so qed so also some of the market knows as resilient have been completely modernized and brought into assassinated architecture. Taking this approach, we've really wanted, like I said, put the Analyst experience. So a lot of our design efforts were around making sure that the Analyst Analyst using the tool can have the best decisions in front of them, have a streamlined approach and give a lot of our automation, AI and expertise through that. Also, of course with our thread intel from X-Force ability to connect to other thread intel sources always expand that experience.
And also we wanted to maintain open so as a solar solution, specifically integrations matter. So have the ability to connect to other tools seems and EDRs the client already have and give tho them the right outcomes. So the experience and outcomes that they should expect should not change if they have a different SIMM or a different tool connected to this environment. Also we have a unique feature called federated search. I'm gonna talk about it a little bit further, but it allows us to connect to different data lakes and Simms and bring in the right context and support investigations to these analysts as well.
So double clicking on Q. So really the value proposition as you can see on the screen and how we've modernized our, so to be able to support ats, you know we're giving them a modern case management experience, no more, a lot of different incidents to take a look at. But one case that can correlate a lot of those alerts and findings into one unified threat, it's already enriched for the Analyst. They already see some automations that's been running on that case. They can see how it's mapped to mire. They can see different severities in IOCs and also understand exactly the right thread intel sources that contributed to this decision. A a more manner to manage your tasks and responses and Annette new here, automated investigation so a case can be automatically investigated. So building the right narrative and showing the Analyst exactly the thread and how it's been progressed, literally been moving through systems.
For example, the different alerts that really constructed and builds the picture. Every step is explainable NBT mir. And the nice thing here actually we're showing and giving recommendations of responses. So really an application of our AI work here at I B M given the right recommendations to the Analyst Analyst at the right time. And of course for automation and playbook. So for more complex use cases and business logic and be able to customize your environment and responses to your needs, we have a modernized award-winning playbook design solution as well. It's all one workflow and one streamline.
So talk about the unified Analyst experience. This is very unique. It is something that we are providing to every one of our threat portfolio solutions, so included. And so really with that approach really become supercharged and I think the visual here speaks for itself. But you know, we have done a lot of research and also seen patterns in how Analyst work in the soc. A lot of pivoting between tools, investigations happen in different tools, you know sometimes like maybe there is a client that have a seam at the center of the sock and they need to also pivot to the other. So, so we really wanted to streamline that and actually take the approach of how much time would it take us to respond to an incident. We've seen the pattern that it can take an average about eight screens, 19 different steps, hours sometimes to close an incident.
And really our approach here, trying to minimize the pivoting and having one screen of course as much as we can reduce the number of steps significantly and of course reducing the response time from hours or days to merely minutes. How do we do that? So like I said, we've really taken a lot of research and talking to our clients and business partners and testing a lot of those concepts over the, the last two years we've reinvented our case experience and provided a u a common UX that provides better explainability. So the ability for analysis to drop in and understand what happened right away. I talked about having an enriched, prioritized case that gives them that narrative. I talked about automated investigation and giving them the right recommendations where they need to. And the power of federation is very, very important here as well. This supports bringing the right context, the right data at the right time into that incident.
Also helps EL to bio so that now supports the threat hunting capabilities across different systems. And the output of these is one normalized, enriched schema that is easy to understand and also easy to contextualize and anti that case and investigation. Some reactions we've seen from users and partners that's already been using our new unified Analyst experience really shows the value of that. One of our quotes here talk about that idea of implementing this approach helped our client to basically they see it as equal to five additional FTEs and made the people's job faster and better. This is a quote for one, one of our clients as I said, we're taking also some of approaches with AI and automation. So this is a vision side but you know some of these are already implemented into the product. Be able to correlate cases effectively, be able to provide the right recommendations and responses to the Analyst at the right time. We really try to map some of their journey in the SOC and given them, you know, what the, given the helping hand and assistance in all different use cases. This is powered by automation and AI models that we have and of course we have more plans to extend that.
Just double clicking on our playbook design experience. So this is also another reinvented experience that we have in the last year and a half and it's already been winning two design awards. So what we've done, we really wanted to streamline that experience of building automations and bringing it downstream to the Analyst. So this is a canvas that you know, we completely modernize and build to help streamline that approach to building that automation, having all the right tasks and widgets and tools in one place. Our playbooks are also dynamic. So when we're thinking about automation we also take into consideration the changing nature of a case or an incident. So we really wanted to have an automation solution that reacts to it. So our clients build automations, they, they know that they will be triggered exactly when the change occurs in the incident to be able to have the right automation turned on.
We also have ways for clients to adopt automation and build confidence with it. Like you don't have to automate everything. You can also create playbooks and trigger them manually through your process before you really fully automate. And also we wanted a reusable solution. So an approach to having an ability to build one snippet of a playbook, one process and reuse it in different contexts cuz our clients also want a lot of ability to customize, but also we didn't want 'em to build the same process over and over again. So also we can able to support that.
Another unique feature for Q Soar is our privacy enrich response module. This is a very interesting concept where we, we wanna bring in more users outside of the SOC to collaborate with our SOC team. So our tool provides, you know, more than 180, actually it's about 200 today global requirements and notifications and and response plans to those regulations for privacy. So what happens is if an Analyst sees that there might be a data breach as part of his investigation with one click of a button, this will audio populate the case with all the right response actions and documentations that is required by regulation to be, to report on that brings in more people working together and collaborating on a case. So, and of course helps unify that process and have a repeatable auditable process for that.
And the last piece about, so we talk, keep talking about being open in integrations, right? So definitely integrations is very important when we're talking about a so solution today. So you know, we see it as I B m that security is a team sport. We really invested and have a very wide ecosystem of partners that help us enhance and enrich our products. So included right now we have hundreds of integration of course we keep adding more and more. We are working with our clients to add and prioritize integrations that they want. We also enable clients to build integrations that are accustomed to them as we've built and our new offering here at our store. We also bet on open source and open community solutions. So I just wanna talk about that. Kaka shown and mentioned Mir i b m has also been a founding member of the Open Cybersecurity Alliance and that enabled us to bring in a lot of concepts that have been admitted as a open, open cybersecurity solution and baked it into our product. That means that we have a community of practitioners that support those tools. Federated search, for example, is a result of of an open cybersecurity alliance project. It enables our practitioners to have, like I said, a community of practitioners that supports them, kind of like attackers work together. We really think that having an open community and open approach to cybersecurity allows us to collaborate and also have, you know, a, a better approach to our SOC team and giving them the right content.
So just a few words to summarize here, just things that I mentioned in this presentation about our, so really the approach is to have a streamline and efficient SOC and really help our clients with our detection and specifically we saw with response and investigation. So leveraging the right thread intel sources with X-force here at I B M and other thread intel sources into one system. Leveraging AI where you can is very important. Helping investigation and automating as much as you can, automating and enriching cases, automating the investigation process, providing explainability on what exactly happened so our analysts can respond quickly to what they see. And of course building the right automations right, be able to enhance that response capability with the right playbook and the right automation capabilities in, in our Analyst fingertips. So really giving the people process and technology a way to show itself in, in the incident response process some more results that we've seen really implementing those concepts.
And this is from some of our case studies with our clients, we've seen 85% reduction in the initial response time. Also 75% risk reduction, sorry, in risk of security incident happening as well. So summarizing the noca one, two, I wanted to show the same view that the KuppingerCole team here Alejandro showed about IBM's position. A lot of those concepts we've shown the KuppingerCole team of course there's a lot new stuff here that we will show them in the future. Very excited. We've seen, as you can see a lot of those concepts also check a lot of the boxes around threat hunting, investigation enrichment and all the things that the, the team here have been looking when they've built the report. So that was my briefing for the day. I will hand it over to Alejandro for q and a here.
Thank you. Or maybe perhaps we jump into the questions. I'll just share some information quickly from keeping your call. This is Casey Open Select and it can help you optimize your decision making process to select solutions. We recently did password authentication and privilege access management and I really hope to see SOAR at some point coming up. We have a cyber revolution event taking place in November of this year in Frankfurt. Next week we will have the I European Identity and Cloud conference in Berlin. So I'm really excited to see people from the store community there and hopefully in November as well. And yeah, just a slide on cooking a call. What we do, we do events, research advisory and webinars and here's the related research. You can find the leadership compass on our website and other documents on soar. So now we can jump in and check the questions. I believe there's a few for you Aaron, and for me as well. Maybe we can start with one question for you. And this person is asking, does curators or integrate with other threat intel feeds?
Yes, absolutely. We have several threat Intel feeds outside of X-Force. What our clients are getting is X-force when they buy a solution, but definitely an open approach to integrate with other thread intel sources. That's part of our integration ecosystem. So definitely yes, the answer is yes sir.
Got it. The next person is asking, I guess it's asking me why do I consider IBM curator and overall leader? What stood out to me? I'd say something that or mentioned, I think that the fact that you guys are strongly committed to open security by being a founding member of Open Cybersecurity of the Open Cybersecurity Alliance, the fact that you can promote collaboration among partners and other organizations, it really puts you at the forefront of the conversation. The tight integration with the X Force trade intelligence platform was also something that stood out to me. I thought that brings very good capabilities that perhaps lacks in in other vendors and the dynamic and adaptive playbooks. I know that or briefly talked about them. That's also something that stood out to me. Okay, next question I believe is for you. Does qras or support Ms. SSPs?
Yes, I think for the sake of time we haven't mentioned this capability, but definitely we do. We have a lot of successful implementations with SSP business partners. Also the I B M MSS team also uses our, so of course drinking our own Kool-Aid here. But yes, we do have support for MSPs in briefing the idea with MSPs. They get a very easy way to manage and see those cases across their clients. Assign Analyst, be able to drill down and have, you know, high level reportability. So yes, we, we definitely have those and very successfully deployed.
Okay, I believe we have two more questions for you. This person is asking, my organization has a defined process on how we tackle specific incidents. How easy it is to build and customize playbooks in Curator or
Yeah, so as I said, should be very easy given the right of course integration. So the tools you're using, we are really focused on having that experience to be as easy as possible. So someone that doesn't know even how to code sometimes a lot of automations and source got go back is going back to scripting. Should, should be easy enough. But I think a lot of our clients have their own processes, right? So every process for itself. So you can build very simple playbooks, you can also build very complex playbooks and go beyond and start adapting scripting and customizations on top of that. So it's really picking and choosing based on your level of expertise in the process you're trying to build. But yes, and just another word that our intention with Playbook Designer is to make it simple. So in every release, in every quarter it becomes better and better for our clients and, and we're working very closely with our users to make it, give them the value that they need.
Thank you Iran. And the last question, it's also something you already talked about and perhaps it's something that also stood out to me when I had the first briefing with you is the question is how does the Porwal keep up to date with privacy regulations?
Yeah, that's a great question. Very unique value proposition actually. We have privacy Analyst Analyst working on my team to help update the content that we're pushing into the product. So we do push it on a monthly basis actually ahead of time. A lot of those regulations change so our products are updated on monthly cadence and as they are, they are ready to change and trigger that response at the right time when the new regulation or changing regulation happens. So that we do keep up and that's, that's like I said, a great unique value proposition.
I'm sure that your European customers really value that. I know they are always asking about gdpr. Okay, perhaps the last thing that we will do is maybe discuss the results of the poll questions. The first question was why would you invest in a source solution? And it seems that the answers were all split 20% for growing number of threats, but the one that had the most votes was the need for centralized management with 40%. Are you surprised to see that Oren?
Not, not really. I think, I think it's, it makes a lot of sense as a result,
Right, right. Yeah. We also have 20% for reduced incident response time and 20% for intention to increase existing SOC efficiency.
Which which which is, this is why I find it a bit interesting because you know, part of my talk track and how I'm would position so is about SOC efficiency in a way. I think efficiency is a very broad statement. It has a lot in it, but yeah, it's definitely in the end of the day, this is the outcome that we would expect to see clients using effectively as our solution. So
Absolutely. Okay. And the last Paul question was what raw impact do you consider most important to justify investment in source solutions? And the number one answer was maximize staff productivity with 50% of the answers. I think it makes sense.
Yeah and very much align with how we've talked about unified Analyst experience. Just from that approach of we wanna make sure that productivity, also, going back to my point about efficiency is growing and, and having a tool that helps giving at least all the help that they need helps them use their time to higher value activities of course. So definitely maximizing productivity in our market in in the skill, again, skills gap and resource con constrained clients that we have. Definitely we want a solution that helps them do that to make, make the, the r o i here. Make sense?
Great. Alright. I believe that's all from us. Any last comments a before we wrap up?
Yeah, again, I just wanted to thank everyone that joined and enabling in the calculation into a KuppingerCole view of the SOAR market, the BM approach. I am available if anyone wants to reach out and and kaar more. And thank you for the opportunity to present today.
Thank you Aaron. And if anyone would like to take a look at the report, it's available on the website and you can find more about B m qra there. And I know you guys are making announcements every now and then and are updating your solution, so looking forward to what you guys are doing. So thank you Aaron. You're
Welcome.
Bye.
