Welcome to the KuppingerCole Analyst Chat. I'm your host, my name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole Analysts. My guest today is John Tolbert. He is an analyst and advisor working with KuppingerCole, and he is based in Seattle. Welcome, John.
Hi Matthias. Great to join you again.
And great to have you again for a long-distance podcast episode. We want to talk about yet another four-letter acronym: we want to talk about SOAR, S-O-A-R. You just published a Leadership Compass in that area, so there is a market segment.
What is SOAR? What's behind this acronym?
Sure.
Well, SOAR stands for security orchestration, automation and response, and these tools have shown up in the last three to five years as, I would call it, an add-on, not a replacement for but an augmentation to SIEM tools, security incident and event management tools, which are repositories of theoretically all the security event data and log files from all the different servers, cloud servers, network devices and endpoints in an organization. But SOAR tools are designed to be like a centralized console for all or many different security tools.
And that allows companies that deploy them to consolidate their views of their security infrastructure. So SOARs are mainly used by security analysts for doing investigations and sort of keeping an eye on the organization, and therefore they are also tools that are becoming more and more used in SOCs.
So it's this single pane of glass giving insight into more than one SIEM system. So it's really the tool that analysts would then use, as you said. It's really a unifying, next-generation, intelligent platform on top of SIEM. Am I right?
Yeah.
Yeah. I think that even if you have a single SIEM product, most organizations are going to have other tools like endpoint protection, and that has a console.
You may have network detection and response, and that has a console. Of course the SIEM has a console.
So if you're in a SOC and you see tons and tons of screens around, they're all running different administrative utilities. The idea behind a SOAR is that if we can centralize that and use the SOAR platform as a way to pull in data from SIEMs, from endpoint protection consoles and network detection consoles and things like that, then that will give analysts, yes, the single pane of glass, but they're also designed to go over and above just that. It's not just a way to view it, but let's say an analyst sees something going on that might be suspicious.
SOAR tools can also do things like proactively start an investigation, go out and grab the relevant threat intelligence and pair that up on the screen with the actual events that are taking place. So it's a way of automating, and that's the AI part, some of the initial forensic discovery process. And the more sophisticated products there will do things like not only pull that threat information together and tie it to what's actually being seen in the organization, but rate that, do triage and maybe even suggest courses of action.
The key to SOAR then is really how many connectors and what kind of connectors it comes with. You've got a wide smattering of security tools that are out there, like endpoint protection, endpoint detection and response, network detection, email and web gateways, vulnerability scanners, intrusion detection, firewalls, networking devices. All those things kind of need to flow up to a SIEM, but it also needs to interface with them, usually via APIs, and allow the SOC analysts to kick off actions in those downstream systems.
So I think the connectors are really the key to a successful SOAR product.
Right. And what you just described: when we do a Leadership Compass, we usually also describe the market segment and the key features to look at when you analyze these tools. So what you just mentioned, I think that is one of the key sets of features that these products need to provide: this connectivity, this interoperability, to work on top of the data provided by all these different systems.
When you did this research for the Leadership Compass, what is, from your perspective as of now, you've mentioned it's three to five years that these products have been around, the current state of SOAR when it comes to maturity, to availability?
Well, I would say the tools are maturing, but they're not quite mature yet. Not all of them, at least. Some are obviously better than others in terms of all the features that they have.
But I think that there are like three major backgrounds that companies in SOAR have come from. The first might be those that are specializing in it,
the companies that looked at the state of the SIEM market and said, this is sort of insufficient, we need something above and beyond SIEM. There are also companies that have SIEM products and, I won't say SIEM 2.0, but perhaps they see that there's additional functionality that's needed.
So some of the SIEM companies are building SOAR capabilities into their platforms. Many of the large network security stack vendors are either building or, more likely, buying this kind of functionality in the marketplace so they can add it to the stack.
Oh, and there's another category of SOAR vendor, which is the threat intelligence platform. They specialize in curating threat intelligence and making it available to SOC analysts. Some of those platforms are also SOAR products now as well. So they're expanding their APIs such that they can kick off actions in downstream systems, as well as pulling in the threat intelligence and presenting it to the analysts.
So yeah, I think there's room for growth in the SOAR market in terms of just market share itself. And there are probably going to be additional companies developing products in that space, and probably additional merger and acquisition activity as well.
Right. So it is an emerging market. And what I like in the talks and the chats that I have with you is that you always find that grain of salt within the market area as well. So you say it is a maturing but not yet mature market.
And when you say that the products are not necessarily already where they could be, and with that the market evolution as a whole is not yet as grown up as it could be: what is missing in SOAR then?
I think SOAR is really all about the connectors.
There are some vendor products that are extensible, and by that I think they mean things like: well, if you've got a product and we don't have a connector for it, if you don't mind spending a few days coding, you can sort of build your own connector. But as an enterprise looking for a SOAR platform, I think you're going to be motivated to find something that has connectors for all the tools that you've got in place already, so that you don't have to spend time building and integrating your other tools.
And what I found in the course of this research was that many of the current SOAR products lack the connectors for a lot of the EU-headquartered and some of the APAC-headquartered security tool vendors.
I'll just list a couple here, like [unclear], Bitdefender, ESET, F-Secure, Kaspersky and Sophos.
These are huge companies that have thousands of customers and hundreds of millions of seats, and I think that SOAR products in general need to build connectors for those kinds of products. Really, until they do, I think they may have difficulty cracking, let's say, the European market more thoroughly. Like I said, it's about having connectors for the tools you have, and those are major security platforms, and they really need to be covered by SOAR products in order to succeed.
I fully agree.
And I think that is also where the value of such a Leadership Compass in such an emerging market really plays out its strength. So you really can use this research that you did and try to identify for which SOAR product there is already out-of-the-box support for the platforms that the individual organization has in place, so that they do not have to start coding, because especially in such a security-related area you really don't want to do coding when it comes to relying on that information to make security-related decisions afterwards.
So I think that would be the immediate benefit of your research for organizations currently looking into upgrading the security inside their SOCs when it comes to looking at a SOAR solution.
And from your perspective, are there already some of these products supporting these more European, more APAC-specific products?
There are a couple that have support for a few on the list, but by and large, mostly there isn't direct support today. I think it will come. I'm guessing that it is because of customer demand, and the SOAR product vendors are responding to what their customers are asking for. So I think that we'll get there.
It may just take a few months or a year or so, but I think there's a lot of potential value in SOAR products, especially for organizations that are larger, more geographically dispersed, trying to centralize all their activities in one or more SOCs, and that have a lot of different tools. SOAR platforms can help address some of the skills and personnel shortages if you can consolidate the view of all your tools into a single, very functional tool, so I think they can make organizations more efficient.
I think that SOAR products are going to be beneficial for, let's say, managed security service providers and SOC-as-a-service kinds of vendors that are out there as well.
So if somebody is starting a professional career in IT security, then SOAR products would really be something to look at, rather than just looking at SIEM products. So it's really something that is emerging and that will be around for some time, once they crack the European market as well.
Yeah, I think it will be around for a while, but we're already seeing some merger and acquisition activity in SOAR. Some of the larger standalone SOAR specialty products have been acquired by larger network security companies, and I kind of expect to see more of that over the next three to five years or so. I think it's going to be functionality that will be needed in the overall stack, and it will also be needed in what may formerly have been standalone SIEM kinds of products too. So the functionality will be coming because of market demand.
Okay.
And so it will be a functionality that many organizations will add to their security portfolio. So usually I ask the question if there is any research around, but as we started this discussion, that is of course your Leadership Compass, which is already published, I understand. Yes?
And it came out about a week or so ago.
Okay, perfect. So I would highly recommend to our audience that they drop by our website, KuppingerCole.com, type the four letters into the search engine, which is S-O-A-R, and get directed to your research around that area. Anything to add when it comes to our site and our research, from your side?
It is a very popular area. I'm sure that we will update that in the months and years ahead and continue to follow the market.
Perfect.
So, and when there are new vendors coming up, and maybe they are listening to this podcast too, just get in touch to make sure that they are also included in the next incarnation of this Leadership Compass. So thank you very much, John, for giving me an initial basis of information about this interesting security-related market segment.
And I'm looking forward to having you in one of the upcoming episodes again. It's always great to talk to you and learn more about these security-related products. Any final words from your side?
Well,
Thanks again for your time, and I look forward to fielding questions. If anybody has any, feel free to get in touch with us.
Yeah, perfect. I just cannot stress that enough.
Just get in touch. We are happy to lead a first discussion around this topic and many others in the areas of security, identity, governance, compliance, et cetera. So thanks again, John, and have a great day. Thank you. Bye.