Modernizing Security Operations with SOAR

Featuring Research From Forrester

Now Tech: Security Orchestration, Automation, And Response (SOAR), Q2 2022

Forrester’s Overview Of 31 SOAR Providers

Introduction:
“According to Forrester data, one of the top three challenges security teams face is day-to-day tactical activities taking up entirely too much time. SOAR (security orchestration, automation and response) technology can provide security teams with a way to automate some of these repetitive tasks and coordinate across their tools.

In the following report Forrester examines the SOAR vendor landscape, analyzing vendors to assist security and risk professionals in ass
can expect from a SOAR vendor and providing direction on which vendors to select from.

Forrester Research lists Siemplify (Google Cloud) as a midsize ($10M to $30M in annual revenue) SOAR pure play vendor in Forrester’s O
Providers, Q2 2022 report authored by Allie Mellen with Joseph Blankenship, Alexis Bouffard, and Peggy Dostie. It is worth noting that Sie
Google Cloud in January 2022, prior to the report publication, and is no longer a pure play vendor. To learn more about the acquisition,
official announcement here.

Security and risk professionals looking at SOAR solutions should consider Siemplify SOAR as part of their evaluation. Siemplify unifies d
full visibility and context, automates the tedious to free up time for more strategic initiatives, and speeds response from hours to second
teams looking to better manage security operations and improve response time, support a wide range of company sizes and industries
organizations to the largest enterprises, from retail to software to services and everything in between. Below is more detail on how we h
SOAR product expectations.

Triage And Consolidate Alerts

Siemplify SOAR ingests alerts from your SIEM, EDR or another alert generating tool to automate alert triage. But we do this in a unique w
paradigm by focusing on applying context to a threat-centric approach. Why? Focusing on alerts is mind numbing and inefficient. Each a
separate case for investigation, introduces a number of analysts working on related alerts, and ultimately lengthens the investigation an
moving to a context-driven, threat-centric approach teams can focus on what’s important instead of drowning in analysis. Our patented t
groups related alerts into a single threat-centric case, reducing caseload, improving efficiency, allowing for a single analyst to work the c
overall noise for the SOC dramatically.

Customize Enrichment
Siemplify enables security teams to conduct context-rich investigations. Analysts can easily visualize the most important contextual data
what and when - and the relationships between all involved entities attached to an event, product or source. Siemplify SOAR also enable
security operations with embedded threat intelligence. Teams can automate the collection and management of threat intelligence from h
such as VirusTotal. Siemplify turns threat intelligence into machine-readable form, normalizes data across sources, enriches it with threa
TTP information, then deduplicates it and removes false positives. Threat intelligence is then scored for confidence and severity.

Orchestrate (And Automate) Response

Siemplify’s intuitive playbooks provide the backbone for orchestration and automation. With playbooks teams can build repeatable, auto
processes and orchestrate hundreds of tools they rely on with simple drag and drop capabilities and reduce the amount of human interv
to-day tasks for more predictable and rapid incident response. Analysts can also opt to have human intervention inserted in key parts of
enabling them to make a final call and take action with a single click and execute remediation actions - such as isolating an endpoint, blo
user passwords - without leaving the Siemplify SOAR platform. Siemplify SOAR further provides playbook lifecycle management capabil
reusable blocks, version control and rollback that enable the user to easily scale and maintain their playbook library.

Your SOAR Partner

We create long-lasting partnerships that ensure you get the most out of your investment.

From Fortune 500 firms to global MSSPs, Siemplify SOAR is behind some of the world’s best security teams. Join customers such as He
Cyberint and others on your SOAR journey today. Learn more about Siemplify SOAR with our product tour, try Siemplify SOAR for free

REPORT

Now Tech: Security Orchestration, Automation, And Response (SOAR), Q2 2022
April 14, 2022

Forrester’s Overview Of 31 SOAR Providers

by Allie Mellen
with Joseph Blankenship, Alexis Bouffard, Peggy Dostie

Summary

You can use security orchestration, automation, and response (SOAR) to triage and consolidate alerts, customize enrichment, and orchestrate and automate response. But to realize these benefits, you’ll first have to select from a diverse set of vendors that vary by size, functionality, geography, and vertical market focus. Security and risk professionals should use this report to understand the value they can expect from a SOAR provider and to select one based on size and functionality.

Automate Repetitive Security Workflows With SOAR
According to Forrester data, one of the top three challenges security teams face is day-to-day tactical activities taking up too much time. Security operations teams struggle with constant alerts, manual investigations, and a dizzying array of tools to respond from. SOAR technology provides security teams a way to automate some of these repetitive tasks and coordinate across tools from a single technology. Forrester defines SOAR as:

Automation technology that integrates with third-party tools across the security and business ecosystem to triage, coordinate, and take coordinated, playbook-based action to security events. The goal of SOAR technology is to make security operations faster, less error-prone, and more efficient.

When clients implement a SOAR offering, they can expect to be able to:

Triage and consolidate alerts. Security teams use SOAR to automate alert triage and to deduplicate alerts coming from a variety of different toolsets such as SIEM, EDR, NAV, and email security.

Customize enrichment. Security teams use SOAR to enrich detections with additional context, such as bringing in threat intelligence or making a determination on the risk level of an indicted phishing email.

Orchestrate (and automate) response. Security teams use SOAR for ad hoc orchestration of response actions across third-party tools. Teams more amenable to automating response use SOAR to take automated response actions such as isolating an endpoint, restricting user access, or forcing an identity-based action (like a password reset or multifactor authentication).
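The two triage stages that both the Siemplify sections above (alert grouping into a threat-centric case; threat-intelligence normalization, deduplication, false-positive removal and scoring) and Forrester's first two expectations describe can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not Siemplify, Google Cloud or Forrester code and models no vendor API. Every alert, hash and feed entry is constructed sample data, and the alert and intel field names are a hypothetical schema. Alerts are deduplicated on their identifying fields, then joined into cases through the entities they share (host, user, file hash), and each case is enriched from a merged intel set whose entries are normalized so that two feeds reporting the same hash in different casing collapse into one record carrying the highest confidence and severity seen.

```python
"""Toy SOAR-style triage: dedupe alerts, group them into cases, enrich from intel.

Added example for illustration only; not vendor code. All data below is constructed.
"""
from collections import defaultdict

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed alerts as a SIEM/EDR feed might emit them (hypothetical schema).
SAMPLE_ALERTS = [
    {"id": "a1", "source": "EDR", "rule": "suspicious_powershell", "host": "ws-042", "user": "jdoe", "hash": "DEADBEEF" * 8},
    {"id": "a2", "source": "SIEM", "rule": "rare_parent_process", "host": "ws-042", "user": "jdoe", "hash": None},
    {"id": "a3", "source": "SIEM", "rule": "rare_parent_process", "host": "ws-042", "user": "jdoe", "hash": None},  # re-fired duplicate of a2
    {"id": "a4", "source": "EDR", "rule": "lateral_movement", "host": "srv-db-01", "user": "jdoe", "hash": None},  # shares user with a1/a2
    {"id": "a5", "source": "EMAIL", "rule": "phish_link_click", "host": "ws-107", "user": "asmith", "hash": None},  # unrelated
]

# Constructed intel entries from two feeds, deliberately inconsistent in casing and confidence.
SAMPLE_INTEL = [
    {"indicator": "deadbeef" * 8, "type": "sha256", "source": "feed-a", "confidence": 80, "severity": "high", "ttp": "T1059.001"},
    {"indicator": "DEADBEEF" * 8, "type": "sha256", "source": "feed-b", "confidence": 60, "severity": "medium", "ttp": "T1059.001"},
    {"indicator": "srv-db-01", "type": "host", "source": "feed-a", "confidence": 10, "severity": "low", "ttp": None},  # too weak to keep
]


def normalize_indicator(value):
    """Canonical form so feeds that disagree on casing or whitespace still collide."""
    return None if value is None else value.strip().lower()


def dedupe_alerts(alerts):
    """Drop alerts repeating an identical (source, rule, host, user, hash) tuple; keep the first."""
    seen, kept = set(), []
    for a in alerts:
        key = (a["source"], a["rule"], a["host"], a["user"], normalize_indicator(a["hash"]))
        if key not in seen:
            seen.add(key)
            kept.append(a)
    return kept


def alert_entities(alert):
    """Typed entities an alert is attached to; shared entities are the edges that join alerts into a case."""
    ents = {("host", alert["host"]), ("user", alert["user"])}
    if alert["hash"]:
        ents.add(("sha256", normalize_indicator(alert["hash"])))
    return ents


def group_into_cases(alerts):
    """Union-find over alerts: any two alerts sharing an entity end up in the same case."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    owner = {}  # entity -> id of the first alert seen carrying it
    for a in alerts:
        for ent in alert_entities(a):
            if ent in owner:
                parent[find(a["id"])] = find(owner[ent])
            else:
                owner[ent] = a["id"]
    cases = defaultdict(list)
    for a in alerts:
        cases[find(a["id"])].append(a)
    return sorted(cases.values(), key=lambda c: c[0]["id"])


def normalize_intel(entries, min_confidence=30):
    """Normalize indicators, merge duplicates across feeds, drop entries below the confidence floor."""
    merged = {}
    for e in entries:
        key = (e["type"], normalize_indicator(e["indicator"]))
        cur = merged.setdefault(key, {"confidence": 0, "severity": "info", "sources": set(), "ttps": set()})
        cur["confidence"] = max(cur["confidence"], e["confidence"])
        if SEVERITY_RANK[e["severity"]] > SEVERITY_RANK[cur["severity"]]:
            cur["severity"] = e["severity"]
        cur["sources"].add(e["source"])
        if e["ttp"]:
            cur["ttps"].add(e["ttp"])
    return {k: v for k, v in merged.items() if v["confidence"] >= min_confidence}


def enrich_case(case_alerts, intel):
    """Attach matching intel to a case and derive its severity from the strongest match."""
    ents = set().union(*(alert_entities(a) for a in case_alerts))
    matches = {ent: intel[ent] for ent in ents if ent in intel}
    severity = max((m["severity"] for m in matches.values()), key=SEVERITY_RANK.get, default="info")
    return {
        "alert_ids": [a["id"] for a in case_alerts],
        "hosts": sorted(e[1] for e in ents if e[0] == "host"),
        "matched_indicators": sorted(k[1] for k in matches),
        "intel_sources": sorted(set().union(*(m["sources"] for m in matches.values()))),
        "ttps": sorted(set().union(*(m["ttps"] for m in matches.values()))),
        "severity": severity,
    }


def triage(alerts, intel_entries):
    """Full pipeline: dedupe -> group into threat-centric cases -> enrich each case."""
    intel = normalize_intel(intel_entries)
    return [enrich_case(c, intel) for c in group_into_cases(dedupe_alerts(alerts))]


if __name__ == "__main__":
    for case in triage(SAMPLE_ALERTS, SAMPLE_INTEL):
        print(case)
```

Run as written, five raw alerts become two cases: the duplicate SIEM alert is dropped, the three remaining alerts tied together by the user and host become one high-severity case carrying the merged hash indicator and its TTP, and the phishing click stays a separate case with no intel hits. Real deployments replace the constructed feeds with connector output and tune `min_confidence` per source; the grouping key set (which entity types may join alerts) is the knob that decides how aggressively cases consolidate.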

Select Vendors Based On Size And Functionality

We’ve based our analysis of the SOAR market on two factors: market presence and functionality.

SOAR Market Presence Segments

We segmented the vendors in this market into three categories, based on SOAR revenue: large established players (more than $30 million in SOAR revenue), midsize players ($10 million to $30 million in revenue), and smaller players (less than $10 million in revenue) (see Figure 1).

Figure 1

Now Tech Market Presence Segments: SOAR, Q2 2022

SOAR Functionality Segments

To explore functionality at a deeper level, we broke the SOAR market into five segments, each with varying capabilities (see Figure 2 and see Figure 3):

Security analytics platform. The offering is designed to be an integral part of a larger platform that incorporates SIEM and SUBA capabilities. It’s sold exclusively with other elements of the vendor’s security analytics platform and is not sold as a separate offering. This has the benefit of tight integration with the rest of the vendor’s portfolio.

Security analytics portfolio. The offering is part of a larger portfolio of technology that often includes security analytics capabilities. It’s sold as a standalone offering but can also be bundled with the vendor’s other offerings, often for a discount. This has the benefit of potentially strong integrations with other aspects of the portfolio, while also having the freedom to implement with other security analytics technologies.

Threat intelligence. The offering is sold as a standalone offering but can also be coupled with the vendor’s threat intelligence offering or as an add-on. This has the benefit of infusing threat intelligence into SOAR workflows.

Pure play. The offering is an independent SOAR and is the main focus and sole product of the vendor. It’s sold as a standalone offering. This has the benefit of independence from other offerings, with the potential for faster innovation and more-robust integrations with third-party tools.

Automation portfolio. The offering is part of a larger portfolio of automation software for other disciplines. It’s often sold as a standalone offering or bundled with other automation capabilities for other business functions. This has the benefit of providing a unifying automation layer across business functions.

Figure 2

Now Tech Functionality Segments: SOAR, Q2 2022, Part 1

Figure 3

Now Tech Functionality Segments: SOAR, Q2 2022, Part 2


Align Individual Vendor Solutions To Your Organization’s Needs

The following tables provide an overview of vendors, with details on functionality category, geography, and vertical market focus (see Figure 4, see Figure 5, and see Figure 6).

Figure 4

Now Tech Large Vendors: SOAR, Q2 2022

Figure 5

Now Tech Midsize Vendors: SOAR, Q2 2022

Figure 6

Now Tech Small Vendors: SOAR, Q2 2022


Planning Is Paramount When Adopting SOAR

The most important step security professionals can take to succeed with SOAR is to outline before adopting it how they will use it. There are many mischaracterizations about SOAR in the market: that its main goal is to automate response, that security teams are using hundreds of playbooks, and that SOAR is equivalent to case management. The reality is that SOAR is a vehicle for building custom automation in the SOC, and using it well requires planning and structure. When adopting SOAR technology be sure to:

Set realistic expectations on what challenges automation can solve. Despite the plethora of prebuilt playbooks available, security teams often implement a maximum of five to 10 playbooks in total over the first several years of adoption. Process automation for complex, inconsistent workflows is challenging and cannot address every manual task security analysts perform without racking up technical debt and building an untenable system. Identify and automate processes that are consistent and repeatable. Enrichment is often the best place to start.

Define, prior to purchase, detection and response processes that can be automated. SOAR playbooks are only as useful as the underlying processes they are defined by. Before adopting SOAR, document repeatable, consistent processes that can be automated. Security teams find success automating enrichment, phishing response, and ransomware response.

Coordinate with automation talent in other parts of the business. Few security teams have security-minded automation experts in their ranks, and often, a lone security analyst maintains SOAR. Organizations that have an automation center of excellence or automation team should leverage these adjacent functions to build better automation in the SOC instead of going it alone.

Allot resources for continuous upkeep. SOAR is not a set-it-and-forget-it technology. Depending on the number of integrated tools, playbooks, and use cases being met (for example, detection and response, threat intelligence, metrics gathering, and/or case management), SOAR may require one or more FTEs to operationalize.

Look beyond detection and response. Depending on the type of SOAR provider, the offering can provide deeper value than automation of detection and response alone. Consider whether other functions like vulnerability management coordination, metrics gathering and dashboarding, and case management capabilities would benefit your team when evaluating SOAR products.

Supplemental Material

Market Presence Methodology

We defined market presence in Figure 1 based on security orchestration, automation, and response (SOAR) revenue over a 12-month period.

To complete our review, Forrester requested information from vendors. If vendors didn’t share this information with us, we made estimates based on available secondary information. We’ve marked companies with an asterisk if we estimated revenues or information related to geography or industries. Forrester fact-checked this report with vendors before publishing.

Companies We Researched For This Report

We would like to thank the individuals from the following companies who generously gave their time during the research for this report.

Cisco

Cyware

D3 Security

DTonomy

Exabeam

Fortinet

Gurucul

IBM

LogicHub

Logpoint

LogRhythm

Logsign

ManageEngine

Micro Focus

Microsoft

Palo Alto Networks

QI-ANXIN

Rapid7

Securaa

Securonix

ServiceNow

Shuffle

Siemplify (Google Cloud)

SIRP

Splunk

Sumo Logic

Swimlane

ThreatConnect

ThreatQuotient

Tines

Torq

About Siemplify, Now Part Of Google Cloud

Siemplify (now part of Google Cloud) is a security orchestration, automation and response (SOAR) product that is
redefining security operations for enterprises and MSSPs worldwide. Our holistic security operations platform is a
simple, centralized workbench that enables security teams to better investigate, analyze, and remediate threats. Using
our patented context-driven approach, Siemplify SOAR empowers SOC teams to reduce caseload and complexity while
responding to threats faster. Siemplify was acquired by Google Cloud in January 2022.

© 2022, Forrester Research, Inc. and/or its subsidiaries. All rights reserved.
