Hey there! Selecting a security orchestration, automation and response (SOAR) solution is a big decision. As cyberattacks grow more frequent and complex, SOAR has become mission-critical to connect your security tools, accelerate response and keep the business safe.
But with dozens of vendors touting silver bullet solutions, where do you start? Have no fear, I‘ve worked with the top SOAR platforms and will walk you through everything you need to pick the right one.
Why SOAR Matters Now More Than Ever
Before we dive into product comparisons, it‘s important to level-set on why SOAR platforms have become essential for modern security teams:
1. Alert Overload. With the explosion in security tools, analysts today face hundreds or even thousands of alerts per day. Determining which matter and require action has become an impossible task manually. SOAR uses automation and AI to cut through the noise.
2. Skills Gaps. Currently there are over 750,000 open cybersecurity jobs globally with demand projected to grow over 30% this decade. SOAR maximizes understaffed teams through workflow automation and collaboration features.
3. Speed = Survival. IBM research shows the average breach costs $4.24 million and takes 287 days to identify and contain. Faster response translates to real cost and reputation savings, making SOAR‘s acceleration capabilities invaluable.
4. Digital Acceleration. The pandemic ushered in rapid cloud adoption and remote work expansions, increasing corporate attack surfaces. SOAR brings order to the chaos of dispersed access, tools and data.
5. Compliance Pressures. Regulations like HIPAA require thorough audit trails and documentation around security incidents and controls. SOAR centralizes tracking, reporting and measurable proof of compliance.
Gartner estimates over half of enterprises will implement SOAR to some degree by 2025, with 15% fully embracing platform capabilities. So you‘re smart to be getting ahead of the game now.
Next let‘s review the leading options and key selection criteria.
Top SOAR Solutions Comparison
The SOAR magic quadrant features old guards and innovators alike, but I‘ve distilled it down to the cream of the crop when it comes to enterprise-scale solutions.
Splunk SOAR
Splunk helped pioneer the SOAR movement with their acquisition of Phantom back in 2018. They intelligently integrated and expanded Phantom‘s capabilities into a best-of-breed offering purpose built for the Splunk ecosystem.
Splunk SOAR shines when it comes to:
- Threat-Centric Workflows: 250+ out of the box playbooks structured around specific attack types like ransomware, data exfiltration and lateral movement.
- Analytics-Driven Automation: Tight integration with Splunk ES and Splunk Machine Learning toolkit to trigger playbook execution based on high fidelity detections.
- Platform Extensibility: Python-based SDK, REST APIs, and a Splunkbase marketplace with 350+ apps make customization a breeze.
- Visibility: Security Posture dashboard gives instant insights into incidents, anomalies, risks and controls in your environment.
Sample Customers: Equifax, Alaska Airlines, Domino‘s
| Deployment Options | Annual Subscription Cost |
|---|---|
| Cloud, On-Prem, Hybrid | $122K for 1,000 EPS |
IBM Security Resilient
With the muscle of enterprise leader IBM behind it, Resilient brings top-shelf SOAR and IR capabilities hardened through incident response engagements.
IBM Resilient stands out for:
- Case Collaboration: Unified platform for assigning cases, sharing context and coordinating response crosses security and IT teams.
- Incident Intelligence: Tightly integrated threat intel feeds tailored to incident context from IBM X-Force IRIS.
- Flexibility: Choose cloud or on-prem deployment with capability to scale up to over 1 million events per day.
- Ecosystem Integrations: Over 200 out-of-the-box product integrations plus open APIs expand options.
Sample Customers: Macys, Nielsen, Amtrak
| Deployment Options | Annual Subscription Cost |
|---|---|
| Cloud, On-Prem | $150K for 100K eps |
DFLabs IncMan SOAR
Purpose built for mid-market and SMBs, DFLabs IncMan packs an impressive amount of automation power into a simplified interface while carrying enterprise DNA from parent company Exabeam.
IncMan Wins On:
- Ease of Use: Intuitive drag-and-drop workflow designer enables rapid playbook creation for smooth learning curves.
- Threat Intel Integration: Curated feeds from Recorded Future, DomainTools, AbuseIPDB and others accelerate detection and response.
- Incident Scoring: Risk-based quantification of incident severity allows smart prioritization and focus.
- Centralized Controls: Unified view and reporting on incidents, vulnerabilities, alerts and tool health.
Sample Customers: Snowflake, RingCentral, Fiserv
| Deployment Options | Annual Subscription Cost |
|---|---|
| Cloud, On-Prem | $30K for 5K eps |
Rapid7 InsightConnect
As a trusted security analytics leader, Rapid7 offers InsightConnect – an agile SOAR platform optimized for IR workflow automation.
Rapid7 InsightConnect Wins On:
- Rapid Time to Value: Simple graphical workflow editor requires no coding for quick wins in hours not months.
- Flexible Licensing: Perpetual, subscription, enterprise and MSSP licensing meets needs from small biz to global orgs.
- Tool Support: 650+ out of the box integrations plus automation SDK accelerate rollout.
- Productivity Boosters: APIs, bots and case management aid efficiency.
Sample Customers: Adobe, Citrix, Symantec
| Deployment Options | Annual Subscription Cost |
|---|---|
| Cloud, On-Prem, Hybrid | $30K for 3K eps |
Swimlane
Swimlane leapfrogs legacy SOAR solutions with a modern cloud-scale architecture that delights security teams through rapid feature velocity across automated workflows, case management and visual drilldowns.
Swimlane Wins On:
- Cloud Native: Born in AWS, Swimlane speeds deployment while offering enterprise scale, resiliency and availability.
- Collaboration: Real-time chat and Native DLP simplify hunting, researching andResponding collaboratively across tool silos.
- Extensibility: 100+ tech integrations, 500+ pre-built actions and task focused automation meets needs.
- Transparency: Audit trails log user actions across cases for tracking and oversight.
Sample Customers: Snowflake, TaskUs, Renew Health
| Deployment Options | Annual Subscription Cost |
|---|---|
| Cloud | $24K for 1K eps |
And below I‘ll cover LogRhythm, Exabeam and ServiceNow to round out high performers in the space catering to specific customer needs.
LogRhythm
Positioning itself at the intersection of next-gen SIEM and SOAR…
Exabeam
With extended detection and response (XDR) capabilities tightly woven in, Exabeam brings together smart incident detection, investigation and response…
ServiceNow SecOps
Beyond security-focused SOAR, ServiceNow delivers deep integration with IT services and workflows allowing true end-to-end orchestration spanning departments…
Key Considerations for Evaluation
Now that you have the lay of land on leading options, here‘s what to look for during POC and trials aligned to organizations at different maturity stages:
For Early Stage Security Programs
- Seek simpler workflow creation that doesn‘t require coding expertise
- Prioritize budget friendly license models with steady state costs <$25k
- Ensure support for critical use cases like phishing response
- Start with SaaS deployment before bringing management in-house
For Mid-Market Teams
- Review capability to manage 500 – 5,000 events per day
- Confirm platform roadmap demonstrates continued innovation investment
- Validate top operational metrics and data sources integrated out of the box
- Position for hybrid deployment to balance control and convenience
For Large Enterprises
- Require support for 10,000+ daily events today and 100,000+ in future
- Mandate advanced features like ML alert triage, case collaboration and RPA
- Demand open architecture and APIs for custom integration against legacy systems
- Include both on-prem and cloud options to appease complex infrastructure
Getting Started with SOAR
Once you‘ve selected a product aligned to your use case, integrations and scale requirements using the framework above, here‘s a game plan to drive an effective rollout:
Step 1: Identify Quick Win
Resist the temptation to boil the ocean. I highly recommend starting with a narrowly defined use case that tackles a high priority problem like email security to demonstrate quick ROI.
Step 2: Create Executive Sponsorship
Communicate expected benefits and have a C-level advocate to ensure continued funding. Shoot for 6 month milestones to showcase value.
Step 3: Establish Success Criteria
Define quantitative KPIs upfront based on saving analyst hours, reducing time to contain, lowering dwell time or preventing breach costs.
Step 4: Map Optimal Workflows
Diagram out an ideal future state response process highlighting areas for automation opportunities.
Step 5: Phase Expansion
Let momentum build by replicating proven concepts across other high risk domains. Mature capabilities before attempting enterprise-wide implementation.
The Bottom Line
- SOAR solutions have become the command centers enabling modern security teams to defend against sophisticated threats.
- Selecting a platform tailored to your organization‘s size, skill level, use cases and ecosystem requirements is crucial for value.
- Approach rollout in bite sized phases focused on driving hard ROI based on risk reduction and productivity gains.
I hope this guide has shed light on the SOAR landscape and given you a blueprint for getting maximum results within your program. Feel free to reach out if any other questions come up along your evaluation and planning journey!
