Table of Contents
- Executive Summary
- Autonomous SOC Sector Brief
- Decision Criteria Analysis
- Analyst’s Outlook
- Methodology
- About Andrew Green
- About GigaOm
- Copyright
1. Executive Summary
Autonomous security operations center (SOC) solutions are converged security operations (SecOps) tools that handle data ingestion and management, threat hunting, orchestration, remediation, and response.
Facing a shortage of security analysts and a long time to value when deploying multiple tools, SOCs have an increasing need for single solutions that can provide end-to-end visibility, response, and automation capabilities. These functionalities can already be met by security information and event management (SIEM), security orchestration, automation and response (SOAR), user and entity behavior anomaly detection (UEBA), and endpoint detection and response (EDR) tools, but there is value added from hosting the features of all of these tools in a single platform.
SIEM solutions have been the main monitoring tools for SOCs. As they observe more complex infrastructure and deal with an increased number of security events, SIEM solutions have evolved to cope. At the same time, security analysts have been dealing with increasingly complex processes for alert-tuning systems, investigation, and threat hunting. Responding to that complexity, SOAR tools have been deployed to complement SIEM solutions and help analysts manage events more efficiently.
This two-solution deployment (standalone SIEM plus standalone SOAR) worked well in the second half of the 2010s. However, in the early 2020s, we’ve seen SIEM solutions evolve to include native SOAR-like capabilities. This change has taken place through SIEM vendors either acquiring standalone SOAR tools or developing native orchestration and automation capabilities.
UEBA solutions have also been historically standalone tools, but similar capabilities have been added to or natively developed in SIEM products, which already include data and analytics capabilities.
EDR tools traditionally use a different product architecture that relies on agents deployed on endpoints. SIEM tools can either integrate with existing EDR tools for automated response capabilities or use an agentless approach. Some vendors that enter the autonomous SOC arena will offer agents as part of their tool, eliminating any reliance on third-party EDR or extended detection and response (XDR) vendors.
A solution that combines SIEM, SOAR, UEBA, and EDR capabilities will make up most of a SOC analyst’s daily toolset. We define this category as “autonomous SOC solutions.” They act as the center of daily activities for a security analyst, enabling them to capture their processes and perform their most common tasks from a single toolset that provides both visibility and orchestration capabilities across the entire IT environment.
Business Imperative
A multitool approach for SecOps may offer best-of-breed solutions, but the integration and management of multiple tools and associated “chair swiveling” is detrimental to the overall SOC experience. As such, vendors that offer comprehensive SOC platforms can eliminate these management and coordination challenges.
Sector Adoption Score
To help executives and decision-makers assess the potential impact and value of an autonomous SOC solution deployment to the business, this GigaOm Key Criteria report provides a structured assessment of the sector across five factors: benefit, maturity, urgency, impact, and effort. By scoring each factor based on how strongly it compels or deters adoption of an autonomous SOC solution, we provide an overall Sector Adoption Score (Figure 1) of 2.6 out of 5, with 5 indicating the strongest possible recommendation to adopt. This indicates that an autonomous SOC solution is dependent on a considerable upfront investment of time and effort that will bring long-term benefits.
The factors contributing to the Sector Adoption Score for autonomous SOC are explained in more detail in the Sector Brief section that follows.
Figure 1. Sector Adoption Score for Autonomous SOC (chart from the report "Key Criteria for Evaluating Autonomous SOC Solutions"; image not reproduced)
This is the third year that GigaOm has reported on the autonomous SOC space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.
This GigaOm Key Criteria report highlights the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) for selecting an effective autonomous SOC solution. The companion GigaOm Radar report identifies vendors and products that excel in those decision criteria. Together, these reports provide an overview of the market, identify leading autonomous SOC offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.
GIGAOM KEY CRITERIA AND RADAR REPORTS
The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.