Security Orchestration, Automation, and Response (SOAR) tools combine inputs and alerts from your whole security stack into a single, manageable solution. This extends your network visibility, making it easier to identify and remediate threats.
SOAR solutions leverage human intelligence, artificial intelligence (AI), and machine learning (ML) to identify the most urgent threats and triage the vast quantity of data into manageable and meaningful content. SOC teams can use this intelligence to design playbooks that ensure a response is carried out in the most effective way.
When looking for a SOAR solution, some of the key things to look for include:
- Alert triage and investigation
- Intelligence management
- Case management
- Pre-built and customizable playbooks
- Reporting dashboards and analytics
In this article, we’ll explore the key features and highlights of the best SOAR solutions on the market. We’ll highlight the things that set them apart from other solutions and suggest what type of organization they are most suited to.
Originally Siemplify, Chronicle SOAR is part of the Google Cloud umbrella, designed to allow enterprises and MSPs to accumulate data and security alerts through orchestration, automation, threat intelligence, and incident response. The solution integrates with Chronicle SIEM to ensure both solutions are working effectively off the latest data.
- Efficient case management that can ingest, group, prioritize, assign, and investigate alerts
- Zero-code based playbook creation
- Effective investigation capabilities – focus on the root cause of threats, rather than alerts
- Threat intelligence is integrated across the detection and response lifecycle
- Easy collaboration – you can maximise effectiveness through incident collaboration and transparency
- Raw log scan – ability to search unprocessed data to gain new insights
Expert Insights’ Comments: Chronicle SOAR is widely praised for its ease of deployment, and effectiveness once live. The solution is highly capable and provides a range of useful insights into the status of your network and security threats. We would recommend Chronicle SOAR for organizations of all sizes thanks to its broad feature set and easy deployment – it is particularly useful for MSSP clients as it is capable of handling larger and more complex organizations.
Devo (formerly a part of LogicHub) is a cybersecurity vendor that was founded in 2011 and focuses on intelligence-driven threat detection and response products. Devo SOAR provides end-to-end automation and allows security teams to improve efficiency, collaboration, and efficacy. The solution is able to effectively prioritize and triage alerts, ensuring that you can cut through the noise and focus on the most important issues.
- Entire threat lifecycle can be automated
- Over 300 out-of-the-box integrations, allowing quick and easy setup
- Pre-built and customizable playbooks that can be edited without coding
- Robust triaging and ability to eliminate noisy alerts
- Intuitive case management capabilities that adapt to your workflow
Expert Insights’ Comments: Devo SOAR has a particularly strong case management feature – it enriches data with context and suggests the most effective remediation actions. Many users praise it as an efficient, cost-effective, and flexible SOAR solution. We would recommend Devo SOAR to organizations of all sizes who are looking for a highly automated solution with effective triage capability.
Fortinet is a California-based market-leading cybersecurity company with a range of firewall, intrusion prevention, and endpoint solutions on offer. Fortinet FortiSOAR is the company’s SOAR offering. It works by gathering data from a range of sources, and collating it into manageable, actionable intelligence.
- Over 350 integrations and 3,000 automated workflow actions
- 160 out-of-the-box customizable playbooks
- Advanced threat intelligence management – thanks to its integration with FortiGuard
- Mobile application that enables analysts to respond to alerts and execute crucial actions
- Role-based dashboard, reporting capabilities, and incident management – this allows you to track metrics, analyze performance, create data models, and generate weekly reports
Expert Insights’ Comments: Fortinet FortiSOAR is a highly sophisticated solution that offers a great deal of control over threat management. It is praised by users for its ease of integration, though some comment that the creation of playbooks could be simpler. We would recommend Fortinet FortiSOAR to a wide range of use cases thanks to its advanced protection and flexibility. It is particularly suited to SMBs, enterprise, and MSP customers who need an all-encompassing and multi-tenant incident response platform.
Headquartered in California, Palo Alto Networks is a global leader in enterprise security. Cortex XSOAR utilizes Demisto’s SOAR platform (acquired by Palo Alto in 2019), with Cortex threat prevention, response capabilities, and intelligence management. These elements together make Cortex XSOAR a powerful and sophisticated option.
- 750+ integrations and 680+ content packs
- Ability to operate completely automated, or with SOC oversight
- Correlates data points in a dedicated “war room” which allows real-time human investigation
- Ingest data from all major SIEM solutions
- Threat Intelligence Management (TIM) module adds context to alerts
- Integrations can be customized, or downloaded from the Cortex XSOAR marketplace
Expert Insights’ Comments: Cortex XSOAR is a powerful solution that gives admins an efficient dashboard to investigate and respond to threats quickly and accurately. Thanks to its integrations and automation packs, Cortex XSOAR is easy to deploy and scale as your organization grows. This solution is especially suited for MSP usage due to its multi-tenancy options and the ability to be deployed in the cloud or on-premises.
Rapid7 is a Boston-based cybersecurity company that uses increased visibility, analytics, and automation to secure digital environments. InsightConnect is the company’s SOAR platform, which benefits from the Komand platform acquired in 2017. The result is a powerful, cloud-based SOAR solution that streamlines processes and workflows, allowing you to focus on other pressing issues.
- Automate workflows without code
- Over 200 plugins and customizable workflows
- ChatOps allows integration with apps like Slack and Microsoft Teams
- Automate third-party products with InsightConnect Pro Automation
- Automate investigation and responses to threats like phishing and ransomware
- Vulnerability management with cross-functional collaboration and human decisioning where needed
Expert Insights’ Comments: InsightConnect gives users deep visibility across environments and a wealth of integrations, whilst being praised for its ease of use. Through the automation of processes, and the enrichment of data, InsightConnect allows a small SOC team, to have a large impact. We would recommend InsightConnect to organizations looking for a powerful SOAR solution that allows collaboration, customizable workflows, and a wealth of plugins.
Founded in 2004, ServiceNow is a digital workflow, IT, and business management leader. Security Incident Response (SIR) is a powerful cloud-based SOAR solution that is included as part of the Security Operations (SecOps) platform and allows SOC teams to seamlessly manage and respond to incidents, simplify collaboration, and streamline workflows. The SecOps platform includes vulnerability management and response, threat intelligence, and configuration compliance tools.
- Automate workflow and coordinate incident response
- Extensive playbook and orchestration library for a range of scenarios
- Additional applications available from the ServiceNow store
- Artificial intelligence tools for incident investigation
- MITRE ATT&CK mapping to add context
- Virtual war room for enhanced collaboration
- Granular, real-time reporting capabilities
Expert Insights’ Comments: ServiceNow offers three product options: Standard, Professional, and Enterprise. Standard comes with either SIR or Vulnerability Response; Professional retains this binary choice but adds vulnerability management, threat intelligence, event management, and performance analytics. Enterprise offers both SIR and Vulnerability Response. We would recommend ServiceNow SIR for mid-sized and enterprise organizations who need a powerful SOAR solution alongside the full capabilities of the SecOps package.
Founded in 2003, Splunk is a software provider that specializes in helping organizations search, monitor, and analyze data with its powerful data platform. Splunk SOAR (originally Splunk Phantom) is a powerful solution that allows for effective collaboration and engagement with security orchestration and response workflows.
- Integration with more than 350 tools
- Comes with 100 out-of-the-box playbooks
- Visual editor for code-free editing
- Threat intelligence enhanced by Splunk SURGe cybersecurity research team
- Powerful case management tools
- Linked SOAR mobile app allows SOC teams to respond to threats, triage alerts, run playbooks and collaborate anytime and anywhere
Expert Insights’ Comments: The solution is easy to integrate, thanks to the large library of third-party tools. It can be deployed flexibly across cloud, on-premises, or hybrid environments. Ease is at the heart of this solution, with playbooks being intuitive to design without the need for any coding ability. The case management features allow organizations to define workflows and build operational rigor to inform procedures. We recommend Splunk SOAR for mid-sized to enterprise organizations looking for powerful case management, threat intelligence, and easy collaboration.
Headquartered in California, Sumo Logic provides data analytics for security, operations, and business intelligence. Cloud SOAR is a comprehensive solution that enables SOC analysts to cut through alert noise, automate incident triage and response, and boost collaboration. The solution can be deployed as SaaS, on-premises, or in the cloud, making it easy to integrate however you work.
- Full automation of incident lifecycle
- Advanced ML-based threat triage filters out false positives or duplicate events
- IOC investigation, incident classification, and alert enrichment
- Effective built-in playbooks that use historical data to plan the best remediation
- Customizable reports and dashboards to track IOCs, workflow processes, and performance indicators
Expert Insights’ Comments: Cloud SOAR is part of Sumo Logic’s Enterprise Suite subscription package – included in this are tools for intelligence, orchestration, and analytics. The solution can be finely tuned to suit an array of use cases and requirements. We recommend Sumo Logic to mid-sized to enterprise organizations who need powerful ML-based triage and automated response suggestions. Cloud SOAR would also be useful for MSPs due to its strong multi-tenant capabilities.
Swimlane is a Colorado-based industry-leading SOAR vendor specializing in security automation. The platform collects alerts and data from a wide range of sources, as well as automating incident responses and operational workflows. The solution is low-code, making remediation playbooks easier to create and visualize. The platform can be deployed on-premises, or via cloud, and is charged on a per-user basis. This makes the solution scalable, and easy to roll out.
- Manage and coordinate workflows via easy-to-configure playbooks
- Powerful case management
- Advanced reporting dashboards
- Customizable and open platform – this allows SOC teams to build the tools they need and address a wide range of use cases and challenges
- Hundreds of out-of-the-box integrations
Expert Insights’ Comments: Swimlane SOAR is a flexible and highly customizable solution that gives you a great deal of control over how the solution operates. To utilize this level of customization, a level of coding experience is required. We would, therefore, recommend Swimlane SOAR to enterprise businesses who need a highly flexible and customizable solution for a diverse range of use cases.
Founded in 2011, ThreatConnect is a cybersecurity vendor that specializes in threat intelligence, analytics, and cyber risk quantification. Its SOAR platform can integrate seamlessly with a host of security tools to coordinate investigations, add additional context, and provide effective response.
- Ability to automate tasks with a drag-and-drop editor
- Use historical data to triage alerts so you can focus on crucial tasks
- Extensive threat hunting capabilities using automated and templated workflows
- Malware and phishing attack analysis and response
- Hundreds of built-in playbooks
- Threat detection and blocking utilizing high-fidelity intelligence
Expert Insights’ Comments: ThreatConnect’s SOAR platform excels in its threat intelligence management capabilities, giving teams an overview of their entire IT estate – including key performance indicators and case metrics. It offers flexible pricing models and can be deployed either on-premises or in the cloud. We recommend ThreatConnect SOAR for mid-sized to enterprise organizations and MSPs that need a powerful SOAR platform that also has advanced threat intelligence management capabilities built in.
What Is Security Orchestration, Automation, And Response?
Security Orchestration, Automation, and Response (SOAR) solutions take information from all the security tools in your cybersecurity stack to gain extensive visibility. From this vantage point, it is easier to identify threats and understand their potential impact than it is from one security tool alone. This centralized management then allows remediation and response capabilities to be initiated.
SOAR can effectively analyse data from your endpoints through its comprehensive use of AI and ML capabilities. This allows it to work much faster than a human could, without increasing the risk of making a mistake. In practice, this allows it to carry out advanced threat hunting and even identify dormant malware that may be activated later. As it monitors your network, it can also identify network vulnerabilities and catalogue how previous attacks have been initiated.
What Should You Look For In A SOAR Solution?
There are three key features to look out for when selecting a SOAR solution.
- Alert triage and investigation. As these solutions take in a great deal of information from across your entire network, the amount of data they gather will be vast. It is simply unfeasible for a human analyst to sift through this data and identify anomalies. Your SOAR solution should analyse data automatically, and only alert admin users to the most critical events, or events that require human input.
- Playbooks. There are many thousands of events that your SOAR solution could run into. Rather than needing AI and ML capabilities to “decide” how best to respond in each case, you can use pre-built playbooks to respond. For instance, if a known attack type is encountered, you can follow the steps as prescribed in a playbook to ensure that you are responding efficiently and effectively. Your SOAR solution should have pre-built and customizable playbooks for you to use.
- Reporting dashboard. As these solutions assess large quantities of data, there should be an effective and streamlined dashboard that can highlight key findings and present information in an accessible way. There should be a record of remediation events that have happened without any need for human interaction. Over time you can assess these trends and decide if any security protocols need changing.
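To make the three features above concrete, here is an added illustration (not code from this article or from any of the vendors listed) of how a minimal SOAR-style pipeline ties them together: alerts are deduplicated and triaged, a playbook keyed on the alert type runs unattended only below a severity ceiling, and every outcome is recorded so a dashboard can summarize it. The alert format, the severity scale, the `AUTO_MAX_SEVERITY` cutoff and the playbook actions are all assumptions constructed for the example; the actions only return a description of what a real integration would do.

```python
"""Toy SOAR pipeline: dedupe -> triage -> playbook -> audit record.

Constructed illustration of alert triage, playbooks and reporting; it is
not any vendor's product code. Alert fields, severity scale (0-10) and the
playbook actions are assumptions made for this example.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample alerts, shaped like what a SIEM or EDR might forward.
SAMPLE_ALERTS = [
    {"id": 1, "source": "email-gw", "type": "phishing", "severity": 4,
     "host": "ws-17", "sender": "bad@example.test"},
    {"id": 2, "source": "email-gw", "type": "phishing", "severity": 4,
     "host": "ws-17", "sender": "bad@example.test"},   # repeat of alert 1
    {"id": 3, "source": "edr", "type": "ransomware", "severity": 9, "host": "fs-01"},
    {"id": 4, "source": "ids", "type": "port-scan", "severity": 2, "host": "ws-22"},
    {"id": 5, "source": "edr", "type": "cryptominer", "severity": 6, "host": "ws-09"},
]

AUTO_MAX_SEVERITY = 7   # assumption: above this an analyst must approve the response
SUPPRESS_BELOW = 3      # assumption: below this the alert is only logged


@dataclass
class Case:
    alert: dict
    disposition: str            # "automated", "needs-human" or "suppressed"
    actions: list = field(default_factory=list)


# Playbook steps. Each returns a record of what it did (simulated here).
def quarantine_message(alert):
    return f"quarantined message on {alert['host']}"


def block_sender(alert):
    return f"blocked sender {alert['sender']}"


def isolate_host(alert):
    return f"isolated {alert['host']} from network"


# Playbooks keyed on alert type; an empty list means "record and move on".
PLAYBOOKS = {
    "phishing": [quarantine_message, block_sender],
    "ransomware": [isolate_host],
    "port-scan": [],
}


def dedupe(alerts):
    """Collapse repeats of the same alert type on the same host (noise reduction)."""
    seen, unique = set(), []
    for a in alerts:
        key = (a["type"], a["host"])
        if key not in seen:
            seen.add(key)
            unique.append(a)
    return unique


def triage(alert):
    """Decide whether a playbook may run unattended, needs a human, or is noise."""
    if alert["severity"] < SUPPRESS_BELOW:
        return "suppressed"
    if alert["severity"] > AUTO_MAX_SEVERITY or alert["type"] not in PLAYBOOKS:
        return "needs-human"     # too severe, or no playbook exists for this type
    return "automated"


def run_pipeline(alerts):
    """Turn raw alerts into cases, running playbooks where triage allows it."""
    cases = []
    for a in dedupe(alerts):
        case = Case(alert=a, disposition=triage(a))
        if case.disposition == "automated":
            case.actions = [step(a) for step in PLAYBOOKS[a["type"]]]
        cases.append(case)
    return cases


def report(cases):
    """Dashboard-style summary: dispositions, automated actions, escalations."""
    return {
        "by_disposition": dict(Counter(c.disposition for c in cases)),
        "automated_actions": sum(len(c.actions) for c in cases),
        "escalated": [c.alert["id"] for c in cases if c.disposition == "needs-human"],
    }


if __name__ == "__main__":
    handled = run_pipeline(SAMPLE_ALERTS)
    for c in handled:
        print(c.alert["id"], c.alert["type"], c.disposition, c.actions)
    print(report(handled))
```

Two design points worth noting: the severity ceiling keeps high-impact actions such as host isolation behind human approval, which is the "events that require human input" case above, and an alert type with no playbook is escalated rather than silently dropped, so gaps in playbook coverage show up in the report instead of disappearing.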