Insights From The State of SOAR Survey, 2020

Palo Alto Networks

By: Rishi Bhargava

The data is in: security operations are changing, and the need for better automation and integration has never been more critical.

Each year, we conduct a survey of enterprise security operations teams to understand their processes, challenges, needs and plans. We call this study "The State of SOAR" -- and the results of our 2020 study show some key trends that will shape priorities for the coming year:

  • Security teams will work to integrate fragmented processes. Despite research showing that security leaders are shifting their investment mindsets to focus on consolidated suite solutions rather than narrow point products, most organizations still utilize a wide range of poorly integrated tools and efficiency-killing manual processes. Workflows involving other teams are even worse: only 23% of security operations teams have good process integration with IT, which is the team that they are most tightly coordinated with.

    We are seeing organizations take two approaches to solving this:

    • Investment in tools that consolidate their incident response workflows, such as XDR, which delivers detection, investigation and response across endpoint, network, and cloud infrastructure.
    • Investment in tools that can help to integrate and automate their security stack, such as security orchestration, automation, and response (SOAR). This brings us to our second finding:
  • SOAR use will accelerate. 67% of security teams plan to increase spending on SOAR in the next year. This is partially to remediate the many manual incident management processes still in place -- however, security teams are also interested in expanding SOAR to many other use cases in the next year, from cloud security to employee onboarding to vulnerability management. Those using SOAR report consistent business benefits including faster time-to-action and simpler, more defined processes.
  • Security teams will embrace playbooks built by other trusted sources. As much as security teams want to expand their use of SOAR, they don't want to do it all on their own if they don't have to. 78% expressed interest in a common framework and community for sharing playbooks and integrations. The top sources that they're likely to trust are playbooks created or certified by the SOAR vendor and playbooks that are created by an MSSP or other security partner. Cortex XSOAR users will have access to all of these in the new Cortex XSOAR marketplace, a community for sharing certified 'content packs' that deliver single-click activation of complete security use cases.
  • Threat intelligence integration will be a key consideration for security tool investments. Integration with threat intelligence sits atop the list of considerations for security tool investments. 81% say that threat intelligence is critical to their incident response processes, yet a majority (62%) say that threat intelligence is time-consuming, largely due to poor integration into their other security tools. Cortex XSOAR can help, featuring integrated threat intel management and realizing a natural marriage between threat intelligence and SOAR that Gartner predicted back in 2017.

The study confirms that security leaders need to simplify and automate operations, aiming for the north star of an autonomous SOC to protect the modern enterprise. We are excited to help facilitate that journey.

Subscribe to our blog to get notified when "The State of SOAR, 2020" report is released in September.
