Post on 06-Jul-2020
Now Tech: Security Automation And Orchestration (SAO), Q3 2018
Forrester’s Overview Of 17 SAO Providers
by Joseph Blankenship
July 5, 2018
Key Takeaways
Improve SOC Efficiency With Security Automation And Orchestration
SAO tools orchestrate processes and automate many of the mundane tasks performed by security operations center (SOC) analysts, saving time and improving productivity.
Select Vendors Based On Size And Functionality
The SAO market is crowded with new vendors and larger vendors adding capabilities. Some consolidation has occurred, with further consolidation a certainty. Expect volatility with smaller vendors, and choose a vendor that best fits your operating model and need for a long-term partner.
Make SAO Part Of Your SOC Strategy
Digital enterprises move quickly, and the threat environment continues to evolve, making it impossible for manual security processes to keep pace. Embracing automation and orchestration helps security catch up to their IT counterparts.
Why Read This Report
You can use security automation and orchestration (SAO) to increase analyst capacity, shorten incident response times, and integrate disparate security technologies. But to access these benefits, you’ll first have to select from a diverse set of vendors — vendors that vary by size, functionality, geography, and vertical market focus. S&R professionals should use Forrester’s Now Tech report to understand the value they can expect from a security automation and orchestration provider and select vendors based on size and functionality.
© 2018 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Unauthorized copying or distributing is a violation of copyright law. Citations@forrester.com or +1 866-367-7378
Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA+1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com
Table Of Contents
Improve SOC Efficiency With Security Automation And Orchestration
Select Vendors Based On Size And Functionality
Align Individual Vendor Solutions To Your Organizational Needs
Recommendations
Make SAO Part Of Your SOC Strategy
Supplemental Material
Related Research Documents
Breakout Vendors: Security Automation And Orchestration (SAO)
Reduce Risk And Improve Security Through Infrastructure Automation
Rules Of Engagement: A Call To Action To Automate Breach Response
FOR SECURITY & RISK PROFESSIONALS
Now Tech: Security Automation And Orchestration (SAO), Q3 2018
Forrester’s Overview Of 17 SAO Providers
by Joseph Blankenship with Stephanie Balaouras, Bill Barringham, and Peggy Dostie
July 5, 2018
Improve SOC Efficiency With Security Automation And Orchestration
Alert fatigue, lack of formal processes, and manual activities plague security teams, and these problems are compounded by a cybersecurity skills shortage (it’s estimated that up to 1.8 million cybersecurity jobs will go unfilled by 2022).1 As a result, security teams are slow to detect and respond to security events — the median time to discover a breach in 2017 was 101 days — leaving systems vulnerable and giving attackers time to carry out a breach.2 To get ahead of attackers, enterprises must orchestrate security processes and automate mundane security tasks. In a Forrester survey, 68% of global security technology decision makers at enterprises said that using automation and orchestration tools to improve security operations is a high or critical priority.3
Forrester defines security automation and orchestration (SAO) as:
Technology products that provide automated, coordinated, and policy-based action of security processes across multiple technologies, making security operations faster, less error-prone, and more efficient.
Since SAO tools first appeared, established vendors have added capabilities to their portfolios, and numerous startups have emerged.4 S&R pros were initially reluctant to embrace automation, due to the need for human analysis, but have begun adoption in earnest because SAO tools:
› Increase analyst capacity. Much of the work junior analysts do is repetitive and labor intensive. Automating tasks like context gathering and lookups lets them handle more events. SAO tools can also provide guidance that enables them to address events they may have otherwise escalated to more senior staff and, because they are less focused on security minutiae, frees them to do more proactive work like threat hunting.
› Shorten incident response times. Automation allows for faster response by quickly providing analysts with needed information for decisions and through automated remediation. Most current SAO deployments focus on alert triage and context gathering, but S&R pros will enable automated response as they gain confidence with the tools.
› Integrate disparate security technologies. Enterprise environments include myriad individual security technologies. Each technology is likely delivered by a different vendor, meaning that they don’t talk to each other or share common management interfaces. SAO tools act as an orchestration layer, using APIs to integrate diverse technologies.
Select Vendors Based On Size And Functionality
We segmented the vendors in this market into three categories, based on revenue: large established players (more than $20 million in SAO revenue), midsize players ($10 million to $20 million in SAO revenue), and smaller players (less than $10 million in SAO revenue) (see Figure 1). We did not include vendors that we estimated to have less than $5 million in revenue.
FIGURE 1 Security Automation And Orchestration (SAO), Q3 2018
>$20M SAO annual product revenue: IBM* (Resilient)
$10M to $20M SAO annual product revenue: CyberSponse, Demisto, FireEye*, Nokia, Phantom, Proofpoint, Rapid7*, ServiceNow*
<$10M SAO annual product revenue: Ayehu*, Cyberbit, Exabeam, Resolve Systems*, Siemplify, Swimlane, Syncurity, ThreatConnect
*Forrester estimate.
Forrester spoke with our expert analysts and interviewed external subject matter experts in our search for the most important SAO technologies. We identified the following segments, each with varying capabilities (see Figures 2 and 3):
› IT solution providers bridge the gap between security and operations. IT operations and security often operate in silos with minimal interaction. For SAO, incident response, and automated remediation to be effective, security and IT operations must work together effectively. IT solution providers address this by bringing their operations expertise to security teams.
› SAO pure plays provide solution independence. These vendors work across the security ecosystem without tying customers to any one vendor or platform. Security leaders who are concerned about vendor lock-in may see pure plays as a means to avoid being overly entangled with any single vendor. Over time, however, most of the pure plays will be acquired and subsumed by larger vendors.5
› Security analytics providers deliver SAO as an extension of their platforms. Many of the alerts acted upon in the SOC are generated by security analytics tools, and these tools are often the primary console for security analysts. SAO tools help to prioritize and provide additional context for these alerts, making the security analytics tools more effective and reducing the burden on SOC teams.
› Security portfolio vendors offer SAO as part of their broad offerings. Building on their security expertise in other areas, these vendors seek to help security teams operationalize security and use threat intelligence more effectively. SAO gives these providers an opportunity to build strong integrations between their products and work across the security ecosystem.
FIGURE 2 Now Tech Functionality Segments: Security Automation And Orchestration (SAO), Q3 2018, Part 1
(Heat map rating each capability below as high, moderate, or low segment functionality for two segments, IT solution providers and SAO pure plays; the per-cell ratings did not survive extraction.)
Capabilities rated: Alert triage; Case management; Context building; Enterprisewide orchestration; Extensibility; Flexible deployment; Guided investigation; Investigative tools; Machine learning/AI; Playbook builder/customization; Prepackaged playbooks; Reporting and dashboards; Security analytics platform integration; Security technology integrations; Threat intelligence integration
FIGURE 3 Now Tech Functionality Segments: Security Automation And Orchestration (SAO), Q3 2018, Part 2
(Heat map rating each capability below as high, moderate, or low segment functionality for two segments, security analytics providers and security portfolio vendors; the per-cell ratings did not survive extraction.)
Capabilities rated: Alert triage; Case management; Context building; Enterprisewide orchestration; Extensibility; Flexible deployment; Guided investigation; Investigative tools; Machine learning/AI; Playbook builder/customization; Prepackaged playbooks; Reporting and dashboards; Security analytics platform integration; Security technology integrations; Threat intelligence integration
Align Individual Vendor Solutions To Your Organizational Needs
The following tables provide an overview of vendors with details on functionality category, geography, and vertical market focus (see Figures 4, 5, and 6).
FIGURE 4 Now Tech Large Vendors: Security Automation And Orchestration (SAO), Q3 2018 (>$20M SAO annual product revenue)
Vendor | Primary functionality segment | Geographic presence (by revenue %) | Vertical market focus (top three by revenue %) | Market entry
IBM | Security analytics provider | NA: 55%; EMEA: 30%; AP: 10%; LATAM: 5%* | Banking/finance, government, technology | 2011
* The vendor did not provide information for this cell; this is Forrester’s estimate.
FIGURE 5 Now Tech Midsize Vendors: Security Automation And Orchestration (SAO), Q3 2018 ($10M to $20M SAO annual product revenue)
Vendor | Primary functionality segment | Geographic presence (by revenue %) | Vertical market focus (top three by revenue %) | Market entry
CyberSponse | SAO pure play | NA: 90%; EMEA: 5%; AP: 5% | Financial services, government, healthcare | 2011
Demisto | SAO pure play | NA: 80%; EMEA: 18%; AP: 2% | Technology and IT, finance, energy | 2015
FireEye | Security portfolio vendor | NA: 60%; EMEA: 27%; AP: 11%; LATAM: 4%* | Financial services, government, healthcare | 2014
Nokia | Security portfolio vendor | NA: 25%; EMEA: 35%; AP: 25%; LATAM: 15% | Critical infrastructure, telecoms, high-tech* | 2017
Phantom | SAO pure play | NA: 90%; EMEA: 5%; AP: 5% | Financial services, technology, manufacturing | 2014
Proofpoint | Security portfolio vendor | NA: 80%; EMEA: 15%; AP: 5%* | Financial services, healthcare, business services | 2013
Rapid7 | Security portfolio vendor | NA: 70%; EMEA: 20%; AP: 10%* | Technology, healthcare, and financial services | 2016
ServiceNow | IT solution provider | NA: 64%; EMEA: 28%; AP: 8%* | Financial services, healthcare, technology | 2015
* The vendor did not provide information for this cell; this is Forrester’s estimate.
FIGURE 6 Now Tech Small Vendors: Security Automation And Orchestration (SAO), Q3 2018 (<$10M SAO annual product revenue)
Vendor | Primary functionality segment | Geographic presence (by revenue %) | Vertical market focus (top three by revenue %) | Market entry
Ayehu | SAO pure play | NA: 60%; EMEA: 30%; AP: 2%; LATAM: 8% | Healthcare, financial services, retail | 2010
Cyberbit | Security portfolio vendor | NA: 31%; EMEA: 38%; AP: 25%; LATAM: 6% | MSSPs, financial services, government | 2015
Exabeam | Security analytics provider | NA: 70%; EMEA: 20%; APAC: 9%; LATAM: 1% | Financial services, healthcare, energy/utilities | 2017
Resolve Systems | IT solution provider | NA: 60%; EMEA: 30%; AP: 10% | Communications service providers, financial services, MSP/MSSPs | 2016
Siemplify | SAO pure play | NA: 80%; EMEA: 10%; AP: 10% | MSSPs, financial services, other | 2015
Swimlane | SAO pure play | NA: 75%; EMEA: 14%; AP: 11% | Financial services, energy & utilities, federal government | 2014
Syncurity | SAO pure play | NA: 90%; EMEA: 10%* | Healthcare, technology, financial services | 2014
ThreatConnect | Security portfolio vendor | NA: 87%; EMEA: 11%; AP: 2% | Financial services, technology, energy/utilities | 2017
* The vendor did not provide information for this cell; this is Forrester’s estimate.
Recommendations
Make SAO Part Of Your SOC Strategy
Security teams are playing catch-up with their IT brethren, who have long embraced automation and commonly use orchestration tools.6 As enterprises have invested in digital transformation projects and have moved large portions of their IT operations to the cloud, security has continued to do things the old-fashioned way — by throwing people at the problem. To catch up with threats and the velocity of change, security teams must embrace automation.7 As you consider how SAO can enhance your security program:
› Assess your readiness for SAO. The old adage “garbage in, garbage out” applies doubly to SAO. Many security teams lack defined workflows and SOC processes. Automating poor processes will only help you make bad decisions faster. Before implementing SAO, assess the maturity of your processes, document them, and standardize them across the SOC.
› View SAO as a workforce enhancement, not replacement. Some vendor marketing has suggested that their solutions will “automate away tier 1 analysts.” This is unfortunate and sends the wrong message. Focus on how SAO will enhance your analysts and improve operations. SAO is a tool, not a miracle salve.
› Understand that SAO requires focus and effort. Like any technology investment, you will only get out of SAO what you put into it. You will need to assign resources to manage the SAO effort, develop playbooks, and keep the solution updated. Don’t regard this as a set-and-forget project, as your operations will continue to evolve.
› Choose a vendor that supports your current security investments. An SAO tool is useless if it doesn’t work with your current technology stack. Before purchasing, ask the vendor for a proof of concept to ensure that the solution works with your infrastructure.
› Start small and gain experience. Avoid the temptation to create a thousand playbooks and turn them all on, as this will quickly overwhelm the security team and make it difficult to determine what’s working. Find simple use cases that involve a high degree of manual effort. Phishing investigation is a typical first use case that provides significant resource savings and the opportunity to learn and trust the product.
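The benefits described earlier (automated context gathering and lookups, faster response, and an orchestration layer that talks to each tool through its API) and the advice above to start with a high-effort use case such as phishing investigation can be made concrete with a small playbook runner. The Python below is an added illustration written for this page, not code from the report or from any vendor it covers: the threat-intelligence, sandbox and asset-inventory lookups are constructed in-memory tables standing in for real integrations, and the action names, scoring thresholds and the AUTO_APPROVED set are assumptions chosen for the example. What it shows is the approval gate that lets a team adopt automation gradually: enrichment and triage run unattended, low-risk containment actions execute on their own, and a disruptive action such as host isolation queues for an analyst until the team has enough confidence to widen the pre-approved set.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample data standing in for real threat-intelligence, sandbox and
# asset-inventory APIs (hypothetical values, not from any vendor or the report).
TI_REPUTATION = {"login-verify.example.net": "malicious", "docs.example.org": "clean"}
SANDBOX_VERDICTS = {"sha256-placeholder-0001": "malware"}
ASSET_INVENTORY = {"alice": {"host": "WS-0142", "vip": False},
                   "ceo": {"host": "WS-0001", "vip": True}}

# Response actions the team has gained enough confidence in to run without a
# human in the loop. Widening this set is how automated response is phased in.
AUTO_APPROVED = {"quarantine_message", "block_sender_domain"}


@dataclass
class Alert:
    id: str
    reporter: str                  # user who reported the suspicious mail
    sender_domain: str
    urls: List[str]
    attachment_sha256: Optional[str] = None


@dataclass
class Case:
    alert: Alert
    context: Dict[str, object] = field(default_factory=dict)
    score: int = 0
    executed: List[str] = field(default_factory=list)          # ran automatically
    pending_approval: List[str] = field(default_factory=list)  # waiting on an analyst
    audit: List[str] = field(default_factory=list)             # steps run, in order


def request_action(case: Case, action: str, target: str) -> None:
    """Approval gate: pre-approved actions execute, everything else queues."""
    entry = f"{action}:{target}"
    if action in AUTO_APPROVED:
        case.executed.append(entry)
    else:
        case.pending_approval.append(entry)


# --- playbook steps: gather context, decide, then respond -------------------
def enrich_urls(case: Case) -> None:
    verdicts = {}
    for url in case.alert.urls:
        domain = url.split("/")[2]        # scheme://host/path -> host
        verdicts[url] = TI_REPUTATION.get(domain, "unknown")
    case.context["url_verdicts"] = verdicts
    case.score += 50 * sum(v == "malicious" for v in verdicts.values())


def enrich_attachment(case: Case) -> None:
    sha = case.alert.attachment_sha256
    verdict = SANDBOX_VERDICTS.get(sha, "unknown") if sha else "none"
    case.context["attachment_verdict"] = verdict
    if verdict == "malware":
        case.score += 50


def build_user_context(case: Case) -> None:
    user = ASSET_INVENTORY.get(case.alert.reporter, {"host": "unknown", "vip": False})
    case.context["user"] = user
    if user["vip"]:
        case.score += 10              # VIP targeting raises priority, not the verdict


def decide(case: Case) -> None:
    case.context["disposition"] = "phishing" if case.score >= 50 else "needs_analyst"


def respond(case: Case) -> None:
    if case.context["disposition"] != "phishing":
        return                        # ambiguous cases stay with the analyst
    request_action(case, "quarantine_message", case.alert.id)
    request_action(case, "block_sender_domain", case.alert.sender_domain)
    if case.context["attachment_verdict"] == "malware":
        # Host isolation is disruptive, so it is not in AUTO_APPROVED and queues.
        request_action(case, "isolate_host", case.context["user"]["host"])


PHISHING_PLAYBOOK: List[Callable[[Case], None]] = [
    enrich_urls, enrich_attachment, build_user_context, decide, respond]


def run_playbook(alert: Alert, steps=PHISHING_PLAYBOOK) -> Case:
    """Run each step in order and keep an audit trail for case management."""
    case = Case(alert=alert)
    for step in steps:
        step(case)
        case.audit.append(step.__name__)
    return case


if __name__ == "__main__":
    sample = Alert("A-1001", "alice", "login-verify.example.net",
                   ["https://login-verify.example.net/reset"], "sha256-placeholder-0001")
    c = run_playbook(sample)
    print(c.context["disposition"], c.score, c.executed, c.pending_approval)
```

Run directly, the file prints the disposition, score, executed actions and the one queued approval for the constructed sample alert. The audit list records every step a case passed through, which is the data a playbook runner would hand to case management and reporting; keeping the gate in one function (request_action) rather than scattered across steps is what makes the "start small, widen later" progression safe to review.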
Supplemental Material
Market Presence Methodology
We defined market presence in Figure 1 based on factors such as survey data provided by vendors, advisory information, client engagements, publicly available data, and comparisons to peer organizations.
To complete our review, Forrester requested information from vendors. If vendors did not share this information with us, we made estimates based on available secondary information. We’ve marked companies with an asterisk if we estimated revenues or information related to geography or industries. Forrester fact-checked this report with vendors before publishing.
Survey Methodology
The Forrester Analytics Global Business Technographics® Security Survey, 2017 was fielded between May and June 2017. This online survey included 3,752 respondents in Australia, Brazil, Canada, China, France, Germany, India, New Zealand, the UK, and the US from companies with two or more employees.
Forrester Analytics Business Technographics ensures that the final survey population contains only those with significant involvement in the planning, funding, and purchasing of business and technology products and services. ResearchNow fielded this survey on behalf of Forrester. Survey respondent incentives include points redeemable for gift certificates.
Please note that the brand questions included in this survey should not be used to measure market share. The purpose of Forrester Analytics Business Technographics brand questions is to show usage of a brand by a specific target audience at one point in time.
Companies Interviewed For This Report
We would like to thank the individuals from the following companies who generously gave their time during the research for this report.
Ayehu
Cyberbit
CyberSponse
Demisto
Exabeam
FireEye
IBM
Nokia
Phantom
Proofpoint
Rapid7
Resolve Systems
ServiceNow
Siemplify
Swimlane
Syncurity
ThreatConnect
Endnotes
1 Source: “Cybersecurity Workforce Shortage Projected At 1.8 Million By 2022,” (ISC)² Blog, February 15, 2017 (http://blog.isc2.org/isc2_blog/2017/02/cybersecurity-workforce-gap.html).
2 See the Forrester report “Rules Of Engagement: A Call To Action To Automate Breach Response.” Source: “M-Trends 2018,” FireEye (https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html).
3 We asked 1,169 global security technology decision makers at enterprises (firms with 1,000 or more employees) what priority their firm will put on using automation and orchestration tools to improve security operations. Sixty-eight percent indicated it was a high or critical priority; 22% that it was a moderate priority; and 7% that it was a low priority or not on their agenda. Source: Forrester Analytics Global Business Technographics Security Survey, 2017.
4 See the Forrester report “Brief: FireEye Is Evolving Into An Enterprise Security Vendor” and see the Forrester report “Breakout Vendors: Security Automation And Orchestration (SAO).”
5 Phantom Cyber, formerly an SAO pure play, was acquired by security analytics platform provider, Splunk, in early 2018. See the Forrester report “The Forrester Wave™: Security Analytics Platforms, Q1 2017.” Source: Cat Zakrzewski, “Phantom Cyber Fetches $350 Million in Acquisition by Splunk,” The Wall Street Journal, Feb. 27, 2018 (https://www.wsj.com/articles/phantom-cyber-fetches-350-million-in-acquisition-by-splunk-1519776987).
6 See the Forrester report “The CIO’s Guide To Automation, AI, And Robotics.”
7 See the Forrester report “Reduce Risk And Improve Security Through Infrastructure Automation.”