Now Tech: Security Automation And Orchestration (SAO), Q3 2018
Forrester’s Overview Of 17 SAO Providers

by Joseph Blankenship
July 5, 2018

NOT LICENSED FOR DISTRIBUTION

forrester.com

Key Takeaways

Improve SOC Efficiency With Security Automation And Orchestration
SAO tools orchestrate processes and automate many of the mundane tasks performed by security operations center (SOC) analysts, saving time and improving productivity.

Select Vendors Based On Size And Functionality
The SAO market is crowded with new vendors and larger vendors adding capabilities. Some consolidation has occurred, with further consolidation a certainty. Expect volatility with smaller vendors, and choose a vendor that best fits your operating model and need for a long-term partner.

Make SAO Part Of Your SOC Strategy
Digital enterprises move quickly, and the threat environment continues to evolve, making it impossible for manual security processes to keep pace. Embracing automation and orchestration helps security catch up to their IT counterparts.

Why Read This Report
You can use security automation and orchestration (SAO) to increase analyst capacity, shorten incident response times, and integrate disparate security technologies. But to access these benefits, you’ll first have to select from a diverse set of vendors — vendors that vary by size, functionality, geography, and vertical market focus. S&R professionals should use Forrester’s Now Tech report to understand the value they can expect from a security automation and orchestration provider and select vendors based on size and functionality.


© 2018 Forrester Research, Inc. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Unauthorized copying or distributing is a violation of copyright law. [email protected] or +1 866-367-7378

Forrester Research, Inc., 60 Acorn Park Drive, Cambridge, MA 02140 USA+1 617-613-6000 | Fax: +1 617-613-5000 | forrester.com

Table Of Contents

Improve SOC Efficiency With Security Automation And Orchestration

Select Vendors Based On Size And Functionality

Align Individual Vendor Solutions To Your Organizational Needs

Recommendations

Make SAO Part Of Your SOC Strategy

Supplemental Material

Related Research Documents

Breakout Vendors: Security Automation And Orchestration (SAO)

Reduce Risk And Improve Security Through Infrastructure Automation

Rules Of Engagement: A Call To Action To Automate Breach Response

FOR SECURITY & RISK PROFESSIONALS

Now Tech: Security Automation And Orchestration (SAO), Q3 2018
Forrester’s Overview Of 17 SAO Providers

by Joseph Blankenship
with Stephanie Balaouras, Bill Barringham, and Peggy Dostie

July 5, 2018


Improve SOC Efficiency With Security Automation And Orchestration

Alert fatigue, lack of formal processes, and manual activities plague security teams, and these problems are compounded by a cybersecurity skills shortage (it’s estimated that up to 1.8 million cybersecurity jobs will go unfilled by 2022).1 As a result, security teams are slow to detect and respond to security events — the median time to discover a breach in 2017 was 101 days — leaving systems vulnerable and giving attackers time to carry out a breach.2 To get ahead of attackers, enterprises must orchestrate security processes and automate mundane security tasks. In a Forrester survey, 68% of global security technology decision makers at enterprises said that using automation and orchestration tools to improve security operations is a high or critical priority.3

Forrester defines security automation and orchestration (SAO) as:

Technology products that provide automated, coordinated, and policy-based action of security processes across multiple technologies, making security operations faster, less error-prone, and more efficient.

Since SAO tools first appeared, established vendors have added capabilities to their portfolios, and numerous startups have emerged.4 S&R pros were initially reluctant to embrace automation, due to the need for human analysis, but have begun adoption in earnest because SAO tools:

› Increase analyst capacity. Much of the work junior analysts do is repetitive and labor intensive. Automating tasks like context gathering and lookups lets them handle more events. SAO tools can also provide guidance that enables them to address events they might otherwise have escalated to more senior staff; and because they are less focused on security minutiae, they are freed to do more proactive work like threat hunting.

› Shorten incident response times. Automation allows for faster response by quickly providing analysts with needed information for decisions and through automated remediation. Most current SAO deployments focus on alert triage and context gathering, but S&R pros will enable automated response as they gain confidence with the tools.

› Integrate disparate security technologies. Enterprise environments include myriad individual security technologies. Each technology is likely delivered by a different vendor, meaning that they don’t talk to each other or share common management interfaces. SAO tools act as an orchestration layer, using APIs to integrate diverse technologies.

Select Vendors Based On Size And Functionality

We segmented the vendors in this market into three categories, based on revenue: large established players (more than $20 million in SAO revenue), midsize players ($10 million to $20 million in SAO revenue), and smaller players (less than $10 million in SAO revenue) (see Figure 1). We did not include vendors that we estimated to have less than $5 million in revenue.


FIGURE 1 Security Automation And Orchestration (SAO), Q3 2018

Market presence by SAO annual product revenue (*Forrester estimate):

>$20M SAO annual product revenue: IBM* (Resilient)

$10M to $20M SAO annual product revenue: CyberSponse, Demisto, FireEye*, Nokia, Phantom, Proofpoint, Rapid7*, ServiceNow*

<$10M SAO annual product revenue: Ayehu*, Cyberbit, Exabeam, Resolve Systems*, Siemplify, Swimlane, Syncurity, ThreatConnect


Forrester spoke with our expert analysts and interviewed external subject matter experts in our search for the most important SAO technologies. We identified the following segments, each with varying capabilities (see Figures 2 and 3):

› IT solution providers bridge the gap between security and operations. IT operations and security often operate in silos with minimal interaction. For SAO, incident response, and automated remediation to be effective, security and IT operations must work together effectively. IT solution providers address this by bringing their operations expertise to security teams.

› SAO pure plays provide solution independence. These vendors work across the security ecosystem without tying customers to any one vendor or platform. Security leaders who are concerned about vendor lock-in may see pure plays as a means to avoid being overly entangled with any single vendor. Over time, however, most of the pure plays will be acquired and subsumed by larger vendors.5

› Security analytics providers deliver SAO as an extension of their platforms. Many of the alerts acted upon in the SOC are generated by security analytics tools, and these tools are often the primary console for security analysts. SAO tools help to prioritize and provide additional context for these alerts, making the security analytics tools more effective and reducing the burden on SOC teams.

› Security portfolio vendors offer SAO as part of their broad offerings. Building on their security expertise in other areas, these vendors seek to help security teams operationalize security and use threat intelligence more effectively. SAO gives these providers an opportunity to build strong integrations between their products and work across the security ecosystem.


FIGURE 2 Now Tech Functionality Segments: Security Automation And Orchestration (SAO), Q3 2018, Part 1

[Figure: each segment (IT solution providers; SAO pure plays) is rated as high, moderate, or low segment functionality for each capability below. The ratings were graphical and are not recoverable from the text.]

Capabilities rated: Alert triage; Case management; Context building; Enterprisewide orchestration; Extensibility; Flexible deployment; Guided investigation; Investigative tools; Machine learning/AI; Playbook builder/customization; Prepackaged playbooks; Reporting and dashboards; Security analytics platform integration; Security technology integrations; Threat intelligence integration.


FIGURE 3 Now Tech Functionality Segments: Security Automation And Orchestration (SAO), Q3 2018, Part 2

[Figure: each segment (Security analytics providers; Security portfolio vendors) is rated as high, moderate, or low segment functionality for each capability below. The ratings were graphical and are not recoverable from the text.]

Capabilities rated: Alert triage; Case management; Context building; Enterprisewide orchestration; Extensibility; Flexible deployment; Guided investigation; Investigative tools; Machine learning/AI; Playbook builder/customization; Prepackaged playbooks; Reporting and dashboards; Security analytics platform integration; Security technology integrations; Threat intelligence integration.


Align Individual Vendor Solutions To Your Organizational Needs

The following tables provide an overview of vendors with details on functionality category, geography, and vertical market focus (see Figures 4, 5, and 6).

FIGURE 4 Now Tech Large Vendors: Security Automation And Orchestration (SAO), Q3 2018

>$20M SAO annual product revenue

Vendor | Primary functionality segments | Geographic presence (by revenue %) | Vertical market focus (top three by revenue %) | Market entry
IBM (Resilient) | Security analytics provider | NA: 55%; EMEA: 30%; AP: 10%; LATAM: 5%* | Banking/finance, government, technology | 2011

* The vendor did not provide information for this cell; this is Forrester’s estimate.


FIGURE 5 Now Tech Midsize Vendors: Security Automation And Orchestration (SAO), Q3 2018

$10M to $20M SAO annual product revenue

Vendor | Primary functionality segments | Geographic presence (by revenue %) | Vertical market focus (top three by revenue %) | Market entry
CyberSponse | SAO pure play | NA: 90%; EMEA: 5%; AP: 5% | Financial services, government, healthcare | 2011
Demisto | SAO pure play | NA: 80%; EMEA: 18%; AP: 2% | Technology and IT, finance, energy | 2015
FireEye | Security portfolio vendor | NA: 60%; EMEA: 27%; AP: 11%; LATAM: 4%* | Financial services, government, healthcare | 2014
Nokia | Security portfolio vendor | NA: 25%; EMEA: 35%; AP: 25%; LATAM: 15% | Critical infrastructure, telecoms, high-tech* | 2017
Phantom | SAO pure play | NA: 90%; EMEA: 5%; AP: 5% | Financial services, technology, manufacturing | 2014
Proofpoint | Security portfolio vendor | NA: 80%; EMEA: 15%; AP: 5%* | Financial services, healthcare, business services | 2013
Rapid7 | Security portfolio vendor | NA: 70%; EMEA: 20%; AP: 10%* | Technology, healthcare, and financial services | 2016
ServiceNow | IT solution provider | NA: 64%; EMEA: 28%; AP: 8%* | Financial services, healthcare, technology | 2015

* The vendor did not provide information for this cell; this is Forrester’s estimate.


FIGURE 6 Now Tech Small Vendors: Security Automation And Orchestration (SAO), Q3 2018

<$10M SAO annual product revenue

Vendor | Primary functionality segments | Geographic presence (by revenue %) | Vertical market focus (top three by revenue %) | Market entry
Ayehu | SAO pure play | NA: 60%; EMEA: 30%; AP: 2%; LATAM: 8% | Healthcare, financial services, retail | 2010
Cyberbit | Security portfolio vendor | NA: 31%; EMEA: 38%; AP: 25%; LATAM: 6% | MSSPs, financial services, government | 2015
Exabeam | Security analytics provider | NA: 70%; EMEA: 20%; APAC: 9%; LATAM: 1% | Financial services, healthcare, energy/utilities | 2017
Resolve Systems | IT solution provider | NA: 60%; EMEA: 30%; AP: 10% | Communications service providers, financial services, MSP/MSSPs | 2016
Siemplify | SAO pure play | NA: 80%; EMEA: 10%; AP: 10% | MSSPs, financial services, other | 2015
Swimlane | SAO pure play | NA: 75%; EMEA: 14%; AP: 11% | Financial services, energy & utilities, federal government | 2014
Syncurity | SAO pure play | NA: 90%; EMEA: 10%* | Healthcare, technology, financial services | 2014
ThreatConnect | Security portfolio vendor | NA: 87%; EMEA: 11%; AP: 2% | Financial services, technology, energy/utilities | 2017

* The vendor did not provide information for this cell; this is Forrester’s estimate.


Recommendations

Make SAO Part Of Your SOC Strategy

Security teams are playing catch-up with their IT brethren, who have long embraced automation and commonly use orchestration tools.6 As enterprises have invested in digital transformation projects and have moved large portions of their IT operations to the cloud, security has continued to do things the old-fashioned way — by throwing people at the problem. To catch up with threats and the velocity of change, security teams must embrace automation.7 As you consider how SAO can enhance your security program:

› Assess your readiness for SAO. The old adage “garbage in, garbage out” applies doubly to SAO. Many security teams lack defined workflows and SOC processes. Automating poor processes will only help you make bad decisions faster. Before implementing SAO, assess the maturity of your processes, document them, and standardize them across the SOC.

› View SAO as a workforce enhancement, not replacement. Some vendor marketing has suggested that their solutions will “automate away tier 1 analysts.” This is unfortunate and sends the wrong message. Focus on how SAO will enhance your analysts and improve operations. SAO is a tool, not a miracle salve.

› Understand that SAO requires focus and effort. Like any technology investment, you will only get out of SAO what you put into it. You will need to assign resources to manage the SAO effort, develop playbooks, and keep the solution updated. Don’t regard this as a set-and-forget project, as your operations will continue to evolve.

› Choose a vendor that supports your current security investments. An SAO tool is useless if it doesn’t work with your current technology stack. Before purchasing, ask the vendor for a proof of concept to ensure that the solution works with your infrastructure.

› Start small and gain experience. Avoid the temptation to create a thousand playbooks and turn them all on, as this will quickly overwhelm the security team and make it difficult to determine what’s working. Find simple use cases that involve a high degree of manual effort. Phishing investigation is a typical first use case that provides significant resource savings and the opportunity to learn and trust the product.
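As an added illustration of the triage-first, approval-gated approach the recommendations above describe (example code written for this page, not Forrester's or any vendor's), the following is a minimal phishing-triage playbook: it gathers context from constructed stand-ins for a threat-intelligence feed and a user directory, applies a policy, auto-contains only on high-confidence intelligence, and keeps the irreversible remediation step behind analyst approval. The alert, intel, and directory data are all constructed, and each step stands in for an API call an SAO tool would make to the corresponding product.

```python
import re
from dataclasses import dataclass, field

# Constructed sample phishing report and stand-in tool data (hypothetical,
# not real indicators). In a real SAO deployment each lookup below would be
# an API call to the threat-intel platform, directory, or email gateway.
SAMPLE_ALERT = {
    "id": "ALERT-0001",
    "sender": "billing@exampl3-pay.test",
    "recipient": "jdoe@corp.test",
    "subject": "Invoice overdue, action required",
    "body": "Review your invoice at http://exampl3-pay.test/login today.",
}
THREAT_INTEL = {"exampl3-pay.test": {"verdict": "malicious", "confidence": 90}}
DIRECTORY = {"jdoe@corp.test": {"department": "finance", "vip": False}}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


@dataclass
class Case:
    """Case record that the playbook enriches step by step."""
    alert: dict
    context: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)
    disposition: str = "open"


def step_extract_indicators(case: Case) -> Case:
    """Context gathering: collect sender domain and URL hosts from the email."""
    domains = set(URL_RE.findall(case.alert["body"]))
    domains.add(case.alert["sender"].rsplit("@", 1)[-1].lower())
    case.context["domains"] = sorted(domains)
    return case


def step_threat_intel(case: Case) -> Case:
    """Lookup of each domain against the (constructed) threat-intel feed."""
    case.context["intel"] = {
        d: THREAT_INTEL[d] for d in case.context["domains"] if d in THREAT_INTEL
    }
    return case


def step_user_context(case: Case) -> Case:
    """Lookup of the recipient in the (constructed) directory for escalation."""
    case.context["recipient"] = DIRECTORY.get(case.alert["recipient"], {})
    return case


def step_policy_decision(case: Case, approve_remediation: bool) -> Case:
    """Policy-based action: contain automatically only on high-confidence
    intel, keep the user-facing block behind analyst approval, and escalate
    anything ambiguous or involving a VIP rather than guessing."""
    intel = case.context["intel"]
    recipient = case.context["recipient"]
    malicious = [h["confidence"] for h in intel.values() if h["verdict"] == "malicious"]
    if recipient.get("vip"):
        case.disposition = "escalated_vip"
    elif malicious and max(malicious) >= 80:
        case.disposition = "confirmed_phish"
        case.actions.append("quarantine_message")  # low risk and reversible
        if approve_remediation:
            case.actions.append("block_sender_domain")  # analyst-approved
        else:
            case.actions.append("request_analyst_approval:block_sender_domain")
    elif intel:
        case.disposition = "escalated_low_confidence"
    else:
        case.disposition = "closed_no_indicators"
    return case


def run_playbook(alert: dict, approve_remediation: bool = False) -> Case:
    """Run the enrichment steps in order, then decide; steps only add context."""
    case = Case(alert=alert)
    for step in (step_extract_indicators, step_threat_intel, step_user_context):
        case = step(case)
    return step_policy_decision(case, approve_remediation)
```

Running `run_playbook(SAMPLE_ALERT)` quarantines the message but only requests approval for the block; passing `approve_remediation=True` models an analyst signing off on that step.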


Supplemental Material

Market Presence Methodology

We defined market presence in Figure 1 based on factors such as survey data provided by vendors, advisory information, client engagements, publicly available data, and comparisons to peer organizations.

To complete our review, Forrester requested information from vendors. If vendors did not share this information with us, we made estimates based on available secondary information. We’ve marked companies with an asterisk if we estimated revenues or information related to geography or industries. Forrester fact-checked this report with vendors before publishing.


Survey Methodology

The Forrester Analytics Global Business Technographics® Security Survey, 2017 was fielded between May and June 2017. This online survey included 3,752 respondents in Australia, Brazil, Canada, China, France, Germany, India, New Zealand, the UK, and the US from companies with two or more employees.

Forrester Analytics Business Technographics ensures that the final survey population contains only those with significant involvement in the planning, funding, and purchasing of business and technology products and services. ResearchNow fielded this survey on behalf of Forrester. Survey respondent incentives include points redeemable for gift certificates.

Please note that the brand questions included in this survey should not be used to measure market share. The purpose of Forrester Analytics Business Technographics brand questions is to show usage of a brand by a specific target audience at one point in time.

Companies Interviewed For This Report

We would like to thank the individuals from the following companies who generously gave their time during the research for this report.

Ayehu

Cyberbit

CyberSponse

Demisto

Exabeam

FireEye

IBM

Nokia

Phantom

Proofpoint

Rapid7

Resolve Systems

ServiceNow

Siemplify

Swimlane

Syncurity

ThreatConnect

Endnotes

1 Source: “Cybersecurity Workforce Shortage Projected At 1.8 Million By 2022,” (ISC)² Blog, February 15, 2017 (http://blog.isc2.org/isc2_blog/2017/02/cybersecurity-workforce-gap.html).

2 See the Forrester report “Rules Of Engagement: A Call To Action To Automate Breach Response.” Source: “M-Trends 2018,” FireEye (https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html).

3 We asked 1,169 global security technology decision makers at enterprises (firms with 1,000 or more employees) what priority their firm will put on using automation and orchestration tools to improve security operations. Sixty-eight percent indicated it was a high or critical priority; 22% that it was a moderate priority; and 7% that it was a low priority or not on their agenda. Source: Forrester Analytics Global Business Technographics Security Survey, 2017.


4 See the Forrester report “Brief: FireEye Is Evolving Into An Enterprise Security Vendor” and see the Forrester report “Breakout Vendors: Security Automation And Orchestration (SAO).”

5 Phantom Cyber, formerly an SAO pure play, was acquired by security analytics platform provider, Splunk, in early 2018. See the Forrester report “The Forrester Wave™: Security Analytics Platforms, Q1 2017.” Source: Cat Zakrzewski, “Phantom Cyber Fetches $350 Million in Acquisition by Splunk,” The Wall Street Journal, Feb. 27, 2018 (https://www.wsj.com/articles/phantom-cyber-fetches-350-million-in-acquisition-by-splunk-1519776987).

6 See the Forrester report “The CIO’s Guide To Automation, AI, And Robotics.”

7 See the Forrester report “Reduce Risk And Improve Security Through Infrastructure Automation.”
