Are SOAR and PTaaS over? A review of Gartner's 2024 SecOps forecast

What awaits us?

Gartner's analysts have published a fairly detailed SecOps forecast for this year (the Hype Cycle for Security Operations), in which solutions are placed into categories by timing and expectations: innovation trigger, peak of inflated expectations, trough of disillusionment, slope of enlightenment and plateau of productivity. This method is used to judge how mature a solution is, both in terms of expectations and in terms of practical use in production with measurable results. Each tool and technology is expected to pass through the whole cycle and, ideally, reach the plateau of productivity. The legend assigns every tool or approach a predicted time until it becomes a productive solution.

image

Key findings that follow from the forecast:

1. Start studying and taking the first steps towards an architectural approach called Cybersecurity Mesh Architecture, which assumes that security systems will be decentralized and modular and will dynamically adapt to policy changes.

This recommendation is entirely reasonable. Infrastructure long ago outgrew a single network segment of the organization: API services, cloud compute and storage, mobile and remote devices. The infrastructure itself keeps getting more complex, and the diversity of tools demands automation and orchestration at the right levels and depth of the network.

2. Pentest specialists may be left without work, because Penetration Testing as a Service (PTaaS) is becoming increasingly automated. An LLM agent completes tasks in far less time than a person, and the cost of running a test is proportionate to the tasks at hand.

Yes and no. Physical and wireless pentesting are not affected here; the need for those specialists will remain unchanged. Testing of infrastructure, services and applications, however, is indeed gradually being automated with AI. To be more objective about how deep the automation has gone, let's look at recent reports on the effectiveness of AI-based PTaaS solutions.

Recent studies claim that multi-agent LLM systems have learned to find common vulnerabilities in real-world conditions. At the same time, the researchers note that the agents currently do a poor job of detecting zero-day vulnerabilities.

image

The growth of automation and the success of PTaaS are noticeable, and Junior and Middle positions may soon be filled by AI agents. For Senior-level specialists the picture is the opposite: their work will be hard to replace at the current stage.

3. When designing a security system, pay attention to solutions on the “slope of enlightenment” that have recently changed significantly and demonstrated effectiveness in solving key problems.

MDR has become useful for small and medium-sized businesses that are mature in security, because it costs less than building internal processes that require people, resources and technology. This has moved the partially outsourced analytics-and-response model towards the “plateau of productivity”.

TIPS (threat intelligence products and services) has long been the benchmark of a mature company that can afford to organize internal processes for proactive response to security events and incidents. After all, in APT attacks adversaries target specific weak points of a given industry and leave quite characteristic “traces”. By adding custom rules, attacks that are not covered by the vendors' expertise packs can be stopped by the security system.

4. Test the presented solutions in real infrastructure to assess their actual effectiveness, ignoring loud headlines.

Running a pilot is already established practice: before buying a tool, it is worth testing it in the infrastructure and assessing what resources of the company itself, or of outsourced specialists, will be required. It often turns out that a solution is effective only when there are enough qualified staff to manage and operate the product.

5. Evaluate AI-powered cybersecurity assistants to improve operational efficiency and extend the team's skills.

It is no secret that LLMs such as GPT are already being tightly integrated into many cybersecurity products. They are used mainly in two strategies, proactive and reactive. The first detects and responds to an intruder's actions; the second helps the analyst interpret activity already found by familiar tools, for a faster response. One such product is LLM as a Service from Serverspace.

image

6. SOAR as a separate product has been declared obsolete by Gartner; its functions remain important but will be absorbed by other security systems.

This is fair, given that SOAR mainly interests more mature companies. They already have security systems (ISS) for which automation scenarios can be written, and staff who have the time and competence to support and configure the tool. Gartner's statistics on acquisitions and mergers of security systems look as follows.

image

And what is the reality? Beyond the forecasts, vendors are actually starting to integrate and ship bundled solutions together with a SIEM. For example, Security Vision already offers a SIEM + SOAR bundle under its new NG SOAR shell.

image

The vendor states that this bundle reduces costs and removes the usual blocker, where SOAR cannot be deployed because the organization lacks the security systems it would orchestrate.

An innovative solution that may be worth a look after a pilot is PT O2: a kind of SOAR with AI on board that runs the necessary scenarios when it detects actions violating policy, automating not only response but also detection. Conceptually it looks like this.

image

It is hard to say how mature the product is right now; most likely it is still in development and testing. Still, it can be taken on as a pilot out of interest.

To sum up, we can single out the main components of a SOAR solution, one of which is the monitoring and response tooling. Buying each of these separately at the initial stage is quite expensive.

image

Companies that are only approaching the maturity stage are more likely to buy a SIEM with SOAR functionality. Larger players will look at NG SOAR or AI + SOAR options, which points to a high probability of SOAR merging with other products.
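To make concrete what "automation scenarios written on top of existing security tools" means in the SOAR discussion above, here is an added example in Python; it is not code from the article, from Gartner, or from any of the vendors mentioned (Security Vision, Positive Technologies, Serverspace). A minimal playbook takes a SIEM alert, enriches it against a threat-intelligence feed, scores it, and chooses response actions, with guardrails against blocking internal addresses or locking out protected accounts. The alerts, the TI feed, the network ranges and the account list are all constructed for the example, and actions are returned as tuples rather than executed against real systems.

```python
"""Minimal SOAR-style playbook: ingest -> enrich -> score -> decide.

Added example; all alerts, indicators and actions below are constructed
and nothing here talks to a real SIEM, firewall or IdP.
"""
from dataclasses import dataclass, field
import ipaddress

# Constructed threat-intel feed: indicator -> (confidence 0..100, tag).
TI_FEED = {
    "203.0.113.45": (95, "c2-server"),
    "198.51.100.7": (40, "scanner"),
}

# Constructed address ranges that the playbook must never block.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed list of accounts that need human approval before disabling
# (service accounts, break-glass admins) to avoid self-inflicted outages.
PROTECTED_ACCOUNTS = {"svc-backup", "breakglass-admin"}


@dataclass
class Alert:
    id: str
    rule: str          # name of the SIEM correlation rule that fired
    src_ip: str
    dst_ip: str
    user: str
    severity: str      # "low" | "medium" | "high"


@dataclass
class Verdict:
    alert_id: str
    score: int
    actions: list = field(default_factory=list)   # (action, target) tuples
    notes: list = field(default_factory=list)     # audit trail for the analyst


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def enrich(alert: Alert) -> dict:
    """Enrichment: look up only external addresses in the TI feed."""
    hits = {}
    for ip in (alert.src_ip, alert.dst_ip):
        if not is_internal(ip) and ip in TI_FEED:
            hits[ip] = TI_FEED[ip]
    return hits


def score(alert: Alert, hits: dict) -> int:
    """Risk = SIEM severity baseline + half of the best TI confidence, capped at 100."""
    base = {"low": 10, "medium": 40, "high": 70}[alert.severity]
    ti = max((conf for conf, _ in hits.values()), default=0)
    return min(100, base + ti // 2)


def decide(alert: Alert, hits: dict, risk: int) -> Verdict:
    """Decision step: map the risk score to response actions with guardrails."""
    verdict = Verdict(alert.id, risk)
    for ip, (conf, tag) in hits.items():
        verdict.notes.append(f"{ip} in TI feed: {tag} (confidence {conf})")
    if risk >= 80:
        # Containment: block only the external indicators that matched.
        for ip in hits:
            verdict.actions.append(("firewall_block", ip))
        if alert.user in PROTECTED_ACCOUNTS:
            verdict.notes.append(f"{alert.user} is protected; manual approval needed to disable")
            verdict.actions.append(("notify_analyst", alert.id))
        else:
            verdict.actions.append(("disable_user", alert.user))
        verdict.actions.append(("create_ticket", "P1"))
    elif risk >= 50:
        verdict.actions.append(("create_ticket", "P2"))
        verdict.actions.append(("notify_analyst", alert.id))
    else:
        verdict.actions.append(("close_as_informational", alert.id))
    return verdict


def run_playbook(alert: Alert) -> Verdict:
    hits = enrich(alert)
    return decide(alert, hits, score(alert, hits))


if __name__ == "__main__":
    # Constructed alerts as a SIEM might emit them.
    for a in (
        Alert("A-1", "egress-to-rare-host", "10.0.0.5", "203.0.113.45", "alice", "high"),
        Alert("A-2", "port-scan", "198.51.100.7", "10.0.0.8", "-", "medium"),
        Alert("A-3", "failed-login", "10.0.0.5", "192.168.1.1", "bob", "low"),
        Alert("A-4", "egress-to-rare-host", "10.0.0.9", "203.0.113.45", "svc-backup", "high"),
    ):
        print(run_playbook(a))
```

The point of the guardrails is the caveat from the article: a playbook is only as safe as the people who wrote and maintain it, so every automatic containment action should have an explicit list of things it is not allowed to touch, and anything outside that list should fall back to a human.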

Retrospective and opinions

However, not all industry representatives share Gartner's view of current SecOps solutions.

image

Alexey Lukatsky, by contrast, takes the opposite position and argues that Gartner's analysis is entirely reasonable.

image

A retrospective is also an important indicator in maturity models: it shows how much the analysts' views of previous years differ from the current forecast.

image

The 2023 maturity model lines up well with the current data, and many SecOps solutions have naturally taken their positions; “Exposure Assessment Platforms”, however, for some reason moved from the plateau back to the leftmost category. Some of the listed technologies have been absorbed or integrated into others. XDR's time-to-plateau estimate shortened noticeably, from 5-10 years to 2-5 years.

Overall, Gartner's forecast can be called objective and adequate for the current moment. It provides a priority matrix of SecOps solutions that helps evaluate what is needed for short-term and long-term planning, and it describes in sufficient detail why each solution in the maturity model developed as it did and how complex it is.

The article is supported by the Serverspace team.

Serverspace is a cloud services provider that rents out virtual servers with Linux and Windows in 8 data centers: Russia, Belarus, Kazakhstan, the Netherlands, Turkey, the USA, Canada and Brazil. To build an IT infrastructure, the provider also offers networks, gateways, backups, CDN services, DNS and S3 object storage.

IT infrastructure | Double the first payment with promo code HABR
