Thoughts on SOAR Frameworks, Tools and Systems 2020

In the emerging market of SOAR tools - SOAR stands for Security Orchestration, Automation and Response - many frameworks, acquisitions of promising start-ups and interesting open source tooling are appearing.

I am also curious - personally and professionally - about the current market situation. So consider the following lines a kind of personal note taking, hopefully also useful for you.

The following listing does not express any specific preference.

Demisto aka. Palo Alto XSOAR

Homepage: https://www.demisto.com/
Source (Community Edition): https://github.com/demisto

In the end of 2019 Demisto was acquired by Palo Alto Networks. I think Demisto (now XSOAR) is one of the most interesting SOAR tools. It looks well-engineered, with a broad range of integrations and workflows. Undoubtedly the free Community Edition helped the ecosystem grow. Hopefully the Community Edition will remain with us despite the change in ownership.

It is also interesting to observe what happened to MineMeld. In the past MineMeld - an open source threat intelligence sharing platform, also by Palo Alto - was part of AutoFocus. Very helpful if you want to integrate (threat) feeds into your firewall ruleset. This integration was recently discontinued (by mid 2021), obviously to push XSOAR.

Phantom aka. Splunk Phantom

Homepage: https://www.splunk.com/en_us/software/splunk-security-orchestration-and-automation.html
Source: n/a - closed source

Like Demisto, Phantom was also acquired by one of the big security players - Splunk. I can only recount some hands-on experience from a live session.

For me Phantom is - like Demisto - a very extensive system. There is a big library of integrations and workflows, with the ability to write your own (in Python). What I personally don't like is the WYSIWYG workflow editor, which generates Python code. I think most of us have had our own experiences with generated code. I prefer to do it one way or the other.

I also have the feeling that the integration with Splunk is not as smooth as it should be. Also, I don't know of any existing customer in Europe who is using Phantom yet.

TheHive

Homepage: https://thehive-project.org/
Source: https://github.com/TheHive-Project

TheHive is one of the biggest open source SOAR projects at the moment. The upcoming version 4.0, with some fundamental changes, also looks interesting.

In my opinion the dependency on Elasticsearch is not always obvious. Cortex - the workflow engine of TheHive - for example also requires an Elasticsearch instance.

TheHive also enables security teams to manage incidents. In most enterprises this could lead to double effort if the security teams have to handle another "data lake" for tickets. Personally I would love to see a bigger focus on SOAR capabilities.

Shuffle

Homepage: https://www.shuffler.io
Source: https://github.com/frikky/Shuffle

Shuffle is one of the promising-looking open source projects that has just recently started. With a small footprint, it only does what a SOAR tool has to do: automate tasks.

I personally keep watching Shuffle closely. I like the unbloated approach and how easy it is to add additional workflows and apps.

To get started I recommend the following Medium articles:
https://medium.com/security-operation-capybara/introducing-shuffle-an-open-source-soar-platform-part-1-58a529de7d12
https://medium.com/security-operation-capybara/getting-started-with-shuffle-an-open-source-soar-platform-part-2-1d7c67a64244

The homepage does not seem to work at the moment.

Other

I have not yet been able to review the following frameworks / tools, but they might also do the trick for automating security incident response:

StackStorm

Homepage: https://stackstorm.com/

PatrOwl

Homepage: https://www.patrowl.io/home
Source: https://github.com/Patrowl

TL;DR

I have the impression that the SOAR market is moving very fast. Nevertheless, I believe that automation will not pass IT security departments by.

It remains exciting to observe the current developments.