Dec 1, 2021
Paul-Arthur
Jonville
SIEM vs SOAR is a question that people often ask. Is SOAR (Security Orchestration, Automation, and Response) a relatively new set of technology, set to replace the old Security Information and Event Management (SIEM)?
Before suggesting an answer to this question, we need first to understand the role of the former only after we can understand what's a SOAR and if it can replace the SIEM or come as a complementary solution to it.
What's a SIEM?
How can a SOAR add up?
What's a SIEM?
SIEM is one of the most popular tools Security Operations Centers (SOC) are using. It has been around for 15 years.
It ingests logs received by information security equipment, firewalls, network sensors, endpoint devices, and so on. This way, it enables security teams to catch everything happening at a given time in their information security system. It's the SOC's window on their information system.
Theoretically, your SIEM is not only able to ingest all the data flowing from your devices but can also aggregate and identify unusual or suspicious behaviors. As such, it can decipher patterns showing that incidents and events underway are worth human intervention. As a result, it issues alerts to your analysts, leaving them the burden of the decision by triaging positive alerts from false ones.
If analysts were to deal with only a handful of alerts per day, this would be fine. They would need to give a small amount of their time to investigate and depart positives from false.
However, the number and variety of threats are rising. On average, a SOC can receive up to 11,000 alerts per day from their SIEMs. Consequently, because most alerts delivered by SIEMs need to be treated by the human brain, this leaves them with a massive amount of manual triage work per day.
Between these alerts, there are real ones that, ideally, would need to be detected and remediated ASAP. Still, they are drowned between more and more false positives and, as tools multiply, duplication. In the end, this creates the so-called alert fatigue phenomenon.
Plus, the threat environment is evolving fast. Variety and sources of attack are growing. To counter this, SIEM needs constant fine-tuning to keep up. This leads your analysts to constantly arrange your SIEM to understand and differentiate the malicious and regular activity. To fulfill this task, they rely on external sources, such as threat intelligence databases. This is multiplying the panes of glass and, in turn, the time needed to make your SIEM work—another addition to their already overworked daily labor.
A SIEM is a detection tool, not a remediation one. It provides the alert. Then it's the analyst's role to decide further investigation and remediation, which are more often than not manual and time-intensive.
But, we've seen that triage tasks already crowd analysts' time because it hardly scales up. It leaves little time for proper remediation, thus creating black holes.
Let's take a look at how a SIEM takes its part in one of the most common incidents your company faces daily: malicious email. A user mailbox receives malicious mail. Unfortunately, the user clicks on the link and/or attachment contained in it. Malware is spreading, contamination process starts.
In the meantime, your Security event collects logs from mailing servers, network sensors, workstations, and Active Directories. Between all the alerts popping on records, some indicate that the attacker is trying to contact an external server. A user account is created on an Active Directory. Using these compromised accounts, the attacker attempts to gain access to other workstations and resources.
All these indicators of compromise are ingested by your SIEM, which is creating the chain of attack. Your SOC teams then have to act according to this path described: is it an actual alert, a false positive? What's the next step?
How can SOAR add up?
A SOAR is a convergence of technologies. Security Orchestration and Automation (SOA), Security Incident Response Platforms (SIRPs), and Threat Intelligence Platforms (TIPs) are gathered into a single product.
It allows organizations to streamline security processes in three domains; threat and vulnerability management, incident response, and security operations automation.
In opposition to a SIEM, a SOAR product takes a different approach to help SOC's burden. It is used to facilitate the detection and remediation of incidents and, most of all, to add a management layer over your tool stack: orchestration.
For instance, in our malicious mail case, in addition to alerting the CSIRT, SOAR will automatically add blocking rules to the firewall and open a ticket in Jira, elevated to your analyst.
But it also goes further in incident detection and response, thanks to automation. Workflows/Playbooks allow your teams to predetermine the actions that have to be taken in a given scenario before they're alerted. If IoCs checks out, the SOAR executes its playbook to handle the incident, freeing analysts to focus on more complex threats.
Back at our example again. What's happening to our malicious mail? To determine whether if this email is a threat, a playbook is triggered as soon as there's a suspicion. It allows us to check databases about known indicators of compromise automatically. If the threat is acknowledged, the playbook can plan mail's deletion and any mail that presents the same indicators.
In this regard, the only limit to these automation capacities is the human brain.
Adding to that capacity, we're easing the work by providing a product based on no-code language. Creating the playbooks becomes faster and easier for your analysts since you only have to drag your connector and drop it onto your workflow.
Ultimately, SOAR is to be pictured as the duct tape of your security tool-stack and its conductor. There's no other technology that allows security teams to organize and manage their solutions by integration. It then enables them to automate the incident response workflow for each issue your company faces.
Based on automation and orchestration, this approach is why security experts believe that SOAR answers questions that SIEM cannot.
SIEM vs SOAR?
Both are complementary to strengthen security architecture.
Both of the solutions consume data feeds. However, SIEM is positioned to ingest larger volumes of data with disparate sources and formats. All in all, both of them are meant to provide automation to detect and manage security incidents.
But, the latter stands out in its automation capabilities and its finality. From detection to response, it can create loops while minimizing or taking the human out of it.
Typically, in our example, any already known threat would be handled by the playbook alone since it automatically syncs the databases in which the comparisons will be made, contain the malicious mail, and update the firewall rules. Human analysts would be notified of the final reports of the incidents and their remediation.
Finally, while SIEM will continue to be the first pane of control for teams to analyze logs, both tools can leverage the data and functionality of other security products. SOAR again takes the crown due to its flexibility and extensive library of integrations.
In a modern SOC, it's not about SIEM vs SOAR. They work in complementarity, not in competition.