View More guides on Security Orchestration Automation and Response
Posted on: August 22, 2018
What is Security Orchestration, Automation, and Response (SOAR) and how is it different from SIEM?
Security orchestration, automation, and response (SOAR) and security information and event management (SIEM) solutions address similar challenges for security teams such as managing the plethora of cybersecurity-related data and events that today’s organizations produce. The responsibility of handling these events falls onto the shoulders of security operations teams working in SOCs.
What is Security Orchestration, Automation and Response (SOAR)?
According to Gartner, “SOAR refers to technologies that enable organizations to collect inputs monitored by the security teams. For example, alerts from the SIEM system and other security technologies — where incident analysis and triage can be performed by leveraging a combination of human and machine power — help define, prioritize and drive standardized incident response activities. SOAR tools allow an organization to define incident analysis and response procedures in a digital workflow format.”
In 2015, Gartner initially identified security incident response, threat and vulnerability management, and security operations automation as three key functionalities of SOAR technologies. In 2017, the research and advisory firm revised the definition to include security incident response platforms, security orchestration and automation (SOA), and threat intelligence platforms (TIPs) as three integral elements.
Gartner further revised the definition of SOAR in 2020. Now, it defines the technology as solutions that fuse threat intelligence management, incident response, orchestration, and automation capabilities in a single platform.
What is Security Information and Event Management (SIEM)?
Gartner defines “the SIEM market by the customer’s need to analyze event data in real-time for early detection of targeted attacks and data breaches, and to collect, store, investigate and report on log data for incident response, forensics, and regulatory compliance. SIEM technology aggregates event data produced by security devices, network infrastructure, systems, and applications. The primary data source is log data, but SIEM technology can also process other forms of data, such as network telemetry. Event data is combined with contextual information about users, assets, threats, and vulnerabilities. The data may be normalized, so that events, data, and contextual information from disparate sources can be analyzed for specific purposes, such as network security event monitoring, user activity monitoring, and compliance reporting. The technology provides real-time analysis of events for security monitoring, query, and long-range analytics for historical analysis.”
SIEM are software solutions that collect and examine activities from different sources across the entire IT infrastructure. It efficiently collects and stores threat data such as logs of antivirus, firewall, network, or hashes of downloaded files in a central location. Once the data is aggregated, security teams can analyze it. SIEM solutions also help organizations with mature processes to prioritize threats and manage incidents, providing visibility into all the activities around an organization’s digital assets including its networks, databases, and systems. Moreover, a SIEM solution raises alerts in case any suspicious activity is discovered.
With the help of a SIEM solution, organizations can detect, prioritize, and respond to threats, boosting incident or threat investigation and security remediation by providing a historical analysis of security events. Furthermore, it allows security operations teams to correlate and analyze security incidents that have occurred at different times and locations.
SOAR vs SIEM
SIEM applications collect data from disparate internal sources to identify abnormal behavior that can turn out to be a threat. They provide security teams with in-depth insights into all security alerts. Among the functionalities of SIEM applications are threat intelligence aggregation, data storage, threat detection, and notifications. Also, these tools play an important role in log management, helping users comply with government regulations related to logging.
On the other hand, SOAR platforms are all-in-one security solutions that allow security teams to pool threat intelligence from different tools such as SIEM software, anti-malware solutions, EDR findings, and others, into a single location. Subsequently, security teams can orchestrate these data to automate incident responses. Unlike SIEM applications, SOAR solutions can also be used for security incident response, threat and vulnerability management, and security operations automation.
Both SIEM and SOAR platforms prove useful in improving SOC capabilities. However, they take different approaches with regard to driving action. Traditional SIEM solutions search for events and trigger alerts and leave behind the in-depth investigation, analysis, and remediation for humans, burdening SOC teams with more work. SOAR solutions go further than SIEM platforms when it comes to taking action. Although advanced SOAR platforms allow full automation, several SOAR workflows still need manual efforts and SOAR products go a step ahead in terms of pre-processing, which is carried out prior to any human being alerted.
One of the key value propositions of SOAR technology is its ability to leverage various security and networking products. Organizations already employing security tools for vulnerability management, ITSM, or threat intelligence can utilize SOAR as it provides organizations the capability to operationalize their existing tools in unique ways.
Unlike SOAR, SIEM products are limited in their capability to fuse and utilize different tools. While many SIEM products can be integrated with tools such as SaaS threat intel feeds or ITSM, their abilities are typically limited to data ingesting and raising tickets or alerts.
The Combination of SOAR and SIEM
In essence, SOAR solutions boost security automation and orchestration processes, while SIEM solutions boost incident investigation and management processes. Both SOAR and SIEM solutions play different but important roles in advancing an organization’s ability to handle threats and their overall security posture.
As SOAR and SIEM tools share multiple components, both the terms are often incorrectly used interchangeably. However, SOAR and SIEM are two different security solutions that go hand-in-hand.
Using SOAR and SIEM together makes the job of security teams easier. When a SOAR platform is in place, the SIEM solution won’t generate more alerts than security teams can handle and strategically respond to.
The use of a SOAR platform accelerates incident responses to SIEM alerts, automatically communicating with other security tools to address cyber threats. The shorter the response time to threats, the lesser is the impact in terms of cost and damage.