Security Information and Event Management (SIEM) is a product category rather than a single technique. A SIEM collects, stores and analyzes the logs generated across an environment, from network and security devices to servers and end-user systems, and applies rules and policies to correlate seemingly independent events into meaningful, security-relevant patterns. It gives a near real-time view of what is happening on the network and lets security teams detect and respond to threats earlier than they could by reading individual device logs.
Everything a SIEM does depends on device logs. They are the raw material it parses, links together and uses to pinpoint attacks, misconfigurations and vulnerabilities. Compliance standards such as ISO 27001 and regulations such as Turkey's Law No. 5651 set requirements for how logs are collected, retained and reviewed, and a SIEM is the usual product for meeting them, since centralized collection, retention and reporting are exactly the log-management features those requirements call for.
The most significant feature of a SIEM is correlation. At its core, a correlation rule raises an alert when a certain number of events, often from several different systems, meet specified conditions within a defined time window; for example, many failed logons from one source address against several hosts within a few minutes, followed by a successful logon from the same address. The alert can then trigger actions such as sending an email, opening a help desk ticket, or running a script for deeper investigation.
Other vital features of a SIEM include:
Log collection. The SIEM must be able to reach its log sources. Logs arrive in two basic ways: agent-based, where an agent installed on the source gathers logs and forwards them to the SIEM, or agentless, where the source pushes logs (syslog, for example) or the SIEM pulls them from applications, systems or databases over their own interfaces. The most suitable method is chosen per source.
Normalization and categorization. Collected logs are parsed into a common schema (timestamp, host, source address, user, outcome) and classified by event type (authentication failure, malware detection, policy violation, and so on), so that rules can be written once regardless of vendor format.
Correlation. Normalized events are linked together according to the rules described above; this is the SIEM's pivotal function.
Alerting. Once a rule fires, the SIEM notifies administrators by email, SMS or SNMP trap.
Dashboards and reporting. Collected data and correlation results are presented to security analysts on a real-time dashboard, and the SIEM can generate reports on the same data for compliance and management.
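As an added example (this is not code from the original post or from any SIEM product), the Python block below shows the two features that matter most above, normalization into a common schema and time-windowed correlation, on a handful of constructed log lines in two formats: Linux sshd syslog and Windows-style security events. The log lines, the field names, the regular expressions and the rule thresholds are all assumptions chosen for illustration.

```python
"""Added example: normalize two log formats into one schema, then run a
time-windowed correlation rule over the result. The log lines, the formats,
the field names and the rule thresholds are constructed for illustration
and are not taken from any particular SIEM product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: Linux sshd syslog lines plus Windows-style
# security events (Event ID 4625 = failed logon, 4624 = successful logon).
RAW_LOGS = [
    "2024-03-01T10:00:01Z web01 sshd[812]: Failed password for admin from 203.0.113.7 port 51000 ssh2",
    "2024-03-01T10:00:04Z web01 sshd[812]: Failed password for admin from 203.0.113.7 port 51001 ssh2",
    "2024-03-01T10:00:09Z db01 sshd[331]: Failed password for root from 203.0.113.7 port 51002 ssh2",
    "2024-03-01T10:00:15Z winsrv01 EventID=4625 TargetUser=admin SourceIP=203.0.113.7",
    "2024-03-01T10:00:20Z winsrv01 EventID=4625 TargetUser=admin SourceIP=203.0.113.7",
    "2024-03-01T10:00:31Z winsrv01 EventID=4624 TargetUser=admin SourceIP=203.0.113.7",
    "2024-03-01T10:05:00Z web01 sshd[812]: Failed password for bob from 198.51.100.9 port 40000 ssh2",
    "2024-03-01T10:05:02Z web01 CRON[900]: pam_unix(cron:session): session opened for user root",
]

SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
WIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) "
                    r"TargetUser=(?P<user>\S+) SourceIP=(?P<src>\S+)")
WIN_CATEGORY = {"4625": "auth_failure", "4624": "auth_success"}

def normalize(line):
    """Parse one raw line into the common schema, or None if no parser matches."""
    if m := SSHD_RE.match(line):
        category = "auth_failure" if m["result"] == "Failed" else "auth_success"
    elif m := WIN_RE.match(line):
        category = WIN_CATEGORY.get(m["eid"], "other")
    else:
        return None  # unparsed lines (the CRON line) are kept out of correlation
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "src_ip": m["src"], "user": m["user"],
            "category": category}

def correlate(events, threshold=5, window=timedelta(minutes=2), min_hosts=2):
    """Rule: at least `threshold` auth_failures from one source IP against at
    least `min_hosts` distinct hosts inside `window`. The alert also records
    whether the same source then logged on successfully within the window,
    which is what turns a noisy brute-force attempt into a likely compromise."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src_ip"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["category"] == "auth_failure"]
        for i, first in enumerate(failures):
            in_window = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
            hosts = {e["host"] for e in in_window}
            if len(in_window) < threshold or len(hosts) < min_hosts:
                continue
            last_failure = in_window[-1]["ts"]
            success = any(e["category"] == "auth_success"
                          and last_failure <= e["ts"] <= first["ts"] + window for e in evs)
            alerts.append({"rule": "brute_force", "src_ip": src, "failures": len(in_window),
                           "hosts": sorted(hosts), "users": sorted({e["user"] for e in in_window}),
                           "window_start": first["ts"].isoformat(), "followed_by_success": success})
            break  # one alert per source IP; a real engine would also suppress repeats
    return alerts

def run(raw_lines=RAW_LOGS):
    """Normalize, drop unparsed lines, correlate."""
    events = [ev for ev in map(normalize, raw_lines) if ev]
    return correlate(events)

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Running the block yields a single alert for 203.0.113.7 (five failures across three hosts, two target accounts, followed by a success), while the lone failure from 198.51.100.9 and the unrelated CRON line produce nothing. The point to take from it is that the rule is written once against the normalized fields and never needs to know whether a failure came from sshd or from a Windows event log.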
Like a SIEM, SOAR is designed to help security teams manage and respond to a constant stream of alerts at machine speed.
Security Orchestration, Automation, and Response (SOAR) is a term coined by Gartner for an approach to security operations and incident response that aims to improve the efficiency, effectiveness, and consistency of security operations.
SOAR platforms go a step further than a SIEM by combining data collection, case management, standardization, workflow automation, and analytics in one place. This integration gives organizations a coordinated, repeatable response capability across their existing security tooling.
To better understand what this means, let’s delve into its individual components.
Security Orchestration involves harmonizing various security tools and technologies to seamlessly integrate and communicate with each other. This creates repeatable, actionable, measurable, and effective incident response processes and workflows. People and processes must also be managed appropriately to ensure maximum efficiency.
Security Automation involves handling tasks and processes automatically, without manual human intervention, cutting response time by automating repeatable work and applying machine learning where it fits. Automation is usually expressed as "playbooks" and "runbooks" that remove mundane, repetitive actions from the analyst's queue.
Security Response covers handling and managing an incident after an alert is triggered: triage, containment, remediation, and more. Today many actions, such as quarantining files and disabling compromised accounts, can be performed automatically, so that incidents that once posed real threats are resolved quickly.
SOAR solutions allow security teams to automatically gather the context needed to further investigate alerts generated from their ecosystem. Using a SOAR platform, security alerts can be automatically responded to by seamlessly bringing together all the tools and technologies needed to provide the individual pieces of the puzzle. Various “playbooks” and “runbooks” are triggered to execute the most appropriate response steps and actions to different threats. This ensures that all alerts receive a response while freeing up analyst time for higher-priority tasks.
Benefits of SOAR
Both SIEM and SOAR aim to improve the lives of the entire security team, from analyst to CISO, by increasing the effectiveness of the SOC and reducing the organization's exposure. While the data a SIEM collects is valuable, SIEM solutions tend to generate more alerts than SecOps teams can handle while remaining effective.
SOAR enables the security team to handle the alert load quickly and efficiently, leaving time for more important and skills-based tasks that result in a higher-performing SOC.
To illustrate with an example:
A SIEM collects logs from network devices and runs correlation rules over them to generate alerts.
L1 analysts evaluate the alerts to decide which are real events and which are false positives.
These activities can take hours before an analyst can move on to incident response.
SOAR systems promise to automate this routine work by interacting with other security technologies to perform the first steps of incident response automatically.
L1 activities: after receiving an alert from the SIEM, the SOAR platform automates the enrichment and evaluation of the alert, creating incidents for real events and eliminating false positives.
It then creates and assigns a ticket in the incident tracking system.
In this way, SOAR automates L1 activities.
L2 activities: the L2 analyst receives the enriched alert together with the additional information gathered from internal and external sources.
SOAR can automate the first response steps using digital playbooks, which are the predefined steps to follow when handling a given type of incident.
In this way, SOAR technology saves valuable response time and acts as a cybersecurity accelerator.
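As an added example of the L1 workflow just described (enrich, evaluate, ticket, and where justified, contain), the Python block below is a minimal triage playbook of the kind a SOAR platform runs when a SIEM alert arrives. It is not code from the original post or from any SOAR product: the threat-intel set, scanner allowlist, asset inventory, the in-memory ticketing, firewall and IAM hooks, the alert shape and the severity thresholds are all constructed here for illustration.

```python
"""Added example: an L1 triage playbook of the kind a SOAR platform runs
when a SIEM alert arrives: enrich, decide, then act. The threat-intel set,
scanner allowlist, asset inventory, ticketing and IAM hooks, alert shape
and thresholds are all constructed for this illustration; none is a real
product API."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed enrichment sources a playbook would normally query over an API.
THREAT_INTEL_IPS = {"203.0.113.7"}          # hypothetical feed of known-bad IPs
SCANNER_ALLOWLIST = {"192.0.2.50"}          # hypothetical internal vuln scanner
ASSET_INVENTORY = {                         # hypothetical CMDB extract
    "db01": {"owner": "dba-team", "tier": "crown_jewel"},
    "web01": {"owner": "web-team", "tier": "standard"},
    "winsrv01": {"owner": "it-ops", "tier": "standard"},
}
# Accounts the playbook must never disable on its own; it requests approval instead.
PRIVILEGED_ACCOUNTS = {"root", "Administrator"}

# Constructed alerts in the shape a SIEM brute-force rule might emit.
BRUTE_FORCE_ALERT = {"rule": "brute_force", "src_ip": "203.0.113.7",
                     "hosts": ["db01", "web01", "winsrv01"],
                     "users": ["admin", "root"], "failures": 5,
                     "followed_by_success": True}
SCANNER_ALERT = {"rule": "brute_force", "src_ip": "192.0.2.50",
                 "hosts": ["web01"], "users": ["svc-scan"], "failures": 40,
                 "followed_by_success": False}

@dataclass
class Case:
    alert: dict
    enrichment: dict = field(default_factory=dict)
    severity: str = "informational"
    disposition: str = "open"
    actions: list = field(default_factory=list)
    ticket_id: Optional[str] = None

class Integrations:
    """In-memory stand-ins for the ticketing, firewall and IAM systems
    a SOAR platform orchestrates."""
    def __init__(self):
        self.tickets, self.blocked_ips, self.disabled_accounts = {}, set(), set()
    def create_ticket(self, title, severity):
        tid = f"INC-{len(self.tickets) + 1:04d}"
        self.tickets[tid] = {"title": title, "severity": severity}
        return tid
    def block_ip(self, ip):
        self.blocked_ips.add(ip)
    def disable_account(self, user):
        self.disabled_accounts.add(user)

def enrich(case):
    """Step 1: gather the context an L1 analyst would otherwise look up by hand."""
    src = case.alert["src_ip"]
    case.enrichment = {
        "threat_intel_hit": src in THREAT_INTEL_IPS,
        "is_scanner": src in SCANNER_ALLOWLIST,
        "asset_tiers": {h: ASSET_INVENTORY.get(h, {}).get("tier", "unknown")
                        for h in case.alert["hosts"]},
    }
    return case

def triage(case):
    """Step 2: decide whether this is a false positive, and how urgent it is."""
    a, e = case.alert, case.enrichment
    touched_crown_jewel = "crown_jewel" in e["asset_tiers"].values()
    if e["is_scanner"] and not a["followed_by_success"]:
        case.disposition, case.severity = "false_positive", "informational"
    elif a["followed_by_success"] and (touched_crown_jewel or e["threat_intel_hit"]):
        case.disposition, case.severity = "escalate_l2", "high"
    elif a["followed_by_success"]:
        case.disposition, case.severity = "escalate_l2", "medium"
    else:
        case.disposition, case.severity = "monitor", "low"
    return case

def respond(case, integ):
    """Step 3: open a ticket and, for high severity, contain automatically."""
    if case.disposition == "false_positive":
        case.actions.append("closed_without_ticket")
        return case
    case.ticket_id = integ.create_ticket(
        f"{case.alert['rule']} from {case.alert['src_ip']}", case.severity)
    case.actions.append(f"ticket:{case.ticket_id}")
    if case.severity == "high":
        integ.block_ip(case.alert["src_ip"])
        case.actions.append(f"block_ip:{case.alert['src_ip']}")
        for user in case.alert["users"]:
            if user in PRIVILEGED_ACCOUNTS:
                case.actions.append(f"approval_required:disable:{user}")
            else:
                integ.disable_account(user)
                case.actions.append(f"disable:{user}")
    return case

def run_playbook(alert, integ=None):
    """Run the three playbook steps on one SIEM alert and return the case."""
    return respond(triage(enrich(Case(alert))), integ or Integrations())

if __name__ == "__main__":
    for alert in (BRUTE_FORCE_ALERT, SCANNER_ALERT):
        case = run_playbook(alert)
        print(case.disposition, case.severity, case.ticket_id, case.actions)
```

Two design points are worth noting. The scanner alert is closed without a ticket only because it was not followed by a successful logon; a "known scanner" that suddenly succeeds in authenticating is exactly the case an allowlist must not hide. And automated containment stops short of disabling privileged accounts, recording an approval request instead, because a playbook that can lock out root or Administrator on the strength of one correlation rule is itself a denial-of-service risk.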
Stay tuned for more blog posts on netsmartsecurity.nl