Security information and event management (SIEM) and security orchestration, automation and response (SOAR) tools often feature in security operations centres (SOCs). SIEM is well established, whereas SOAR is a more recent technology. Understanding what they do and how they fit together is an important part of knowing whether they are right for you.
SIEM tools are one of the cornerstones of an effective SOC monitoring capability. They work by performing real-time analysis of data feeds from applications and infrastructure, correlating that data and alerting analysts when they identify events of interest.
These alerts might point to a breach that is happening or, even better, help to predict one, and trigger your response processes.
If you are responsible for security in a medium or large organisation and think you need a SIEM, you probably do – in fact, you probably have one already.
Alongside your SIEM, you probably have a range of additional tools that provide security alerts.
The problem with alerts is that you need to do something with them. You need to validate that they constitute a real incident, for instance by correlating them with threat intelligence, and you need to trigger and subsequently manage response processes.
This requires time and effort, sometimes more than is available. For many organisations, the frustration of not having enough security information can quickly be overtaken by the frustration of having too much.
Working with a SIEM can be very demanding, because large numbers of alerts require large numbers of analysts. Worse still, initial alert processing activity can be quite boring, which is why SOC analysts move between employers more often than other cyber security staff.
Managing all this can be a bit of a juggling act, with multiple playbooks, multiple tools and no real integration.
SOAR platforms address many of these challenges and the technology has been developed specifically with the smooth running of a SOC in mind. They can help to manage tools and information sources (including SIEMs), automate analyst processes and co-ordinate response.
They draw together SOC tools and make it easier to work between them. For anyone who has seen a SOC analyst’s desktop, and the number of applications open, the benefits are obvious. By automating some activity, SOAR tools can remove many of the mundane tasks that would otherwise fill an analyst’s day, such as executing attachments in a safe area to check for malware. That can free up time to look at more complex alerts without the worry that something is being missed.
Finally, SOAR tools allow response processes to be formalised, so you can be confident they are being followed. Of course, all of that can be done using other tools, but the benefits of integration are hard to ignore.
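To make the preceding points concrete, here is a small, self-contained triage playbook in Python. It is an added example written for this page, not code from the article or from any SOAR product, and it shows the three things the text attributes to SOAR: validating SIEM alerts by correlating them with threat intelligence, de-duplicating repeated alerts so analysts see one case instead of many, and attaching a fixed, ordered set of response steps to each disposition so the process is followed the same way every time. The alert format, the indicator values (RFC 5737 test addresses, `.example` domains and a spelled-out hash placeholder), the confidence weights, the thresholds and the step names such as `detonate_attachment_in_sandbox` are all constructed for illustration; a real deployment would take them from its own SIEM schema, intel feeds and tooling.

```python
"""Toy SOAR-style alert triage: enrich, de-duplicate, decide, assign playbook.

Added example for illustration only. All inputs below are constructed; nothing
here is taken from a real SIEM, intel feed or SOAR product.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed threat-intelligence feed: indicator -> confidence (0-100) and tag.
THREAT_INTEL: Dict[str, Dict] = {
    "198.51.100.23": {"confidence": 90, "tag": "known-c2"},            # RFC 5737 test range
    "evil-updates.example": {"confidence": 70, "tag": "phishing-domain"},
    "PLACEHOLDER_SHA256_OF_KNOWN_MALWARE": {"confidence": 95, "tag": "malware-sample"},
}

# Constructed SIEM alerts, in the shape a correlation rule might emit them.
SIEM_ALERTS: List[Dict] = [
    {"id": "A-1001", "rule": "outbound-connection-rare-port", "host": "ws-05",
     "indicators": ["198.51.100.23"], "asset_criticality": "high"},
    {"id": "A-1002", "rule": "dns-new-domain", "host": "ws-09",
     "indicators": ["cdn.example.org"], "asset_criticality": "low"},
    {"id": "A-1003", "rule": "outbound-connection-rare-port", "host": "ws-05",
     "indicators": ["198.51.100.23"], "asset_criticality": "high"},  # repeat of A-1001
    {"id": "A-1004", "rule": "email-attachment-received", "host": "ws-07",
     "indicators": ["evil-updates.example", "UNKNOWN_SHA256"], "asset_criticality": "medium"},
    {"id": "A-1005", "rule": "dns-new-domain", "host": "srv-db-01",
     "indicators": ["updates.example.net"], "asset_criticality": "high"},
]

# Formalised response steps per disposition: the "playbook" the text refers to.
PLAYBOOKS: Dict[str, List[str]] = {
    "close": ["record_disposition"],
    "analyst_review": ["create_ticket", "attach_enrichment"],
    "escalate": ["create_incident", "isolate_host", "notify_on_call", "attach_enrichment"],
}
# Rule-specific automation, e.g. detonating an attachment in a sandbox first.
RULE_STEPS: Dict[str, List[str]] = {
    "email-attachment-received": ["detonate_attachment_in_sandbox"],
}

ESCALATE_THRESHOLD = 85                      # constructed tuning value
CRITICALITY_WEIGHT = {"low": 0, "medium": 10, "high": 20}


@dataclass
class Case:
    """One de-duplicated case presented to an analyst."""
    case_id: str
    rule: str
    host: str
    alert_ids: List[str]
    matches: Dict[str, Dict] = field(default_factory=dict)
    score: int = 0
    disposition: str = "close"
    steps: List[str] = field(default_factory=list)


def enrich(alert: Dict, intel: Dict[str, Dict]) -> Dict[str, Dict]:
    """Return the subset of the alert's indicators that appear in the intel feed."""
    return {ioc: intel[ioc] for ioc in alert["indicators"] if ioc in intel}


def risk_score(matches: Dict[str, Dict], criticality: str) -> int:
    """Highest intel confidence among matches, weighted by asset criticality."""
    best = max((m["confidence"] for m in matches.values()), default=0)
    return best + CRITICALITY_WEIGHT.get(criticality, 0)


def decide(matches: Dict[str, Dict], score: int, criticality: str) -> str:
    """Map enrichment results to one of the three dispositions."""
    if matches and score >= ESCALATE_THRESHOLD:
        return "escalate"
    if matches or criticality == "high":
        return "analyst_review"          # plausible but needs a human look
    return "close"                       # no intel hit on a low-value asset


def triage(alerts: List[Dict], intel: Dict[str, Dict] = THREAT_INTEL) -> List[Case]:
    """Enrich, de-duplicate and dispose of a batch of SIEM alerts."""
    cases: Dict[Tuple, Case] = {}
    for alert in alerts:
        key = (alert["rule"], alert["host"], tuple(sorted(alert["indicators"])))
        if key in cases:
            cases[key].alert_ids.append(alert["id"])   # fold repeats into one case
            continue
        matches = enrich(alert, intel)
        score = risk_score(matches, alert["asset_criticality"])
        disposition = decide(matches, score, alert["asset_criticality"])
        steps = RULE_STEPS.get(alert["rule"], []) + PLAYBOOKS[disposition]
        cases[key] = Case(f"C-{len(cases) + 1:04d}", alert["rule"], alert["host"],
                          [alert["id"]], matches, score, disposition, steps)
    return list(cases.values())


if __name__ == "__main__":
    for case in triage(SIEM_ALERTS):
        print(case.case_id, case.disposition, case.alert_ids, "->", " > ".join(case.steps))
```

Run as a script, the five constructed alerts collapse into four cases: the repeated beaconing alerts from `ws-05` become one escalated case with both alert IDs attached, the benign DNS query on a low-value asset is closed automatically, the attachment alert gets a sandbox detonation step ahead of a ticket, and the unmatched query from a high-criticality server is routed to an analyst rather than silently closed. The point is the structure, not the specific weights: enrichment, de-duplication and a fixed step list per disposition are what turn a stream of alerts into a manageable queue.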
Alerts easier to manage
This technology can then make alerts much easier to manage, with the benefit of more efficient use of SOC resources, faster response times and, ultimately, better security.
If you think all that means you need a SOAR platform, you might be right. But then again, there are reasons why it might not be the right solution for you.
The first step in determining whether you need SOAR is understanding your SOC and what you have already. If your team is struggling to manage its workload, then SOAR could be useful. Likewise, if SOAR offers capabilities that you do not have already, that could be a driver towards using it.
But remember, there are a number of tools, such as Microsoft’s Sentinel, that combine SIEM and SOAR technology into a single offering and you may find your current SIEM has a roadmap to SOAR capabilities in the future.
If you do decide to go with SOAR, be aware that successful implementation is as much about people and operating models as it is technology. Getting that right requires different skills from those required to implement a SIEM.
According to Gartner, by year-end 2022, 30% of organisations with a security team larger than five people will use SOAR tools in their security operations, compared with less than 5% in 2019. That is telling. Firstly, it shows incredible growth in the segment. Secondly, it tells us that sizing is important, because smaller teams may not be able to justify the investment required.
Ultimately, if you have a small team and a manageable number of alerts, you probably don’t need SOAR. If your team is larger, and if it is having trouble keeping on top of the alerts it receives, you probably do.
Rasika Somasiri is a cyber security expert at PA Consulting