Researching the difference between SIEM and SOAR
A great matter of debate and confusion I have always seen is the line of difference between SOAR and SIEM, along with the question of whether, if you have one, you still need the other, or whether they should run in conjunction.
To bring some clarity, let us analyze the details and the concept behind each of them one by one:
1. Understanding SIEM
SIEM is the abbreviation for security information and event management, a class of technology platforms used to collect and store security data.
This data comes from simple, familiar sources, including firewalls, intrusion detection/prevention systems, etc.
The platform then aggregates and correlates all of this gathered data, helping analysts analyze it with focused analytics and machine learning software.
2. Understanding SOAR
SOAR, on the other hand, is the collective technology of security orchestration, automation and response, intended to imbue security operations with the pillars of efficiency and consistency.
If we analyze the anatomy of SOAR, it involves:
a. Security Orchestration – This refers to the overall coordination of the various technologies across the stack. It helps integrate and interrelate them seamlessly, giving measurable and efficient incident response workflows.
b. Security Automation – The second in line, this refers to the technology stack that automates the handling of tasks and processes, optimized with machine learning, using playbooks and runbooks.
c. Security Response – The final part of the trio, this addresses and manages security incidents once an alert has been confirmed. It covers the technicalities of the incident response stages (including triage, containment, remediation, etc.). In simpler terms, we all use methods derived from this concept, such as quarantining potentially infected files, disabling access for compromised accounts, limiting an infected process's access to other services, etc.
A SOAR platform helps with all three of these, improving the defense-in-depth posture of the organization.
Let us now try to understand the integration, segregation or unity of running SOAR and SIEM:
Technically, the answer to whether it is feasible to run a SOC without a mature SIEM/SOAR is yes; however, integrating a SIEM tool with a SOAR solution gives the combined capability to run an efficient and responsive security program.
Capability-wise, SIEMs absorb the data and generate the alerts, while the SOAR solution manages the incident response process for each alert, automating and orchestrating repetitive tasks.
SecOps teams hence always prefer to use both SIEM and SOAR to optimize their security operations center (SOC).
The million-dollar question that now comes to mind is: why is a SIEM in itself not sufficient to run SOAR capabilities?
The answer lies in the fact that SIEM tools usually need regular tuning and periodic optimization to understand and differentiate between normal and suspicious activity. This leads to an investment of time and effort in the SIEM which could instead be invested in incident response actions.
In this way, both SIEM and SOAR help increase the efficacy of the overall SOC: the SIEM solution is optimized to raise alerts, while the SOAR enables the security team to handle containment and the incident response steps.
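The SIEM-to-SOAR hand-off described above (the SIEM correlating raw events into an alert, the SOAR playbook then triaging, containing and ticketing it), as an added Python illustration that is not part of the original post or any vendor's product: the login events, usernames and IP addresses are constructed, the correlation rule and severity table are my own assumptions, and the "integrations" are in-memory stand-ins for a real identity provider, firewall and ticketing system.

```python
"""Toy SIEM -> SOAR hand-off (added illustration, not from the post).

The 'SIEM' half correlates raw login events into an alert; the 'SOAR' half
runs a playbook (triage -> contain -> ticket) against that alert. All
events, users, addresses and integrations below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events, as a SIEM would receive them from an auth log.
SAMPLE_EVENTS = [
    {"ts": 100, "src": "10.0.0.5", "user": "alice", "action": "login", "result": "fail"},
    {"ts": 105, "src": "10.0.0.5", "user": "alice", "action": "login", "result": "fail"},
    {"ts": 110, "src": "10.0.0.5", "user": "alice", "action": "login", "result": "fail"},
    {"ts": 112, "src": "10.0.0.5", "user": "alice", "action": "login", "result": "fail"},
    {"ts": 115, "src": "10.0.0.5", "user": "alice", "action": "login", "result": "fail"},
    {"ts": 130, "src": "10.0.0.5", "user": "alice", "action": "login", "result": "success"},
    {"ts": 200, "src": "10.0.0.9", "user": "bob", "action": "login", "result": "fail"},
    {"ts": 900, "src": "10.0.0.9", "user": "bob", "action": "login", "result": "success"},
]


@dataclass
class Alert:
    rule: str
    user: str
    src: str
    evidence: list


def correlate_brute_force(events, threshold=5, window=60):
    """SIEM-style correlation rule (assumed): at least `threshold` failed
    logins for one (user, source) pair within `window` seconds, followed by
    a success. Raises one alert per matching success."""
    alerts = []
    recent_fails = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "login":
            continue
        key = (ev["user"], ev["src"])
        # Keep only the failures that are still inside the sliding window.
        recent_fails[key] = [f for f in recent_fails[key] if ev["ts"] - f["ts"] <= window]
        if ev["result"] == "fail":
            recent_fails[key].append(ev)
        elif ev["result"] == "success":
            if len(recent_fails[key]) >= threshold:
                alerts.append(Alert("brute_force_then_success", ev["user"], ev["src"],
                                    recent_fails[key] + [ev]))
            recent_fails[key] = []
    return alerts


# Assumed severity per rule; triage uses it to decide whether containment
# may run unattended or must wait for an analyst.
RULE_SEVERITY = {"brute_force_then_success": "high"}


@dataclass
class SoarContext:
    """In-memory stand-ins for the integrations a SOAR would orchestrate
    (identity provider, firewall, ticketing) plus an audit trail."""
    disabled_users: set = field(default_factory=set)
    blocked_ips: set = field(default_factory=set)
    tickets: list = field(default_factory=list)
    audit: list = field(default_factory=list)


def run_playbook(alert, ctx, auto_contain=True):
    """SOAR-style playbook: triage -> contain -> ticket. Every action is
    recorded in ctx.audit so the analyst can review what the automation did."""
    severity = RULE_SEVERITY.get(alert.rule, "medium")
    ctx.audit.append(f"triage:{alert.rule}:{severity}")
    if severity == "high" and auto_contain:
        # Containment actions named in the post: disable the account, block the source.
        ctx.disabled_users.add(alert.user)
        ctx.blocked_ips.add(alert.src)
        ctx.audit.append(f"contain:disable_user:{alert.user}")
        ctx.audit.append(f"contain:block_ip:{alert.src}")
        status = "contained"
    else:
        # Lower severity, or automation switched off: queue for human approval.
        status = "pending_approval"
    ctx.tickets.append({"alert": alert.rule, "user": alert.user, "status": status})
    return status


def process(events, auto_contain=True):
    """End-to-end hand-off: SIEM correlation produces alerts, SOAR handles each."""
    ctx = SoarContext()
    alerts = correlate_brute_force(events)
    statuses = [run_playbook(a, ctx, auto_contain) for a in alerts]
    return alerts, statuses, ctx


if __name__ == "__main__":
    found, results, state = process(SAMPLE_EVENTS)
    for a, s in zip(found, results):
        print(f"{a.rule} user={a.user} src={a.src} -> {s}")
    print("audit:", state.audit)
```

Running it on the constructed events raises one alert for alice (five failures then a success inside the window) and none for bob (a single failure, and the later success falls outside the window), and the playbook contains the alice alert and records each action in the audit trail. The `auto_contain` switch shows the tuning point the post describes: the same alert can be queued for analyst approval instead of acted on unattended.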
To conclude simply, SOAR integrates all of the tools and technology within a firm's security toolset and helps the SecOps team automate incident response workflows.
http://correlatedsecurity.com/soar-critical-success-factors/
The image below, from the blog post linked above, further helps map the SIEM and SOAR architecture.
Also, threat intelligence is a valuable ally for an effective SOAR process and should be a strong focus. I have covered threat intelligence in a different article, which you can check out below:
https://securitywarrior9.blogspot.com/2021/01/threat-intelligence-overview.html
I believe this really simplified the difference between SIEM and SOAR - thank you for that. Although I was expecting you to mention the Threat Intelligence part, which is also part of the SOAR and which adds great value when investigating incidents.