Researching the difference between SIEM and SOAR


A great matter of debate and confusion I have always seen is the line of difference between SOAR and SIEM along with fact that if you have one, do you still need the other or in conjunction.

In order to understand the clarity, let us analyze the details and the concept behind both one by one:

1.      Understanding SIEM

SIEM is the abbreviation for the technology platforms which stands for security information and event management used to collect and store security data.

This can be related to simple examples including firewalls, intrusion detection systems/ prevention systems etc.

This technically helps to aggregate and correlate all of this gathered data by help in analyze date wth focused analytics and machine learning software.

2.      Understanding SOAR

SOAR on the other hand is the collective technology involving Security orchestration, automation and response (SOAR), that is intended to help imbibe security operations with the pillars of efficiency and consistency.

If we analyze the anatomy of SOAR, it involves:

a.    Security Orchestration – This refers to the total coordination of various technologies across the stack. This helps to seamlessly integrate and interrelate giving measurable and efficient incident response workflows.

b.   Security Automation – The second in line, refers to the technology stack which helps automated handling of tasks and processes with optimized machine learning using playbooks and runbooks

c.   Security Response – The final part of the trio stack, which helps in addressing and managing the security incidents once an alert has been confirmed. This refers to the technicalities of incident response stages (including triage, containment, remediation, etc.) If we relate this to simpler terms, we all use methods derived on this concept such as quarantine potential infected files, disabling access to compromised accounts, limit access of an infected process to other services etc.

SOAR platform helps with all the three top things helping improve the defense-in-depth posture of the organization.

Let us know try to understand the integration/ segregation or unity of running SOAR and SIEM:

Technically, the answer to have SOC without a mature SIEM/ SOAR in feasibility is yes, however integrating a SIEM tool with a SOAR solution will give combined capability for running an efficient and responsive security program.

Capability wise, SIEMs can help absorb data and to generate the alert and the SOAR solution to help manage the incident response process to each alert, automating and orchestrating repetitive tasks

SecOps teams hence always prefers to use both SIEM and SOAR to optimize their security operations center (SOC).

The million dollar question which now comes to the mind is why SIEM in itself is not efficient to run SOAR capabilities?

The answer lies in the fact that SIEM tools usually needs regular tuning and periodic optimization to  understand and differentiate between normal vs suspicious activities. This lead to investment of time and efforts in the SIEM which could be in turn invested in Incident response actions.

In this way, both SIEM and SOAR would help increasing the efficacy of the overall SOC. This is achieved via SIEM solutions optimized to raise alerts while the SOAR enabling the security team to handle the containment and incident response systems.

To conclude simply, SOAR helps integrates all of the tools and technology within an firms’ s security toolset and help ramp the SecOps team to automate incident response workflows.

 A useful reference to further read from my suggestion would be: 

http://correlatedsecurity.com/soar-critical-success-factors/

This image below from this blog further helps us analyze mapping SIEM and SOAR Architecture

Also, as a valuable ally for an effective SOAR process, threat intelligence should be a strong focus.

I have covered threat intelligence is a different article which you can check out below:

https://securitywarrior9.blogspot.com/2021/01/threat-intelligence-overview.html


Comments

  1. Computer forensic Singapore


    Get the best cyber security and computer forensic service in Singapore from AK Global Investigation Company


    to get more - https://investigation-akg.com/cyber-crime/

    ReplyDelete
  2. I believe this really simplified the difference between SIEM and SOAR - thank you for that. Although I was expecting you to mention the Threat Intelligence Part which is also part of the SOAR and which add a great value when investigating incidents.

    ReplyDelete

Post a Comment

Popular posts from this blog

Arbitrary file upload and RCE in Wonder CMS - CVE-2017-14521

Cross Site Request Forgery- Intex Router N-150 | CVE-2018-12529

Stored XSS in Wonder CMS- CVE-2017-14522