maxkabakov - Fotolia

When is SIEM the right choice over SOAR?

Better instrumentation leads to better IT security but monitoring can quickly overload IT teams. Automation can help, but it may not always be needed

This article can also be found in the Premium Editorial Download: Computer Weekly: How to choose between SIEM and SOAR

Gartner defines security information and event management (SIEM) products as technology that aggregates event data produced by security devices, network infrastructure, systems and applications. According to the analyst firm, the primary data source is log data, but SIEM technology can also process other forms of data, such as network telemetry data.

In the Gartner Magic Quadrant report for security information and event management, analysts note that event data can be combined with contextual information about users, assets, threats and vulnerabilities for the purposes of scoring, prioritisation and expediting investigations. This makes SIEM a pillar of enterprise IT security.

Rasika Somasiri, a cyber security expert at PA Consulting, says SIEM tools are one of the cornerstones of an effective monitoring capability in security operations. He says the alerts provided by a SIEM tool may point to a breach that is happening or help to predict one. 

“If you are responsible for security in a medium or large organisation and think you need a SIEM, you probably do – in fact, you probably have one already. Alongside your SIEM, you probably have a range of additional tools that provide security alerts,” says Somasiri.

But the problem with alerts is that IT security professionals need to act on them. “You need to validate that they constitute a real incident,” he adds.

This is why security orchestration, automation and response (SOAR) is starting to gain interest. Gartner defines SOAR as a class of products that combine incident response, orchestration and automation, and threat intelligence (TI) management capabilities in a single platform.

For BCS volunteer and security expert Petra Wenham, the question of whether SIEM or SOAR is the best security toolset for an organisation is a moot point. “There is overlap between the tools and, according to which tools you are looking at, the overlap can be quite small, particularly where the SIEM product has adopted artificial intelligence into the design,” she says.

Wenham believes the choice of product is not determined solely by the size of an organisation, but rather by the size and complexity of an organisation’s IT infrastructure and the value of the data held and processed by the infrastructure.

For instance, the larger and more complex the IT infrastructure is, and the greater the value of data held and processed, the greater the need to employ automation to undertake event correlation together with the short- and long-term analysis of alerts (security and others) generated within the infrastructure.

“Where possible,” says Wenham, “automation should be used to initiate corrective actions within the infrastructure as such automation would allow the freeing up of valuable IT and security staff to concentrate on the difficult-to-solve problems and on maintaining the infrastructure and associated management and monitoring toolsets.”

Options for a small and large operations

For organisations with a smaller and less complex IT infrastructure, such as those without e-commerce or customer portals, Wenham says a SIEM deployment – possibly with some artificial intelligence (AI) capabilities – would be a reasonable match.

However, she warns that to allow prioritised events to be quickly identified and investigated, it is important that IT or security staff are able to manage and use SIEM tools such that the output is not swamped with erroneous data.

Wenham says this approach would generally need to be supplemented by employing external security contractors to provide third-line support and undertake regular reviews of the SIEM configuration and, as necessary, retuning and adjusting the SIEM to better differentiate between anomalous and normal activity.

She suggests that a small SOAR system might also be an option where the monitoring capability of the SOAR is comprehensive enough to cope with all the devices within an organisation’s infrastructure.

As the complexity of the infrastructure increases, together with the value at stake, a SIEM with artificial intelligence for IT operations (AIOps) could also be considered. Wenham says such an AI-powered system would be able to track slow-moving events over time and automatically initiate some corrective actions in the infrastructure.

Should the organisation’s IT department not have the required skills and/or not enough resources, external security contractors would need to be engaged to provide assistance when required and help with the regular retuning of the SIEM.

For an organisation with a large and complex IT infrastructure, the amount of event data generated would be vast. Wenham says a high-end SIEM coupled with a SOAR product would be the preferred toolset – with the SIEM being the best product for gathering and correlating a wide range of event data and the SOAR being the best product for undertaking a detailed analysis of SIEM-generated data and automatically initiating a range of corrective actions.

The SOAR would also be able to undertake analysis of SIEM-generated event data aggregated over a long period of time which would uncover attempted covert security events.

“Even in large organisations with a SIEM and SOAR setup, there would likely be a role for external security consultancy assistance, particularly where there were resource constraints on the IT and/or security departments,” she says.

Automating security response

According to Jason Yakencheck, an associate partner at IBM’s cyber security and biometrics practice and a former ISACA president, implementing a SOAR tool is a crucial capability for security operations teams to perform incident response effectively.

“Security event volume continues to grow exponentially and the right technology components need to be in place to set an organisation up for success,” he says.

Like Wenham, Yakencheck believes SIEM is a central building block needed to get the most out of a SOAR tool.

“SIEM technology is essential to a security programme. It is that foundational building block that other tools can integrate with and truly elevate incident response capabilities to the next level”
Jason Yakencheck, IBM

These two security tools offer complementary capabilities that are essential to keep pace with ever-increasing and more sophisticated threats. But he says it is important for organisations that may be deciding when or how to implement either of these tools to understand the differences and benefits of each prior to making strategic decisions.

“A SIEM tool is primarily utilised to aggregate and correlate organisation event data in a central location. It allows security engineers to configure rule sets and thresholds by which to generate alerts on only the most meaningful and high-risk events, based on the unique risk profile of each organisation. SIEM tools parse countless volumes of data to reduce noise and filter down to a subset that require further investigation and action,” he says.

“SIEM technology is absolutely essential to a security programme. It is that foundational building block that other tools can integrate with and truly elevate incident response capabilities to the next level.”

For Yakencheck, SOAR capabilities enable security teams with fixed resources to scale to meet the demands of higher event volumes through increased automation capabilities. He says that with SOAR, traditional manual processes such as configuration updates, rule changes or other steps can be executed in a partially automated or fully automated manner in response to specific event types.

SOAR considerations

To make the most out of a SOAR investment, Jason Yakencheck, associate partner at IBM’s cyber security and biometrics practice and a former ISACA president, recommends that IT leaders should consider the following:

  • Overall objectives and expected outcomes.
  • Understand licensing models.
  • A mature centralised log management and/or SIEM tool.
  • Thoroughly understand most common events types suitable for automation.
  • Determine response steps for each event type that can then be incorporated into playbooks within the SOAR tool.
  • Identify which existing tools will be integrated with the SOAR functions for automation.
  • Establish a strong concept of operations between security and IT operations for task hand-off between ticketing tools and the SOAR workflows.
  • Create a framework in which continuous feedback and root cause analysis further refines existing tools and drives greater automation.

For an organisation to derive the greatest benefits from a SOAR implementation, Yakencheck recommends that it should be done after a well-tuned SIEM tool is in place. He says this provides the means by which existing event aggregation and correlation by the SIEM tool can be used to provide a mechanism for the SOAR component to facilitate actions with greater automation based on the full scope of security events from the organisation.

“When SOAR functions are implemented without a SIEM, some siloed automation may be performed in conjunction with tool integration, but the additional event context produced from a SIEM is going to be missing,” he warns. “Without SIEM functionality, the full benefits from implementing a SOAR tool will not be realised.”

Sizing up security

Thorough monitoring of applications and IT infrastructure are key to maintaining strong IT security, but the data provided by monitoring needs thorough analysis to determine suspicious activities. SOAR capability can elevate security programmes to the next level of operational efficiency when building on SIEM technology.

However, IBM’s Yakencheck says technology alone cannot transform an organisation. “It will only serve as a conduit for greater efficiencies and enable teams to do more with less,” he adds.

According to Gartner, by the end of 2022, 30% of organisations with a security team larger than five people will use SOAR tools in their security operations, compared with less than 5% in 2019. This shows that there is incredible growth in the segment. However, smaller IT teams may not be able to justify the investment required to implement and deploy SOAR.

While security tools can provide immense benefits, without the proper planning and operational structure within an organisation, the full benefits may not be realised. The prospect of greater security insights along with orchestration and automation to keep pace with evolving threats and protect sensitive data may well be the direction of travel IT security eventually takes.

Read more about SIEM and SOAR

  • When it comes to the SOAR versus SIEM debate, it’s important to understand their fundamental differences to get the most benefit from your security data.
  • Artificial intelligence and machine learning techniques are said to hold great promise in security, enabling organisations to operate an IT predictive security stance and automate reactive measures.

Read more on IT risk management

Data Center
Data Management