This article is part of our Essential Guide: Essential guide to operation-centric security

SIEM or SOAR or both? Consider your business complexity first

SIEM and SOAR have much in common, but there are key differences between the two that may influence the best fit for your organisation. What should security pros consider when making a choice?

The question of which is the best security toolset for an organisation out of security information and event management (SIEM) or security orchestration and event management (SOAR) is, in part, a moot point.

Yes, there is overlap between the tools and, according to which tools you are looking at, the overlap can be quite small, particularly where the SIEM product has adopted artificial intelligence (AI) into the design.

The choice of product is not determined solely by the size of an organisation, but rather by the size and complexity of an organisation’s IT infrastructure and the value of the data held and processed by the infrastructure.

The larger and more complex the IT infrastructure is and the greater the value of data held and processed, the greater the need to employ automation to undertake event correlation together with the short and long term analysis of alerts (security and others) generated within the infrastructure.

Where possible, automation should be used to initiate corrective actions within the infrastructure as such automation would allow the freeing up of valuable IT and security staff to concentrate on the difficult-to-solve problems and on maintaining the infrastructure and associated management and monitoring toolsets.  

For the organisation with a smaller and less complex IT infrastructure, such as ones without e-commerce or customer portals, a SIEM deployment – possibly with some AI capabilities – would be a reasonable match.

But, of course, the IT or security staff must be able to manage and use SIEM tools such that SIEM output is not swamped with erroneous data so allowing prioritised events to be quickly identified and investigated. 

This approach would generally need to be supplemented by employing external security contractors to provide third line support and undertake regular reviews of the SEIM configuration and, as necessary, retuning and adjusting the SIEM to better differentiate between anomalous and normal activity.

A small SOAR system might also be an option where the monitoring capability of the SOAR was comprehensive enough to cope with all of the devices within an organisation’s infrastructure. Again, the statements regarding employing external security contractors would also hold for this scenario.

As the complexity of the infrastructure increases together with the value at stake, a SIEM with AI for IT Operations (AIOPS) could be a possible solution as such a system would be able to track slow-moving events over time and automatically initiate some corrective actions in the infrastructure.

Should the organisation’s IT department not have the required skills and/or not enough resources, external security contractors would need to be engaged to provide assistance when required and help with the regular retuning of the SIEM.

For an organisation with a large and complex IT infrastructure, the amount of event data generated would be vast, so a high-end SIEM coupled with a SOAR product would be the solution of preference – with the SIEM being the best product for gathering and correlating a wide range of event data, while the SOAR being the best product for undertaking a detailed analysis of SIEM-generated data and automatically initiating a range of corrective actions.

The SOAR would also be able to undertake analysis of SIEM-generated event data aggregated over a long period of time which would uncover attempted covert security events.

Even in large organisations with a SIEM and SOAR setup, there would likely be a role for external security consultancy assistance, particularly where there were resource constraints on the IT and/or security departments.

Read more on IT risk management

Data Center
Data Management