Security Think Tank: Integration between SIEM/SOAR is critical

Security information and event management (SIEM) solutions have been with us for some time and grew out of the need to consolidate logs in different formats from across the network, including security event feeds from other equipment such as intrusion detection systems (IDSs), firewalls and user endpoint software.

A SIEM will also provide a means of manually searching and analysing the data, typically using data analytics to generate alerts, present different views of the data to the analyst and to provide reports to stakeholders.

In addition, it will typically provide a capability allowing detection use cases to be developed, which look for specific sequences of events that may indicate an ongoing attack and can provide some integration into ticketing and other related systems. 

Today, however, systems can generate thousands of events per second and attackers are becoming more sophisticated. Some advanced persistent threat (APT) groups can now take control of a workstation and break out into the network in an average time of less than 20 minutes from a user clicking on a link in a phishing email, and the average for all groups is less than two hours.

This has led to the notion of the 1/10/60 challenge: the need to detect an attack within one minute, understand it in 10 minutes and contain it within 60 minutes. This is not possible for the best analysts using a SIEM alone.

Security orchestration, automation and response (SOAR) solutions are intended to speed up the response to an attack by automating the incident detection and response process. They integrate with the SIEM, ticketing system, detection technologies, firewalls and proxies, as well as with threat intelligence platforms, to be able to automate the overall detection and response activity.

Security operations teams will have a playbook which details the decisions and actions to be taken from detection to containment. This may suggest actions to be taken on detection of a suspicious event through escalation and possible responses. SOAR can automate this, taking autonomous decisions that support the investigation, drawing in threat intelligence and presenting the results to the analyst with recommendations for further action.

The analyst can then select the appropriate action, which would be carried out automatically, or the whole process can be automated. For example, the detection of a possible command and control transmission could be followed up in accordance with the playbook to gather relevant threat intelligence and information on which hosts are involved and other related transmissions.

The analyst would then be notified and given the option to block the transmissions and isolate the hosts involved. Once selected, the actions would be carried out automatically. Throughout the process, ticketing and collaboration tools would keep the team and relevant stakeholders informed and generate reports as required.

SIEM providers have started to add some of these functions, and operational teams do use the built-in capabilities of the SIEM, or SIEM application programming interfaces (APIs) to automate processes, which could be seen as an overlap between SIEM and SOAR.

A SOAR solution will, however, sit above the SIEM and provide better integration with threat intelligence platforms and more advanced tools that provide more complex outputs than a simple stream of logs. Typically, a SOAR solution will also provide case management, analysis and reporting and support communication and collaboration.

While a SOAR solution can help achieve the 1/10/60 target and save scarce analyst’s time, they require significant configuration. Default configurations may provide a start, but playbook and defined workflows must be tuned to automate them in a SOAR solution as it will not generate these for you.

Also in order to respond, the SOAR solution must know how to reconfigure firewalls, DNS servers and proxies for example, as well as isolating hosts in your specific environment. In the long run though, SOAR will allow more to be done faster with less analyst input.

Although SIEM and SOAR are different, they are both necessary and they need to operate together. SOAR features will continue to be added by SIEM providers, while Gartner estimates that by the end of 2020, only 15% of security organisations with five or more security professionals will adopt SOAR. However, it is unlikely that standalone SIEM solutions will be disappearing soon.