SIEM or SOAR?
Tomasz Jurkowski, Security Engineer
In this article, I will introduce SOAR technology in more detail and answer three questions: what does SOAR stand for, what are its main tasks, and is it able to replace a SIEM system?
What is SOAR in short?
When SOAR first appeared on the cybersecurity scene in 2015, it was called a groundbreaking, revolutionary technology of the industry by Gartner. Since then, the technology has evolved significantly. Today, SOAR plays a key role in almost every modern SOC (Security Operations Center), and many organisations are keen to learn more about this technology's potential.
SOAR, which stands for Security Orchestration, Automation and Response, is a relatively new security platform that uses centralised management of various cyber security tools to automate certain activities to analyse and eliminate threats.
Do you want to know more about SOAR in detail? Then read our resource "What is SOAR?", which explains the technology in more detail.
SIEM or SOAR?
But what if you already have a SIEM system implemented in your organisation? Does that mean SOAR is not for you? Well, no.
In simple terms, a SIEM (Security Information and Event Management) system is designed to collect logs and detect security incidents. Through event correlation, it is able to detect suspicious user behaviour and attempts to attack your infrastructure. It is a system which must be managed continuously: administrators must periodically adjust its configuration to the constantly evolving IT environment and to newer types of attacks. Despite functionalities such as event aggregation, the daily number of logs from devices can often reach several hundred thousand or more. Such a volume of events can generate a large number of incidents, each of which an analyst must then examine thoroughly to decide whether it is a real threat or merely a so-called false positive.
This is where SOAR technology comes to the rescue!
Not only can SOAR automate most of the analysis of SIEM incidents, but it can also counteract the effects of threats in our organisation. Thanks to task automation, the repetitive, manual analytical tasks, which usually take from 30 minutes to even several hours, can be programmed in such a way that we get their results within a minute or two. Some systems also have a machine learning engine which, by analysing previous incidents and gathering certain data, is able to determine whether the current incident is a threat to you or a so-called false positive.
Interaction between SIEM and SOAR
Many organisations rely on both SOAR and SIEM to provide cybersecurity defence. This is because SIEM and SOAR are not in conflict, but complement each other's strengths and actually improve by working together. Although a SIEM system is not essential to a SOAR system, it is often this tandem that we find as the main tools to combat cybersecurity threats in mature organisations.
SIEM works well in its primary role on the front line - filtering and detecting incidents. SOAR, on the other hand, takes incident management, incident analysis and appropriate remediation of real threats to the next level. Moreover, thanks to bi-directional integration with the SIEM system, SOAR is able to send the results of its analysis back to the SIEM. The correlation rules or alarms defined there are then automatically updated with the latest Indicators of Compromise (IoCs), which makes SIEM detection even more accurate.
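To make the automated triage described above and the feedback loop into the SIEM concrete, here is an added example of a minimal SOAR-style playbook; it is illustrative code written for this article, not a vendor's product. The SIEM alerts, the threat-intelligence lookup table and the internal allow-list are all constructed inline, and the watchlist update is returned as data rather than sent to a real SIEM API.

```python
# Constructed sample: alerts as a SIEM might emit them after correlating
# "many failed logins followed by a success" for one source address.
SIEM_ALERTS = [
    {"id": "A-1", "rule": "brute_force_then_success", "src_ip": "203.0.113.45", "user": "jdoe", "failed": 37},
    {"id": "A-2", "rule": "brute_force_then_success", "src_ip": "10.0.0.12", "user": "svc_backup", "failed": 6},
    {"id": "A-3", "rule": "brute_force_then_success", "src_ip": "198.51.100.7", "user": "mkim", "failed": 25},
]

# Constructed stand-in for a threat-intelligence feed; a real playbook would
# query an enrichment service here instead of a dictionary.
THREAT_INTEL = {"203.0.113.45": {"malicious": True, "tags": ["credential-stuffing"]}}

# Constructed allow-list of internal sources known to produce benign noise
# (for example a backup job that retries with a stale password).
KNOWN_BENIGN_SOURCES = {"10.0.0.12"}


def triage(alert):
    """Classify one SIEM alert and return (verdict, evidence) for the analyst record."""
    ip = alert["src_ip"]
    evidence = []
    if ip in KNOWN_BENIGN_SOURCES:
        evidence.append("source on internal allow-list")
        return "false_positive", evidence
    intel = THREAT_INTEL.get(ip)
    if intel and intel["malicious"]:
        evidence.append("threat intel: " + ",".join(intel["tags"]))
    if alert["failed"] >= 20:
        evidence.append(f"{alert['failed']} failures before success")
    # Two independent signals close the case automatically; one signal is
    # escalated to a human rather than auto-blocked.
    verdict = "true_positive" if len(evidence) >= 2 else "needs_analyst"
    return verdict, evidence


def run_playbook(alerts):
    """Triage every alert and build the IoC update the playbook pushes back to the SIEM."""
    results = {}
    watchlist_update = []
    for alert in alerts:
        verdict, evidence = triage(alert)
        results[alert["id"]] = {"verdict": verdict, "evidence": evidence}
        if verdict == "true_positive":
            # Confirmed indicators feed the SIEM watchlist so its correlation
            # rules fire on the next sighting (the bi-directional loop).
            watchlist_update.append({"indicator": alert["src_ip"], "type": "ip", "source_alert": alert["id"]})
    return results, watchlist_update


if __name__ == "__main__":
    print(run_playbook(SIEM_ALERTS))
```

The thresholds and the "two signals" rule are deliberately simple placeholders; a production playbook would tune them per environment and log every verdict for audit.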
So it is not a question of SIEM or SOAR. It is best to have them both in place.