Another year, another Black Hat has come and gone. On the show floor, we saw the continued momentum and interest building for security orchestration, automation and response (SOAR). And as always, we met with a wide variety of security operations pros feeling the pressure of too many alerts, too many technologies and not enough process and automation to make it all work.
Over the two-day show, we were asked several questions, but one kept emerging over and over again.
“If I implement a SOAR solution, do I really need a SIEM?”
It’s a fair question and one that is compounded by the convergence we see happening across many categories within cybersecurity. Security operations teams have a broad spectrum of choices from pure-play security orchestration and automation platforms to traditional SIEMs that are adding orchestration capabilities. With both offering correlation and the ability to identify relationships between security events, it’s no wonder some SOCs are asking themselves what they truly need to get the job done most efficiently.
While the short answer to the question is “not necessarily,” we also have to agree with Gartner’s Anton Chuvakin, who says it really depends on what your definition of SIEM is. Security teams need log repository and analysis capabilities - that isn’t going away and is not what SOAR platforms are built to do. More user devices, an ever-growing ecosystem of security tools, high levels of network activity and the need to adhere to compliance regulations add up a continued need for robust log management capabilities. For many enterprise SOCs, this is just one of many vital functions their SIEM serves.
Logging aside - we still see plenty of runway for SIEMs and SOAR solutions to work together symbiotically instead of serving as alternatives to one another for three key reasons.
PROCESS AND PLAYBOOKS
SIEMs are largely focused on processing vs. process. By that we mean, SIEMs do a great job of addressing the technical challenges associated with ingesting and correlating millions of logs to surface up the ones the security team should be alerted on.
But how does your team know what to do with those alerts? That’s where SOAR steps in. SOAR solutions provide the structure needed to address the process challenges that arise once those alerts have been triggered. One of the major ways SOAR solutions do this is through the ability to document and codify processes into repeatable playbooks. This streamlines alert handling and makes it more predictable and uniform throughout the SOC, meaning teams always know what steps to take and can reduce the number of alerts that go uninvestigated.
A SINGLE PANE OF GLASS
SIEMs serve a hugely important function by sounding the alarm when there appears to be malicious activity. But even the most skilled security analyst will need to use a variety of interfaces beyond their SIEM - EDR, threat intelligence, vulnerability management, user information and more - to put together the full story around a threat. And then they’ll go back into those various consoles when it comes time to remediate the threat. That equals tons of screen switching - and lots of wasted time.
SOAR solutions remedy this by allowing security teams to automatically gather the context they need to investigate an alert (or better yet, a group of alerts) from across their security ecosystem. This arms your team with a threat storyline that can be used to conduct deeper investigation, speed up analysis and make more definitive remediation decisions. Once those processes are complete, your analysts can then orchestrate the necessary response steps and trigger the relevant playbook all through a single console.
SECURITY OPERATIONS MANAGEMENT
While many SIEMs deliver a wide range of capabilities beyond what we traditionally expect - UEBA and automation, to name two - they haven’t been built with the intent of unifying people, process and technology within the SOC. This is truly where SOAR provides value when added to a SIEM.
By enabling the integration and orchestration of an ecosystem of security tools, SOAR platforms are able to deliver the birds’ eye view teams need for day-to-day SOC operations. With robust case management, prioritization, collaboration and reporting capabilities, SOAR solutions can serve as that hub security operations teams desperately need to run more transparently, effectively and efficiently.
Is it possible that some highly forward-thinking SOCs can be successful using SOAR without a SIEM? Maybe so. But at least for now, most enterprise security operations teams will find the marriage of SIEM and SOAR to be the right formula for success.