
Do I Need a SIEM if I Have SOAR?

Nimmy Reichenberg, August 14, 2018

Another year, another Black Hat has come and gone. On the show floor, we saw continued momentum and interest building for security orchestration, automation and response (SOAR). And as always, we met with a wide variety of security operations pros feeling the pressure of too many alerts, too many technologies and not enough process and automation to make it all work.


Over the two-day show, we were asked several questions, but one kept emerging over and over again.

“If I implement a SOAR solution, do I really need a SIEM?”

It’s a fair question and one that is compounded by the convergence we see happening across many categories within cybersecurity. Security operations teams have a broad spectrum of choices from pure-play security orchestration and automation platforms to traditional SIEMs that are adding orchestration capabilities. With both offering correlation and the ability to identify relationships between security events, it’s no wonder some SOCs are asking themselves what they truly need to get the job done most efficiently.

While the short answer to the question is “not necessarily,” we also have to agree with Gartner’s Anton Chuvakin, who says it really depends on what your definition of SIEM is. Security teams need log repository and analysis capabilities; that need isn’t going away, and it is not what SOAR platforms are built to do. More user devices, an ever-growing ecosystem of security tools, high levels of network activity and the need to adhere to compliance regulations add up to a continued need for robust log management capabilities. For many enterprise SOCs, this is just one of many vital functions their SIEM serves.

Logging aside, we still see plenty of runway for SIEMs and SOAR solutions to work together symbiotically instead of serving as alternatives to one another, for three key reasons.

PROCESS AND PLAYBOOKS

SIEMs are largely focused on processing vs. process. By that we mean SIEMs do a great job of addressing the technical challenges associated with ingesting and correlating millions of logs to surface the ones the security team should be alerted on.

But how does your team know what to do with those alerts? That’s where SOAR steps in. SOAR solutions provide the structure needed to address the process challenges that arise once those alerts have been triggered. One of the major ways SOAR solutions do this is through the ability to document and codify processes into repeatable playbooks. This streamlines alert handling and makes it more predictable and uniform throughout the SOC, meaning teams always know what steps to take and can reduce the number of alerts that go uninvestigated.


A SINGLE PANE OF GLASS

SIEMs serve a hugely important function by sounding the alarm when there appears to be malicious activity. But even the most skilled security analyst will need to use a variety of interfaces beyond their SIEM - EDR, threat intelligence, vulnerability management, user information and more - to put together the full story around a threat. And then they’ll go back into those various consoles when it comes time to remediate the threat. That equals tons of screen switching - and lots of wasted time.

SOAR solutions remedy this by allowing security teams to automatically gather the context they need to investigate an alert (or better yet, a group of alerts) from across their security ecosystem. This arms your team with a threat storyline that can be used to conduct deeper investigation, speed up analysis and make more definitive remediation decisions. Once those processes are complete, your analysts can then orchestrate the necessary response steps and trigger the relevant playbook all through a single console.
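To make the two ideas above concrete (a codified playbook, and automatic context gathering from EDR, threat intelligence, vulnerability management and user data), here is an added example that is not code from the original post or from any vendor product. It models a minimal SOAR-style playbook in Python: a constructed SIEM alert is enriched from in-memory stand-ins for the consoles named above (the lookup tables, host names, IP addresses, scoring weights and thresholds are all placeholders assumed for illustration), scored into a priority, and mapped to a recorded list of response actions rather than to anything executed.

```python
"""Minimal SOAR-style playbook: enrich a SIEM alert with context from several
sources, then decide a priority and the response steps to queue.

Added example, not from the post or any product. Every data source below is a
constructed in-memory stand-in for a console the post describes (EDR, threat
intel, vulnerability management, user directory); a real playbook would call
those tools' APIs instead.
"""
from dataclasses import dataclass, field

# Constructed SIEM alert: the kind of record a SIEM forwards to a SOAR platform.
SIEM_ALERT = {
    "id": "ALERT-0001",
    "rule": "Outbound connection to known-bad IP",
    "host": "ws-finance-07",
    "user": "jdoe",
    "dest_ip": "203.0.113.45",   # documentation range, placeholder value
}

# Constructed enrichment sources (placeholders standing in for tool lookups).
EDR = {"ws-finance-07": {"process": "powershell.exe", "parent": "winword.exe", "isolated": False}}
THREAT_INTEL = {"203.0.113.45": {"malicious": True, "family": "example-loader"}}
VULN_MGMT = {"ws-finance-07": {"critical_vulns": 2}}
USER_DIR = {"jdoe": {"department": "Finance", "privileged": False}}


@dataclass
class Case:
    """One case record: the 'threat storyline' plus the decisions made on it."""
    alert_id: str
    context: dict = field(default_factory=dict)
    score: int = 0
    priority: str = "low"
    actions: list = field(default_factory=list)
    timeline: list = field(default_factory=list)


def enrich(alert, edr=EDR, ti=THREAT_INTEL, vm=VULN_MGMT, users=USER_DIR):
    """Gather context from each source into a single case instead of four consoles."""
    case = Case(alert_id=alert["id"])
    case.context["edr"] = edr.get(alert["host"], {})
    case.context["ti"] = ti.get(alert["dest_ip"], {})
    case.context["vuln"] = vm.get(alert["host"], {})
    case.context["user"] = users.get(alert["user"], {})
    case.timeline.append("enriched from EDR, threat intel, vuln mgmt, user directory")
    return case


def prioritize(case):
    """Additive scoring; the weights and thresholds are illustrative, not a standard."""
    score = 0
    if case.context["ti"].get("malicious"):
        score += 50
    if case.context["edr"].get("parent") in {"winword.exe", "excel.exe"}:
        score += 30  # an Office process spawning a shell is a common phishing indicator
    score += 10 * case.context["vuln"].get("critical_vulns", 0)
    if case.context["user"].get("privileged"):
        score += 20
    case.score = score
    case.priority = "high" if score >= 70 else "medium" if score >= 30 else "low"
    case.timeline.append(f"scored {score} -> {case.priority}")
    return case


def respond(case):
    """Codified response steps per priority; actions are recorded here, not executed."""
    if case.priority == "high":
        case.actions += ["isolate_host", "block_dest_ip", "notify_analyst"]
    elif case.priority == "medium":
        case.actions += ["notify_analyst"]
    else:
        case.actions += ["auto_close_with_note"]
    case.timeline.append("actions queued: " + ", ".join(case.actions))
    return case


def run_playbook(alert, **sources):
    """The whole playbook: the same three steps for every alert, in the same order."""
    return respond(prioritize(enrich(alert, **sources)))


if __name__ == "__main__":
    for step in run_playbook(SIEM_ALERT).timeline:
        print(step)
```

The point of the structure is that every alert walks the same enrich, prioritize, respond path and leaves a timeline behind, which is what makes handling predictable and auditable across analysts; swapping the placeholder dictionaries for real API clients changes `enrich` only, not the playbook logic.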


SECURITY OPERATIONS MANAGEMENT

While many SIEMs deliver a wide range of capabilities beyond what we traditionally expect - UEBA and automation, to name two - they haven’t been built with the intent of unifying people, process and technology within the SOC. This is truly where SOAR provides value when added to a SIEM.

By enabling the integration and orchestration of an ecosystem of security tools, SOAR platforms are able to deliver the bird’s-eye view teams need for day-to-day SOC operations. With robust case management, prioritization, collaboration and reporting capabilities, SOAR solutions can serve as the hub security operations teams desperately need to run more transparently, effectively and efficiently.

Is it possible that some highly forward-thinking SOCs can be successful using SOAR without a SIEM? Maybe so. But at least for now, most enterprise security operations teams will find the marriage of SIEM and SOAR to be the right formula for success.

Topics: Security Operations, SOAR, Black Hat
