SIEM vs SOAR: What’s The Difference?
Technology and cyber threats alike are advancing every day. In the security community, we must keep innovating to keep up with the latest threats. One way of accomplishing this is through a SOAR (Security Orchestration, Automation & Response) platform, which takes the traditional SIEM solution to the next level. Gone are the days of mindlessly clicking through log events to determine whether an event is malicious. The platform empowers the security team to continuously build actions for known threats so they can be detected, isolated and even remediated with minimal human interaction. This article covers some of the benefits of a SOAR solution and how it can enhance, if not replace, what a SIEM solution provides.
Security orchestration is simply tying together different security solutions to streamline the detection of and response to vulnerabilities and incidents. The traditional SIEM involves heavy, hands-on activity from dedicated staff; they act as the orchestrator. A security analyst, in the conventional sense, is in charge of manually handling the following actions to detect and respond to a security incident appropriately:
- Consistently tune and review SIEM rules to ensure they fit the business infrastructure.
- Respond to items of interest to determine whether they are legitimate or a false positive.
- If legitimate, coordinate efforts for remediation, including:
  - Isolating the machine using an EDR solution.
  - Documenting the incident in a centralized, reputable solution.
  - Running vulnerability scans on the affected device to confirm the issue has been corrected.
Think about performing the above actions over and over; this is where automation comes into play within a SOAR solution. Automating an analyst's routine responsibilities is a huge time saver and lets the analyst focus on more valuable activities such as threat hunting or rule building. A SOAR takes the objectives above and strings them together into an automated timeline that streamlines incident response: from the moment an issue is detected, it can be carried through to remediation without human interaction.
When combining orchestration and automation, we gain the ability to sculpt different responses for different situations. For example, if a user receives a phishing email but doesn't interact with it, we may want the response to include pulling the email from the user's mailbox. If the user opens it and clicks on a URL, we may want an additional response that performs a virus scan on the user's machine or emails the user to inform them that they just clicked a phishing link. The possibilities are endless given how easy SOAR makes it to automate response tasks.
Below are some examples of responses that can be automated within a SOAR platform that would otherwise be manual in a SIEM:
- Create a service desk ticket in your issue tracking solution and assign it to an open queue or team.
- When an infected machine is found on the network, remove the affected files, run a virus scan, and contain the machine.
- Pull a phishing email with a specific threat score from an end user's mailbox.
- Trigger a call list or alerts if a particular indicator is discovered.
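The branching phishing response described earlier and the automated actions listed above can be expressed as a playbook: a small decision tree that maps alert attributes to an ordered set of response steps. The following is an added example written for this article, not code from any SOAR vendor. The connector functions (`pull_email`, `scan_host`, `isolate_host`, `notify_user`, `open_ticket`, `page_oncall`) are hypothetical stand-ins that only record what a real integration would do, the threat-score thresholds are assumed values, and the alert is constructed inline.

```python
"""Minimal SOAR-style playbook runner (added example, not vendor code).

Models the phishing scenario: the playbook inspects an alert and decides
which response actions to orchestrate. Connector functions are stand-ins
for real integrations (mail gateway, EDR, ticketing, paging) and simply
append a record of the action to the case.
"""
from dataclasses import dataclass, field
from typing import List

# Assumed thresholds; a real deployment tunes these per environment.
PHISH_SCORE_THRESHOLD = 70   # below this, document only and let an analyst triage
CRITICAL_SCORE_THRESHOLD = 90  # at or above this, contain the host and page on-call


@dataclass
class Alert:
    alert_type: str
    user: str
    host: str
    threat_score: int
    message_id: str
    user_clicked: bool = False


@dataclass
class Case:
    actions: List[str] = field(default_factory=list)
    ticket_id: str = ""


# --- hypothetical connectors: each records what a real integration would do ---
def pull_email(case: Case, alert: Alert) -> None:
    case.actions.append(f"pull_email:{alert.message_id}:{alert.user}")


def scan_host(case: Case, alert: Alert) -> None:
    case.actions.append(f"scan_host:{alert.host}")


def isolate_host(case: Case, alert: Alert) -> None:
    case.actions.append(f"isolate_host:{alert.host}")


def notify_user(case: Case, alert: Alert) -> None:
    case.actions.append(f"notify_user:{alert.user}")


def open_ticket(case: Case, alert: Alert, queue: str) -> None:
    # Constructed ticket id derived from the message id so runs are deterministic.
    case.ticket_id = f"TICKET-{alert.message_id}"
    case.actions.append(f"open_ticket:{queue}:{case.ticket_id}")


def page_oncall(case: Case, alert: Alert) -> None:
    case.actions.append("page_oncall")


def run_phishing_playbook(alert: Alert) -> Case:
    """Decide and order the response for a phishing alert."""
    case = Case()
    if alert.alert_type != "phishing":
        return case  # this playbook only handles phishing alerts

    if alert.threat_score < PHISH_SCORE_THRESHOLD:
        # Low confidence: document it and leave the decision to an analyst.
        open_ticket(case, alert, queue="triage")
        return case

    # High confidence: always remove the message from the mailbox.
    pull_email(case, alert)

    if alert.user_clicked:
        # The user interacted with the link: scan the host, tell the user,
        # and track the incident in the IR queue.
        scan_host(case, alert)
        notify_user(case, alert)
        open_ticket(case, alert, queue="incident-response")
        if alert.threat_score >= CRITICAL_SCORE_THRESHOLD:
            isolate_host(case, alert)
            page_oncall(case, alert)
    else:
        # Message removed before interaction: just document it.
        open_ticket(case, alert, queue="phishing")
    return case


if __name__ == "__main__":
    # Constructed sample alert: high score, user clicked the link.
    sample = Alert("phishing", "alice", "WS-01", 92, "msg-123", user_clicked=True)
    for step in run_phishing_playbook(sample).actions:
        print(step)
```

Each branch of `run_phishing_playbook` corresponds to one of the manual steps a SIEM analyst would otherwise perform by hand, and because every action is recorded on the case, the resulting list doubles as the audit trail for the incident.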
This may not seem like much, but for a more detailed look into how much effort goes into monitoring a network with a SIEM, check out this course.
A SOAR solution can help any security team take the next step toward a more advanced and responsive approach. Some examples of vendors that provide SOAR technology include Splunk, Rapid7, and Demisto. Growing your response capabilities over time is essential in today's world of advanced threats. Want to learn more about SOAR and SIEM solutions? Head over to Cybrary's website and check out the interactive courses offered.