Security information and event management (SIEM) and security orchestration, automation and response (SOAR) tools often feature in security operations centres (SOCs). SIEM is well established, whereas SOAR is a more recent technology. Understanding what they do and how they fit together is an important part of knowing whether they are right for you.
SIEM tools are one of the cornerstones of an effective SOC monitoring capability. They work by performing real-time analysis of data feeds from applications and infrastructure, correlating that data and alerting analysts when they identify events of interest.
These alerts might point to a breach that is in progress or, better still, to the precursors of one, and trigger your response processes.
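The correlation step described above, as an added illustration that is not from the original article: a small rule engine over constructed sshd-style log lines (the hostnames, IP addresses and usernames are made up) that raises an alert when one source IP produces five or more failed logins inside a 60-second window, and escalates it to high severity if the same source then logs in successfully within that window. This is the kind of rule a SIEM evaluates continuously over the feeds it ingests; the thresholds and the log format are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample feed (sshd-style syslog lines); not real data.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z host1 sshd: Failed password for root from 203.0.113.5 port 51122
2024-03-01T10:00:03Z host1 sshd: Failed password for admin from 203.0.113.5 port 51130
2024-03-01T10:00:05Z host1 sshd: Failed password for root from 203.0.113.5 port 51141
2024-03-01T10:00:07Z host1 sshd: Failed password for root from 203.0.113.5 port 51150
2024-03-01T10:00:09Z host1 sshd: Failed password for alice from 203.0.113.5 port 51161
2024-03-01T10:00:12Z host1 sshd: Accepted password for alice from 203.0.113.5 port 51170
2024-03-01T10:00:30Z host1 sshd: Failed password for bob from 198.51.100.7 port 40001
2024-03-01T10:05:00Z host1 sshd: Accepted password for bob from 198.51.100.7 port 40002
2024-03-01T11:00:00Z host1 sshd: Failed password for carol from 192.0.2.9 port 33000
2024-03-01T11:00:01Z host1 sshd: Failed password for carol from 192.0.2.9 port 33001
2024-03-01T11:00:02Z host1 sshd: Failed password for carol from 192.0.2.9 port 33002
2024-03-01T11:00:03Z host1 sshd: Failed password for carol from 192.0.2.9 port 33003
2024-03-01T11:00:04Z host1 sshd: Failed password for carol from 192.0.2.9 port 33004
2024-03-01T11:00:05Z host1 sshd: Failed password for carol from 192.0.2.9 port 33005
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse(line):
    """Normalise one raw log line into a dict; lines that do not match are dropped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def correlate(lines, threshold=5, window_seconds=60):
    """Sliding-window correlation rule (assumed thresholds for this example).

    One alert per burst: >= threshold failures from a source within the window.
    A later 'Accepted' from the same source inside the window upgrades the
    alert to 'high' and records the account that was logged into.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # src -> timestamps of failures still in window
    active = {}                    # src -> alert dict for the current burst
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        alert = active.get(src)
        if alert is not None and ts - alert["last"] > window:
            alert = None  # previous burst has gone quiet; start a new one if needed
        if ev["outcome"] == "Failed":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                if alert is None:
                    alert = {"rule": "ssh_bruteforce", "src": src, "host": ev["host"],
                             "failures": len(q), "first": q[0], "last": ts,
                             "severity": "medium"}
                    active[src] = alert
                    alerts.append(alert)
                else:
                    alert["failures"] = len(q)
                    alert["last"] = ts
        elif alert is not None:
            # Success shortly after a brute-force burst from the same source.
            alert["severity"] = "high"
            alert["compromised_user"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS.splitlines()):
        print(a)
```

Run on the constructed feed, the rule fires twice: a high-severity alert for 203.0.113.5 (five failures then a success as alice) and a medium one for 192.0.2.9 (six failures, no success). The single failure from 198.51.100.7 never reaches the threshold, which is the point of correlation: raw events are not alerts until a rule gives them meaning.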
If you are responsible for security in a medium or large organisation and think you need a SIEM, you probably do – in fact, you probably have one already.
Alongside your SIEM, you probably have a range of additional tools that provide security alerts.
The problem with alerts is that you need to do something with them. You need to validate that they constitute a real incident, for instance by correlating with threat intelligence, and you need to trigger and subsequently manage response processes.
This requires time and effort, sometimes more than is available. For many organisations, the frustration of not having enough security information can quickly be overtaken by the frustration of having too much.
Working with a SIEM can be very demanding, because large numbers of alerts require large numbers of analysts. Worse still, initial alert triage is repetitive, which contributes to SOC analysts moving between employers more often than other cyber security staff.
Managing all this can be a bit of a juggling act, with multiple playbooks, multiple tools and no real integration.
SOAR platforms address many of these challenges and the technology has been developed specifically with the smooth running of a SOC in mind. They can help to manage tools and information sources (including SIEMs), automate analyst processes and co-ordinate response.
They draw together SOC tools and make it easier to work between them. For anyone who has seen a SOC analyst’s desktop, and the number of applications open, the benefits are obvious. By automating some activity, SOAR tools can remove many of the mundane tasks that would otherwise fill an analyst’s day, such as detonating suspicious attachments in a sandbox to check for malware. That can free up time to look at more complex alerts without the worry that something is being missed.
Finally, SOAR tools allow response processes to be formalised, so you can be confident they are being followed. Of course, all of that can be done using other tools, but the benefits of integration are hard to ignore.
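The enrichment, automation and formalised-response steps described above, as an added example that is not from the original article and not any vendor's playbook: a minimal SOAR-style playbook that takes a SIEM alert, enriches it against a threat-intelligence list and an asset inventory (both constructed here), scores it, decides whether to escalate, open a case for investigation or auto-close, de-duplicates against cases already open, and records every step as an audit trail. The external tools (firewall, identity provider, ticketing) are modelled as strings in an action list; in a real deployment those would be API calls, and the scoring weights are assumptions for the example.

```python
# Constructed threat-intelligence feed: indicator -> (confidence 0..100, tag).
THREAT_INTEL = {
    "203.0.113.5": (90, "bruteforce-scanner"),
    "198.51.100.77": (40, "tor-exit"),
}

# Constructed asset inventory: hostname -> business criticality.
ASSETS = {"host1": "high", "kiosk3": "low"}

SEVERITY_SCORE = {"low": 10, "medium": 40, "high": 70}

# Constructed alerts in the shape a SIEM correlation rule might emit.
SAMPLE_ALERTS = [
    {"rule": "ssh_bruteforce", "src": "203.0.113.5", "host": "host1",
     "severity": "high", "compromised_user": "alice"},
    {"rule": "ssh_bruteforce", "src": "192.0.2.9", "host": "kiosk3",
     "severity": "medium"},
    {"rule": "ssh_bruteforce", "src": "198.51.100.77", "host": "kiosk3",
     "severity": "low"},
]


class Playbook:
    """Enrich -> score -> decide -> act, recording each step for audit.

    Thresholds (80 escalate, 40 investigate) and weights are assumptions.
    """

    def __init__(self):
        self.open_cases = {}  # (rule, src) -> case id, for de-duplication
        self._next_case = 1

    def _open_case(self, key, priority, actions):
        case = f"CASE-{self._next_case}"
        self._next_case += 1
        self.open_cases[key] = case
        actions.append(f"ticketing.create {case} priority={priority}")
        return case

    def run(self, alert):
        steps, actions = [], []
        score = SEVERITY_SCORE[alert["severity"]]
        steps.append(f"severity={alert['severity']} base_score={score}")

        # Enrichment 1: threat intelligence on the source indicator.
        conf, tag = THREAT_INTEL.get(alert["src"], (0, "unknown"))
        score += conf // 2
        steps.append(f"ti_lookup src={alert['src']} tag={tag} confidence={conf}")

        # Enrichment 2: how much does the targeted asset matter?
        crit = ASSETS.get(alert["host"], "unknown")
        if crit == "high":
            score += 20
        steps.append(f"asset_lookup host={alert['host']} criticality={crit}")

        # De-duplication: attach to an existing case rather than paging twice.
        key = (alert["rule"], alert["src"])
        if key in self.open_cases:
            case = self.open_cases[key]
            actions.append(f"ticketing.attach case={case}")
            steps.append(f"dedup existing case={case}")
            return {"disposition": "merged", "score": score, "case": case,
                    "actions": actions, "steps": steps}

        # Decision and containment actions.
        if score >= 80:
            disposition = "escalate"
            actions.append(f"firewall.block_ip {alert['src']}")
            if alert.get("compromised_user"):
                actions.append(f"idp.disable_user {alert['compromised_user']}")
            case = self._open_case(key, "P1", actions)
        elif score >= 40:
            disposition = "investigate"
            case = self._open_case(key, "P3", actions)
        else:
            disposition = "auto_close"
            case = None
        steps.append(f"decision score={score} disposition={disposition}")
        return {"disposition": disposition, "score": score, "case": case,
                "actions": actions, "steps": steps}


if __name__ == "__main__":
    pb = Playbook()
    for a in SAMPLE_ALERTS:
        print(pb.run(a))
```

On the constructed alerts, the brute force against the high-value host with a known-bad source and a successful login is escalated with the IP blocked and the account disabled, the medium alert becomes a P3 case, the low-confidence one is closed automatically, and a repeat of the first alert is merged into the case already open. Because every run returns its `steps`, the response path is recorded rather than left to whichever analyst happened to be on shift.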
This technology can then make alerts much easier to manage, with the benefit of more efficient use of SOC resources, faster response times and, ultimately, better security.
If you think all that means you need a SOAR platform, you might be right. But then again, there are reasons why it might not be the right solution for you.
The first step in determining whether you need SOAR is understanding your SOC and what you have already. If your team is struggling to manage its workload, then SOAR could be useful. Likewise, if SOAR offers capabilities that you do not have already, that could be a driver towards using it.
But remember, there are a number of tools, such as Microsoft’s Sentinel, that combine SIEM and SOAR technology into a single offering and you may find your current SIEM has a roadmap to SOAR capabilities in the future.
If you do decide to go with SOAR, be aware that successful implementation is as much about people and operating models as it is technology. Getting that right requires different skills from those required to implement a SIEM.
According to Gartner, by year-end 2022, 30% of organisations with a security team larger than five people will use SOAR tools in their security operations, compared with less than 5% in 2019. That is telling. Firstly, it shows incredible growth in the segment. Secondly, it tells us that sizing is important, because smaller teams may not be able to justify the investment required.
Ultimately, if you have a small team and a manageable number of alerts, you probably don’t need SOAR. If your team is larger, and if it is having trouble keeping on top of the alerts it receives, you probably do.
Rasika Somasiri is a cyber security expert at PA Consulting
All Rights Reserved, Copyright 2000 – 2020, TechTarget