The question of whether security information and event management (SIEM) or security orchestration and event management (SOAR) is the better security toolset for an organisation is, in part, a moot point.
Yes, there is overlap between the two kinds of tool, but depending on which products you are looking at the overlap can be quite small, particularly where the SIEM product has built artificial intelligence (AI) into its design.
The choice of product is not determined solely by the size of an organisation, but rather by the size and complexity of an organisation’s IT infrastructure and the value of the data held and processed by the infrastructure.
The larger and more complex the IT infrastructure, and the greater the value of the data held and processed, the greater the need for automation to undertake event correlation together with short- and long-term analysis of the alerts (security and otherwise) generated within the infrastructure.
Where possible, automation should also be used to initiate corrective actions within the infrastructure. Doing so frees valuable IT and security staff to concentrate on the difficult-to-solve problems and on maintaining the infrastructure and its associated management and monitoring toolsets.
For the organisation with a smaller and less complex IT infrastructure, such as ones without e-commerce or customer portals, a SIEM deployment – possibly with some AI capabilities – would be a reasonable match.
But, of course, the IT or security staff must be able to manage and use the SIEM tools so that its output is not swamped with spurious data, allowing prioritised events to be quickly identified and investigated.
This approach would generally need to be supplemented by employing external security contractors to provide third-line support and undertake regular reviews of the SIEM configuration and, as necessary, retune and adjust the SIEM so that it better differentiates between anomalous and normal activity.
A small SOAR system might also be an option where the monitoring capability of the SOAR was comprehensive enough to cope with all of the devices within an organisation’s infrastructure. Again, the statements regarding employing external security contractors would also hold for this scenario.
As the complexity of the infrastructure increases together with the value at stake, a SIEM with AI for IT Operations (AIOPS) could be a possible solution as such a system would be able to track slow-moving events over time and automatically initiate some corrective actions in the infrastructure.
Should the organisation’s IT department not have the required skills and/or not enough resources, external security contractors would need to be engaged to provide assistance when required and help with the regular retuning of the SIEM.
For an organisation with a large and complex IT infrastructure, the amount of event data generated would be vast, so a high-end SIEM coupled with a SOAR product would be the solution of preference – the SIEM being the best product for gathering and correlating a wide range of event data, and the SOAR the best product for undertaking a detailed analysis of SIEM-generated data and automatically initiating a range of corrective actions.
The SOAR would also be able to analyse SIEM-generated event data aggregated over a long period of time, which can uncover covert attack attempts that no short-window rule would catch.
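To make the two roles concrete, the following is an added illustration (not code from the article or from any SIEM or SOAR product) of the correlation and playbook logic the last two paragraphs describe, and of the tuning problem raised earlier. A SIEM-style sliding-window rule is run over constructed authentication events at two time scales: a five-minute window that catches a fast brute-force burst, and a seven-day aggregation that catches a "low and slow" attempt of one failure every six hours, which the short window never sees. A SOAR-style playbook then maps each flagged source to an action, with an assumed allowlist for an authorised internal vulnerability scanner standing in for the retuning that keeps analysts from being swamped. All IP addresses, usernames and timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample data (not from any real system) ---------------------
# Each event is (timestamp, source_ip, user, result). The three failing sources
# exercise three cases: a fast brute-force burst, a "low and slow" attempt spread
# over days, and an assumed authorised internal scanner that produces
# legitimate-but-noisy failures.
T0 = datetime(2020, 11, 2, 8, 0, 0)  # constructed start time


def constructed_events():
    events = []
    # 1) burst: 20 failures from 203.0.113.5 within two minutes
    for i in range(20):
        events.append((T0 + timedelta(seconds=6 * i), "203.0.113.5", "admin", "FAIL"))
    # 2) low and slow: one failure every 6 hours for 3 days from 198.51.100.7
    for i in range(12):
        events.append((T0 + timedelta(hours=6 * i), "198.51.100.7", "svc_backup", "FAIL"))
    # 3) authorised scanner (assumed): 15 failures in under five minutes from 10.0.0.9
    for i in range(15):
        events.append((T0 + timedelta(seconds=20 * i), "10.0.0.9", "root", "FAIL"))
    # ordinary successful logins, which the rule must ignore
    for i in range(5):
        events.append((T0 + timedelta(hours=i), "10.0.0.20", "alice", "OK"))
    return sorted(events)


def correlate_failures(events, window, threshold):
    """SIEM-style correlation: return the set of source IPs that produced at
    least `threshold` failed logins inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for ts, ip, _user, result in events:
        if result == "FAIL":
            by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            # slide the window start forward until every event in it is within `window`
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def playbook(flagged, allowlist):
    """SOAR-style decision: map each correlated source to an action. Tuning out
    known-good sources (the allowlist) is what keeps analysts from being swamped
    with false positives; internal sources get human review, external ones get
    automated containment."""
    actions = {}
    for ip in sorted(flagged):
        if ip in allowlist:
            actions[ip] = "suppress"            # tuned out: authorised scanner
        elif ip.startswith("10."):
            actions[ip] = "open_ticket"         # internal: review before acting
        else:
            actions[ip] = "block_at_firewall"   # external: automated containment
    return actions


def run_detection(events=None):
    """Run the short- and long-window rules and the playbook over the events."""
    events = constructed_events() if events is None else events
    fast = correlate_failures(events, timedelta(minutes=5), threshold=10)
    slow = correlate_failures(events, timedelta(days=7), threshold=10)
    allowlist = {"10.0.0.9"}  # assumed: the authorised vulnerability scanner
    return {
        "fast_window": fast,
        "slow_window": slow,
        "actions": playbook(fast | slow, allowlist),
    }


if __name__ == "__main__":
    for key, value in run_detection().items():
        print(key, value)
```

Running the block shows 198.51.100.7 absent from the five-minute result but present in the seven-day one, which is the point of the long-period aggregation; 10.0.0.9 trips the short window but is suppressed by the allowlist, which is the tuning step, and only the external sources are handed to automated containment.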
Even in large organisations with a SIEM and SOAR setup, there would likely be a role for external security consultancy assistance, particularly where there were resource constraints on the IT and/or security departments.