CYBERSECURITY PADAWAN

Previously, we’ve reviewed how SIEM and log management systems work, and how they come together in order to seal off emerging attack surfaces, bridge the detection gap, and increase your overall cybersecurity stance. In this article, we’re going to tackle another data security-related topic – SOAR vs SIEM. So, without further ado, let’s see who wins today’s match. Enjoy!

SOAR Revisited

A little refresher on SOAR – coined by Gartner, this concept is used to describe a security-centric architecture that focuses on Incident Response (IR) via automated workflows, processes, and procedures. Intel-gathering is the cornerstone of any solution that falls under SOAR; this feature empowers the IT team to gather threat intelligence from multiple sources, including SIEM. Oftentimes, SOAR(s) are deployed on top SIEM solutions, thus leveraging their data-gathering and automatic signaling abilities. For additional information on how SOAR works and how it can add to your overall security, be sure to check out my other article on Security Orchestration Automation and Response Basics. One more aspect I want to add before moving on to SIEM – SOAR doesn’t replace SIEM in the same manner as SIEM can’t replace a SOAR solution. Both ends were engineered to work in tandem; SIEM is the data mining and signaling component, while SOAR provides the necessary, interventional framework.

SIEM Revisited

As I’ve mentioned in the section dedicated to SOAR, SIEM-based solutions are employed to aggregate and normalize data from across multiple sources. For instance, your run-of-the-mill SIEM can gather firewall logs, proxy or web filtering logs, logs from miscellaneous security solutions (e.g., Sandbox, DLP, IPS/IDS, router NetFlow, etc.), network telemetry (i.e., data generated by products that do Deep Packet Inspection), Windows auth, any type of information produced by endpoint-based security products, and, of course, threat intelligence (i.e., open- or closed-source). For more info about SIEM, its capabilities, and features, be sure to check out my colleague’s article.

SOAR vs SIEM

With the intro behind us, let’s talk about today’s topic. So, who would win if we were to pit SOAR against SIEM? To make a long story short, there’s no winner here, simply because there’s no competition. SIEM and SOAR are, what you might call, the two sides of the same coin which, in our case, is security. To better understand their similarities, differences, and what each side brings to the table, let’s list their features and capabilities.

 

SIEM Features SOAR Features
Data Aggregation Integration
Data Correlation Automation and orchestration of security workflows
Advanced Reporting Phase & object tracking
Raw data querying Documentation
Data analytics to identify threats Reporting
Dashboard visualization Continuous tracking of physical and virtual assets
Retention of historical data Threat Intelligence
Context-based data correlation Incident triage
UEBA (User and Entity Behavior Analysis) Forensics
Incident timeline Disaster recovery
Real-time security monitoring Adds granularity when applied to RBAC
Real-time notification and alerting Centralized view
Data protection capabilities Playbook-based incident response
Identity-based auditing Detect anomalies
Compliance simplification Ability to automate low-level security responses

 

At first glance, one would argue that there’s no discernable difference between SIEM and SOAR. Let’s try sharpening the contrast a bit with some pros and cons.

SIEM Pros SIEM Cons SOAR Pros SOAR Cons
Increased digital ecosystem visibility Expensive Some types of security responses can be fully automated. Challenging to set up and understand. Requires technical expertise.
Helps with compliance Challenging to deploy Ability to centralize incident response processes. Support is limited in some cases.
Easier forensics Increased background noise generated by continuous data collections Increased transparency Not all types of security-related responses can be automated.
Data correlation SIEM-generated reports are often difficult to understand Ability to integrate with SIEM and/or log management. Some types of integrations can be challenging.
Increased security Configuration-based efficiency. Scalability Requires ample documentation prior to set up.
The increased threat detection rate Not manned 24/7. Multi-source threat intelligence. Lack of standardized performance metrics.

 

One final aspect to take into consideration is coverage. Both SIEM and SOAR are designed to operate in on-prem setups and in the cloud. Below you’ll find the pros and cons associated with each approach.

On Prem SIEM (Pros and Cons) Cloud-native SIEM (Pros and Cons) On-prem SOAR (Pros and Cons) Cloud SOAR (Pros and Cons)
Pros:

· Data stays on site.

· Eliminates the risk associated with data transmission.

Cons:

·Cost of maintenance.

·  May be required to upgrade the infrastructure to accommodate storage and servers.

Pros:

· Doesn’t require a dedicated team.

·  Less time to set up.

·  No extra costs.

Cons:

·Data is hosted by a third party.

·Some SIEM SaaS providers don’t allow customers to access their data.

Pros:

· Ease of Access.

· Availability.

· Security.

Cons:

·  Requires extensive technical expertise.

· High maintenance costs.

· Hard to set up.

Pros:

·No additional setup costs.

· Doesn’t require a dedicated team.

Cons:

· Licensing can be challenging to understand.

· Data is hosted by a third party.

To sum everything up: in the SOAR vs SIEM contest, both of them win. Keep in mind that both of them have their roles set in stone: SIEM is all about data aggregation and alerting, while SOAR helps us set in motion all the security cogs needed to prevent, contain or mitigate a threat.

Wrap-up + Cybersecurity Advice

The SIEM+ SOAR duo is an incredibly flexible threat identification and data gathering tool that will aid you in your threat-hunting effort, adding value to your company, while driving down costs. This concludes my article on SIEM vs SOAR. Hope you’ve enjoyed it. Now, before I scoot, here are a couple of things you may want to try out if you’ve decided to take the SIEM and SOAR road.

  1. Baselines and standards. To have a detection & response baseline, you’ll need some standards. The same rules of engagement apply to both SIEM and SOAR. In the case of the former, you’ll need to set detection and alarm thresholds. For the latter, be sure to iron out those workflows before they go online.
  2. Data hygiene. Don’t let that data simply pile out. Put in place purging procedures and figure out what to discard and what to keep.
  3. Human factor. Automation may be what defines both SIEM and SOAR, but this doesn’t leave the human factor out of the picture. Most of the fine-tuning and setup must be done manually.
  4. SOAR + SIEM. Sounds like overkill, especially when you consider the financial aspects, but you can run SOAR and SIEM at the same time. Heimdal®’s eXtended Detection and Response (XDR) centralized monitoring and incident response hub brings you the same detection, response, and mitigation capabilities as any SIEM+SOAR combo.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Best 10 SIEM Tools to Fuel Up Your Threat-Hunting Grind

SIEM vs Log Management – Definitions, Features, Capabilities, and Deployment

Security Orchestration Automation and Response (SOAR) Basics: Definition, Components, and Best Practices

Security Information and Event Management (SIEM). What It Is and How It Works.

Leave a Reply

Your email address will not be published. Required fields are marked *

GO TO TOP