SOAR vs SIEM. Definitions, Scopes, And Limitations
Pros and Cons in SIEM/SOAR Combinations.
Previously, we’ve reviewed how SIEM and log management systems work, and how they come together in order to seal off emerging attack surfaces, bridge the detection gap, and increase your overall cybersecurity stance. In this article, we’re going to tackle another data security-related topic – SOAR vs SIEM. So, without further ado, let’s see who wins today’s match. Enjoy!
What is SOAR?
A little refresher on SOAR – coined by Gartner, this concept is used to describe a security-centric architecture that focuses on Incident Response (IR) via automated workflows, processes, and procedures. Intel-gathering is the cornerstone of any solution that falls under SOAR; this feature empowers the IT team to gather threat intelligence from multiple sources, including SIEM. Oftentimes, SOAR(s) are deployed on top SIEM solutions, thus leveraging their data-gathering and automatic signaling abilities. For additional information on how SOAR works and how it can add to your overall security, be sure to check out my other article on Security Orchestration Automation and Response Basics. One more aspect I want to add before moving on to SIEM – SOAR doesn’t replace SIEM in the same manner as SIEM can’t replace a SOAR solution. Both ends were engineered to work in tandem; SIEM is the data mining and signaling component, while SOAR provides the necessary, interventional framework.
What is SIEM?
SIEM-based solutions are employed to aggregate and normalize data from across multiple sources. For instance, your run-of-the-mill SIEM can gather firewall logs, proxy or web filtering logs, logs from miscellaneous security solutions (e.g., Sandbox, DLP, IPS/IDS, router NetFlow, etc.), network telemetry (i.e., data generated by products that do Deep Packet Inspection), Windows auth, any type of information produced by endpoint-based security products, and, of course, threat intelligence (i.e., open- or closed-source). You can check out my colleague’s article for more info about SIEM.
SOAR vs SIEM
So, who would win if we were to pit SOAR against SIEM? To make a long story short, there’s no winner here, simply because there’s no competition. SIEM and SOAR are, what you might call, the two sides of the same coin which, in our case, is security. To better understand their similarities, differences, and what each side brings to the table, let’s list their features and capabilities.
|SIEM Features||SOAR Features|
|Data Correlation||Automation and orchestration of security workflows|
|Advanced Reporting||Phase & object tracking|
|Raw data querying||Documentation|
|Data analytics to identify threats||Reporting|
|Dashboard visualization||Continuous tracking of physical and virtual assets|
|Retention of historical data||Threat Intelligence|
|Context-based data correlation||Incident triage|
|UEBA (User and Entity Behavior Analysis)||Forensics|
|Incident timeline||Disaster recovery|
|Real-time security monitoring||Adds granularity when applied to RBAC|
|Real-time notification and alerting||Centralized view|
|Data protection capabilities||Playbook-based incident response|
|Identity-based auditing||Detect anomalies|
|Compliance simplification||Ability to automate low-level security responses|
At first glance, one would argue that there’s no discernable difference between SIEM and SOAR. Let’s try sharpening the contrast a bit with some pros and cons.
|SIEM Pros||SIEM Cons||SOAR Pros||SOAR Cons|
|Increased digital ecosystem visibility||Expensive||Some types of security responses can be fully automated.||Challenging to set up and understand. Requires technical expertise.|
|Helps with compliance||Challenging to deploy||Ability to centralize incident response processes.||Support is limited in some cases.|
|Easier forensics||Increased background noise generated by continuous data collections||Increased transparency||Not all types of security-related responses can be automated.|
|Data correlation||SIEM-generated reports are often difficult to understand||Ability to integrate with SIEM and/or log management.||Some types of integrations can be challenging.|
|Increased security||Configuration-based efficiency.||Scalability||Requires ample documentation prior to set up.|
|The increased threat detection rate||Not manned 24/7.||Multi-source threat intelligence.||Lack of standardized performance metrics.|
One final aspect to take into consideration is coverage. Both SIEM and SOAR are designed to operate in on-prem setups and in the cloud. Below you’ll find the pros and cons associated with each approach.
|On Prem SIEM (Pros and Cons)||Cloud-native SIEM (Pros and Cons)||On-prem SOAR (Pros and Cons)||Cloud SOAR (Pros and Cons)|
· Data stays on site.
· Eliminates the risk associated with data transmission.
·Cost of maintenance.
· May be required to upgrade the infrastructure to accommodate storage and servers.
· Doesn’t require a dedicated team.
· Less time to set up.
· No extra costs.
·Data is hosted by a third party.
·Some SIEM SaaS providers don’t allow customers to access their data.
· Ease of Access.
· Requires extensive technical expertise.
· High maintenance costs.
· Hard to set up.
·No additional setup costs.
· Doesn’t require a dedicated team.
· Licensing can be challenging to understand.
· Data is hosted by a third party.
To sum everything up: in the SOAR vs SIEM contest, both of them win. Keep in mind that both of them have their roles set in stone: SIEM is all about data aggregation and alerting, while SOAR helps us set in motion all the security cogs needed to prevent, contain or mitigate a threat.
The SIEM+ SOAR duo is an incredibly flexible threat identification and data gathering tool that will aid you in your threat-hunting effort, adding value to your company, while driving down costs. This concludes my article on SIEM vs SOAR. Hope you’ve enjoyed it. Now, before I scoot, here are a couple of things you may want to try out if you’ve decided to take the SIEM and SOAR road.
- Baselines and standards. To have a detection & response baseline, you’ll need some standards. The same rules of engagement apply to both SIEM and SOAR. In the case of the former, you’ll need to set detection and alarm thresholds. For the latter, be sure to iron out those workflows before they go online.
- Data hygiene. Don’t let that data simply pile out. Put in place purging procedures and figure out what to discard and what to keep.
- Human factor. Automation may be what defines both SIEM and SOAR, but this doesn’t leave the human factor out of the picture. Most of the fine-tuning and setup must be done manually.
- SOAR + SIEM. Sounds like overkill, especially when you consider the financial aspects, but you can run SOAR and SIEM at the same time. Heimdal®’s eXtended Detection and Response (XDR) centralized monitoring and incident response hub brings you the same detection, response, and mitigation capabilities as any SIEM+SOAR combo.
- Granular telemetry across endpoints and networks.
- Equipped with built-in hunting and action capabilities.
- Pre-computed risk scores, indicators & detailed attack analysis.
- A single pane of glass for intelligence, hunting, and response.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.