SOAR vs SIEM: What’s the Difference?
SOAR and SIEM are terms that people tend to use interchangeably, but they are NOT one and the same.
This post will walk you through the basics of defining SOAR and SIEM, the major differences, how they work together, and the benefits of implementing them in your infrastructure.
Security Information and Event Management (SIEM) solutions aggregate, correlate, and analyze data from numerous sources to provide visibility into risk and vulnerability inside an organization. Data sources include logs and events from dozens of organizational servers, network devices, domain controllers, and more.
This data is captured typically in one of four ways:
1) An agent is installed on the device,
2) A direct connection using an API, webhook, or network protocol,
3) Reading log files, which are typically in syslog format, or
4) An event streaming protocol such as SNMP, NetFlow, etc.
Security Orchestration, Automation, and Response (SOAR) solutions add the response, orchestration, and automation of the alerts that SIEM solutions generate. These processes are assembled into what is called a playbook, which defines how to respond to any number of security incidents.
SIEMs: today and tomorrow
SIEMs have been around for the better part of 18 years, with the initial objective of consolidating logs and log management across an infrastructure for monitoring and auditing purposes. As technology and infrastructures have become more complex, so have SIEMs and the features and functionality expected of them. The primary objective was, and still is, to aggregate as much data as possible into a single repository and then try to decipher whether a particular event is malicious or not. This drove NIST to author Special Publication 800-92, Guide to Computer Security Log Management, one of the primary documents used in the NIST Risk Management Framework. It emphasized the importance of a centralized repository for information and event management for purposes of visibility, auditing, incident management, incident response, and compliance.
With the aggregation of more data from numerous third-party sources, it became harder and harder for security teams to separate good from bad under such an onslaught of data. The task became analogous to finding a needle in a haystack: false positives are countless and the number of alerts overwhelming. To a certain extent, this problem still exists with SIEMs, and alert fatigue goes hand-in-hand with this strategy. It could be argued that if SIEM technologies were paramount to the security posture and risk mitigation strategies of organizations, then why have security problems and events continued to outpace security spending on a CAGR basis by a factor of 3x? How can a SIEM event manager handle over 17k alerts per day on average? Why is the average time to identify a security breach or incident 207 days, and the time to contain it another 70 days? What is preventing those collective 277 days from becoming seconds or minutes? The answer lies in the type of data being fed into a SIEM and the processes around it for determining when bad or malicious activity occurs.
The simple fact of the matter is that integrity data is the most valuable data a SIEM could digest. Integrity data is binary: if a file changes or a port opens without prior authorization, it is indisputable and cannot be deemed a false positive.
For further reading, see “The CIA Triad – Defining Integrity.” It outlines the value of integrity management and the move from FIM to NextGen FIM.
Security isn’t a product; it’s a process. What does this mean, and how does it apply to SIEMs? In the case of SIEMs, the idea that more data is better can be challenged: more isn’t necessarily better; it’s just more, and it creates far too many false positives and alerts. What is needed is better and more valuable data that can be turned into actionable information and events.
Data, when put through a defined process or workflow, can identify:
1) Whether there is a security breach or incident, and
2) What steps are necessary to remediate and contain the event.
Integrity data is what creates actionable events with immediate benefits.
Birth of SOARs
SOAR platforms have really become Next-Gen SIEMs with workflow orchestration and automation capabilities. Playbooks, if you will. Responses are no longer just alerts triggered by meeting or not meeting a specific threshold or requirement. Instead, aggregated security information and threat data is turned into meaningful information through a series of processes that interrogate the event to determine whether it was good or bad (malicious or non-malicious). If the event is determined to be malicious, the playbook then describes and defines the appropriate action(s) to mitigate and contain the event, and attempts to carry them out automatically.
However, the fundamental problem with SOARs leveraging the data and information within a SIEM is that they could be propagating and automating false positives throughout an infrastructure or, worse, failing to identify bad or nefarious activities that could result in a security breach or incident. It’s the same as building a house on a foundation made of clay as opposed to concrete. A SOAR can and will only be as good as the SIEM tools feeding it the appropriate alerts and the context needed to prevent false positives.
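An added example (not from the original post) of the distinction the last two sections draw: a toy playbook that treats file and port integrity alerts as binary by checking them against a hypothetical authorized-change list and automates only those, while threshold-based alerts are routed to an analyst so that a possible false positive is never automated. The hostnames, paths, and alerts are constructed sample data.

```python
"""Toy SOAR-style playbook over SIEM alerts; added example, not from the post."""
from dataclasses import dataclass

# Constructed sample: changes approved through change management (hypothetical records).
AUTHORIZED_CHANGES = {
    ("srv-web-01", "file", "/etc/nginx/nginx.conf"),  # approved config update
    ("srv-db-02", "port", "5432"),                     # approved database listener
}

@dataclass
class Alert:
    host: str
    kind: str     # "file", "port", or "threshold"
    target: str   # file path, port number, or metric name
    detail: str

def classify(alert):
    """Integrity events are binary: the change is authorized or it is not. Threshold
    alerts carry no such ground truth, so they are only escalated for review."""
    if alert.kind in ("file", "port"):
        if (alert.host, alert.kind, alert.target) in AUTHORIZED_CHANGES:
            return "authorized"
        return "unauthorized"
    return "review"

def respond(alert):
    """Map a verdict to a playbook action; only indisputable verdicts are automated."""
    verdict = classify(alert)
    if verdict == "unauthorized":
        action = "roll back file" if alert.kind == "file" else "close port"
        return {"verdict": verdict, "action": f"{action} on {alert.host}", "automated": True}
    if verdict == "review":
        return {"verdict": verdict, "action": "open ticket for analyst triage", "automated": False}
    return {"verdict": verdict, "action": "close alert", "automated": True}

def run_playbook(alerts):
    return [respond(a) for a in alerts]

# Constructed sample SIEM alerts
SAMPLE_ALERTS = [
    Alert("srv-web-01", "file", "/etc/nginx/nginx.conf", "hash changed"),
    Alert("srv-web-01", "file", "/etc/passwd", "hash changed"),
    Alert("srv-db-02", "port", "4444", "new listener"),
    Alert("srv-db-02", "threshold", "failed_logins", "52 in 5 min"),
]

if __name__ == "__main__":
    for a, r in zip(SAMPLE_ALERTS, run_playbook(SAMPLE_ALERTS)):
        print(a.host, a.kind, a.target, "->", r)
```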
Avoiding Clay Foundations
Statistics have demonstrated that organizations that adopt an integrity management strategy see unprecedented results and a realizable return on investment. Integrating integrity management principles with SIEM and SOAR tools can reduce risk and improve security in the following ways:
Security and Event Management combined with Integrity Management
- Identify and prevent unwanted change(s) on critical systems in real time
- Easily remediate unwanted change(s) and roll back in seconds
- Detect and contain breaches immediately rather than in the industry average of 277 days
- Alerts that matter - 95%+ noise reduction
- Zero-day detection - identify the 550k/day of malicious code variants that anti-virus vendors do not recognize
Compliance combined with Integrity Management
- Always be audit-ready by being able to provide continuous evidence
- Easily fix compliance failures with step-by-step instructions for correcting each failed requirement
- Harden systems using industry-recognized configuration benchmarks
- Gain visibility when systems drift away from a hardened state
- Drastically reduce audit costs
March 28, 2023