SOAR and SIEM – these are two terms that have become well established in cyber security and they have many similarities. Both solutions gather security information from different sources. However, they are clearly distinguishable from each other in terms of their function. In this article, we will be explaining the differences between them and why it makes sense to include both when thinking about your security.
Complexity is on the rise as the number of devices in businesses and data centres increases rapidly. This makes it almost impossible for IT administrators to identify and respond to disparate security problems. This is where a SIEM can help, as it gathers, normalises and analyses key data, then produces consolidated findings based on this data. This aggregation is extremely important because it is the only way to search for specific patterns across all the data collected.
What is called “pattern matching” is one of the most important features of SIEM solutions – but only if it is carried out carefully and reliably. By identifying certain patterns, and working together with an analyst, a SIEM can gain insight into what is actually happening across the entire infrastructure. This works in real time, but also on data that has been collected earlier. Based on these findings, appropriate countermeasures can then be taken. Although SIEM solutions are very good at detecting cyber attacks, they still require manual intervention by security experts to counter the attacks.
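The normalisation and cross-source pattern matching described above, as an added example that is not part of the original article: two constructed log sources (SSH syslog lines and JSON VPN records) are mapped onto one schema and a single correlation rule is run over the pooled events. The rule fires only on the combined data; neither source alone contains enough failures to cross the threshold.

```python
import json, re
from collections import defaultdict
from datetime import datetime
# Constructed sample events from two sources in different formats (not real logs).
SSH_LOGS = [
    "2024-03-01T10:00:01Z sshd[1201]: Failed password for root from 198.51.100.7 port 5001 ssh2",
    "2024-03-01T10:00:04Z sshd[1201]: Failed password for root from 198.51.100.7 port 5002 ssh2",
    "2024-03-01T10:00:09Z sshd[1201]: Accepted password for root from 198.51.100.7 port 5003 ssh2",
]
VPN_LOGS = [
    '{"ts": "2024-03-01T10:00:02Z", "user": "root", "src": "198.51.100.7", "result": "FAIL"}',
    '{"ts": "2024-03-01T10:00:06Z", "user": "root", "src": "198.51.100.7", "result": "FAIL"}',
]
SSH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")

def normalise(source, raw):
    """Map one raw line from either source onto a common schema (the SIEM normalisation step)."""
    if source == "ssh":
        m = SSH_RE.match(raw)
        if not m:
            return None  # unparseable line: dropped here; a real SIEM would count and surface it
        ts, outcome, user, src = m.groups()
        ok = outcome == "Accepted"
    else:
        d = json.loads(raw)
        ts, user, src, ok = d["ts"], d["user"], d["src"], d["result"] == "OK"
    ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return {"ts": ts, "user": user, "src": src, "success": ok, "source": source}

def find_brute_force(events, min_failures=3, window_s=60):
    """Pattern: >= min_failures failures from one IP (all sources pooled), then a success within window_s."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        failures = []
        for e in evs:
            if not e["success"]:
                failures.append(e)
                continue
            recent = [f for f in failures if (e["ts"] - f["ts"]).total_seconds() <= window_s]
            if len(recent) >= min_failures:
                alerts.append({"src": src, "user": e["user"], "failures": len(recent),
                               "sources": sorted({f["source"] for f in recent} | {e["source"]})})
            failures = []  # a success closes the current failure run for this IP
    return alerts

def run():
    events = [normalise("ssh", l) for l in SSH_LOGS] + [normalise("vpn", l) for l in VPN_LOGS]
    return find_brute_force([e for e in events if e])
```

Calling `find_brute_force` on the SSH events alone returns no alert, which is the point the paragraph makes about aggregation.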
The benefit of SIEMs is not disputed. SIEM solutions collect and aggregate log data from IT infrastructures, including applications, network traffic, endpoint events, etc. Analysts in the SOC (Security Operations Center) and CSIRTs (Computer Security Incident Response Team) can use this aggregated data to identify critical events and security incidents. Thereafter, additional analysis and reactions can be initiated. The processing is left to the security teams, who have to manually compile the data coming from these sources to obtain an overall picture of the situation (or even the attack) in greater depth. And this is exactly where the problem is. A large amount of data leads to more alerts and security warnings. For analysts, this means frequent switching between different contexts, systems, data and platforms when conducting investigations, which delays response times. The lack of qualified cyber security experts and the training required for new tools are contributory factors. Security teams are therefore enormously challenged – and often overburdened! So it would be extremely practical if a large part of the analysis and reactions could be automated. And this is where Security Orchestration, Automation and Response (SOAR) comes in.
SOAR is a combination of programmes that collect additional data on security threats from various sources, then automatically initiate responses to specific security events without any human intervention. SOAR takes over the:
With the increasing complexity of cyber attack vectors, businesses need intelligent solutions to address the growing risks in an ever-changing threat landscape. SOAR is one of the current answers. Security Orchestration, Automation and Response – as the name suggests – supports the analysis, orchestration and response activities that follow a security alert. This provides valuable insight into and context for security incidents and enables the deployment of adaptive measures that respond to complex cyber threats. Dynamic playbooks provide the agile, intelligent and sophisticated capabilities required to fight complex attacks.
In a SOAR solution, individual playbooks provide automated analysis, orchestration and incident response, and they can be fully customised to meet the specific needs of a particular company. Actions or reactions to security alerts can be partly or fully automated. In its broadest sense, SOAR can be described as a workflow system with options for analysis and functions for managing security incidents, enabling the remediation status of incidents to be efficiently tracked and reported.
With the help of AI bots (a recommendation engine based on Artificial Intelligence), recommendations for Incident Response reactions can be formulated. These use supervised machine learning to examine patterns in analysts' actions and recommend or automate future actions based on these patterns.
We have already talked a lot about automated actions and workflows. But what might these actions actually look like? Here are a couple of examples:
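A playbook of the kind described above, as an added example that is not part of the original article or any vendor product: an incident raised from a SIEM alert passes through an automated enrichment step, a containment step that runs unattended only when the context justifies it, and a step that always waits for an analyst, while the incident's remediation status and step history are tracked throughout. The connector names and the threat-intel and privileged-user sets are constructed stand-ins.

```python
from dataclasses import dataclass, field
# Constructed stand-ins for SOAR connectors (threat intel, firewall, IAM); not real tool APIs.
KNOWN_BAD_IPS = {"198.51.100.7"}
PRIVILEGED_USERS = {"root", "admin"}
FIREWALL_BLOCKLIST = set()
DISABLED_ACCOUNTS = set()

@dataclass
class Incident:
    alert: dict                      # e.g. {"src": "198.51.100.7", "user": "root"} from the SIEM
    status: str = "open"             # remediation status the SOAR tracks and reports
    context: dict = field(default_factory=dict)
    history: list = field(default_factory=list)

def enrich_ip(inc):
    """Analysis step: attach reputation context for the source IP (always automated)."""
    inc.context["ip_reputation"] = "malicious" if inc.alert["src"] in KNOWN_BAD_IPS else "unknown"

def block_ip(inc):
    """Response step: containment at the perimeter."""
    FIREWALL_BLOCKLIST.add(inc.alert["src"])
    inc.status = "contained"

def disable_account(inc):
    """Response step: disable the account that was logged into."""
    DISABLED_ACCOUNTS.add(inc.alert["user"])

def needs_human(step, inc):
    """Partial automation: a known-bad IP is blocked unattended; an IP of unknown reputation
    or a privileged account waits for an analyst's approval."""
    if step == "block_ip":
        return inc.context.get("ip_reputation") != "malicious"
    if step == "disable_account":
        return inc.alert["user"] in PRIVILEGED_USERS
    return False

PLAYBOOK = [("enrich_ip", enrich_ip), ("block_ip", block_ip), ("disable_account", disable_account)]
def run_playbook(inc, approvals=frozenset()):
    """Run from where it stopped; completed steps are skipped, so the call is repeated after approval."""
    done = {h["step"] for h in inc.history}
    for name, action in PLAYBOOK:
        if name in done:
            continue
        gated = needs_human(name, inc)
        if gated and name not in approvals:
            inc.status = "awaiting_approval:" + name
            return inc
        action(inc)
        inc.history.append({"step": name, "mode": "approved" if gated else "auto"})
    inc.status = "closed"
    return inc
```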
SOAR and SIEM are definitely not mutually exclusive. That's why many companies use SOAR products to develop their own processes and extensions to existing SIEM solutions. This improves operational efficiency by enabling automation and orchestration to respond to priority high-risk threats. SOAR also speeds up investigations by incorporating the context of users and entities as well as the AI-based recommendation engine, which learns from measures taken by analysts in response to threats and recommends or automates future response actions based on the measures learned. All this reduces MTTR (Mean-Time-To-Repair; the average time to resolution), which is ultimately critical to the magnitude of a security incident; hence our recommendation to use the capabilities for analysis, orchestration and reaction in the uneven fight of “man against the machine” or “man against multiple assailants”. You can use automation to counter this unfair balance of power. Thanks to SOAR, you can gain crucial time in the fight against cyber attackers!
Cybercrime is becoming more and more professional and the attacks are increasingly targeted. This means that these days, every company must assume that cyber attacks will not only take place, but they will also be successful. An effective defence requires world-class expertise from cyber analysts, CSIRT and advanced technologies such as SIEM, SOAR, Detection and Incident Response systems. The human and financial resources required are enormous (read more about it in our free guide). For this reason, we offer our customers not only dedicated Consulting Services and Solutions, but we also pool our expertise and technology in our ISO 27001 certified Cyber Defence Center located in Switzerland. This is available to you as professional Support Assistance, Individual Cloud and Managed Services or as Security-as-a-Service around the clock. Do you have any questions about SIEM, SOAR or more generally about how to protect your company against imminent cyber attacks? Our experts will be pleased to advise you!