The toolbox of a SOC team: SIEM and SOAR

4 minutes reading

While certain solutions, like various Detection and Response tools, can greatly enhance the security posture of any company (building on top of endpoint security), there is something to be said about raising the bar of response and remediation even higher.

For a Security Operations Centre (SOC), Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) are two comprehensive options that do just that – raise the bar of cybersecurity. However, each offers a different set of tools and approaches, which should be considered before opting for either.

What is Security Information and Event Management (SIEM)?

One of the tasks that greatly enhances the work of any IT security admin is log collection and data analytics – which is almost exactly what SIEM is best at. It collects data from all parts of a company’s network, alerting to potential security incidents and problems, making it easier for security operators to manage their security infrastructure.

While it is not strictly an incident response and remediation tool, it gives additional information about incidents and events, fulfilling the role of a sort of observer or data monitor. However, this is also a negative of SIEM – it lacks automation. So, apart from data collection, it cannot do much more, requiring the IT team to put to use that data as they see fit. This might be an issue, as notifications can easily pile up and overwhelm security teams, straining and weakening a company’s security posture. This is where SOAR comes in.

What is Security Orchestration, Automation, and Response (SOAR)?

SOAR is a more modern solution that can greatly enhance the capabilities of security teams when trying to protect their customers and partners It is an evolution of the capabilities of SIEM, though it does not technically replace it.

SOAR technology pulls in a lot more data than SIEM not only from the company network, but also from other added security feeds like threat intelligence. It also better prioritises alerts and logs. However, its greatest strength lies in AI automation, as it can also create automated responses to incidents as set by the IT team. This is something that SIEM lacks but makes threat and incident investigation much easier.

However, SOAR can´t fully replace SIEM as the two operations really are quite different.

Which solution is better?

As mentioned before, while SOAR seems technically more impressive than SIEM, it is not a strict replacement. SOAR works best when it is supported by lots of data, and SIEM can provide that as it is more of a data aggregate tool. SOAR can then can prioritise said data, highlighting the best response and remediation, as well as automating certain parts of the process, offloading some tasks from security operators. Think of it as a two-part process, with SIEM supplying the bulk of the data and with SOAR adding more data, and then executing the response.

Enhancing a SOC’s toolbox

Security operations centres can have many different technologies and tools at their disposal to properly protect their employers or clients. As both SIEM and SOAR build on top of regular endpoint protection software, they offer added value to SOCs.

SOCs can also opt to use Extended Detection and Response (XDR) to achieve a similar kind of protection as SIEM and SOAR do. But XDR is not a replacement for either, as it doesn’t technically offer the same capabilities and use cases (SIEM does logs better, while SOAR prioritises and automates better). However, it can still provide comprehensive threat detection and response.

Another option would be to use Managed Detection and Response (MDR). In that case, a SOC team outsources a part of its job to a security vendor. This can have its benefit in enhancing detection and response capabilities by adding more security experts well-versed both in the threat landscape and the security solution that the SOC uses.

The key is to be prepared

For a SOC, the utmost task is to stay prepared for any eventuality as the world of cyber threats is always changing and evolving. Thanks to SIEM, they can have lots of data at their disposal, and with SOAR, a SOC can more easily respond to threats and incidents while keeping their understanding of threat intelligence at a high level, thanks to various integrations of external data feeds.

More solutions also exist, such as the previously mentioned XDR or MDR, and they all have different use cases. This is largely because no “jack of all trades” solution exists that can cover everything. However, combining separate tools into a multi-layered cybersecurity defence posture within a security strategy is the best way to cover and patch those gaps that each solution in itself would have, improving the level of security for anyone willing to achieve full protection.