Is SOAR set to replace SIEM?
Before suggesting an answer to this question, which has been circulating in the cybersecurity world lately, we need to understand where it comes from and what SIEM and SOAR each offer the SOC and the threat and vulnerability management teams.
SIEM, the SOC window
SIEM – or Security Information and Event Management – is an essential tool in every security operations center. It enables security teams to collect, normalize and interpret the enormous volume of logs produced by the information system: firewalls, workstations, servers, applications, directories, etc. A SIEM also lets analysts define detection scenarios and alerts based on the correlation of events received from different pieces of equipment across the company. To explain a little more about what a SIEM can offer, we will consider a use case that can occur in any company.
Let us assume that a malicious e-mail has found its way to the mailbox of a user who – unfortunately – has clicked on the link or the attachment contained in the e-mail, thus causing an entire computer and network contamination process to start.
By collecting logs from mail servers, network equipment, workstations and Active Directory domain controllers, we can follow the attack step by step: the mail server log shows the delivery of the attachment, the workstation log shows the malicious process starting and contacting an external server to download its payload, the AD log shows the malware creating a new user account, and further workstation logs show the attacker using that account and the victim's account to gain access to other workstations, for example by exploiting known vulnerabilities.
Using all these logs together, the SIEM reconstructs a path, or attack chain, by correlating timestamps, hosts, accounts and actions. The SOC team can then quickly determine the initial point of entry and which hosts and services are affected, so that it can contain the infection and stop the attack in progress.
However, despite all its success, the SIEM has several weaknesses, including the difficulty and complexity of scaling it as log volumes grow, and the large number of false positives, which require a great deal of processing time, given that logs never stop and that detection in a SOC is done 24 hours a day, 7 days a week, 365 days a year. It also requires a very well-trained team to tune the correlation rules and manage all this.
SOAR, a major time-saving asset for the SOC
As a set of software and tools, SOAR (Security Orchestration, Automation and Response) is used not only to triage and act on low-level incidents raised by the SIEM and other sensors, but also to add case management layers for vulnerabilities and possible threats. It orchestrates and automates these tasks through playbooks to save time. In addition to alerting the CSIRT, a SOAR playbook can automatically add blocking rules to the firewall and create incident tickets, which it sends to the relevant teams.
Returning to the SOC example, the SOAR will isolate the workstation that opened the attachment from the network, temporarily disable the AD account created by the attacker and send alerts to all relevant parties. With proper configuration and adaptation, SOAR minimizes damage and saves valuable time for the SOC engineers. The caveat is that automation only multiplies the quality of the detection feeding it: a playbook triggered by a false positive will isolate a legitimate workstation just as quickly, which is why disruptive actions are often gated behind an analyst's approval until the rule behind them has proven reliable.
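To make the two halves of this scenario concrete, the following is an added example, not code from the original article or from any SIEM or SOAR product. It first performs SIEM-style correlation over a handful of constructed log lines (mail server, workstation and Active Directory events), stitching them into the attack chain described above, and then runs a SOAR-style playbook that derives the containment actions from that chain. The log format, hostnames, account names, IP addresses and action names are all invented for illustration, and the playbook returns its actions as data rather than calling a real firewall, EDR or directory API (those integrations are assumed).

```python
"""Toy SIEM-style correlation plus a SOAR-style playbook (added example, not the
article's code). Log format, hosts, accounts, IPs and action names are constructed
for illustration and follow no real product's schema or API."""
from dataclasses import dataclass, field

# Constructed sample logs: "<timestamp> <source> key=value ...".
# The last line is unrelated, benign traffic that must not be swept into the chain.
SAMPLE_LOGS = [
    "2024-03-01T09:00:01 mail event=delivered to=alice@corp.example attachment=invoice.zip",
    "2024-03-01T09:02:10 host event=process_start host=WS-ALICE user=alice image=invoice.exe parent=outlook.exe",
    "2024-03-01T09:02:15 host event=net_connect host=WS-ALICE user=alice dst=203.0.113.45 dport=443",
    "2024-03-01T09:03:00 ad event=user_created host=DC01 actor=alice account=svc_backup2",
    "2024-03-01T09:05:30 host event=logon host=WS-BOB user=svc_backup2 src=WS-ALICE logon_type=3",
    "2024-03-01T09:06:00 host event=logon host=WS-CAROL user=alice src=WS-ALICE logon_type=3",
    "2024-03-01T10:00:00 host event=net_connect host=WS-DAVE user=dave dst=198.51.100.7 dport=443",
]


def parse(lines):
    """Turn each constructed log line into a dict with 'ts', 'source' and its key=value fields."""
    events = []
    for line in lines:
        ts, source, *fields = line.split()
        ev = {"ts": ts, "source": source}
        ev.update(f.split("=", 1) for f in fields)
        events.append(ev)
    # ISO-8601 timestamps in one format sort chronologically as strings.
    return sorted(events, key=lambda e: e["ts"])


@dataclass
class AttackChain:
    entry_user: str
    entry_host: str
    steps: list = field(default_factory=list)             # correlated raw events, in order
    c2_addresses: list = field(default_factory=list)      # external hosts the entry host contacted
    created_accounts: list = field(default_factory=list)  # accounts the attacker created in AD
    lateral_hosts: list = field(default_factory=list)     # hosts reached from the entry host


def correlate(events):
    """SIEM-style correlation: stitch mail, endpoint and AD events into one attack chain.

    The anchor is an attachment delivery followed by a process spawned from the mail
    client by the same user. Later events join the chain only if they are tied to that
    host, that user, or an account the chain itself created; a lone outbound connection
    from some other workstation is never promoted to an incident on its own.
    """
    chains = []
    for mail in (e for e in events if e["event"] == "delivered"):
        user = mail["to"].split("@")[0]
        for ex in events:
            if not (ex["event"] == "process_start" and ex["user"] == user
                    and ex["parent"] == "outlook.exe" and ex["ts"] >= mail["ts"]):
                continue
            chain = AttackChain(entry_user=user, entry_host=ex["host"], steps=[mail, ex])
            actors = {user}  # identities the attacker controls so far
            for e in events:
                if e["ts"] < ex["ts"] or e in chain.steps:
                    continue
                if e["event"] == "net_connect" and e["host"] == chain.entry_host:
                    chain.c2_addresses.append(e["dst"])
                    chain.steps.append(e)
                elif e["event"] == "user_created" and e["actor"] in actors:
                    chain.created_accounts.append(e["account"])
                    actors.add(e["account"])
                    chain.steps.append(e)
                elif e["event"] == "logon" and e["src"] == chain.entry_host and e["user"] in actors:
                    chain.lateral_hosts.append(e["host"])
                    chain.steps.append(e)
            chains.append(chain)
    return chains


def playbook(chain):
    """SOAR-style response: derive the containment actions the article describes from a
    correlated chain. Returns (action, target) pairs; wiring them to a real EDR, firewall,
    directory and ticketing system is assumed and not shown."""
    actions = [("isolate_host", chain.entry_host)]
    actions += [("disable_account", acct) for acct in chain.created_accounts]
    actions += [("firewall_block", ip) for ip in dict.fromkeys(chain.c2_addresses)]  # dedupe
    touched = ", ".join(chain.lateral_hosts) or "none"
    actions.append(("open_ticket", f"phishing on {chain.entry_host} ({chain.entry_user}); "
                                   f"lateral movement to: {touched}"))
    actions.append(("notify", "CSIRT"))
    return actions


if __name__ == "__main__":
    for chain in correlate(parse(SAMPLE_LOGS)):
        print(f"entry point: {chain.entry_user}@{chain.entry_host}, lateral: {chain.lateral_hosts}")
        for action, target in playbook(chain):
            print(f"  {action}: {target}")
```

Run as-is, the correlation yields exactly one chain, anchored on WS-ALICE, and the playbook isolates that host, disables svc_backup2 and blocks only the address the infected host actually contacted; the unrelated connection from WS-DAVE produces no action, which is the noise reduction that makes automated response tolerable in practice.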
This is why many security experts believe that SOAR answers the questions that SIEM leaves unanswered.
Why should these two not complement each other …?
In the most advanced SOCs, SOAR and SIEM work in close complementarity, even though some believe that SOAR replaces SIEM entirely: the SIEM collects and correlates the events and raises the alert, and the SOAR takes that alert and carries out the response.
Meanwhile, SIEMs keep improving, adding next-generation features that help security teams better manage today's cybersecurity challenges.
After several comparisons, we do not believe that SIEM will be replaced by SOAR. On the contrary, like any good product, SIEM will remain open to cooperation with SOAR platforms to form a complete solution that is ready to face the challenges ahead, and the combination of the two increases the efficiency of the SOC.