alphaspirit - Fotolia


SIEM vs. SOAR: Key considerations for software evaluation

SIEM and SOAR tools are now seen as complementary to each other, but key differences in purpose and features may determine which one you decide to use in your data center.

IT security software offerings are now more diverse than ever, and well-established security information and event management offerings face contention from a newer crop of security orchestration, automation and response products. As both options evolve, they have become more complementary than competitive.

SIEM offers broad log support but needs careful tuning and manual remediation. SOAR offers great automation and autonomy but relies on connectors and playbooks to be effective.

Both products tout some similar features, but their tradeoffs also enable both technologies to work together and expand and improve an organization's security posture. As admins weigh the possibilities of SIEM vs. SOAR, there are specific functionalities to evaluate for successful software selection.

What is SIEM?

The main goal of SIEM tools is to identify log patterns and provide log analytics capabilities. Long-term analytics collect and aggregate log and error data, and then identify, correlate, categorize and report critical events. Administrators can then carefully evaluate and remediate alerts.

SIEM focuses on three key types of features: strong use of data collection, aggregation and correlation/analysis; detailed organization and prioritization of events; and reporting and alerting to address events promptly.

The primary challenge with SIEM technologies is intelligence. Data centers are rife with event types, but not all events are attacks or problems. It takes careful tuning to discern normal events from abnormal events and to determine the appropriate level of criticality. SIEM tools can impose a high level of complexity that requires regular review and adjustment to properly detect issues and avoid false positives.

SIEM features and products

Available SIEM tools include SolarWinds Security Event Manager, ManageEngine EventLog Analyzer, Splunk Enterprise Security, OSSEC, LogRhythm NextGen SIEM Platform and RSA NetWitness Suite.

These tools can tout an astonishing array of features and capabilities, but IT teams can consider a short list of certain SIEM features to ease the evaluation process.

Log correlation and analysis. Log interoperability is a key component. SIEM tools must ingest a multitude of log files from a wide array of sources, as log files possess no single standard.

Some logs provide highly detailed and granular data, while others may omit details; some sources may generate log files in human-readable plain text, while other tools may encode the data in ways that require parsers to read. It's important to select a SIEM tool that can ingest and interpret the logs within the organization's specific IT network.

However, ingested logs must be correlated. The capability to read multiple logs helps a SIEM tool understand that a certain log error might correlate to network traffic or error messages. The foundation of a SIEM's tool value is the functionality to decipher and correlate this diverse data.

A third analytical feature is threat detection, and this a key limitation for SIEM technology. SIEM tools must have correlated log data to identify potential threats. Some threat detection is automatic based on log errors and correlated data, but admins should still implement additional administrative tuning and threat intelligence which can define threat behavior or skip "false positives."

Event prioritization, notifications and alerts. The ability of a SIEM tool to detect threats is vital, but it is essential to communicate those threats to admins in a timely and meaningful way. Consider that a SIEM system in a busy IT setup can produce hundreds -- or thousands -- of issues each second.

Evaluate how the SIEM tool supports notifications when it detects and prioritizes issues. Tools let admins configure actions for triggered events and deliver real-time alerts to members of the security team. The goal is to reduce the time a security incident is active. Reduction in response times can benefit key performance indicators such as application availability, downtime and user satisfaction ratings.

Reporting and UI. SIEM tools can provide an array of basic and customized reports to meet particular business needs. For example, reporting can track metrics such as mean time to remediation and indicate how the security team has found and fixed threats month over month.

Be sure to evaluate the UI. Many SIEM tools offer a dashboard-style UI that admins can configure to present data points that are particularly valuable to the business. Admins and IT managers may ignore UIs that are cumbersome, inflexible and difficult to use, so consider the readability and configurability of the UI in SIEM software selection.

Process workflows. Countless issues and alerts can easily result in incomplete remediation and loose ends. More SIEM tools are implementing process workflows to help admins track incident progress, from monitoring and detection to remediation.

What is SOAR?

SOAR tools include products that offer strong analytics and automation capabilities. These programs reduce reliance on traditional logs and use more real-time data collection to provide faster and more autonomous threat response.

These tools offer four major types of features: strong use of data collection and analytics; broad integration with systems and management software; autonomous, policy-driven responses to incidents; and incident categorization, alerting and escalation.

SOAR software works to accelerate incident detection and response, but there are still challenges with intelligence. SOAR typically relies on policies and workflows to identify incidents and orchestrate appropriate responses; the policies and workflow playbooks SOAR uses are never singular efforts.

Just as SIEM admins must tune and adapt the platform to spot events, SOAR admins must regularly update the software to handle new or unknown threats.

SOAR features and products

Current SOAR tools include offerings such as Demisto Enterprise, LogicHub, Panaseer, Resolve Systems, Respond Software and more. Such tools often share similar features with SIEM products, but SOAR products should focus on automation and orchestration functionality that allows greater autonomy than SIEM products.

Automation and orchestration. SOAR's primary purpose is to reduce the amount of time and effort needed to complete security tasks. Automation plays a major factor here, and automation helps mitigate time-consuming tasks.

SOAR software may respond to a security event and automatically file a ticket in a ticket tracking system and invoke any subsequent steps in a workflow. Because the behavior is automatic, humans don't require a security alert to open a ticket and manually address the issue.

Coordinated workflows. The deep reliance on automation and orchestration drives a close dependence on workflows to define the proper sequence of steps to address and remediate a security threat. Workflows do not just involve the security team and can reach across multiple teams within the organization.

Reporting and case management. SOAR tools facilitate time savings and orchestration by applying strong organization and categorization to all data collected from myriad different sources.

For example, the software can gather alarm data from multiple integrated systems and then consolidate it into a common location for additional research and investigation. SOAR products also offer strong case management capabilities that let admins correlate data and alerts with corresponding tickets to support detailed investigations.

Support for playbooks. Playbooks are a means of implementing workflows by outlining the entire set of steps needed to complete an action. A playbook summarizes a single action, and admins can chain multiple playbooks together to complete complex actions. IT teams can also tie playbooks to issue tracking systems as a way to implement specific paybooks are for certain workflows. Playbooks are routinely shared and require periodic updates as threats evolve and proliferate.

For example, an alert entered into an issue tracking system may trigger the isolation of network traffic from a suspect IP address in certain logs, search security intelligence feeds, and check destination IP addresses for any compromised processes or accounts.

Support for integration. SOAR software can only achieve a useful level of time-saving automation and orchestration when there is comprehensive integration with other systems across all infrastructure.

Integrations are typically handled through connectors that allow the SOAR software to interoperate and automate information collection and responses. Connectors can be one of the most demanding and problematic aspects of SOAR, because connectors are required for the diverse array of firewalls, endpoint systems, application logs, routers and SIEM tools. Any changes to integrated systems may require admins to update connectors.

Dig Deeper on Data center ops, monitoring and management

Cloud Computing