SIEM and SOAR (Security Orchestration, Automation, and Response) are very similar ideas but are often compared in the security landscape. The principle difference between the two technologies is that a SOAR is active, and a SIEM is passive.
It can get a lot more complicated than that for application in security though. SOAR and SIEM both have their place in security, though SOAR is the more modern solution. Let’s cover what exactly goes into a SOAR, how it differs from a SIEM, and how this difference impacts security.
Defining SOAR
As defined above, SOAR stands for Security Orchestration, Automation, and Response. The purpose of a SOAR platform is to collate data similarly to a SIEM, but then automate certain actions and to respond sanely to potential threats. Modern SOAR solutions are use a mix of techniques ranging from heuristics to machine learning as well as human input to determine exactly what needs addressing. Post-security necessitated an evolution in response which bridges the gap in detection and response.
The orchestration behind a SOAR comes from collating, analyzing, and otherwise processing data in a way which is sane to act on. Automation comes from paring down or reacting to information, or actual actions employed in specific conditions. A good SOAR will allow a good response to specific conditions and combined with the orchestration should lead you to know what needs a response most. Ideally, a compromised agent is disabled and a Security Operations Center (SOC) is alerted what happened, where, and of any potential impact.
What makes a SOAR solution effective is how it scales for common security tasks. You shouldn’t need a security team dispatching 20 of the same action when it’s flagged as safe; someone can just hit a button, or even better, the system handles the action itself (if possible). Your most intrusive or potentially devastating events or threats shouldn’t need a person picking through a huge amount of data to triage either.
A good SOAR solution is going to most likely use a SIEM or similar log ingestion solution. For automation and response you might see an RMM (or similar tool) tapped for response actions, or some other kind of agent running on each endpoint. The response may also work with an EDR (Endpoint Detection and Response) solution or similar to more thoroughly protect the given asset. A good SOAR is a part of the security solution, not necessarily the whole solution.
Differentiating SOAR and SIEM
SOAR solutions do basically the same things as a SIEM solution, but they also handle actual response and remediation for alerts. A SIEM will ingest data and tie it together from multiple sources, but a SOAR will do the same with more flexibility and a broader range of inputs. SOAR products are “newer” than SIEM solutions.
What went into a SIEM system has existed for decades, but the automation aspect for alerting and remediation of said alerts has been extremely primitive until the advent of machine learning and other technologies. Solutions like Splunk have been around for almost two decades, and older solutions have existed. The idea has been around since the advent of modern computing, but it just wasn’t sanely feasible in the way it is now.
And, in fairness, the idea has been around for about the same amount of time for SOAR as well, it just hasn’t been practical until more recently. Ingesting logs takes a massive amount of storage and computing resources at scale. Further analysis and action takes even more. SOAR is just the evolution of SIEM into a true automation solution to not just analyze data, but to do something about it.
A SOAR is almost always a SIEM at some level, but the reverse isn’t true. SOAR builds on the same principles as SIEM, but it just fleshes the idea out further and uses newer technologies which have become commercially feasible. You aren’t using a boring heuristic engine – you’re using modern machine learning and artificial intelligence combined with other tools to make things work.
SIEM in Security
A SIEM solution helps analyze data. This can be used by a SOC (Security Operations Center) to look into potential compromises, security events, etc. Data can be fed into another system for further processing or refinement to create something resembling a SOAR (or a straight up SOAR when augmented correctly).
Most often, a SIEM is used for both proactive and reactive tasks. You want to see what might potentially get exploited while also knowing what was exploited. This can aid in compliance or general security deployments. SIEM is all about data in a security context, and this can include detecting threats, ensuring compliance, finding changes, or cataloging assets. All of these can lead to greater efficiency with security and organizational tasks.
While ingesting logs, a smart system can find information such as software or hardware version numbers, access logs for assets, etc. If you know a given software has a specific vulnerability, than a SIEM could help you pinpoint what needs manual updates. This can ensure compliance (making sure versions are uniform or deployments are correct) or show what is happening or has happened with a given security incident (did they get in on a known exploit or is this something new?). A SIEM can also tie in with an EDR or XDR solution to know what asset needs to be shut off as an attack begins before it jumps around your network.
The biggest weakness of most SIEM solutions in a security context is that while they provide robust data, you need to know what to do with said data. Your organization may build automation solutions or similar on top of a SIEM, or some product may extend it, but a SIEM is a data processing tool for security purposes (among other potential uses). SIEM is the data, but it in itself provides very little direct security.
SOAR in Security
A SOAR solution does more than SIEM. It collates data and then acts on it. This means less potential for human error and less delay between when something is detected and when it is (ideally) rectified. A SOAR is basically just a better SIEM with more potential for remediation. You have more data, more automation, and more accuracy (when done right).
A good SOAR solution is going to augment any kind of EDR or XDR solution, give a SOC (and potentially NOC) more to work with and less to do by hand, and will reduce the latency between when a threat is detected and when something is done. Good SOAR solutions will have more complex processing on data which means earlier detection of many threats, more logs which can provide better forensic insight into security incidences or other events, and less gray area for a human team to need to deal with. A human shouldn’t need to babysit common alerts, but they may want to see what was done or look at the more questionable parts of the process.
If done right, a SOAR’s automation will help strike down an attack before it can spread. The security response based on live data can eliminate threats as soon as they’re detected (in conjunction with the right tools) when tuned correctly. A SIEM is a repository of data which is acted on, a SOAR is the brain behind a good security response which is augmented by the rest of the tools and security resources.
SOAR vs. SIEM in Production
While a SOAR is a newer technology than a SIEM, there are pros and cons to each. While a SOAR is ideally better, like any other machine learning based solution, there are going to be caveats. Machine learning is only as strong as the training, and wrong assumptions lead to wrong results. Modern security is complicated and focusing on the wrong attack vectors leads to useless protection. It doesn’t matter how good the locks are if the windows are open.
A SIEM is a more traditional solution with more traditional limitations, but with less “coloring” of the process. A brain thinks, but a SIEM is just a data repository with filtering on it. It takes more human effort in maintenance, response, etc. which slows down the process and suffers from human faults. A good SOAR will always beat a good SIEM, but what makes a SOAR good is harder to measure and more situational. A good SIEM will always provide raw value, but it doesn’t really do anything on its own.
A good SOAR set up right is going to make more sense than a SIEM since SOAR encapsulates SIEM. You can audit things as needed to make sure it’s working as expected, but the security benefits of automation outweigh the potential cons more often than not.
Each level of machine learning adds a black box to the process. If that black box malfunctions, how do you know? You need to be able to trust the solution or else you end up with the potential of an unknown weakness in your defense. That said, again, a good SOAR is always going to be better than the alternative.
Image by Josiane Boute from Pixabay