Visit - https://siemplify.co/blog/do-i-need-a-siem-if-i-have-soar/
2. Introduction (SIEM)
A SIEM (Security Information and Event Management)
platform makes sense of the log and event data produced by
network appliances, intrusion detection systems and other
sources: it collects and aggregates that data, normalises it
into a common schema, and then correlates it to identify,
categorise and prioritise incidents and events. Correlation
is driven by rules and analytics, increasingly supplemented
by machine learning, with data arriving from log forwarders,
agents and dedicated sensors.
3. Introduction (SOAR)
SOAR (Security Orchestration, Automation & Response)
is designed to help security teams manage and respond to
a relentless stream of alerts at machine speed. SOAR goes
a step further than alerting by combining comprehensive
data gathering, case management, standardization, workflow
and analytics, giving organizations the ability to implement
sophisticated defense-in-depth capabilities.
5. Do I Need a SIEM If I Have SOAR?
It’s a fair question and one that is compounded by the
convergence we see happening across many categories
within cybersecurity. Security operations teams have a
broad spectrum of choices from pure-play security
orchestration and automation platforms to traditional
SIEMs that are adding orchestration capabilities.
6. SIEM & SOAR Solutions Together
Security teams need log repository and analysis capabilities - that
isn’t going away and is not what SOAR platforms are built to
do. For many enterprise SOCs, this is just one of many vital
functions their SIEM serves.
Logging aside - we still see plenty of runway for SIEMs and
SOAR solutions to work together symbiotically instead of
serving as alternatives to one another for three key reasons.
7. Process and Playbooks
SIEMs are largely focused on processing rather than process. By
that we mean SIEMs do a great job of addressing the technical
challenges of ingesting and correlating millions of logs to
surface the ones the security team should be alerted on. SOAR
platforms focus on the process that follows the alert: what the
analyst does next, in what order, and with which tools. One of
the major ways SOAR solutions do this is by documenting and
codifying those processes into repeatable playbooks.
9. Function of SIEMs
SIEMs serve a hugely important function by sounding the alarm
when there appears to be malicious activity. But even the most
skilled security analyst will need to use a variety of interfaces
beyond their SIEM - EDR, threat intelligence, vulnerability
management, user information and more - to put together the
full story around a threat.
10. Function of SOAR
SOAR solutions remedy this by allowing security teams to
automatically gather the context they need to investigate an alert
(or better yet, a group of alerts) from across their security
ecosystem. This arms your team with a threat storyline that can
be used to conduct deeper investigation, speed up analysis and
make more definitive remediation decisions.
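The following is an added example (not code from the original slides or from any SOAR product) that shows both points above in one place: the playbook codification from "Process and Playbooks" and the automatic context gathering described here. It takes one alert of the shape a SIEM might emit, runs a fixed sequence of enrichment steps against constructed in-memory stand-ins for EDR, threat intelligence, vulnerability management and a user directory, keeps going when a source is unavailable (recording the gap rather than stalling the investigation), and derives a disposition from the assembled storyline. The data, the scoring weights and the disposition names are all assumptions made for the example.

```python
"""SOAR-style enrichment playbook over a constructed alert (added example)."""
from dataclasses import dataclass, field

# Constructed stand-ins for the tool APIs a real platform would call (hypothetical data).
THREAT_INTEL = {"203.0.113.5": {"verdict": "malicious", "tags": ["bruteforce-scanner"]}}
EDR_HOSTS = {"web-01": {"agent_isolated": False, "recent_procs": ["sshd", "bash", "curl"]}}
VULN_MGMT = {"web-01": {"critical_open": 2}}
USER_DIRECTORY = {"alice": {"title": "SRE", "privileged": True, "on_leave": False}}


class SourceUnavailable(Exception):
    """Raised by a stand-in when its 'API' cannot answer (e.g. no agent on the host)."""


def lookup_threat_intel(ip):
    return THREAT_INTEL.get(ip, {"verdict": "unknown", "tags": []})


def lookup_edr(host):
    if host not in EDR_HOSTS:
        raise SourceUnavailable(f"no EDR agent on {host}")
    return EDR_HOSTS[host]


def lookup_vulns(host):
    return VULN_MGMT.get(host, {"critical_open": 0})


def lookup_user(user):
    return USER_DIRECTORY.get(user, {"privileged": False, "on_leave": False})


@dataclass
class Case:
    alert: dict
    context: dict = field(default_factory=dict)   # the assembled threat storyline
    gaps: list = field(default_factory=list)      # enrichment steps that failed
    disposition: str = "undetermined"


def run_playbook(alert):
    """Codified, repeatable steps: enrich from every source, score, decide."""
    case = Case(alert=alert)
    steps = [
        ("threat_intel", lambda: lookup_threat_intel(alert["src"])),
        ("edr", lambda: lookup_edr(alert["host"])),
        ("vulns", lambda: lookup_vulns(alert["host"])),
        ("user", lambda: lookup_user(alert["user"])),
    ]
    for name, step in steps:
        try:
            case.context[name] = step()
        except SourceUnavailable as exc:
            case.gaps.append(f"{name}: {exc}")  # record the gap, keep going

    ti = case.context.get("threat_intel", {})
    user = case.context.get("user", {})
    edr = case.context.get("edr", {})
    score = 0
    score += 3 if ti.get("verdict") == "malicious" else 0
    score += 2 if user.get("privileged") else 0
    score += 1 if case.context.get("vulns", {}).get("critical_open", 0) > 0 else 0
    score += 1 if "curl" in edr.get("recent_procs", []) else 0  # post-logon download tooling
    case.context["score"] = score

    if score >= 5:
        case.disposition = "escalate_and_contain"
    elif score >= 3:
        case.disposition = "analyst_review"
    else:
        case.disposition = "auto_close"
    # An incomplete storyline must never be closed automatically.
    if case.gaps and case.disposition == "auto_close":
        case.disposition = "analyst_review"
    return case


if __name__ == "__main__":
    # Constructed alert in the shape a SIEM correlation rule might produce.
    case = run_playbook({"rule": "brute_force_success", "src": "203.0.113.5",
                         "user": "alice", "host": "web-01"})
    print(case.disposition, case.context["score"], case.gaps)
```

The ordering of steps, the handling of a dead integration and the rule that gaps block automatic closure are the "process" a playbook captures; the lookups themselves are the mechanical part that a platform swaps for real integrations.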
11. Security Operation Management
While many SIEMs deliver a wide range of capabilities beyond
what we traditionally expect - UEBA and automation, to name
two - they haven’t been built with the intent of unifying people,
process and technology within the SOC.
By integrating and orchestrating an ecosystem of security
tools, SOAR platforms are able to deliver the bird's-eye view
teams need for day-to-day SOC operations.
12. Conclusion
Is it possible that some highly forward-thinking SOCs can be
successful using SOAR without a SIEM? Maybe so. But at least
for now, most enterprise security operations teams will find the
marriage of SIEM and SOAR to be the right formula for
success. Both SIEM and SOAR intend to make the lives of the
entire security team, from analyst to CISO, better through
increased efficiency and efficacy.