Security Information and Event Management (SIEM) solutions have been with us for some time. They arose from the need to consolidate logs in different formats from across the network, including security events from equipment such as intrusion detection systems (IDS), firewalls and endpoint software.
A SIEM also provides a means to search and analyze the data manually, and typically applies analytics to generate alerts, present different views of the data to the analyst, and produce reports for stakeholders.
In addition, it typically lets you develop detection use cases: correlation rules that look for specific sequences of events which may indicate an attack in progress. It may also offer some integration with ticketing and other related systems.
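As an added illustration of such a detection use case (example code written for this page, not taken from any SIEM product), the following Python runs a sequence rule over constructed sample log lines: it alerts when at least five failed logons for one user from one source address are followed by a successful logon, with all of those failures inside a five-minute window before the success. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not from a real system): ISO timestamp, then key=value pairs.
SAMPLE_LOGS = [
    "2024-03-01T09:00:01Z host=ws01 src=10.0.0.5 user=alice event=logon_failed",
    "2024-03-01T09:00:02Z host=ws01 src=10.0.0.5 user=alice event=logon_failed",
    "2024-03-01T09:00:03Z host=ws01 src=10.0.0.5 user=alice event=logon_failed",
    "2024-03-01T09:00:04Z host=ws01 src=10.0.0.5 user=alice event=logon_failed",
    "2024-03-01T09:00:05Z host=ws01 src=10.0.0.5 user=alice event=logon_failed",
    "2024-03-01T09:00:09Z host=ws01 src=10.0.0.5 user=alice event=logon_success",
    "2024-03-01T09:00:20Z host=ws02 src=10.0.0.9 user=bob event=logon_failed",    # one typo, then success
    "2024-03-01T09:00:25Z host=ws02 src=10.0.0.9 user=bob event=logon_success",
    "2024-03-01T09:30:00Z host=ws03 src=10.0.0.7 user=carol event=logon_failed",
    "2024-03-01T09:30:01Z host=ws03 src=10.0.0.7 user=carol event=logon_failed",
    "2024-03-01T09:30:02Z host=ws03 src=10.0.0.7 user=carol event=logon_failed",
    "2024-03-01T09:30:03Z host=ws03 src=10.0.0.7 user=carol event=logon_failed",
    "2024-03-01T09:30:04Z host=ws03 src=10.0.0.7 user=carol event=logon_failed",
    "2024-03-01T09:40:00Z host=ws03 src=10.0.0.7 user=carol event=logon_success",  # success outside the window
]


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a timezone-aware 'ts'."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def detect_bruteforce_then_success(lines, min_failures=5, window_minutes=5):
    """Sequence rule: at least min_failures failed logons for one (src, user) pair, all within
    window_minutes before a successful logon for the same pair. Returns one alert per match."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)   # (src, user) -> timestamps of failed logons not yet resolved
    alerts = []
    # Events may arrive out of order, so sort by timestamp before evaluating the sequence.
    for ev in sorted(map(parse_line, lines), key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if ev["event"] == "logon_failed":
            failures[key].append(ev["ts"])
        elif ev["event"] == "logon_success":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= min_failures:
                alerts.append({
                    "rule": "bruteforce_then_success",
                    "host": ev["host"], "src": ev["src"], "user": ev["user"],
                    "failures": len(recent),
                    "first_failure": min(recent).isoformat(),
                    "success_at": ev["ts"].isoformat(),
                })
            failures[key].clear()   # a success closes the sequence whether or not it alerted
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(SAMPLE_LOGS):
        print(alert)
```

Only alice's sequence fires with the defaults: bob has a single failure, and carol's five failures are ten minutes before her success, outside the window. Lowering min_failures or widening the window changes which sequences match, which is the tuning a SIEM use case normally goes through.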
Today, however, systems can generate thousands of events per second, and attackers are becoming increasingly sophisticated. Some advanced persistent threat (APT) groups can compromise a workstation and begin moving into the rest of the network in an average of less than 20 minutes from the moment a user clicks a link in a phishing email; the average across all groups is under two hours.
This has led to the notion of the 1/10/60 challenge: detect an attack in one minute, understand it in ten minutes, and contain it in sixty minutes. Even the best analysts cannot achieve this with a SIEM alone.
Security Orchestration, Automation and Response (SOAR) solutions are designed to accelerate response to an attack by automating the detection and response process. They integrate with the SIEM, the ticketing system, detection technologies, firewalls and proxies, as well as with threat intelligence platforms, to automate the overall detection-and-response workflow.
Security operations teams have a playbook detailing the decisions and actions to take from detection to containment: what to do when a suspicious event is detected, how to escalate it, and which responses are possible. SOAR can automate this, making autonomous decisions that support the investigation, gathering threat intelligence, and presenting the results to the analyst with recommended next actions.
The analyst can then select the appropriate action, which is carried out automatically, or the entire process can be automated. For example, the detection of a possible command-and-control (C2) transmission could, according to the playbook, be followed by gathering relevant threat intelligence and information on which hosts are involved and what other related transmissions exist.
The analyst would then be notified and offered the option to block the transmissions and isolate the hosts involved. Once selected, the actions are performed automatically. Throughout the process, ticketing and collaboration tools keep the team and relevant stakeholders informed and generate reports as needed.
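As an added example of that playbook (written for this page, not the code of any SOAR product), the following Python automates the C2 scenario above: it enriches the alert from a threat-intelligence feed, pivots through proxy logs to find the other hosts and transmissions involved, recommends actions, and executes them either unattended, with analyst approval, or fully automated. The threat-intel feed, the proxy log lines, the 80-point auto-block threshold and the SimulatedConnectors class standing in for firewall and EDR APIs are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed threat-intelligence feed (hypothetical; a real playbook would query a TIP over its API).
THREAT_INTEL = {
    "198.51.100.23": {"tags": ["c2"], "confidence": 90},
    "203.0.113.77": {"tags": ["c2"], "confidence": 55},
}

# Constructed proxy log lines (not from any real proxy): timestamp, then key=value pairs.
PROXY_LOGS = [
    "2024-03-01T10:00:00Z src=10.0.0.5 dst=198.51.100.23 port=443",
    "2024-03-01T10:00:30Z src=10.0.0.12 dst=198.51.100.23 port=443",
    "2024-03-01T10:00:45Z src=10.0.0.5 dst=93.184.216.34 port=443",    # benign, no intel match
    "2024-03-01T10:02:00Z src=10.0.0.12 dst=203.0.113.77 port=8443",
    "2024-03-01T10:02:10Z src=10.0.0.30 dst=203.0.113.77 port=8443",
]

AUTO_BLOCK_CONFIDENCE = 80   # assumption: destinations at or above this are blocked without asking


class SimulatedConnectors:
    """Stand-ins for the firewall and EDR integrations a SOAR would call (assumed, not a real API)."""
    def __init__(self):
        self.blocked, self.isolated = set(), set()

    def block_ip(self, ip):
        self.blocked.add(ip)

    def isolate_host(self, ip):
        self.isolated.add(ip)


@dataclass
class Case:
    alert: dict
    intel: dict = field(default_factory=dict)
    related: list = field(default_factory=list)   # proxy lines to any known C2 destination
    hosts: set = field(default_factory=set)       # internal hosts seen talking to C2
    dsts: set = field(default_factory=set)        # C2 destinations actually contacted
    actions: list = field(default_factory=list)   # recommended actions
    executed: list = field(default_factory=list)  # action ids actually carried out
    timeline: list = field(default_factory=list)  # what the ticket / case notes would show


def enrich(alert):
    """Step 1: threat-intel lookup on the alert's destination, then pivot through the proxy logs
    for every host talking to that destination or to any other destination tagged as C2."""
    case = Case(alert=alert, intel=THREAT_INTEL.get(alert["dst"], {}))
    case.timeline.append(f"intel for {alert['dst']}: {case.intel or 'no match'}")
    c2_dsts = {alert["dst"]} | {ip for ip, i in THREAT_INTEL.items() if "c2" in i["tags"]}
    for line in PROXY_LOGS:
        f = dict(kv.split("=", 1) for kv in line.split()[1:])
        if f["dst"] in c2_dsts:
            case.related.append(line)
            case.hosts.add(f["src"])
            case.dsts.add(f["dst"])
    case.timeline.append(f"{len(case.related)} related transmissions from {sorted(case.hosts)}")
    return case


def recommend(case):
    """Step 2: turn findings into actions. Only high-confidence blocks may run unattended;
    isolating a host is disruptive, so it always waits for an analyst."""
    for dst in sorted(case.dsts):
        conf = THREAT_INTEL.get(dst, {}).get("confidence", 0)
        case.actions.append({"id": f"block:{dst}", "kind": "block_ip", "target": dst,
                             "auto": conf >= AUTO_BLOCK_CONFIDENCE})
    for host in sorted(case.hosts):
        case.actions.append({"id": f"isolate:{host}", "kind": "isolate_host",
                             "target": host, "auto": False})
    return case


def respond(case, connectors, approver=None):
    """Step 3: execute auto actions and offer the rest to the approver; with no approver they stay pending."""
    approved = [a for a in case.actions if a["auto"]]
    pending = [a for a in case.actions if not a["auto"]]
    if approver is not None:
        approved += approver(pending)
    for a in approved:
        getattr(connectors, a["kind"])(a["target"])   # dispatch to the matching connector method
        case.executed.append(a["id"])
        case.timeline.append(f"executed {a['id']}")
    return case


def run_playbook(alert, connectors, approver=None):
    return respond(recommend(enrich(alert)), connectors, approver)


def approve_all(pending):            # fully automated mode: every recommendation is carried out
    return pending


def analyst_picks(*ids):             # analyst-in-the-loop: only the selected recommendations run
    return lambda pending: [a for a in pending if a["id"] in ids]


if __name__ == "__main__":
    alert = {"rule": "possible_c2_beacon", "src": "10.0.0.5", "dst": "198.51.100.23"}
    connectors = SimulatedConnectors()
    case = run_playbook(alert, connectors, analyst_picks("isolate:10.0.0.5", "block:203.0.113.77"))
    print("\n".join(case.timeline))
```

With no approver the playbook only blocks the 90-confidence destination and leaves the lower-confidence block and every host isolation pending for the analyst; with approve_all it carries out all five recommendations. The timeline list is what would be written back to the ticket so the team and stakeholders can follow the case.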
SIEM vendors have started adding some of these features, and operations teams are using the SIEM's built-in capabilities, or its application programming interfaces (APIs), to automate processes, which could be seen as an overlap between SIEM and SOAR.
However, a SOAR solution goes beyond a SIEM: it provides better integration with threat intelligence platforms and with more advanced tools that deliver richer results than a simple log stream. Typically, a SOAR solution also provides case management, analytics and reporting, and supports communication and collaboration.
While a SOAR solution can help achieve the 1/10/60 goal and save scarce analyst time, it requires significant setup. The default configurations provide a start, but the playbook and workflows must be defined and tuned before the SOAR solution can automate them; it will not generate them for you.
Also, to respond, the SOAR solution must know how to reconfigure the firewalls, DNS servers and proxies, and how to isolate hosts, in your specific environment. In the long term, however, SOAR will allow you to get more done faster with less analyst input.
Although SIEM and SOAR are different, both are necessary and must work together. SIEM vendors will continue to add SOAR features, while Gartner estimates that by the end of 2020 only 15% of security organizations with five or more security professionals will have adopted SOAR. Standalone SIEM solutions are therefore unlikely to disappear anytime soon.