Will SOAR (security orchestration, automation, and response) once day replace Security Information and Event Management (SIEM)? If so, why would SOAR replace SIEM? Have the lines between the two solutions blurred, and if so how?
After all, SIEM now features some automation and response capabilities. Either through innovation or acquisition, SIEM solutions often boast SOAR capabilities. However, this does not mean that SIEM can replace or replicate the effects of a sturdy SOAR solution. Rather, it may indicate that SOAR represents the future of SIEM.
How SOAR May Replace SIEM: A Historical Path
First, before we can determine whether SOAR may one day replace SIEM, we must determine what these solutions offer. For the sake of this conversation, we plan to focus on next-generation SIEM.
Next-generation SIEM serves as a cybersecurity tool based on log aggregation and threat intelligence. It collects security event information from throughout the IT environment, normalizes it, and analyses it for potential warning signs. From there, SIEM creates an alert that can prompt IT security teams to investigate and initiate incident response.
Additionally, next-generation solutions work to solve the problems once posed by legacy solutions. Legacy solutions struggled with false positives and false negatives, creating alert fatigue. Also, older solutions can’t aggregate log and event data from newer environments like the cloud or from software-as-a-service. Moreover, legacy SIEM often created maintenance problems, especially for businesses with limited cybersecurity resources.
Next-generation SIEM also incorporates more threat intelligence, enabling capabilities like user and entity behavior analytics (UEBA) and threat hunting.
Meanwhile, SOAR works to address some of the challenges presented by SIEM through streamlining once-manual tasks. In fact, through automation and orchestration, SOAR can help eliminate the most consistent challenge to optimal cybersecurity: human error. Additionally, SOAR works to integrate security tools and then automate them according to incident response playbooks.
For example, SOAR gathers alarm data from all of the integrated platforms; further, it puts them into a single location for additional investigation. Also, SOAR’s case management allows IT security professionals to research, assess, and perform additional relevant investigations from within a single case.
Looking at SOAR from this perspective, it seems the logical extension of SIEM. But does that mean it will replace SIEM?
SOAR: Extension of SIEM or Replacement?
Some security experts read the rise of SOAR as a response to the problems of SIEM. Indeed, there is some validity to this reading, as SIEM can still pose a labor challenge to the uninitiated or unprepared.
However, this neglects the fact that SOAR solutions often draw from SIEM solutions. After all, SIEM aggregates critical logs and alert information. With it, SOAR would lose a vital source of insight into enterprise networks. Further, SOAR works through integration, binding SIEM to other critical cybersecurity solutions like endpoint security and identity management.
However, it remains unclear whether SOAR may one day incorporate SIEM capabilities into its own offerings. Certainly, it follows the pattern of modern cybersecurity solutions to evolve into new markets as demands change. The importance of automation certainly matters as the cybersecurity staffing crisis deepens. Is now the time for true innovation?
Latest posts by Ben Canner (see all)
- Revisiting Whether SOAR Will Replace SIEM in Business Cybersecurity - May 29, 2020
- Changing SIEM From Reactive to Proactive with Threat Hunting - May 27, 2020
- Top-Down SIEM: An Interview with Avi Chesla of Empow - May 21, 2020