Your SOAR isn’t your SIEM
On my journey from a Linux guy to a Security guy I have seen my fair share of SIEM and SOAR solutions and their evolution.
During the 24 years I am working in the IT field I have seen log storage platforms evolve and I was witness to the birth of the Security Intelligence and Event Management Platform (SIEM) as well as the Security Operations and Response Platform (SOAR).
Although none of these being new solutions, as the tools got bigger and better it seemed they started doing the same thing, integrating with and getting the same data from the same sources. So as a result many mistake one as a replacement for the other, but that is simply not true and is based on a huge and confusing misconception of the tools
Security Intelligence and Event Management
The SIEM is your friend when it comes to correlating data. A security event might play out as events from a variety of different platforms. Your antivirus may report on it, as well does your firewall or email gateway.
The SIEM is their to help and correlate this events into a single thing QRadar for example calls offense. This offense, if the rules are done right (and there is a lot which you can do wrong), represent all the events, and that’s important, your verbose firewall might reports hundreds of events every damn minute, taking all this portscans or shellshock attempts as a security event is just madness as you don’t want your analyst to chase down that. He will just lose focus on the important stuff
Over the time, the SIEM got a lot smarter, maybe beyond its own good. Back when working at IBM I had a lot discussions where I pointed out that we should not market QRadar as a SIEM, cause all the reference lists where you can add indicators and all the capabilities in adding threat intelligence feeds and create much smarter rules to detect things made it pretty much a Security Intelligence Platform.
Security Operations and Response
The next best thing which happened to the security world is the SOAR Platform. A SOAR Platform should sit behind a system which reports security events. I guess it would be easier for people if we called it a Security Response and Operations, but I admit that SRAO has really no ring to it, but people may would understand the order a bit better, as the main focus is response and the operations are part of the “taking action”part of the response and not much else.
The SOAR is meant to take your standard actions you take after every security event and make them repeatable, with the aim to automate those boring tasks as the optimal objective.
I started in Security when every event also meant looking stuff up, IP addresses in IPvoid, full name in LDAP and hashes in the malware database. That is a very boring task and it takes valuable minutes out of an urgent task you should perform.
The SOAR takes that away, the seconds you spend between receiving an alert and getting the browser to open the case, in this time the SOAR platform does it for you, presenting any information on the screen the second you can start working on the Remediation and response. On the top of that it offers the capabilities to respond right here and right now, as it integrates well with every tool you might use, blocking an IP or shutting down an infected host is just a click or command away.
Thats at least true if you use an SOAR Platform like Palo Alto Networks XSOAR Platform. Which has more the 550+ integrations with almost every vendor you come across in Security.
Maybe you guess the difference between SIEM and SOAR by now, if not lets have a look at the biggest confusion and where it comes from.
SIEM and SOAR integrate with the same things for a different reason. But when people buy an expensive SOAR and an expensive SIEM, finding out that they support the same ecosystem, there is an natural conclusion that one could do the job of the other. But that’s simply not true
The main differences
- Collecting events
- Event correlation
- Creating Security Events
- Response (to security events)
- Data Enrichment
- Threat Intelligence
- Automation and Orchestration
So yes, your SIEM and your SOAR might integrate great with your EDR/NDR/XDR platform, but that doesn’t mean that it is easy for the SOAR to deal with thousands of unfiltered events per day and being able to deduplicate those to make sense to you analyst. Don’t get me wrong, SOAR platforms can deduplicate, link and update security events, especially XSOAR can do that quite well, but it still expects that this is a security event and all the tools in the chain make sure that the noise is filtered out already.
Bottom line, you want both or you want Palo Alto Networks Cortex XSIAM of course