Need of SIEM when You have SOAR

1
Security Orchestration, Automation Response

• Need of SIEM when You have SOAR

2
Introduction (SIEM)

• A SIEM (Security Information and Event
  Management) makes sense of all event-related data
  of network appliances and intrusion detection
  systems by collecting and aggregating and then
  identifying, categorizing and analyzing incidents
  and events. This is often done using machine
  learning, specialized analytics software and
  dedicated sensors.

3
Introduction (SOAR)

• SOAR (Security Orchestration, Automation
  Response) is designed to help security teams
  manage and respond to endless alarms at machine
  speeds. SOAR takes things a step further by
  accumulating comprehensive data gathering, case
  management, standardization, workflow and
  analytics to provide organizations the ability to
  implement sophisticated defense-in-depth
  capabilities.

4
If I implement a SOAR solution, do I really need
a SIEM?
5
Do I Need SIEM If Have SOAR

• Its a fair question and one that is compounded
  by the convergence we see happening across many
  categories within cybersecurity. Security
  operations teams have a broad spectrum of choices
  from pure-play security orchestration and
  automation platforms to traditional SIEMs that
  are adding orchestration capabilities.

6
SIEM SOAR Solutions Together

• Security teams need log repository and analysis
  capabilities - that isnt going away and is not
  what SOAR platforms are built to do. For many
  enterprise SOCs, this is just one of many vital
  functions their SIEM serves.
• Logging aside - we still see plenty of runway for
  SIEMs and SOAR solutions to work together
  symbiotically instead of serving as alternatives
  to one another for three key reasons.

7
Process and Playbooks

• SIEMs are largely focused on processing vs.
  process. By that we mean, SIEMs do a great job of
  addressing the technical challenges associated
  with ingesting and correlating millions of logs
  to surface up the ones the security team should
  be alerted on. One of the major ways SOAR
  solutions do this is through the ability to
  document and codify processes into repeatable
  playbooks.

8
SIEM vs SOAR
9
Function of SIEMs

• SIEMs serve a hugely important function by
  sounding the alarm when there appears to be
  malicious activity. But even the most skilled
  security analyst will need to use a variety of
  interfaces beyond their SIEM - EDR, threat
  intelligence, vulnerability management, user
  information and more - to put together the full
  story around a threat.

10
Function of SOAR

• SOAR solutions remedy this by allowing security
  teams to automatically gather the context they
  need to investigate an alert (or better yet, a
  group of alerts) from across their security
  ecosystem. This arms your team with a threat
  storyline that can be used to conduct deeper
  investigation, speed up analysis and make more
  definitive remediation decisions.

11
Security Operation Management

• While many SIEMs deliver a wide range of
  capabilities beyond what we traditionally expect
  - UEBA and automation, to name two - they havent
  been built with the intent of unifying people,
  process and technology within the SOC.
• By enabling the integration and security
  orchestration of an ecosystem of security tools,
  SOAR platforms are able to deliver the birds eye
  view teams need for day-to-day SOC operations.

12
Conclusion

• Is it possible that some highly forward-thinking
  SOCs can be successful using SOAR without a SIEM?
  Maybe so. But at least for now, most enterprise
  security operations teams will find the marriage
  of SIEM and SOAR to be the right formula for
  success. Both SIEM and SOAR intend to make the
  lives of the entire security team, from analyst
  to CISO, better through increased efficiency and
  efficacy.