September 27, 2021


Improve Cybersecurity by Moving from SIEM to SOAR

Automation reduces the burden on IT and security teams while improving the effectiveness of a response.

Cybersecurity monitoring technology has come a long way over the past decade. Just 10 years ago, security operations center (SOC) teams spent their days poring over the detailed logs that they accumulated on their syslog servers, hunting for signs of malicious activity. These logs came from security devices, endpoints, servers and many other sources. Analyzing them required a massive investment of time and energy. The burden was so great that most SOCs simply couldn’t handle all of the information in front of them.

Fortunately, security information and event management (SIEM) technology emerged and automated what used to be an arduous manual process. SIEM systems skimmed through the log records received by a SOC and identified incidents that required further investigation. They also correlated records that came from diverse sources, identifying trends and signs of risk that might have otherwise gone undetected. SIEM technology greatly advanced the ability of SOCs to maintain visibility into enterprise operations and detect potential security incidents.

These SIEM tools weren’t perfect, however. First and foremost, they simply couldn’t keep up with the pace of security information flowing into the SOC. In recent years, information streams have become exponentially more complex in terms of the volume, variety and velocity of data arriving at the SOC. SIEM tools also couldn’t keep up with the sophistication of modern threats, which now use stealth techniques to avoid detection. Finally, SIEMs still required monitoring. When a SIEM detected a potential incident, a human analyst still needed to review the alert and implement an appropriate response.

The next generation of security monitoring technology has arrived, and it promises to address the shortcomings of SIEM platforms. Security orchestration, automation and response (SOAR) platforms bring three key capabilities to the table:

Orchestration

SOAR platforms add more context to security analysis than their SIEM predecessors. They can perform deep inspection of complex log entries and also pull in real-time threat intelligence data to better identify evolving threats on a network.

Automation

SOAR tools go beyond simply alerting analysts to a potential attack. They allow the deployment of automated playbooks that immediately take action to remediate issues, instantly blocking threats without waiting for a human to review an alert. Analysts still develop playbooks for automated remediation based on the needs of their organizations, but a SOAR platform can rapidly deploy playbook actions in response to an evolving threat. This brings tremendous efficiency to the effort by reducing response times. Automation also relieves analysts from spending time on routine, repetitive tasks such as basic actions to prevent spam emails from being delivered to users’ inboxes.
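The orchestration and automation steps described above, as an added example in Python that is not from the article or from any SOAR vendor's product: a minimal playbook engine that enriches a SIEM alert with a constructed threat-intel feed, acts automatically when a rule matches with high confidence, and otherwise routes the alert to an analyst. The alert fields, rule names, confidence threshold and intel entries are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed threat-intel feed keyed by source IP (documentation-range addresses);
# a real SOAR platform would pull this from live feeds during orchestration.
THREAT_INTEL = {
    "203.0.113.45": {"confidence": 95, "tags": ["c2"]},
    "198.51.100.7": {"confidence": 40, "tags": ["scanner"]},
}

@dataclass
class Alert:
    alert_id: str
    src_ip: str
    rule: str        # SIEM correlation rule that fired, e.g. "malware.beacon" (assumed naming)
    severity: str    # "low", "medium" or "high"

@dataclass
class Decision:
    action: str                 # "block", "quarantine" or "review"
    automated: bool             # True when the playbook acted without an analyst
    reasons: list = field(default_factory=list)

def enrich(alert):
    """Orchestration step: attach threat-intel context to the raw SIEM alert."""
    return {"alert": alert, "intel": THREAT_INTEL.get(alert.src_ip)}

def run_playbook(alert):
    """Automation step: ordered rules, first match wins. Anything the rules cannot
    decide with high confidence is routed to an analyst instead of auto-blocked."""
    intel = enrich(alert)["intel"]
    if intel and intel["confidence"] >= 90:          # assumed auto-block threshold
        return Decision("block", True,
                        [f"threat intel confidence {intel['confidence']}", *intel["tags"]])
    if alert.rule.startswith("malware.") and alert.severity == "high":
        return Decision("quarantine", True, ["high-severity malware rule"])
    reasons = ["no high-confidence rule matched"]
    if intel:
        reasons.append(f"low-confidence intel hit ({intel['confidence']})")
    return Decision("review", False, reasons)

def triage(alerts):
    """Run every alert through the playbook and return an audit trail (id -> decision)."""
    return {a.alert_id: run_playbook(a) for a in alerts}

# Constructed sample alerts, shaped as a SIEM might forward them.
SAMPLE_ALERTS = [
    Alert("A-1", "203.0.113.45", "net.outbound", "medium"),
    Alert("A-2", "10.0.0.12", "malware.beacon", "high"),
    Alert("A-3", "198.51.100.7", "net.portscan", "low"),
]
```

Calling `triage(SAMPLE_ALERTS)` blocks A-1 on the high-confidence intel hit, quarantines A-2 on the malware rule, and sends A-3 to an analyst because the scanner indicator alone is below the auto-action threshold.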

Coordination

Cybersecurity incident handling requires the collaboration of multiple stakeholders. Internal cybersecurity teams, engineers and subject matter experts must collaborate with management, external incident response vendors and others participating in a response. SOAR platforms provide incident-specific work areas where those teams may collaborate and share information.

Cybersecurity teams that haven’t already adopted SOAR technology should take inventory of their existing approach to security monitoring. They should examine the potential data sources that might feed a SOC, identify historic and emerging threats, and then develop a monitoring and response plan to address those needs. In almost every situation, SOAR technology will make the response more efficient and effective.

Story by Deep Acharya, a Principal Solutions Architect for Security with CDW. Deep has 19+ years of experience building and managing complex environments across different verticals. In his current role, Deep works with customers to enhance their security posture using leading solutions, frameworks and architectures.