How do SOAR and SIEM services fare in a rapidly changing cyber threat landscape?
Given that cyber risks are rapidly growing in sophistication and number, we look at whether SIEM and SOAR security tools are still effective
Security information and event management (SIEM) technologies have long been powerful tools for cyber security professionals. They enable security teams to gather and analyse event-based data from a plethora of sources, such as IT security systems, networks, servers, applications and more, in a bid to help identify and mitigate incoming cyber attacks.
However, security orchestration, automation and response (SOAR) products have become a viable alternative to more traditional SIEM systems in recent years. While SOAR technologies also help organisations manage multiple data sources across their IT real estate, they go further than SIEMs by automating various aspects of the cyber threat discovery and mitigation process.
But with the rapid transition to a remote working world and cyber criminals continuing to take advantage of the Covid-19 pandemic, the threat landscape has evolved significantly in the past year – and businesses face many new cyber security challenges as a consequence. So, are SIEM and SOAR services still powerful tools for security teams? And how have they evolved in 2021?
The challenges faced by network security teams have changed significantly because of the coronavirus pandemic and subsequent rise of remote working, according to Nicola Whiting, chief strategy officer at Titania.
“The shift to remote working, including the introduction of new devices and applications, as well as the adoption of cloud technology, means that teams have an ever-increasing amount of network data to collect and analyse,” she says.
“Add to that the growing sophistication of threat actors, who require a decreasing amount of time to get established on a target network, and the importance of continually monitoring the configuration state of a network is clear.”
But for security professionals looking to navigate an increasingly complex cyber threat landscape successfully, SIEMs can be powerful tools. Whiting says they offer a centralised, real-time view of a network’s actual state through the collection and analysis of data from different security tools. This allows security professionals to observe when data drifts from the desired state.
“Through aggregating and enriching frequent, if not continuous, vulnerability assessment data, network security teams can achieve configuration confidence – knowing that one’s network is correctly configured to prevent an attack,” says Whiting.
“So, especially in today’s new, complex and evolving IT networking environment, SIEMs are more critical than ever in minimising the attack surface and reducing the mean time to the detection of misconfigurations.”
However, Whiting believes that identifying anomalies and threats in a SIEM forms only one part of configuration confidence. Another critical element of this process is being able to automatically remediate issues once they have been discovered, and her view is that the triage automation capabilities of SOAR technologies are becoming increasingly essential.
“This is leading to a shift towards integrating SIEMs with security orchestration, automation and response capabilities – ie managed detection and response [MDR] functionality, reducing the mean time to triage security vulnerabilities,” she says. “However, confidence in the automation underpinning MDR depends on high-fidelity data.
“So network security teams – though keen to adopt automation-based technology to reduce workloads and expedite remediation – are increasingly focusing on the accuracy of tools feeding data into their MDR tools. Automation is redundant if it is based on inaccurate information. Meeting and confronting today’s security threats and challenges, therefore, starts at the vulnerability assessment level.”
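The configuration-confidence workflow Whiting describes, as an added illustration that is not from the article or from any vendor named in it: a SIEM-style step compares reported device settings with a desired baseline, and a SOAR-style triage step automates remediation only when the finding rests on high-fidelity data, queueing the rest for an analyst. The baseline, feed names, trust scores and hosts are constructed for the example.

```python
"""Toy SIEM-to-SOAR pipeline: detect configuration drift from a desired baseline,
then auto-remediate only high-fidelity findings. Constructed example data."""
from dataclasses import dataclass

# Constructed desired state: the settings each device class must have.
BASELINE = {"router": {"telnet": "disabled", "snmp_version": "3"},
            "server": {"ssh_root_login": "no", "tls_min": "1.2"}}

# Constructed trust score per feed (0..1): authenticated scans report real state.
SOURCE_FIDELITY = {"authenticated_config_scan": 0.95, "unauthenticated_scan": 0.55}

@dataclass
class Finding:
    host: str
    setting: str
    observed: str
    expected: str
    fidelity: float

def detect_drift(observations):
    """SIEM-style step: compare every observed setting with the baseline.
    Each observation is a dict with host, kind, source and settings keys."""
    findings = []
    for obs in observations:
        for key, expected in BASELINE[obs["kind"]].items():
            observed = obs["settings"].get(key, "unknown")
            if observed != expected:
                findings.append(Finding(obs["host"], key, observed, expected,
                                        SOURCE_FIDELITY[obs["source"]]))
    return findings

def triage(findings, auto_threshold=0.9):
    """SOAR-style step: act automatically only on high-fidelity findings;
    low-fidelity ones are queued for an analyst rather than acted on blindly."""
    actions = {"auto_remediate": [], "analyst_review": []}
    for f in findings:
        bucket = "auto_remediate" if f.fidelity >= auto_threshold else "analyst_review"
        actions[bucket].append(f"{f.host}: set {f.setting}={f.expected} (observed {f.observed})")
    return actions

# Constructed sample feed: two devices reported by scanners of differing trust.
SAMPLE = [
    {"host": "rtr-01", "kind": "router", "source": "authenticated_config_scan",
     "settings": {"telnet": "enabled", "snmp_version": "3"}},
    {"host": "web-01", "kind": "server", "source": "unauthenticated_scan",
     "settings": {"ssh_root_login": "yes", "tls_min": "1.2"}},
]

if __name__ == "__main__":
    for bucket, items in triage(detect_drift(SAMPLE)).items():
        print(bucket, items)
```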
SIEM tools have evolved
For two decades, SIEM technologies have acted as a vital tool in IT and cyber security departments across the globe. And while they are still important in today’s security landscape, Forrester security and risk analyst Allie Mellen says current SIEM systems focus mainly on detection and response rather than compliance use cases.
“This is exemplified in a recent survey I ran, which found that over 80% of practitioner respondents stated that they use their SIEM primarily for detection and response use cases,” she says. “They are not often discussed this way; many vendors suggest SIEMs are only good for compliance, harking back to their roots.”
While SIEMs have been around for a significant amount of time, Mellen points out that innovations are emerging in this industry and bringing about a new SIEM era. She says: “This change is more aptly named security analytics platforms, which not only handle log ingestion and storage, but also more effectively address the detection and response use cases that SOCs [security operations centres] need.”
What makes security analytics platforms so powerful is the fact that they provide SIEM, SOAR and UEBA (user and entity behaviour analytics) capabilities in a single solution. Mellen says they cover the whole incident response lifecycle – including detection, investigation and response – alongside vital areas such as compliance.
“This year, security analytics platforms are continuing the shift to the cloud, with vendors releasing cloud-native solutions or evolving their pricing model to support this shift and the heavy costs that come along with mass data storage,” she says. “They are attempting to improve their machine learning capabilities for more accurate and dynamic detections, and are actively looking for ways to help practitioners detect threats in the cloud better.”
Mellen adds that security analytics platform suppliers are also beginning to change the way they message their offerings because of the competition posed by extended detection and response (XDR) technologies. “The focus is much more centred around threat detection and response, with a renewed emphasis on improving investigation capabilities and simplifying the SOAR playbook process with added automation,” she says.
New approaches
The industry is transitioning from purely event-driven processing tools to behavioural monitoring solutions such as XDR technologies, according to Sean Wright, application security lead at Immersive Labs.
“This makes sense because attackers are constantly evolving, meaning traditional signature-based detection falls behind,” he says. “The evolution of infrastructure also forces some changes. For example, many organisations are moving to the cloud and no longer have a single datacentre, which can impact on the effectiveness of a SIEM.”
Looking ahead, Wright believes SOAR technologies will grow in popularity as threat intelligence becomes an increasingly important part of an organisation’s cyber security posture. “Automation can drive efficiencies in its usage and analysis, which ultimately help security teams act on the information faster to reduce risk,” he says.
Jake Moore, a security specialist at ESET, says SIEM and SOAR systems offer maximum visibility and are an essential tool for organisations looking to mitigate a tsunami of cyber security threats. “Their notion is to evaluate and analyse real-time data for anomalies and patterns and to identify the risks, which is invaluable in incident response,” he says. “This is vital for any business keen to future-proof the inevitable tirade of attacks facing so many organisations.”
While Moore agrees that software-as-a-service (SaaS)-based SIEM technologies can substantially improve efficiencies in the cyber security department, he warns organisations not to rely too heavily on SIEM systems that utilise artificial intelligence because they may generate false positives.
In a perfect world, says Moore, organisations would be able to detect cyber attacks as early as possible. But he admits that autonomous threat detection technologies are not currently advanced enough for this to be the reality today. “But this is at least the start of better protection and very likely to exponentially grow with confidence while homing in with more sturdiness,” he says.
SOARs are powerful tools
When SIEMs first came onto the scene in the 2000s, they were a great way for IT security teams to control multiple data sources and use this varying information to tackle cyber attacks. But Michael Morris, director of global technology alliances at Endace, believes SOARs are emerging as a more effective solution for cyber security professionals.
“Now SOARs are becoming the next must-have platform, offering the promise of helping teams keep up with expanded and fluid attack surfaces and an ever-increasing volume of threats by automating and standardising investigation and response processes,” says Morris.
He warns that IT security threats are becoming more sophisticated, while longer dwell times are making it easier for cyber criminals to access critical assets and data. Because of this, SIEM and SOAR platforms are rising in importance as organisations increasingly aim to “connect indicators of compromise from security monitoring tools, log data and network traffic”.
Morris adds: “Together, these platforms can help teams automate the analysis, correlation and preservation of forensic evidence from potential security breaches, giving SecOps teams time to respond and a clear view of exactly what happened.”
If security teams fail to use SIEM and SOAR technologies, Morris warns that they will struggle to keep up with increasing volumes of cyber alerts, distinguish false positives from genuine threats and focus their time on tackling the most serious risks.
“In turn, that makes it hard to be more proactive,” he says. “They spend too much time fighting fires and lack time to engage in proactive threat hunting and build the experience and expertise needed to deal with more advanced threat actors and more persistent, targeted attacks.”
But although SOAR technologies offer many benefits, they are not always easy to implement if an organisation does not have prior experience. Mark Nicholls, CTO of Redscan, says the biggest challenge of SOAR adoption is the low maturity of processes and procedures in SOC teams.
When adopting a SOAR system, Nicholls recommends that organisations seek expert advice to ensure they are fully prepared and can get the most out of these technologies. “Many organisations suffer from unrealistic expectations around SOAR and unclear metrics,” he says. “It is not a silver bullet for addressing all security challenges. If organisations fail to set clearly defined use cases, realistic goals and parameters for success, they will inevitably feel short-changed by the results.”
Also, he says, organisations looking to implement SOAR solutions must understand the different elements that need to be automated without over-relying on automation. “Organisations must not simply rely on the playbooks and processes initially set up in SOAR,” he adds. “They need to ensure that they apply up-to-date security expertise so that their SOAR capability improves as the organisation’s security posture matures and is continually ready to respond effectively to new types of threat.”
Organisations face a large array of cyber security threats today, and the cyber threat landscape continues to grow rapidly. But an excellent way for businesses to identify and mitigate cyber attacks is by using a SIEM or SOAR solution. While both are excellent technologies for modern security teams, it seems that SOAR technologies are becoming the more popular and effective option of the two.