Is SOAR the Missing Link to the Success of the SIEM Market?

5 Key SOAR Considerations SIEM Vendors Need to Make

It’s time for SIEM vendors to up their game, but are they? And is SOAR the holy grail that solves the issues SIEMs have faced over the past few years?

A while back, we outlined the 8 fragments of SIEM that affect SecOps teams. SIEM was declared dead more than a decade ago, yet it is still widely deployed in most security organizations today, bringing its own set of challenges with it. One reason it is still used so broadly is that, once deployed, a SIEM has processes and procedures woven around it that make it burdensome to change; ‘uninstalling’ a SIEM isn’t as simple as flipping an on/off switch.

In a recent article in Information Age, Andy Kays, CTO of Redscan Managed Services, argues that the onus lies on SIEM vendors to improve threat detection and response for their customers by leveraging Security Orchestration, Automation and Response (SOAR).

While this may seem an obvious solution, integrating SOAR into SIEM is not so black and white, and there are key considerations SIEM vendors and IT security teams need to make when it comes to leveraging SOAR.

1. SOAR: Buy vs build?
SIEM vendors will have to decide whether to build SOAR capabilities, buy them, or simply figure out how best to integrate with an existing SOAR platform.

The problem with either choice? SIEM vendors will be forced to integrate yet another platform into their software, and whether they build or buy, a lot of setup, forethought, and man-hours are required to integrate it into their own platforms.

2. SOAR adoption is slow and it requires skilled people.
While SOAR is a beneficial tool, the number of deployments in the cybersecurity industry is still limited. In addition, SOAR is resource-intensive and requires trained professionals to deploy the tools and develop appropriate playbook automation for specific, relevant actions and tasks.

3. SOAR can help ease SOC task burdens for security teams.
In which areas? Specifically workflow, case creation and updates, and automated response actions. The more complex the task, however, the trickier it is to automate. Like SIEM, SOAR tools require you to tackle each use case individually, which demands security expertise and an engineering background. This is great for security teams that have skilled employees and the time to build it.

4. Platform-based approaches are still very reliant on people, whether SIEM or SOAR.
While efficiencies can be gained, they don’t address the core issues of skill shortages and resource/budget shortages. Yes, they ultimately address the people shortage by automating certain aspects of the SOC workflow, but the reliance on people to build and maintain playbooks remains a disadvantage.

5. Both SOAR and Decision-automation have a deliberate fit in the flow of SIEM operations.
While SOAR can and should be leveraged, SIEM vendors need to consider the true missing link: the high-fidelity decision-making capabilities that neither SOAR nor SIEM can provide, but that can be achieved with decision-automation solutions. Simply put, both SIEMs and SOAR platforms struggle to detect malicious intrusions because they rely on rules and simple correlations; this is where decision-automation tools can help.

Decision-automation solutions that come pre-built with the ability to replicate human judgment are an alternative that automates security alert triage and analysis, covers a breadth of use cases, and does not require a team of security experts.

That being said, SOAR and decision-automation are both needed, meaning there is an optimal way to plug SIEM, SOAR, and decision-automation in together. A happy “API-enabled” coexistence of all three would provide the best long-term outcome.

All in all, we agree that while SIEM vendors can leverage SOAR, the combination is still very reliant on people. But by integrating with decision-automation software like the Respond Analyst, SIEM vendors have a plug-and-play solution to help security organizations tackle the high-volume, time-consuming event analysis of fundamental data feeds. This is especially beneficial for mid-sized enterprises that may not have a front-line analyst, as the Respond Analyst is there to fill that role (24×7, I might add) for smaller security organizations.