2020-06-17T09:37:00Z

What is the difference between SIEM and SOAR platforms?

Rony_Sklar - PeerSpot reviewer

9 Answers

MG
User
2020-06-17T15:26:44Z
Jun 17, 2020

What is SIEM?


Firewalls, network appliances, and intrusion detection systems generate an immense amount of event-related data—more data than security teams can reasonably expect to interpret. A SIEM makes sense of all of this data by collecting and aggregating and then identifying, categorizing, and analyzing incidents and events. This is often done using machine learning, specialized analytics software, and dedicated sensors.


A SIEM solution examines log data for patterns that could indicate a cyberattack, then correlates event information between devices to identify potentially anomalous activity, and finally issues alerts accordingly.


So why isn’t a SIEM solution effective on its own?


SIEM tools usually need regular tuning to continually understand and differentiate between anomalous and normal activity. The need for regular tuning leads to security analysts and engineers wasting precious time on making the tool work for them instead of triaging the constant influx of data.


What is SOAR?


Like SIEM, SOAR is designed to help security teams manage and respond to endless alarms at machine speeds. SOAR platforms take things a step further by combining comprehensive data gathering, case management, standardization, workflow and analytics to provide organizations the ability to implement sophisticated defense-in-depth capabilities.


Here’s how:


SOAR solutions gather alarm data from each integrated platform and place them in a single location for additional investigation.


SOAR’s approach to case management allows users to research, assess, and perform additional relevant investigations from within a single case.


SOAR establishes integration as a means to accommodate highly automated, complex incident response workflows, delivering faster results and facilitating an adaptive defense.


SOAR solutions include multiple playbooks in response to specific threats: Each step in a playbook can be fully automated or set up for one-click execution directly from within the platform including interaction with third-party products for comprehensive integration.


Put simply, SOAR—sometimes also known as security automation and orchestration (SAO)—integrates all of the tools, systems and applications within an organization’s security toolset and then enables the SecOps team to automate incident response workflows.


SOAR’s main benefit to a SOC is that it automates and orchestrates time-consuming, manual tasks, including opening a ticket in a tracking system, such as Jira, without requiring any human intervention—which allows engineers and analysts to better use their specialized skills.


Using SIEM and SOAR for improved SecOps


Both SIEM and SOAR intend to improve the lives of the entire security team, from the analyst to the CISO, by increasing the efficacy of the SOC and mitigating vulnerability to the organization. While the collection of data is incredibly meaningful, SIEM solutions tend to produce more alerts than SecOps teams can expect to respond to while still remaining effective. SOAR enables the security team to handle the alert load quickly and efficiently, leaving time for important, skills-based tasks which results in a higher-performing SOC.

Real User
Top 5
2022-12-21T03:45:54Z
Dec 21, 2022

SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) are both tools used in cybersecurity to monitor and respond to security threats. However, they have different primary functions and use cases.


SIEM is primarily used for real-time monitoring and analysis of security events and logs from various devices and systems in an organization's network. It aggregates and correlates this data to identify potential security threats and provide alerts to security analysts. SIEM also typically includes some degree of incident response capabilities, such as the ability to quarantine infected devices or block malicious network traffic.


SOAR, on the other hand, is focused on automating and streamlining incident response processes. Some examples of SOAR companies include Palo Alto Demisto, Swimlane, Splunk SOAR, and DTonomy. SOAR typically includes a set of pre-defined playbooks that outline the steps to take in response to different types of security incidents. SOAR can also incorporate artificial intelligence and machine learning to help prioritize and triage incidents, and it often includes a customizable user interface for analysts to interact with and manage the incident response process.


In summary, SIEM is primarily used for monitoring and alerting about security events, while SOAR is focused on automating and streamlining the incident response process. Both tools can be used together as part of a comprehensive security strategy, but they serve different primary functions.

Ashraf Abbas - PeerSpot reviewer
Real User
Top 20
2021-08-31T17:06:59Z
Aug 31, 2021

SIEM involves the collection, correlation and aggregation of security logs and data from the various log sources integrated into the SIEM solution. The log sources include servers, network devices, firewalls, IDS and IPS, WAF, etc. This correlation is achieved and analysis is carried out either by the analyst monitoring the SIEM solution, or automation is involved and the analyst receives alerts from the said SIEM solution.


On the other hand, SOAR helps in the automation of response to alerts generated and received from the SIEM solution and all other integrated platforms in the environment. This helps the analyst in the prioritization of threats and incidents and reduces the total time of detection to the time of recovery.  

Hasan Zuberi ( HZ ) - PeerSpot reviewer
Real User
2021-08-30T05:39:18Z
Aug 30, 2021

It's not easy to understand the key differences when looking at SOAR vs. SIEM because they have many components in common. 


Security information and event management (or SIEM) tools are a way to centrally collect pertinent log and event data from various security, network, server, application and database sources. To be able to differentiate between normal and suspicious activities, the SIEM tool needs regular upgrades and tuning, and this should be done by analysts and engineers. Once a SIEM is properly tuned, responding to the alerts generated by a SIEM still remains a manual process.


Each alert must be reviewed and investigated by an analyst to determine if the event is a false positive, or an actual incident that warrants further investigation and remediation. 


During an actual incident, the investigation and remediation activities will also be a manual process. 


The SOAR terminology (adopted by Gartner) is an approach to security operations and incident response used today to improve security operations efficiency, efficacy, and consistency. To better understand what this means, let’s look at its components separately...

EB
Community Manager
Aug 30, 2021

@Hasan Zuberi ( HZ ) thanks for your detailed answer.
It seems you haven't completed your response about SOAR.

DL
Reseller
2020-06-18T13:55:00Z
Jun 18, 2020

TLDR:


SIEM:


Security information management: Long-term storage as well as analysis and reporting of log data.


Security event manager: Real-time monitoring, correlation of events, notifications, and console views.


SOAR:


SIEM + Threat Intelligence (IoCs, AI, etc.), Vulnerability and Threat Management (analysis, reporting, management views, dashboards, real-time analysis), and automation and orchestration for incident response (something like "the ability to block a dst_ip that we get from, for example, a proxy log, on our firewall").
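As an added example (not code from any of the posters), the pipeline that the first answer describes and this TL;DR summarizes, in Python: a SIEM-style correlation rule turns constructed auth log lines into an alert, and a SOAR-style playbook then runs the enrich, open-ticket and block-on-firewall steps, with the block held back for one-click analyst approval. The log format, the rule threshold and the playbook actions are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log lines (not from the page); result=FAIL/OK is the login outcome.
LOGS = [
    "2024-03-01T10:00:01Z auth src=10.0.0.5 user=alice result=FAIL",
    "2024-03-01T10:00:07Z auth src=10.0.0.5 user=alice result=FAIL",
    "2024-03-01T10:00:12Z auth src=10.0.0.5 user=alice result=FAIL",
    "2024-03-01T10:00:20Z auth src=10.0.0.5 user=alice result=OK",
    "2024-03-01T10:01:00Z auth src=10.0.0.9 user=bob result=FAIL",
    "2024-03-01T10:03:00Z auth src=10.0.0.9 user=bob result=OK",
]
LINE = re.compile(r"^(\S+) auth src=(\S+) user=(\S+) result=(\S+)$")


def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """SIEM side: alert when a source logs >= threshold failures and then a
    success within the window (assumed rule; threshold and window are tuning knobs)."""
    fails = defaultdict(list)
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unparseable lines are dropped, as a SIEM parser would
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        src, user, result = m.group(2), m.group(3), m.group(4)
        if result == "FAIL":
            fails[src].append(ts)
        elif result == "OK":
            recent = [t for t in fails[src] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "src": src,
                               "user": user, "failures": len(recent)})
            fails[src].clear()
    return alerts


def run_playbook(alert, approve_block=False):
    """SOAR side: each step is (name, action, automated). A step that is not
    automated is left pending until an analyst approves it with one click."""
    playbook = [
        ("enrich", lambda a: f"lookup {a['src']} in threat intel", True),
        ("ticket", lambda a: f"open ticket for {a['user']} from {a['src']}", True),
        ("block", lambda a: f"block {a['src']} on firewall", approve_block),
    ]
    return [(name, act(alert) if auto else "pending approval")
            for name, act, auto in playbook]
```

Raising `threshold` or shrinking `window` is the tuning the first answer refers to: the rule stays the same, but how much noise reaches the playbook changes.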

GW
Real User
2020-06-17T21:22:29Z
Jun 17, 2020

The SIEM is the detection/surveillance engine whereas the SOAR is the remediation/response engine

SS
User
2020-06-17T13:23:49Z
Jun 17, 2020

SIEM is the log file collection of IT assets and various intel feeds that aggregate and correlate big data. 


The SOAR component mostly enhances how the detected anomalies are handled with minimal to no human interaction by coordinating corrective action from one or more systems.

Hasan Zuberi ( HZ ) - PeerSpot reviewer
Real User
2021-08-30T06:34:16Z
Aug 30, 2021


  • The coordination (security orchestration) of various disparate security tools and technologies being used within the tool stack (typically from various vendors) to seamlessly integrate and communicate with each other to establish repeatable, enforceable, measurable, and effective incident response processes and workflows. People and processes must also be orchestrated properly to ensure maximum efficiency.

  • The method of automatically (security automation) handling tasks and processes without the need for manual human intervention, reducing the time these take by automating repeatable processes and applying machine learning to appropriate tasks. Automation usually takes place through the use of playbooks (the former containing linear tasks, and the latter containing decision-based conditional actions) to reduce or eliminate the mundane actions that must be performed.

  • SOAR allows security teams to do more with fewer resources, while providing features to automate, orchestrate, respond and measure the full incident response lifecycle, including detection, security incident qualification, triage and escalation, enrichment, containment, and remediation. Some of the key benefits of utilizing SOAR technology include reducing the time from breach discovery to resolution, minimizing the risk resulting from security incidents, and improving the overall effectiveness and efficiency of SOC operations, acting as a force multiplier.

it_user1204914 - PeerSpot reviewer
Real User
2020-06-18T08:39:00Z
Jun 18, 2020

What is SIEM?


Firewalls, network appliances and intrusion detection systems generate an immense amount of event-related data—more data than security teams can reasonably expect to interpret. A SIEM makes sense of all of this data by collecting and aggregating and then identifying, categorizing and analyzing incidents and events. This is often done using machine learning, specialized analytics software and dedicated sensors.


A SIEM solution examines log data for patterns that could indicate a cyberattack, then correlates event information between devices to identify potentially anomalous activity and finally, issues alerts accordingly.


So why isn’t a SIEM solution effective on its own?


SIEM tools usually need regular tuning to continually understand and differentiate between anomalous and normal activity. The need for regular tuning leads to security analysts and engineers wasting precious time on making the tool work for them instead of triaging the constant influx of data.


What is SOAR?


Like SIEM, SOAR is designed to help security teams manage and respond to endless alarms at machine speeds. SOAR platforms take things a step further by combining comprehensive data gathering, case management, standardization, workflow and analytics to provide organizations the ability to implement sophisticated defense-in-depth capabilities.


Here’s how:



  • SOAR solutions gather alarm data from each integrated platform and place them in a single location for additional investigation.

  • SOAR’s approach to case management allows users to research, assess and perform additional relevant investigations from within a single case.

  • SOAR establishes integration as a means to accommodate highly automated, complex incident response workflows, delivering faster results and facilitating an adaptive defense.

  • SOAR solutions include multiple playbooks in response to specific threats: Each step in a playbook can be fully automated or set up for one-click execution directly from within the platform including interaction with third-party products for comprehensive integration.


Put simply, SOAR—sometimes also known as security automation and orchestration (SAO)—integrates all of the tools, systems and applications within an organization’s security toolset and then enables the SecOps team to automate incident response workflows.


SOAR’s main benefit to a SOC is that it automates and orchestrates time-consuming, manual tasks, including opening a ticket in a tracking system, such as Jira, without requiring any human intervention—which allows engineers and analysts to better use their specialized skills.
