Abstract
SIEM and SOAR are two classes of security tools that aim to tackle the same problem: handling the overabundance of security-related information and events that modern organizations generate. SIEM technology collects and aggregates data from various internal and external sources to identify anomalous behavior, providing security teams with a single pane of glass for all of their security alerts. SOAR, on the other hand, refers to any technology, solution, or collection of preexisting tools that allows organizations to streamline the handling of security processes in three key domains: threat and vulnerability management, incident response, and security operations automation. While both categories of products ingest data from a number of sources, SIEMs have the upper hand when it comes to ingesting, classifying, and correlating large volumes of disparate information. SOAR products, however, go further than SIEM in terms of taking action, with many SOAR tools allowing for the introduction of custom apps, or even ad-hoc scripting.
SIEM vs SOAR, What’s the Difference?
These two security tools are often lumped together. How do they stack up?
Before we dig into the differences between these two tools, it's important to build a condensed security lexicon and an understanding of the shared problem that these two different, often overlapping, classes of tools are trying to solve.
Both Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) tools aim to tackle the same problem: handling the overabundance of security-related information and events that modern organizations generate.
Managing and reacting to these events typically falls to the Security Operations (SecOps) team working in a Security Operations Center (SOC). While a few streams of data could conceivably be managed manually by a SecOps team, as data streams continue to grow and skilled InfoSec personnel such as SOC analysts remain in short supply, the possibility of managing this data manually becomes more and more remote.
SIEM
SIEM technology itself is not new, dating back over a decade. SIEM applications collect and aggregate data from a variety of internal and external sources to identify anomalous behaviour that can be indicative of a cyber attack. This identification functionality is increasingly being driven by machine learning and other advanced pattern recognition technologies. SIEMs provide security teams with a single pane of glass for all of their security alerts. If you ever see elaborate dashboard screens in security stock photos or movies, you’re probably looking at a SIEM product.
A SIEM application’s primary functions are to collect, normalize, correlate, aggregate, and detect anomalies across a variety of data sources, then notify the appropriate parties when suspicious behaviour is detected or configurable alarms are triggered.
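To make the collect, normalize, correlate and alert chain concrete, here is a miniature SIEM-style pipeline. This is an added example, not code from the article or from any SIEM vendor: the log lines are constructed (a Linux sshd syslog line and a Windows-style JSON logon event with illustrative field names), and the rule name and threshold are assumptions. The point it demonstrates is that the brute-force pattern only becomes visible once events from two different hosts and two different formats are normalized into one schema and correlated by source IP.

```python
"""Minimal SIEM-style pipeline: collect -> normalize -> correlate -> alert."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events in two formats: Linux sshd syslog lines and
# Windows-style JSON logon events (field names are illustrative, not a real schema).
SAMPLE_EVENTS = [
    "Jan 14 09:12:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Jan 14 09:12:03 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51236 ssh2",
    '{"TimeCreated": "2024-01-14T09:12:05Z", "EventID": 4625, "Computer": "DC01", "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7"}',
    "Jan 14 09:12:07 web01 sshd[2201]: Failed password for oracle from 203.0.113.7 port 51240 ssh2",
    '{"TimeCreated": "2024-01-14T09:12:09Z", "EventID": 4625, "Computer": "DC01", "TargetUserName": "guest", "IpAddress": "203.0.113.7"}',
    "Jan 14 09:13:30 web01 sshd[2201]: Accepted password for deploy from 198.51.100.20 port 40000 ssh2",
    '{"TimeCreated": "2024-01-14T09:40:00Z", "EventID": 4625, "Computer": "DC01", "TargetUserName": "guest", "IpAddress": "198.51.100.20"}',
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def normalize(raw, year=2024):
    """Map one raw event onto a common schema: ts, host, user, src_ip, outcome, source."""
    if raw.startswith("{"):
        ev = json.loads(raw)
        if ev.get("EventID") not in (4624, 4625):  # 4624 = logon success, 4625 = failure
            return None
        return {
            "ts": datetime.fromisoformat(ev["TimeCreated"].replace("Z", "+00:00")),
            "host": ev["Computer"],
            "user": ev["TargetUserName"],
            "src_ip": ev["IpAddress"],
            "outcome": "failure" if ev["EventID"] == 4625 else "success",
            "source": "windows",
        }
    m = SYSLOG_RE.match(raw)
    if not m:
        return None  # a real SIEM counts unparsed events rather than dropping them silently
    # syslog carries no year or zone; assume the collector's year and UTC
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts.replace(tzinfo=timezone.utc),
        "host": m["host"],
        "user": m["user"],
        "src_ip": m["ip"],
        "outcome": "failure" if m["outcome"] == "Failed" else "success",
        "source": "syslog",
    }


def correlate_bruteforce(events, threshold=4, window=timedelta(minutes=5)):
    """Alert when one source IP produces >= threshold failures, across any hosts and
    any log sources, inside a sliding time window. Mixing hosts and sources on
    purpose is the cross-source correlation a SIEM adds over per-host log review."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "failure":
            by_ip[ev["src_ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hit = evs[start:end + 1]
                alerts.append({
                    "rule": "auth.bruteforce.multi_source",  # rule name is an assumption
                    "src_ip": ip,
                    "count": len(hit),
                    "hosts": sorted({e["host"] for e in hit}),
                    "users": sorted({e["user"] for e in hit}),
                    "first": hit[0]["ts"].isoformat(),
                    "last": hit[-1]["ts"].isoformat(),
                })
                break  # one alert per IP per window; SIEMs throttle repeats similarly
    return alerts


def run_pipeline(raw_events=SAMPLE_EVENTS):
    """Collect + normalize + correlate; returns the list of alerts to notify on."""
    normalized = [n for n in (normalize(r) for r in raw_events) if n]
    return correlate_bruteforce(normalized)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(json.dumps(alert, indent=2))
```

Run as-is and it raises a single alert for 203.0.113.7 with four failures spanning both web01 and DC01 within a five-minute window; the lone failure from 198.51.100.20 half an hour later stays below threshold, and the successful login is excluded from correlation entirely. Looking at either host's log on its own, the Windows side would have shown only two failures and the Linux side only three.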
If you’re familiar with the enterprise security space you may have heard of some of the major SIEM vendors such as LogRhythm, QRadar, and Exabeam, but in the past few years more general log aggregation tools such as Splunk and open-source tooling built on the Elastic Stack have become regular players as well.
SOAR
The current incarnation of the term “SOAR” was coined in 2017 and stands for Security Orchestration, Automation, and Response. However, Gartner had used the acronym as early as 2015 to describe “Security Operations, Analytics, and Reporting”; it revised the term to its current definition in 2017 as it saw a convergence of existing technologies such as “Security Orchestration and Automation” (SOA), “Security Incident Response Platforms” (SIRPs), and “Threat Intelligence Platforms” (TIPs).
The actual definition of SOAR is a bit loose, but it generally refers to any technology, solution, or collection of preexisting tools that allows organizations to streamline the handling of security processes in three key domains: threat and vulnerability management, incident response, and security operations automation.
While a number of different products are currently blurring the lines between SIEM and SOAR, some of the leaders in SOAR in 2020 are Demisto (now Cortex XSOAR following a Palo Alto Networks acquisition in 2019), Phantom (acquired by Splunk in 2018), Swimlane, and Resilient (owned by IBM). It’s difficult for me to see how some of these current incumbents will be easily displaced, because so much of a SOAR solution’s value comes not just from the tool’s inherent capabilities but also from the number of integrations it has with third-party tools.
How They Compare
Data Ingest
While both categories of products ingest data from a number of sources, SIEMs have the upper hand when it comes to ingesting, classifying, and correlating large volumes of disparate information. Beyond ingestion, their aggregation and threat detection capabilities are also generally superior. Put plainly, SIEMs excel at consuming massive amounts of information, understanding it, and providing organizations with a high-level view of their networks, as well as alerting on findings.
While many SOAR products also boast capable ingest options, they tend to excel at ingesting from third-party sources such as threat-intel services and other external data sources, and are not as effective at ingesting and parsing large volumes of internal system logs.
Driving Action
Both SIEM and SOAR products are extremely valuable for improving SOC capabilities, but when it comes to driving action, they take different approaches.
Traditional SIEM products focus on finding events and triggering alerts, leaving deeper investigation, analysis, and remediation to be handled by humans. While they measurably improve an organization’s threat detection capabilities over manual detection, SIEMs necessarily introduce more work for SOC teams. Additionally, the boundary between automation and humans leaves remediation vulnerable to miscommunication and alert fatigue.
SOAR products go further than SIEM in terms of taking action. While many SOAR workflows (often called playbooks) still require humans to review, acknowledge, or even remediate, SOAR products do far more pre-processing before a human is alerted. For SOAR products the sky is the limit in terms of automation capabilities: partner integrations offer a wide variety of options for enrichment, and many SOAR tools allow for the introduction of custom apps, or even ad-hoc scripting.
Leveraging Disparate Tools
As mentioned earlier, one of the primary value propositions of SOAR technologies is their ability to leverage a vast library of other security and networking products. For organizations already paying for products like Vulnerability Management (VM), IT Service Management (ITSM), or Threat Intelligence, a SOAR provides the capability to operationalize these existing tools in new ways. I often like to think of SOARs as the duct tape of the security space: outside of developing custom scripts and tooling, no other technology lets security teams piece together their own solutions from a variety of different products and vendors.
Unlike SOAR, SIEM tools are much more limited in their ability to combine and truly utilize a wide variety of different tools. While many SIEM products can connect with tools like SaaS threat-intel feeds, Cloud Service Providers (CSPs), and even ITSM tools, their capabilities are typically limited to ingesting data and outputting tickets or alerts.
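The two preceding sections describe what a SOAR playbook does between the alert firing and a human seeing it: enrich through integrations, then decide how far automation may go. The following is an added example of that flow, not code from the article or from any SOAR product. The threat-intel service, asset inventory, firewall and ticketing apps are constructed stand-ins for third-party integrations, the decision thresholds and the RFC 1918 guardrail are assumptions, and the input alert mirrors the kind of brute-force finding a SIEM hands over. It also shows the caveat the "Driving Action" section only hints at: the human is removed from the loop only where a wrong automated call is cheap to reverse, and an auto-block of the organization's own address space or an allowlisted scanner is always escalated instead.

```python
"""Toy SOAR playbook: enrich an alert through pluggable integrations, then decide
whether to act automatically or hand the case to an analyst."""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-ins for third-party integrations. A real SOAR platform would
# call a threat-intel service, a CMDB/ITSM system and a firewall API here.
THREAT_INTEL = {"203.0.113.7": {"score": 90, "tags": ["bruteforce", "tor-exit"]}}
ASSET_INVENTORY = {
    "web01": {"owner": "platform", "criticality": "low"},
    "DC01": {"owner": "identity", "criticality": "critical"},
}
ALLOWLIST = {"198.51.100.20"}  # e.g. the authorized vulnerability scanner (assumed)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CRIT_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


class FirewallApp:
    """Records the blocks it would push to a perimeter firewall."""
    def __init__(self):
        self.blocked = []

    def block_ip(self, ip, reason):
        self.blocked.append((ip, reason))
        return True


class TicketingApp:
    """Records the tickets it would open in an ITSM tool."""
    def __init__(self):
        self.tickets = []

    def open_ticket(self, title, body):
        ticket_id = f"INC-{len(self.tickets) + 1:04d}"
        self.tickets.append({"id": ticket_id, "title": title, "body": body})
        return ticket_id


@dataclass
class Alert:
    rule: str
    src_ip: str
    hosts: list
    users: list
    count: int
    enrichment: dict = field(default_factory=dict)


def is_internal(ip):
    """RFC 1918 check only; documentation ranges like 203.0.113.0/24 count as external."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def enrich(alert):
    """Pre-processing: pull context from every integration before anyone is paged."""
    ti = THREAT_INTEL.get(alert.src_ip, {"score": 0, "tags": []})
    assets = [ASSET_INVENTORY.get(h, {"owner": "unknown", "criticality": "unknown"}) for h in alert.hosts]
    alert.enrichment = {
        "ti_score": ti["score"],
        "ti_tags": ti["tags"],
        "owners": sorted({a["owner"] for a in assets}),
        "max_criticality": max((a["criticality"] for a in assets), key=CRIT_RANK.__getitem__),
        "src_is_internal": is_internal(alert.src_ip),
        "src_allowlisted": alert.src_ip in ALLOWLIST,
    }
    return alert


def decide(alert):
    """Decision matrix: automate only where a wrong call has a small blast radius."""
    e = alert.enrichment
    severity = "high" if CRIT_RANK[e["max_criticality"]] >= CRIT_RANK["high"] else "medium"
    # Guardrail: auto-blocking our own address space or an allowlisted scanner is an
    # outage waiting to happen, so those cases always go to a human.
    if e["src_is_internal"] or e["src_allowlisted"]:
        return {"action": "escalate", "severity": severity,
                "reason": "source is internal or allowlisted; analyst must decide"}
    if e["ti_score"] >= 80:  # threshold is an assumption
        return {"action": "auto_block", "severity": severity,
                "reason": f"threat-intel score {e['ti_score']} with tags {e['ti_tags']}"}
    if e["ti_score"] >= 50 or severity == "high":
        return {"action": "escalate", "severity": severity,
                "reason": "inconclusive intel or critical asset involved"}
    return {"action": "close", "severity": "low", "reason": "no corroborating intel, low-value assets"}


def run_playbook(alert, firewall, ticketing):
    """Enrich, decide, then drive the integrations; returns the decision taken."""
    enrich(alert)
    decision = decide(alert)
    body = (f"{alert.rule}: {alert.count} failures from {alert.src_ip} against {alert.hosts} "
            f"(users {alert.users}); enrichment={alert.enrichment}; reason={decision['reason']}")
    if decision["action"] == "auto_block":
        firewall.block_ip(alert.src_ip, decision["reason"])
        decision["ticket"] = ticketing.open_ticket(f"[{decision['severity']}] auto-blocked {alert.src_ip}", body)
    elif decision["action"] == "escalate":
        decision["ticket"] = ticketing.open_ticket(f"[{decision['severity']}] analyst review: {alert.src_ip}", body)
    else:
        decision["ticket"] = None  # closed automatically; the platform still keeps the record
    return decision


if __name__ == "__main__":
    fw, tk = FirewallApp(), TicketingApp()
    for a in (
        Alert("auth.bruteforce.multi_source", "203.0.113.7", ["DC01", "web01"], ["admin", "root"], 4),
        Alert("auth.bruteforce.multi_source", "10.0.0.5", ["web01"], ["deploy"], 4),
        Alert("auth.bruteforce.multi_source", "198.51.100.99", ["web01"], ["guest"], 4),
    ):
        print(a.src_ip, run_playbook(a, fw, tk))
    print("firewall blocks:", fw.blocked)
```

With the three constructed alerts, the external address with a high threat-intel score is blocked without a human and a high-severity ticket is opened for the record because a domain controller was targeted; the RFC 1918 source is escalated to an analyst even though the alert is otherwise identical; and the unknown external address against a low-value host is closed automatically. Swapping the stand-in classes for real vendor apps is the "integration library" the article describes, and the decision function is where the ad-hoc scripting lives.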
Usability
Usability is one category where these tools are much the same — they can be a real pain to set up and maintain.
SIEM technologies often require sizable setups that can be quite complex, resource-intensive, and pricey to license. Even with open-source options such as the Elastic Stack, if you ask anyone who has ever stood up a production Elastic Stack about the process, you’re unlikely to find happy responses.
Similarly with SOAR: while these tools can be simple to install and set up with very basic playbooks, the learning curve to use them to their full potential can be quite steep, and they require a skilled operator to configure effectively.
Wrapping Up
While both SIEM and SOAR products generally consume data feeds, SIEM tools are better positioned for larger volumes of data with disparate sources and formats. Both tools are meant to provide automation to detecting and managing security incidents, however, SOAR stands supreme in its automation capabilities, even being capable of taking the human out of the loop in some situations. Finally, while both tools can leverage the data and functionality of other security products, SOAR again takes the crown due to its flexibility and extensive library of integrations.