• Understand what a SOAR is
• Understand the difference(s) between SOAR and SIEM
• Learn the use cases for a SOAR
• Learn the disadvantages of using a SOAR
If you're familiar with security tools, you've probably heard of Security Information and Event Management (or SIEM) platforms. For years, SIEMs were the foundation of security operations.
But today, SIEMs alone often don't suffice. Modern organizations are increasingly adopting Security Orchestration, Automation, and Response (SOAR) platforms. SOARs extend the functionality of SIEMs in ways that improve teams' ability both to detect security threats and to respond to them quickly.
Keep reading for a primer on what a SOAR is, which benefits it offers, and why you might need one.
A SOAR is a software platform that ingests security alerts (typically from a SIEM or other detection tools) and coordinates their triage, analysis, and remediation. Although SOAR tools vary somewhat in the specific functionality they offer, most SOARs handle the following types of tasks:
The functionality of a SOAR is similar to, but distinct from, that of a SIEM.
A SIEM's main job is to collect and help analyze security events. SIEMs do this by aggregating and analyzing logs, metrics, and other data types from across an IT environment, then generating alerts about potential security incidents or risks.
However, most SIEMs stop there. They don't tell engineers how to respond to security risks. Nor do they automatically mitigate threats themselves. Engineers must handle those tasks manually if their security operations rely on a SIEM alone.
In contrast, SOARs take security operations several steps further. They don't just manage security-related data and surface alerts. They also provide guidance and coordination, usually in the form of predefined playbooks, to help team members respond as efficiently as possible. In some cases, SOARs can even automatically mitigate some security risks without any human intervention.
To sum up, then, the main differences between SIEMs and SOARs are:
• Scope: a SIEM collects, correlates, and analyzes security data and raises alerts; a SOAR consumes those alerts and drives what happens next.
• Response guidance: a SIEM leaves the response plan to engineers; a SOAR encodes it in playbooks that coordinate the people, tools, and steps involved.
• Automation: a SIEM does not act on threats itself; a SOAR can execute some response actions automatically, with or without human approval.
Note, however, that SIEMs and SOARs aren't mutually exclusive. Many organizations use both types of tools at the same time. An organization would typically deploy a SIEM to collect and correlate security data, then feed the resulting alerts into a SOAR so that teams can triage and respond to them.
By adding a SOAR to your arsenal, you gain several key benefits:
Although SOARs are beneficial in many ways, they come with drawbacks.
Probably the biggest is that SOARs only excel at handling security incidents that teams anticipate ahead of time – and for which they, therefore, create playbooks. If you are faced with a brand-new type of breach and don't have a playbook, you'll most likely need to plan your response manually.
SOARs can also lead to an excessive – and unhealthy – level of reliance on automation. Although SOARs can effectively automate many aspects of security response, no SOAR is a complete replacement for a security operations team. SOARs will always require some manual effort to manage security operations. Organizations that fail to make human engineers available to support SOAR-based operations are at risk of being unable to handle the nuances that playbook-based automation doesn't address. Automated actions can also cause harm of their own – blocking a legitimate IP address or isolating a production host on the strength of a false positive – so disruptive or irreversible actions are best gated behind analyst approval rather than run unattended.
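The SIEM-to-SOAR flow described above, together with the two caveats just discussed (an alert type with no playbook falls back to manual work, and automation needs a human in the loop for disruptive actions), can be shown with a small playbook runner. This is an added example written for this page, not code from the original article or from any SOAR product. The alert types, the threat-intel list, the set of actions that may run without approval, and the playbooks themselves are all assumptions constructed for the illustration.

```python
"""Minimal SOAR-style playbook runner (illustrative; not a real product's code)."""
from dataclasses import dataclass, field

# Constructed stand-in for an external threat-intel feed used during enrichment.
KNOWN_BAD_IPS = {"198.51.100.23", "203.0.113.7"}

# Assumed policy: only low-risk, reversible actions may run without a human.
# Anything else a playbook proposes is queued for analyst approval.
AUTO_APPROVED_ACTIONS = {"block_ip", "isolate_host", "open_ticket", "notify_analyst"}


@dataclass
class Alert:
    """A SIEM alert as handed to the SOAR (fields chosen for this example)."""
    alert_type: str
    severity: str                 # as assigned by the SIEM: low / medium / high
    src_ip: str = ""
    user: str = ""
    host: str = ""
    enrichment: dict = field(default_factory=dict)


@dataclass
class Outcome:
    disposition: str              # automated / awaiting_approval / manual_triage
    executed: list[str]           # actions the SOAR ran on its own
    pending_approval: list[str]   # actions waiting for an analyst


def enrich(alert: Alert) -> Alert:
    """Enrichment step shared by all playbooks: tag the source IP against intel."""
    alert.enrichment["ip_known_bad"] = alert.src_ip in KNOWN_BAD_IPS
    return alert


def brute_force_playbook(alert: Alert) -> list[tuple[str, str]]:
    """Propose (action, target) pairs for a brute-force login alert."""
    proposed = [("notify_analyst", alert.user)]
    if alert.enrichment["ip_known_bad"] or alert.severity == "high":
        proposed.append(("block_ip", alert.src_ip))
    if alert.enrichment["ip_known_bad"]:
        # Locking a user out is disruptive: proposed, but never auto-run.
        proposed.append(("disable_account", alert.user))
    return proposed


def malware_playbook(alert: Alert) -> list[tuple[str, str]]:
    """Propose (action, target) pairs for a malware detection on a host."""
    proposed = [("isolate_host", alert.host), ("open_ticket", alert.host)]
    if alert.severity == "high":
        proposed.append(("reimage_host", alert.host))   # destructive: needs approval
    return proposed


# Playbook registry keyed by SIEM alert type (assumed names).
PLAYBOOKS = {
    "brute_force_login": brute_force_playbook,
    "malware_detected": malware_playbook,
}


def handle_alert(alert: Alert) -> Outcome:
    """Route a SIEM alert through its playbook, or hand it to a human if none exists."""
    playbook = PLAYBOOKS.get(alert.alert_type)
    if playbook is None:
        # No playbook for this alert type: the SOAR cannot help; a person plans the response.
        return Outcome("manual_triage", [], [])
    enrich(alert)
    executed, pending = [], []
    for action, target in playbook(alert):
        label = f"{action}({target})"
        (executed if action in AUTO_APPROVED_ACTIONS else pending).append(label)
    disposition = "awaiting_approval" if pending else "automated"
    return Outcome(disposition, executed, pending)


# Constructed sample alerts standing in for a SIEM's output.
SAMPLE_ALERTS = [
    Alert("brute_force_login", "medium", src_ip="198.51.100.23", user="jdoe"),
    Alert("brute_force_login", "low", src_ip="192.0.2.10", user="asmith"),
    Alert("malware_detected", "high", host="ws-042"),
    Alert("dns_tunneling", "high", host="ws-017"),   # no playbook exists for this type
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        o = handle_alert(a)
        print(f"{a.alert_type:18} {o.disposition:17} ran={o.executed} pending={o.pending_approval}")
```

Running the script shows the three outcomes side by side: the known-bad brute-force alert gets its IP blocked immediately but the account lockout waits for an analyst; the benign-looking one only notifies; the high-severity malware alert is isolated automatically while the reimage is held; and the DNS tunneling alert, for which no playbook exists, is returned untouched for manual triage. The split between `AUTO_APPROVED_ACTIONS` and everything else is the human-in-the-loop boundary the caveat above argues for.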
Finally, adopting a SOAR means adding another tool to your security toolbox. It's another system to pay for and manage. This investment is typically worth it, but it's essential to realize the financial and administrative costs associated with SOARs.
So, does your organization need a SOAR, or can you stick with just a SIEM?
The answer depends mainly on the complexity of your IT estate and security operations. If you have a simple IT environment – no cloud footprint, a small number of systems, and a manageable alert volume – a SIEM may suffice.
But for environments of any complexity or size, SOARs go a long way toward streamlining security operations. They won't address every security need on their own, but they will help your engineers work faster and more effectively in responding to security threats.