Why SOAR is the perfect partner for SIEM
Thursday 25th February 2021 | 3 minute read
Where security information and event management (SIEM) blazed a trail, your security team are likely to have encountered a significant problem – the sheer volume of data that needs to be collated, sorted, analysed and actioned. Newer SIEM tools (particularly those hosted in the cloud) do a great job of the collation and initial analysis – but there’s still a heavy burden on the security professionals charged with actioning insights.
The logical next step for any organisation looking to further improve their security posture is to add security orchestration, automation and response (SOAR) to their security function. SOAR complements SIEM by helping to standardise, automate and accelerate your response to security incidents.
So what does SOAR actually offer your security team?
The standardisation factor
Standardisation has become one of the cornerstones of IT operations. In the security arena, standardisation allows you to quickly and effectively structure your response to an identified threat.
SOAR tools are designed to help you standardise and automate common security operations tasks and processes throughout an investigation. They also assist with evidence gathering and documentation, entity enrichment through third-party platforms, and managing the response stages of an alert.
The SOAR enriches the data collected by the SIEM so that alerts are weighted and assessed correctly. Using SOAR for entity enrichment can help identify malicious indicators and, on that basis, raise the severity level of the alert or even begin the remediation process.
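The enrichment and re-weighting step described above, as an added example that is not from this article, from Maple, or from any SIEM/SOAR vendor. It takes a constructed SIEM alert, extracts the IP entities, looks them up in a stand-in threat-intelligence feed and asset inventory (both constructed, in place of the third-party platforms a SOAR would query), records the evidence it found, and moves the severity up the scale accordingly; the internal address ranges, scores and step weights are assumptions for the example.

```python
"""Added example (not from the article, Maple or any SIEM/SOAR vendor): the
entity-enrichment and severity re-weighting step the text describes, run
over a constructed SIEM alert. The threat-intel list, asset inventory and
internal ranges below are stand-ins for the third-party and inventory
platforms a SOAR would query."""
import ipaddress
import re
from dataclasses import dataclass, field

# Ordered scale so severity can be moved up a fixed number of steps.
SEVERITY = ["informational", "low", "medium", "high", "critical"]

# Constructed data: what this organisation treats as internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed threat-intelligence feed (indicator -> tag/confidence).
THREAT_INTEL = {
    "203.0.113.45": {"tag": "known-c2", "confidence": 90},
    "198.51.100.7": {"tag": "scanner", "confidence": 40},
}

# Constructed asset inventory (internal host -> owner/criticality).
ASSET_INVENTORY = {
    "10.0.0.5": {"owner": "finance", "tier": "crown-jewel"},
    "10.0.0.9": {"owner": "dev", "tier": "standard"},
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Alert:
    name: str
    message: str
    severity: str
    entities: dict = field(default_factory=dict)   # filled by enrich()
    evidence: list = field(default_factory=list)   # human-readable reasons


def extract_ips(text):
    """Return the distinct, syntactically valid IPv4 addresses in the text."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(candidate)
        except ValueError:
            continue    # e.g. 999.1.1.1 matches the regex but is not an address
        if candidate not in found:
            found.append(candidate)
    return found


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def bump(severity, steps):
    """Move severity up `steps` places on the scale, clamped at critical."""
    idx = min(len(SEVERITY) - 1, SEVERITY.index(severity) + steps)
    return SEVERITY[idx]


def enrich(alert):
    """Attach TI and asset context to each IP entity and re-weight severity."""
    steps = 0
    for ip in extract_ips(alert.message):
        if is_internal(ip):
            asset = ASSET_INVENTORY.get(ip)
            alert.entities[ip] = {"kind": "internal", **(asset or {})}
            if asset and asset["tier"] == "crown-jewel":
                steps += 1
                alert.evidence.append(
                    f"{ip} is a crown-jewel asset owned by {asset['owner']}")
        else:
            ti = THREAT_INTEL.get(ip)
            alert.entities[ip] = {"kind": "external", **(ti or {})}
            if ti:
                # High-confidence indicators weigh more than low-confidence ones.
                steps += 2 if ti["confidence"] >= 80 else 1
                alert.evidence.append(
                    f"{ip} matches TI tag '{ti['tag']}' (confidence {ti['confidence']})")
    alert.severity = bump(alert.severity, steps)
    return alert


if __name__ == "__main__":
    a = enrich(Alert("Outbound connection", "10.0.0.5 -> 203.0.113.45:443", "low"))
    print(a.severity, a.evidence)
```

The `evidence` list is the part an analyst actually reads: every severity change is traceable to a specific lookup, which is what makes the automated weighting auditable rather than a black box.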
Obviously, you are free to adjust the standardisation processes at any time so that the alert format continues to meet your needs. Once in place, however, your security team can leverage enhanced integration with IT Service Management (ITSM) platforms like ServiceNow and FreshService to follow each identified issue through to a successful resolution. Using ITSM systems, the rest of the security team can track the progress of each issue and take over tasks at will, confident that each analyst knows what needs to be done next.
Improving performance by reducing alert fatigue
As mentioned at the start of this article, finding events and alerts is simple. Triaging the alerts that require further investigation is much harder, and much more resource intensive.
Where your security analysts once had to manually search for alert logs and evidence within the SIEM platform, the SOAR platform can have this accomplished and documented within seconds of the alert being triggered. This removes the burdensome and time-consuming task of evidence gathering for each and every alert that has triggered.
This automated investigation and triaging is extremely important, helping to reduce the risk of ‘alert fatigue’, where your analysts are so overloaded by logs that they miss anomalies that may indicate a security breach. Alert fatigue is a very real issue too. According to Microsoft research, alert fatigue increases response times and the number of missed threats. Over time, this manifests in low morale and high employee turnover.
Anything that SIEM and SOAR can do to reduce alert fatigue will create benefits for the business and your security team.
The real value of SOAR lies in what it can do with your standardised risk intelligence alerts. When passed through from SIEM, a SOAR service can begin to action the alerts automatically.
A SOAR platform like Azure Sentinel can be configured to complete early mitigation activities autonomously. From logging a reference in the ITSM platform, to locking out compromised user accounts, Azure Sentinel is designed to accelerate your response and to control risk as soon as an issue is detected.
This automated behaviour relies on playbooks, a pre-configured list of actions that is triggered when specific criteria are met. Alternatively, playbooks can be triggered with a single click, which is useful when carrying out common remediation tasks quickly.
As you would expect, playbooks require constant adjustment and refinement as threat intelligence reveals new trends and risks. However, they do dramatically simplify the early stages of incident management.
The first step on a journey towards improved security
Adding SOAR to your security operation processes is a long-term project of continuous improvement. Although it can reduce workloads for your security team, it requires a significant time investment to configure and tune the frameworks and playbooks that automate responses. You must make sure that SOAR implementation does not pull too many people away from day-to-day tasks like resolving security issues.
The most effective way to add SOAR capabilities to your SOC function is via a third-party managed service provider. They can help you deploy a SOAR (and SIEM) and run it on your behalf, ensuring you achieve maximum return on investment, and that you are properly protected against cybersecurity risk.
To learn more about Maple’s hybrid SIEM service and our automation-first approach, please get in touch.