February 21, 2019 / by J Burks / In siem, security-analytics

What is The Difference Between SIEM & SOAR?

If you work in or around an IT security environment, you’ve probably heard of SIEM and SOAR before — but what are they? What do they do? Do you need both, or is one enough? If any of these questions have crossed your mind recently, keep reading and we’ll answer them.

What is SIEM?

SIEM is short for security information and event management. This phrase refers to technologies for efficiently collecting and storing security data. Examples of data that might be collected by a SIEM platform include firewall logs, antivirus logs, hashes of downloaded files and user activity records (e.g., the times users log in and out of their accounts). The process of gathering this information, parsing it and storing it in a useful format is called information management.

After collecting the data, it is ready to be analyzed. The software may be able to perform some of the analysis itself, while security analysts take care of the rest. When something suspicious turns up, like a connection to a known malicious domain, the software raises an alert for further investigation. The process of identifying suspicious events and investigating them is called event management.

To learn more about the kinds of suspicious events you can detect with a SIEM solution, read Five Effective SIEM Use Cases, a free e-book from DNIF.

In modern security operations centers, or SOCs, event management can be challenging. The sheer volume of data pouring in from many sources at once often results in alerts being generated faster than the SOC staff can investigate them. As the backlog of alerts grows, the chances of a legitimate threat going unnoticed increase.

What is SOAR?

SOAR is short for security orchestration, automation and response. To understand what that means, we can break the phrase down into three components:

  • Security orchestration makes it possible for different security solutions from different vendors to talk to each other. By translating security data from proprietary formats into common formats that are easier to parse and store, it makes information management more powerful and efficient.
  • Security automation uses sets of rules called playbooks to take action without manual intervention from an analyst. By setting up rules for the most frequent kinds of alerts, for example, SOC teams can spend less time on repetitive false positive investigations.
  • Security response is about dealing with confirmed security issues. In more traditional environments, analysts investigate and respond to incidents entirely by hand — but bringing automation into play takes some pressure off of analysts’ shoulders. Actions like quarantining suspicious files and disabling access to compromised accounts can be taken without human intervention, so incidents that would once have been disastrous to ignore can now be safely left for hours while security teams direct their attention to more critical issues.
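The three ideas above (translating vendor-specific logs into a common format, raising an alert on a suspicious event such as a connection to a known malicious domain, and letting a playbook respond without an analyst) fit in a short pipeline. The following is an added example written for this page, not DNIF's code or any real product's API; the two log formats, the IPs, the users and the malicious domain are all constructed, and the playbook actions are placeholders that only record what a real integration would do.

```python
"""Toy SIEM/SOAR pipeline: collect -> normalize -> detect -> respond.
Added example; every log line, host and domain below is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample logs in two hypothetical vendor formats (not real products).
SAMPLE_LOGS = [
    "ts=2019-02-21T10:03:11Z action=allow src=10.0.0.7 dst=203.0.113.9 dport=443 user=alice",
    "2019-02-21T10:04:02Z 10.0.0.7 alice GET http://malware-example.test/payload.bin 200",
    "ts=2019-02-21T10:05:40Z action=deny src=10.0.0.12 dst=198.51.100.4 dport=22 user=bob",
    "garbage line the parser does not understand",
]

# Constructed threat-intel list; .test is a reserved TLD, so it never resolves.
KNOWN_BAD_DOMAINS = {"malware-example.test"}


@dataclass
class Event:
    """Common schema that every vendor format is translated into (orchestration)."""
    time: datetime
    source: str
    user: str
    src_ip: str
    dest: str            # destination IP or hostname
    port: Optional[int]
    action: str
    raw: str


FW_RE = re.compile(r"ts=(\S+) action=(allow|deny) src=(\S+) dst=(\S+) dport=(\d+) user=(\S+)$")
PROXY_RE = re.compile(r"(\S+) (\d+\.\d+\.\d+\.\d+) (\S+) (GET|POST|HEAD) (\S+) (\d{3})$")


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_line(line: str) -> Optional[Event]:
    """Information management: parse one raw line; None if the format is unknown."""
    m = FW_RE.match(line)
    if m:
        ts, action, src, dst, port, user = m.groups()
        return Event(_ts(ts), "firewall", user, src, dst, int(port), action, line)
    m = PROXY_RE.match(line)
    if m:
        ts, src, user, _method, url, _status = m.groups()
        host = url.split("//", 1)[-1].split("/", 1)[0]   # strip scheme and path
        return Event(_ts(ts), "proxy", user, src, host, None, "request", line)
    return None


@dataclass
class Alert:
    rule: str
    severity: str
    event: Event


def detect(events: List[Event]) -> List[Alert]:
    """Event management: run detection rules over the normalized events."""
    alerts = []
    for ev in events:
        if ev.dest in KNOWN_BAD_DOMAINS:
            alerts.append(Alert("known-malicious-domain", "high", ev))
        elif ev.source == "firewall" and ev.action == "deny" and ev.port == 22:
            alerts.append(Alert("blocked-ssh-attempt", "low", ev))
    return alerts


# Playbooks: rule name -> ordered response actions taken without an analyst.
PLAYBOOKS = {
    "known-malicious-domain": ["isolate_host", "disable_account", "open_ticket"],
    "blocked-ssh-attempt": ["auto_close"],   # the firewall already denied it
}


def run_playbook(alert: Alert) -> List[Tuple[str, str]]:
    """Automation and response: map an alert to (action, target) steps.
    An alert with no playbook is queued for a human, never silently dropped."""
    steps = PLAYBOOKS.get(alert.rule, ["escalate_to_analyst"])
    targets = {
        "isolate_host": alert.event.src_ip,
        "disable_account": alert.event.user,
        "open_ticket": alert.rule,
        "auto_close": alert.rule,
        "escalate_to_analyst": alert.rule,
    }
    return [(step, targets[step]) for step in steps]


def run_pipeline(lines: List[str]) -> dict:
    """Whole flow in one call; returns a summary that can be inspected or tested."""
    events = [ev for ev in (parse_line(ln) for ln in lines) if ev is not None]
    alerts = detect(events)
    actions = [step for a in alerts for step in run_playbook(a)]
    return {
        "events": len(events),
        "unparsed": len(lines) - len(events),
        "alerts": [(a.rule, a.severity) for a in alerts],
        "actions": actions,
    }


if __name__ == "__main__":
    for key, value in run_pipeline(SAMPLE_LOGS).items():
        print(key, value)
```

Two details matter in practice: the pipeline counts lines it could not parse instead of discarding them silently, because an unparsed source is a blind spot rather than a non-event; and the playbook has an explicit fallback for alerts with no rule, so automation only removes the work it was written to remove.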

To learn more about the kinds of threats you can detect and manage automatically with playbooks, take a look at DNIF’s Five Most Effective Security Automation Playbooks, a free, short e-book.

Do I need SIEM, SOAR, or both?

Like ice cream and cake, SIEM and SOAR are great on their own, but better together. SIEM excels at collecting and storing data in a useful form, while SOAR’s strengths lie in making use of that data, saving analysts the trouble of manually investigating and responding to each and every suspicious event they find.

While legacy SIEM solutions are mostly limited to collecting and storing data, modern solutions come with SOAR functionality and more built right in. DNIF, a next-generation SIEM platform, even pairs SOAR with cutting-edge technologies like user and entity behavior analysis (UEBA). Unlike some other vendors’ offerings, DNIF is a complete solution right out of the box — so you don’t need to pay separately for SIEM, SOAR, UEBA, and any other combination of four letters you might want.

Further reading

Five Effective SIEM Use Cases