Need of SIEM when You have SOAR - PowerPoint PPT Presentation

About This Presentation
Title:

Need of SIEM when You have SOAR

Description:

It's a fair question and one that is compounded by the convergence we see happening across many categories within cybersecurity. Security operations teams have a broad spectrum of choices, from pure-play security orchestration and automation platforms to traditional SIEMs that are adding orchestration capabilities. Visit -


Transcript and Presenter's Notes

Title: Need of SIEM when You have SOAR


1
Security Orchestration, Automation and Response
  • Need of SIEM when You have SOAR

2
Introduction (SIEM)
  • A SIEM (Security Information and Event
    Management) makes sense of the event data
    produced by network appliances, servers and
    intrusion detection systems: it collects and
    aggregates the logs, normalizes them into a
    common format, and then identifies, categorizes
    and analyzes the resulting events to surface
    incidents. This is often done with correlation
    rules, specialized analytics software, machine
    learning and dedicated sensors.
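The collect, normalize, aggregate and correlate pipeline described above, as an added example that is not part of the original presentation or any vendor's product. The log lines are constructed sshd-style records from two hypothetical hosts, and the correlation rule (a burst of failed logins from one source followed by a success from the same source on the same host) is a simple illustration of how a SIEM turns many raw lines into the one event worth alerting on:

```python
"""SIEM-style pipeline: collect raw log lines, normalize them into events,
aggregate by outcome, and run a correlation rule that surfaces the few
events worth an alert. The log lines below are constructed, not real."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines from two hypothetical hosts (web01, db01).
RAW_LOGS = [
    "2024-05-01T10:00:01Z web01 sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2",
    "2024-05-01T10:00:02Z web01 sshd[812]: Failed password for root from 203.0.113.5 port 51002 ssh2",
    "2024-05-01T10:00:03Z web01 sshd[812]: Failed password for root from 203.0.113.5 port 51003 ssh2",
    "2024-05-01T10:00:04Z web01 sshd[812]: Failed password for deploy from 203.0.113.5 port 51004 ssh2",
    "2024-05-01T10:00:05Z web01 sshd[812]: Failed password for deploy from 203.0.113.5 port 51005 ssh2",
    "2024-05-01T10:00:06Z web01 CRON[900]: (root) CMD (run-parts /etc/cron.hourly)",
    "2024-05-01T10:00:09Z web01 sshd[812]: Accepted password for deploy from 203.0.113.5 port 51006 ssh2",
    "2024-05-01T10:00:11Z db01 sshd[410]: Failed password for alice from 198.51.100.7 port 40001 ssh2",
    "2024-05-01T10:00:12Z db01 sshd[410]: Failed password for alice from 198.51.100.7 port 40002 ssh2",
    "2024-05-01T10:00:15Z db01 sshd[410]: Accepted publickey for alice from 198.51.100.7 port 40003 ssh2",
    "2024-05-01T10:05:00Z web01 sshd[813]: Accepted publickey for bob from 192.0.2.10 port 60000 ssh2",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
OK_RE = re.compile(r"^Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)")


def normalize(line):
    """Parse one raw line into a normalized event dict, or None if it is not an sshd auth event."""
    m = LINE_RE.match(line)
    if not m or m["proc"] != "sshd":
        return None
    auth = FAIL_RE.match(m["msg"])
    outcome = "failure"
    if auth is None:
        auth = OK_RE.match(m["msg"])
        outcome = "success"
    if auth is None:
        return None  # some other sshd message we do not model
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "user": auth["user"],
        "src": auth["src"],
        "outcome": outcome,
    }


def summarize(events):
    """Aggregation: how many auth events of each outcome were ingested."""
    return dict(Counter(e["outcome"] for e in events))


def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Correlation rule: at least `threshold` failures from one source against one
    host inside `window`, followed by a success from that source on that host.
    A lone failure or a lone success is noise; the sequence is the signal."""
    alerts = []
    recent_failures = defaultdict(list)  # (host, src) -> failure timestamps in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["src"])
        # Expire failures that fell out of the sliding window.
        recent_failures[key] = [t for t in recent_failures[key] if ev["ts"] - t <= window]
        if ev["outcome"] == "failure":
            recent_failures[key].append(ev["ts"])
            continue
        # A success: alert only if it follows a burst of failures, then reset the count.
        if len(recent_failures[key]) >= threshold:
            alerts.append({
                "rule": "ssh_bruteforce_then_success",
                "host": ev["host"],
                "src": ev["src"],
                "user": ev["user"],
                "failure_count": len(recent_failures[key]),
                "first_seen": recent_failures[key][0].isoformat(),
                "success_at": ev["ts"].isoformat(),
            })
        recent_failures[key].clear()
    return alerts


def run(lines=RAW_LOGS):
    """Collect -> normalize -> aggregate -> correlate; returns (summary, alerts)."""
    events = [e for e in map(normalize, lines) if e is not None]
    return summarize(events), correlate(events)


if __name__ == "__main__":
    summary, alerts = run()
    print("ingested:", summary)  # {'failure': 7, 'success': 3}
    for alert in alerts:
        print("ALERT", alert)
```

Of eleven raw lines, ten are auth events and only one (the five failures from 203.0.113.5 against web01 followed by a successful login as deploy) satisfies the rule; the two failures on db01 stay below the threshold and the cron line is dropped at normalization. In a real SIEM the same rule would be expressed in the product's query language and run over a streaming window rather than a list, but the shape of the work is identical.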

3
Introduction (SOAR)
  • SOAR (Security Orchestration, Automation and
    Response) is designed to help security teams
    manage and respond to a never-ending stream of
    alarms at machine speed. SOAR takes things a step
    further by combining comprehensive data gathering,
    case management, standardization, workflow and
    analytics, giving organizations the ability to
    implement sophisticated defense-in-depth
    capabilities.

4
If I implement a SOAR solution, do I really need
a SIEM?
5
Do I Need a SIEM If I Have SOAR?
  • It's a fair question, and one that is compounded
    by the convergence we see happening across many
    categories within cybersecurity. Security
    operations teams have a broad spectrum of choices
    from pure-play security orchestration and
    automation platforms to traditional SIEMs that
    are adding orchestration capabilities.

6
SIEM SOAR Solutions Together
  • Security teams need a log repository and analysis
    capabilities. That need isn't going away, and it
    is not what SOAR platforms are built to do. For
    many enterprise SOCs, this is just one of many
    vital functions their SIEM provides.
  • Logging aside, we still see plenty of runway for
    SIEMs and SOAR solutions to work together
    symbiotically instead of serving as alternatives
    to one another, for three key reasons.

7
Process and Playbooks
  • SIEMs are largely focused on processing vs.
    process. By that we mean, SIEMs do a great job of
    addressing the technical challenges associated
    with ingesting and correlating millions of logs
    to surface the ones the security team should be
    alerted on. SOAR solutions, by contrast, are
    focused on process: what the team does once it
    has been alerted. One of the major ways SOAR
    solutions do this is through the ability to
    document and codify processes into repeatable
    playbooks.

8
SIEM vs SOAR
9
Function of SIEMs
  • SIEMs serve a hugely important function by
    sounding the alarm when there appears to be
    malicious activity. But even the most skilled
    security analyst will need to use a variety of
    interfaces beyond their SIEM - EDR, threat
    intelligence, vulnerability management, user
    information and more - to put together the full
    story around a threat.

10
Function of SOAR
  • SOAR solutions remedy this by allowing security
    teams to automatically gather the context they
    need to investigate an alert (or better yet, a
    group of alerts) from across their security
    ecosystem. This arms your team with a threat
    storyline that can be used to conduct deeper
    investigation, speed up analysis and make more
    definitive remediation decisions.
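A playbook of the kind slide 7 describes, applied to the context-gathering and decision flow of slides 9 and 10, as an added example that is not part of the original presentation or any SOAR product. Every data source (threat intelligence, EDR, vulnerability management, identity) is an in-memory stand-in for the API integration a real platform would call, the alert and all records are constructed, and the risk weights and thresholds are illustrative assumptions, not an industry standard:

```python
"""SOAR-style playbook: take one SIEM alert, automatically pull context from
several tools, assemble a threat storyline, and decide on a response. All
data sources are in-memory stand-ins for the APIs a real SOAR platform would
call; the alert and the records are constructed, not real."""
from dataclasses import dataclass, field

# Constructed mock responses, keyed the way each integration would look them up.
THREAT_INTEL = {"203.0.113.5": {"reputation": "malicious", "tags": ["ssh-bruteforce"]}}
EDR = {"web01": {"isolated": False, "recent_process_chain": "sshd -> bash -> curl"}}
VULN_MGMT = {"web01": {"critical_cves": 1}}
IDENTITY = {"deploy": {"privileged": True, "owner": "ci-team"}}

# Constructed alert in the shape a SIEM correlation rule might emit.
SAMPLE_ALERT = {
    "rule": "ssh_bruteforce_then_success",
    "host": "web01", "src": "203.0.113.5", "user": "deploy", "failure_count": 5,
}


@dataclass
class Case:
    """Case record the playbook fills in: context from each tool, a running
    storyline the analyst can read top to bottom, and the actions taken or proposed."""
    alert: dict
    auto_contain: bool
    context: dict = field(default_factory=dict)
    storyline: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def enrich_threat_intel(case):
    ti = THREAT_INTEL.get(case.alert["src"], {"reputation": "unknown", "tags": []})
    case.context["threat_intel"] = ti
    case.storyline.append(f"source {case.alert['src']} reputation: {ti['reputation']}")


def enrich_edr(case):
    edr = EDR.get(case.alert["host"], {"isolated": False, "recent_process_chain": ""})
    case.context["edr"] = edr
    case.storyline.append(f"host {case.alert['host']} process chain: {edr['recent_process_chain'] or 'none'}")


def enrich_vulns(case):
    vulns = VULN_MGMT.get(case.alert["host"], {"critical_cves": 0})
    case.context["vulns"] = vulns
    case.storyline.append(f"host {case.alert['host']} critical CVEs: {vulns['critical_cves']}")


def enrich_identity(case):
    ident = IDENTITY.get(case.alert["user"], {"privileged": False, "owner": "unknown"})
    case.context["identity"] = ident
    case.storyline.append(f"user {case.alert['user']} privileged: {ident['privileged']}")


def risk_score(case):
    """Turn the gathered context into a number; the weights are illustrative."""
    score = 0
    if case.context["threat_intel"]["reputation"] == "malicious":
        score += 40
    if case.context["identity"]["privileged"]:
        score += 30
    if case.context["vulns"]["critical_cves"] > 0:
        score += 20
    if "curl" in case.context["edr"]["recent_process_chain"]:
        score += 10  # a download right after a suspicious login
    return score


def decide(case):
    score = risk_score(case)
    case.context["score"] = score
    case.storyline.append(f"risk score {score}")
    if score >= 70:
        containment = [
            f"isolate_host:{case.alert['host']}",
            f"disable_account:{case.alert['user']}",
            f"block_ip:{case.alert['src']}",
        ]
        # Destructive steps run unattended only if the SOC opted into auto-containment;
        # otherwise they are queued for a human to approve.
        if case.auto_contain:
            case.actions.extend(containment)
        else:
            case.actions.extend(f"request_approval:{a}" for a in containment)
    elif score >= 40:
        case.actions.append("open_ticket:analyst_review")
    else:
        case.actions.append("close:benign")


# The playbook is the codified process: an ordered, repeatable list of steps.
PLAYBOOK = [enrich_threat_intel, enrich_edr, enrich_vulns, enrich_identity, decide]


def run_playbook(alert, auto_contain=False, playbook=PLAYBOOK):
    case = Case(alert=alert, auto_contain=auto_contain)
    for step in playbook:
        step(case)
    return case


if __name__ == "__main__":
    case = run_playbook(SAMPLE_ALERT)
    print("\n".join(case.storyline))
    print("actions:", case.actions)
```

The storyline is the "full story around a threat" from slide 9, assembled without the analyst opening four consoles; the score and the approval gate are where the codified process replaces ad-hoc judgement. Note the default of proposing rather than executing containment: isolating a host or disabling an account on the strength of enrichment data is a decision most SOCs keep a human in front of until they trust the playbook.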

11
Security Operation Management
  • While many SIEMs deliver a wide range of
    capabilities beyond what we traditionally expect
    - UEBA and automation, to name two - they haven't
    been built with the intent of unifying people,
    process and technology within the SOC.
  • By enabling the integration and security
    orchestration of an ecosystem of security tools,
    SOAR platforms are able to deliver the bird's-eye
    view teams need for day-to-day SOC operations.

12
Conclusion
  • Is it possible that some highly forward-thinking
    SOCs can be successful using SOAR without a SIEM?
    Maybe so. But at least for now, most enterprise
    security operations teams will find the marriage
    of SIEM and SOAR to be the right formula for
    success. Both SIEM and SOAR intend to make the
    lives of the entire security team, from analyst
    to CISO, better through increased efficiency and
    efficacy.