SIEM & SOAR Tools: A Gentle Guide to Selecting the Right Solution
SIEM tools emerged from the need to consolidate security telemetry originating from multiple sources: networks, intrusion detection systems, firewalls, edge devices, and user endpoint software, among others.
A robust SIEM solution provides real-time analysis of the generated logs and alerts SOC teams or individual security analysts to abnormal and suspicious activity. Think of SIEM software as an alarm system: you get a ping whenever something sketchy happens at your premises.
Benefits of SIEM:
- End-to-end visibility into IT infrastructure
- Fast and accurate threat recognition
- Automatic alert prioritization and escalation
- Granular access to data for compliance audits
- Assistance in forensic investigation
The 2021 data from Pulse suggests that 65% of organizations have a SIEM tool in place. Among them, 96% agree that their threat detection abilities have improved since deployment. This sentiment is understandable, since the volume and sophistication of cyber threats have expanded tremendously over the past year. Thus, legacy solutions (or the lack thereof) no longer suffice for accurate reporting.
Stuart Gregg, Cyber Security Operations Lead at ASOS, notes that as an ecommerce platform they have to monitor for “insider threats, account compromise, threats to our website and customer data, even physical security threats. We’re constantly trying to defend ourselves and be more proactive in everything we do”.
To increase the effectiveness and levels of protection, ASOS recently adopted Azure Security Center and Azure Sentinel. The two tools now provide them with a unified view into approximately 150 subscriptions and over 80,000 digital assets. Such levels of visibility have allowed the team to identify repeating patterns across security alert types and devise better incident response plans. Some of these are executed automatically. Cloud SIEM implementation has allowed the team to eliminate about 20% of recurring issues at once.
While SIEM solutions reveal where threats originate, through better data visibility and alerting capabilities, SOAR tools cover the follow-up steps: rapid incident investigation and remediation.
The two main components of SOAR software are:
- The security orchestration module enables teams to document, execute, collaborate on, and continuously improve operational playbooks for responding to different types of security incidents.
- The security automation module, in turn, allows automating some of the pre-set workflows based on specific triggers or KPIs. For example, it can auto-update a corporate security policy or an access permissions configuration after a certain event.
The two main SOAR benefits are a faster and more coordinated response to security events, plus reduced dependency on human staff. SOAR tools can also substantially augment SOC teams’ capabilities when it comes to incident response and threat hunting, since such solutions sit at the convergence of three technologies.
[Figure] SOAR as the convergence of three technologies: security incident response platforms (SIRP), security orchestration and automation (SOA), and threat intelligence platforms (TIP)
That being said, SOAR solutions cannot function without a certain degree of technological and operational maturity. They rely heavily on comprehensive data of the kind that SIEM technologies aggregate. At the same time, low levels of operational SOC maturity, such as the prevalence of ad hoc processes, incomplete operational manuals, and non-existent cross-functional integration, diminish the benefits of SOAR.
In short, organizations can attain decent security coverage with a SIEM solution, but you cannot “leapfrog” to SOAR without a strong security incident management framework in place.
The Middle-Ground: a Cloud-Native SIEM & SOAR Solution
Among the leaders surveyed by the World Economic Forum, cybersecurity failure is viewed as an imminent danger to their operations by 39%. Another 49% believe that cybersecurity risks will become the most threatening to their organization within the next 3-5 years. It follows that many are looking for “express” ways to cover existing gaps.
Security software vendors respond to this demand in two ways:
- By launching cloud-native SIEM solutions (and progressively retiring on-premises tools) to provide users with a faster deployment scenario.
- By augmenting their SIEM offerings with SOAR capabilities to offer end-to-end security coverage.
Azure Sentinel is a solution built on the above premises. Launched for general availability in 2019, Sentinel is a “lightweight”, scalable tool operating across four security axes: security data collection, threat detection, threat investigation, and response orchestration.
Organizations that have already adopted Azure Sentinel report a range of highly attractive benefits:
- A 201% return-on-investment in three years
- Payback period of less than 6 months on average
- Significant cost reduction, compared to legacy tools
- Drastic boost in security management efficiency
- Fast deployment time, thanks to out-of-the-box functionality
An Infopulse client, a large agro company, was also seeking improvements to its security posture. Our cybersecurity consultants recommended Azure Sentinel SIEM/SOAR as a comprehensive yet flexible solution to cover the company’s entire technical estate and integrate with its ITSM processes.
We have developed a reference architecture for implementation to cover four specific use cases:
- Threat detection in Microsoft Teams
- Corporate data leakage identification through corporate emails
- File scanning and isolation of potentially malicious documents uploaded to the corporate cloud
- Automatic identification of potentially compromised accounts
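The last use case above, and the SIEM-detects / SOAR-responds split described earlier, can be illustrated end to end. The following Python is an added example, not code from the article or from Azure Sentinel: a small SIEM-style correlation rule over constructed sign-in events flags accounts with a burst of failed sign-ins (severity raised when a success follows the burst), and a SOAR-style playbook maps the severity to pre-set response steps. Thresholds, step names and the event format are assumptions for the demonstration.

```python
"""SIEM-style detection of potentially compromised accounts feeding a SOAR-style playbook."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry): time, user, source IP, outcome.
BASE = datetime(2021, 6, 1, 9, 0)

def _ev(minute, user, ip, outcome):
    return {"time": BASE + timedelta(minutes=minute), "user": user, "ip": ip, "outcome": outcome}

EVENTS = [
    # alice: failures from three addresses, then a success -> likely compromised
    _ev(0, "alice", "203.0.113.5", "failure"), _ev(1, "alice", "203.0.113.5", "failure"),
    _ev(2, "alice", "198.51.100.7", "failure"), _ev(3, "alice", "198.51.100.7", "failure"),
    _ev(4, "alice", "192.0.2.9", "failure"), _ev(6, "alice", "192.0.2.9", "success"),
    # bob: two typos then a normal login -> below threshold, no alert
    _ev(0, "bob", "10.0.0.4", "failure"), _ev(1, "bob", "10.0.0.4", "failure"),
    _ev(2, "bob", "10.0.0.4", "success"),
    # carol: sustained failures with no success -> worth a ticket, not containment
    *[_ev(m, "carol", "203.0.113.77", "failure") for m in range(0, 7)],
]

# Assumed playbook: pre-set response steps keyed on alert severity (the SOAR half).
PLAYBOOK = {
    "medium": ["create_ticket", "notify_soc"],
    "high": ["create_ticket", "notify_soc", "revoke_sessions", "require_password_reset"],
}

def detect_compromised_accounts(events, window=timedelta(minutes=10), max_failures=5):
    """SIEM-style rule: >= max_failures failed sign-ins per user inside a sliding window.
    Severity is 'high' when a successful sign-in follows the burst within the window."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        recent, burst, last_fail, success_after = [], None, None, False
        for ev in evs:
            recent = [f for f in recent if ev["time"] - f["time"] <= window]  # expire old failures
            if ev["outcome"] == "failure":
                recent.append(ev)
                last_fail = ev["time"]
                if burst is None and len(recent) >= max_failures:
                    burst = list(recent)  # snapshot the failures that tripped the rule
            elif burst is not None and ev["time"] - last_fail <= window:
                success_after = True  # attacker (or user) got in right after the burst
        if burst:
            alerts.append({"user": user, "failures": len(burst),
                           "ips": sorted({f["ip"] for f in burst}),
                           "severity": "high" if success_after else "medium"})
    return alerts

def run_playbook(alert):
    """SOAR-style automation: return the ordered response steps for one alert."""
    return {"user": alert["user"], "steps": list(PLAYBOOK[alert["severity"]])}
```

Running `run_playbook` over `detect_compromised_accounts(EVENTS)` yields containment steps only for alice, a ticket and notification for carol, and nothing for bob.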
Benefits of a Cloud-Native SIEM/SOAR Solution
Whether you plan to adopt Azure Sentinel or another cloud-based SIEM/SOAR solution, the benefits compared to an on-premises stack are significant. IDC estimated that cloud SIEM software costs at least 11% less to maintain annually (with licensing, infrastructure, and labor costs factored in).
At the same time, teams using cloud SIEM tend to experience less of the alert fatigue that leads to missed threats. Only 43% of cloud SIEM users are concerned about missing an important alert, versus 66% of traditional SIEM users. This can be explained by a combination of factors, from more convenient UIs and alert prioritization to the “self-healing” capabilities many cloud SIEM tools offer.
Our cybersecurity team also noted that cloud-native SIEM solutions have extra advantages, such as:
- Non-existent downtime, meaning 24/7 security protection. Even the best-in-class on-prem systems require at least several hours of annual maintenance.
- Instant, endless scalability that is not constrained by the need for extra storage or computing hardware.
- Faster installation. Individual cloud SIEM use cases can be enabled within hours — company-wide protection can be rolled out within weeks. For comparison, on-premises SIEM installations can span over months.
- Competitive pricing. You can switch between fixed-price and pay-per-use plans. In every case, the costs are predictable and easy to budget for.
- Higher levels of protection, courtesy of machine learning and AI components most cloud SIEM systems now have.
- Fail-proof disaster recovery — your data and pre-configured policies will not vanish due to an unfortunate hardware failure or lack of data duplication.
When it comes to Azure Sentinel, the two extra SIEM benefits are:
- Seamless integration with other Microsoft services and solutions used across your organization. Obviously, no other cloud SIEM tool can top that.
- A low learning curve: specialists familiar with other Azure products will find many familiar features and interfaces when configuring this product.
Finally, let’s not forget that migrating to a cloud SIEM allows you to re-allocate the specialists who were responsible for local infrastructure maintenance to more value-added tasks.
Should You Select Cloud SIEM/SOAR? A Quick Self-Assessment
To help you determine which type of SIEM solution will work best for your business, we have created a short self-questionnaire. The questions are designed in a way that directs you towards the optimal choice.
1. Where are most of the organization’s business assets located — cloud, hybrid, or on-premises environment? If it is the cloud, which vendor(s) do you rely on the most?
Cloud-native SIEMs can be extended across both cloud and on-premises assets. Far fewer on-prem solutions are designed to work with the cloud. Using separate SIEM tools across hybrid environments will magnify the operating costs.
2. Which tech stack (applications, subscriptions, licensed software, and hardware) is mostly used in the company?
Conduct an inventory and then check whether each SIEM candidate on your shortlist integrates with all (or most) assets. Award a double point if a premade integration is available.
3. Is your industry bound by security compliance requirements? If yes, what type of regulations should be taken into account? Also, what type of data do you need to collect and provide for reporting?
Many cloud SIEM systems allow implementing “checkbox” compliance with common security rules automatically, plus offer convenient analytics dashboards.
4. How much is your company willing to spend on the integration with other systems?
Cloud SIEM is the easiest to implement from the integration perspective. However, the more systems you add, the higher the operational bill goes.
5. Does the speed of retrieving security data matter to you?
Cloud solutions have near-instantaneous data gathering and processing capabilities, resulting in real-time reporting. On-prem systems rarely compare speed-wise.
6. How fast do you need your security up?
If the answer is “for yesterday”, then cloud is a better choice since cloud solutions start offering protection almost immediately after deployment, whereas on-prem systems require extra tinkering.
7. Do you plan to provide any third party (e.g., a managed services provider) with access to your SIEM analytics?
Provisioning secure, permissioned access to SIEM analytics or functionality is a matter of moments in the cloud versus on-premises.
8. Would you like the SIEM solution to have AI/ML and big data analytics capabilities?
With the cloud, these are already priced into your monthly plan. On-premises, you would need to hire a separate team to help you develop such features.
The scope, sophistication, and severity of cybersecurity risks once again prompt business leaders to question their levels of protection. Cloud-based SIEM/SOAR tools not only shed light on previously overlooked areas of security but also help enforce unified security policies and automate response scenarios.
That said, SIEM solution selection, and subsequent adoption, remains a complex choice for many organizations, especially those with limited cybersecurity expertise and knowledge of the cloud environment. This factor often impedes the solution implementation.
Contact Infopulse if you would like to receive personalized consultation on SIEM/SOAR solution adoption.