SIEM vs. SOAR: How they Differ and Why they Work Well Together
There has always been some confusion around the distinctions between SIEM (security information and event management) and SOAR (security orchestration, automation, and response).
It has been made worse in the past few years as some SIEM vendors have purchased SOAR companies in order to incorporate their features or sell SOAR as an add-on.
So, unless you’re an expert on the ever-changing world of cybersecurity tools (and their corresponding acronyms), you might have wondered things like:
In this article, we’ll try to answer all of those questions, because SIEM and SOAR aren’t at all redundant, despite some superficial similarities. In fact, SOAR works excellently alongside a SIEM, expanding the SIEM’s powerful capabilities to effectively analyze, investigate, and respond to alerts.
A SIEM is a great alert source, with its ability to aggregate and detect anomalous activity. The addition of a SOAR tool for escalation of notable alerts gives security teams with a SIEM the ability to add automation to their workflows and much more.
How SIEM and SOAR Work Together
As long as SOAR has been around, it’s been seen as a perfect complement to a SIEM. For example, Gartner uses the combination of SIEM+SOAR as an example of a common approach to detection and response—contrasted with other approaches like XDR.
Even though other tools have come along that provide alternatives to the SIEM-centric SOC, a SIEM is still an ideal alert source, with its ability to aggregate and flag anomalous activity. Those alerts can be then escalated to an integrated SOAR platform, either manually or automatically based on SIEM rules.
The SOAR platform can then be used to analyze the alert, determine if it is a genuine incident, and orchestrate the necessary response across other integrated systems. High-quality integrations between SOAR and SIEM are also bidirectional, allowing the SOAR platform to query the SIEM for more information, and update it when the incident is resolved.
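To make the loop described above concrete, here is an added toy model (not code from any SIEM or SOAR vendor) of the full round trip: the SIEM aggregates events and a detection rule escalates an alert, the SOAR side enriches the alert by querying the SIEM back for context, decides whether it is a genuine incident, orchestrates a response through other systems, and finally writes the outcome back into the SIEM. `MiniSiem`, `MiniSoar`, `ResponseActions`, the repeated-failure rule and the sample events are all hypothetical stand-ins constructed for the example.

```python
"""Toy SIEM -> SOAR escalation loop with a bidirectional integration.
Added example; MiniSiem, MiniSoar, ResponseActions and the rule are hypothetical."""
from dataclasses import dataclass, field

# Constructed sample events (synthetic, not taken from any real system).
SAMPLE_EVENTS = [
    {"ts": 100, "src": "203.0.113.7", "user": "alice", "type": "auth_fail"},
    {"ts": 110, "src": "203.0.113.7", "user": "alice", "type": "auth_fail"},
    {"ts": 120, "src": "203.0.113.7", "user": "alice", "type": "auth_fail"},
    {"ts": 130, "src": "203.0.113.7", "user": "alice", "type": "auth_success"},
    {"ts": 200, "src": "198.51.100.9", "user": "bob", "type": "auth_fail"},
    {"ts": 205, "src": "198.51.100.9", "user": "bob", "type": "auth_fail"},
    {"ts": 210, "src": "198.51.100.9", "user": "bob", "type": "auth_fail"},
]


@dataclass
class Alert:
    rule: str
    user: str
    src: str
    ts: int
    status: str = "open"
    notes: list = field(default_factory=list)


class MiniSiem:
    """Aggregates events, runs one detection rule, and exposes a query and
    an update API so the SOAR side can pull context and write results back."""

    def __init__(self, threshold=3, window=60):
        self.threshold, self.window = threshold, window
        self.events, self.alerts = [], []

    def ingest(self, event):
        self.events.append(event)
        self._rule_repeated_auth_failures(event)

    def _rule_repeated_auth_failures(self, event):
        if event["type"] != "auth_fail":
            return
        fails = [e for e in self.events
                 if e["type"] == "auth_fail" and e["src"] == event["src"]
                 and event["ts"] - e["ts"] <= self.window]
        # Fire once, when the threshold is reached, not on every later failure.
        if len(fails) == self.threshold:
            self.alerts.append(Alert("repeated_auth_failures", event["user"],
                                     event["src"], event["ts"]))

    def query(self, src, since):
        """Events from `src` at or after `since`: what a playbook calls for enrichment."""
        return [e for e in self.events if e["src"] == src and e["ts"] >= since]

    def update_alert(self, alert, status, note):
        """Writeback from SOAR so the SIEM reflects the incident's outcome."""
        alert.status = status
        alert.notes.append(note)

    def open_alerts(self):
        return [a for a in self.alerts if a.status == "open"]


class ResponseActions:
    """Stand-in for the systems SOAR orchestrates (identity provider, firewall)."""

    def __init__(self):
        self.disabled_users, self.blocked_ips = [], []

    def disable_user(self, user):
        self.disabled_users.append(user)

    def block_ip(self, ip):
        self.blocked_ips.append(ip)


class MiniSoar:
    def __init__(self, siem, actions):
        self.siem, self.actions = siem, actions

    def handle(self, alert):
        # 1. Enrich: ask the SIEM what the source did from the alert onward.
        later = self.siem.query(src=alert.src, since=alert.ts)
        succeeded = any(e["type"] == "auth_success" for e in later)
        # 2. Decide: repeated failures followed by a success is treated as an incident.
        if succeeded:
            self.actions.disable_user(alert.user)   # orchestrated response
            self.actions.block_ip(alert.src)
            verdict = "incident"
        else:
            verdict = "benign"
        # 3. Write back: close the alert in the SIEM with the verdict.
        self.siem.update_alert(alert, "closed", f"soar verdict: {verdict}")
        return verdict

    def run(self):
        return [self.handle(a) for a in self.siem.open_alerts()]


def run_pipeline(events=SAMPLE_EVENTS):
    siem, actions = MiniSiem(), ResponseActions()
    for e in events:
        siem.ingest(e)          # SIEM aggregates and escalates via its rule
    verdicts = MiniSoar(siem, actions).run()
    return siem, actions, verdicts


if __name__ == "__main__":
    siem, actions, verdicts = run_pipeline()
    for a, v in zip(siem.alerts, verdicts):
        print(a.rule, a.user, a.src, a.status, v, a.notes)
```

The point worth noticing is that the SOAR playbook only reaches a verdict because it can query the SIEM after the alert fired (the successful login at `ts=130` arrives after the rule triggered at `ts=120`), and that the SIEM's alert status ends up closed with the SOAR verdict attached, which is the bidirectional flow the text describes.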
What SOAR Can Do that a SIEM Cannot
So why does an organization with a SIEM still need SOAR? Because despite the powerful capabilities of a SIEM, it doesn’t have…