Last week we discussed the origins of security information and event management (SIEM) cybersecurity solutions and where they have evolved with the expansion of machine learning and smarter systems.
This week, we’ll explore how security orchestration, automation and response (SOAR) solutions differ from next-generation SIEM (NG SIEM), and how the two can complement each other to build a powerful, holistic cybersecurity tool.
Mean-Time-to-Resolution and Mean-Time-to-Detection
Before we turn our attention to SOAR, however, it’s important to first introduce the concepts of mean-time-to-resolution (MTTR) and mean-time-to-detection (MTTD).
MTTR originated in deskside support/IT support, where it signified the time between when a problem ticket was first reported and when a technician resolved it. Cybersecurity analysts have also adopted MTTR. Its meaning remains the same, except that MTTR in cybersecurity defines the span of time between when a confirmed cybersecurity incident is first triaged and when it’s eventually resolved.
MTTD refers to the span of time between when cybercriminals first employ the tactics and techniques used to obtain a foothold on a target network and when they’re eventually detected by a network or endpoint security control.
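The two definitions above can be computed directly from incident records. The following is an added example, not part of the original article: the incident data is constructed, and the field names (`foothold`, `detected`, `triaged`, `resolved`) are assumptions chosen to mirror the definitions. It keeps open incidents out of MTTR and flags records whose timestamps run backwards instead of averaging them.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample incidents (not real data). Field names are assumptions:
# foothold = attacker first gains a foothold, detected = first control detection,
# triaged = confirmed incident first triaged, resolved = incident closed.
INCIDENTS = [
    {"id": "IR-001", "foothold": "2024-03-01T02:00", "detected": "2024-03-03T02:00",
     "triaged": "2024-03-03T03:00", "resolved": "2024-03-03T11:00"},
    {"id": "IR-002", "foothold": "2024-03-05T10:00", "detected": "2024-03-05T22:00",
     "triaged": "2024-03-05T22:30", "resolved": "2024-03-06T02:30"},
    # Still open: counts toward MTTD but must not distort MTTR.
    {"id": "IR-003", "foothold": "2024-03-08T00:00", "detected": "2024-03-09T12:00",
     "triaged": "2024-03-09T13:00", "resolved": None},
    # Detection stamped before foothold (clock skew or bad entry): flagged, not averaged.
    {"id": "IR-004", "foothold": "2024-03-10T09:00", "detected": "2024-03-10T08:00",
     "triaged": "2024-03-10T09:30", "resolved": "2024-03-10T12:30"},
]

def _span(incident, start_key, end_key):
    """Return the timedelta between two fields, or None if either is missing."""
    start, end = incident.get(start_key), incident.get(end_key)
    if not start or not end:
        return None
    return datetime.fromisoformat(end) - datetime.fromisoformat(start)

def mean_time(incidents, start_key, end_key):
    """Mean span in hours, plus ids skipped (missing field) and rejected (negative span)."""
    hours, skipped, rejected = [], [], []
    for inc in incidents:
        span = _span(inc, start_key, end_key)
        if span is None:
            skipped.append(inc["id"])
        elif span < timedelta(0):
            rejected.append(inc["id"])
        else:
            hours.append(span.total_seconds() / 3600)
    return (mean(hours) if hours else None), skipped, rejected

def mttd(incidents):
    """Foothold to detection, per the MTTD definition above."""
    return mean_time(incidents, "foothold", "detected")

def mttr(incidents):
    """Triage to resolution, per the MTTR definition above."""
    return mean_time(incidents, "triaged", "resolved")

if __name__ == "__main__":
    print("MTTD (hours, skipped, rejected):", mttd(INCIDENTS))
    print("MTTR (hours, skipped, rejected):", mttr(INCIDENTS))
```

Reporting the skipped and rejected ids alongside the mean keeps the metric auditable: a falling MTTR that coincides with a growing list of open incidents is not an improvement.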
SOAR and NG SIEM: A Powerful Partnership
SOAR was conceived to help address two SIEM challenges: event/alert fatigue, and the global cybersecurity talent shortage that keeps organizations from effectively staffing a SIEM deployment.
SOAR streamlines what were once manual tasks as a way of removing human error from the MTTR/MTTD loop through automation and orchestration, powered by incident response playbooks. The goal is to reduce the tediousness and overtaxing nature of threat analysis.
In summary, unlike NG SIEM, SOAR is an integration platform that glues an organization’s numerous SecOps (security operations) tools together and automates them using incident response playbooks that can be executed automatically or with a single click by an SOC analyst. SOAR also facilitates case management with a purpose-built issue tracking system for collecting security event analysis and response workflows.
The best way to differentiate NG SIEM from SOAR platforms is to think of SIEM solutions as systems of record and SOAR platforms as systems of action. This doesn’t remove the need for a SIEM.
Instead, when combined with SOAR, an NG SIEM is more effective in reducing MTTD/MTTR, addresses the challenge of inadequate staffing, and lowers the high noise-to-signal ratio common in many security operations centers.
Keeping Alerts Manageable
SOAR and NG SIEM can work together to stop threats while keeping operations running smoothly.
As expected, the SOAR and NG SIEM worlds are colliding as NG SIEM companies acquire SOAR companies with the objective of integrating SOAR capabilities into their SIEM platform or expanding the integration between the two.
Because they must still support NG SIEM functions, NG SIEM platforms that integrate SOAR capabilities will not incorporate all of the capabilities of a dedicated SOAR platform. Adding playbooks and automated response to an NG SIEM will certainly improve automated response and orchestration offered by a dedicated SOAR solution.
SOAR integrates into existing workflows, helping to make network management more efficient and automated. NG SIEM is intelligent software, just like SOAR. But NG SIEM is prone to generating more alerts than a team can respond to. NG SIEM that incorporates SOAR will help to reduce the number of alerts and make workflows more manageable.
Leveraging the Marriage of SIEM and SOAR
Cyber-attacks can often only be detected through a holistic view and analysis of varying events occurring on your network.
It’s more important than ever to gain a comprehensive view of your entire institution. Aggregation and correlation of events across all systems and networks provides management with better visibility of potential cyber threats.
More visibility leads to a better assurance that your security controls are effective, which will lower your risk profile and reduce your total cost to mitigate cyber threats. Leveraging the advances in NG SIEM and SOAR technology will help identify and stop the presence of potentially malicious and harmful behavior, which can help prevent a data breach or service disruption.
Simply put, the best solution to industry-wide struggles with threat detection and response is to increase efficiency using NG SIEM and SOAR together.
More Cybersecurity Resources
If you’re interested in learning more about where cybersecurity is headed, Jack Henry has a number of resources available for you. And they are updated regularly, so you can stay up to date on breaking cybersecurity news.