Andrea Danti - Fotolia
Ask cybersecurity administrators whether they prefer SIEM or SOAR software, and odds are the answer is "both." While some IT shops could get away with using one or the other, they are best deployed as complementary products.
Security information and event management (SIEM) is great at ingesting traditional log and event data sourced from local infrastructure equipment, including firewalls, intrusion prevention systems (IPS), network gear, servers and applications. All data is aggregated, and analysis is applied to correlate logs and events into alerts to be investigated. The problem is that SIEM can produce far more alerts than can be handled by the cybersecurity team. On the other hand, security orchestration automation and response (SOAR) software can ingest not only local log and event data, but also external threat data coming from endpoint security software and third-party threat intelligence feeds. A SOAR software platform also uses advanced artificial intelligence and external integrations that automate the creation of actionable investigation workflows that IT follows when tracking down security events. This significantly reduces the time required to remediate or clear events.
SIEM is still good at pulling in local security log and event information. While SOAR software could be used in its place, it wasn't designed to replace SIEM. SIEM can be used in conjunction with SOAR to help create investigation workflow based on data pulled in from both SIEM and SOAR sources. SOAR can also go one step further to integrate third-party security tools to automate specific actions after events are analyzed and determined to include vulnerabilities.
Dig Deeper on Network threat detection
Related Q&A from Andrew Froehlich
A zero-day vulnerability isn't the same as a zero-day exploit. Learn the difference between these two zero-day terms, as well as why they should be ... Continue Reading
Borderless networks present new challenges for security pros. Andrew Froehlich explains how this trend makes patch management even more important. Continue Reading
Simulating an attack against your network is one of the best ways to remediate security holes before the bad guys find them. Here, learn penetration ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.