SIEM or SOAR? – Consider your business complexity first!  

Del Aden is a UK-based Enterprise Architect

InfoSec Advisory with Del Aden

With today’s high volume of security alerts, tools and data, security teams struggle to gain the visibility needed to quickly qualify threats and reduce workflows. Organizations require a solution that solves these challenges by consolidating the data and tools required for incident investigation, and by orchestrating and automating common workflows across the security environment. On-demand threat intel provides critical context for the quick triage of alerts and expedited qualification of incidents. With this consolidated approach to threat intel enrichment, threat intel platform management, and streamlined SOC workflows, analysts can handle more tickets in less time and focus on discovering emerging threats.

But what is the difference between SIEM and SOAR?

SIEM and SOAR have much in common, but there are key differences between the two that may influence which is the best fit for your organisation. A SIEM (Security Information and Event Management) is an enterprise security tool used for gathering and correlating a wide range of event data in your IT systems environment. Examples of good SIEM products are QRadar, Splunk and LogRhythm.

In essence, the SIEM gathers, analyses and correlates event logs, and presents that information via the specified medium to the specified persons or teams, whereas the SOAR (Security Orchestration, Automation and Response) does security orchestration and event management. The SOAR is the best product for undertaking a detailed analysis of SIEM-generated data and automatically initiating a range of corrective actions. It can undertake the analysis of SIEM-generated event data aggregated over a long period of time, which may uncover attempted covert security events.
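The division of labour described above, as an added example that is not from the original article or any vendor product: a short-window correlation rule of the kind a SIEM runs, a long-horizon count over the same events that surfaces a slow-moving source the short rule never sees, and a dispatch step standing in for SOAR playbooks. The events, thresholds and playbook names are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_events():
    """Constructed auth-failure events: (timestamp, source_ip)."""
    t0 = datetime(2024, 1, 1)
    burst = [(t0 + timedelta(minutes=i), "10.0.0.5") for i in range(6)]
    slow = [(t0 + timedelta(hours=6 * i), "10.0.0.9") for i in range(40)]
    typo = [(t0 + timedelta(days=d), "10.0.0.7") for d in (1, 4)]
    return sorted(burst + slow + typo)

def siem_burst_rule(events, window=timedelta(minutes=10), threshold=5):
    """Short-window correlation: >= threshold failures from one source."""
    recent, hits = defaultdict(deque), set()
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            hits.add(src)
    return hits

def long_horizon_rule(events, horizon=timedelta(days=14), threshold=30):
    """Long-window analysis: total failures per source over the horizon."""
    end = events[-1][0]
    totals = defaultdict(int)
    for ts, src in events:
        if end - ts <= horizon:
            totals[src] += 1
    return {src for src, n in totals.items() if n >= threshold}

# Hypothetical playbook names; a real SOAR would call firewall/IdP integrations.
PLAYBOOKS = {"burst": "block_source_ip",
             "low_and_slow": "open_case_and_force_password_reset"}

def triage(events):
    """Map each flagged source to the corrective action to initiate."""
    burst = siem_burst_rule(events)
    slow = long_horizon_rule(events) - burst   # only what the SIEM rule missed
    actions = {src: PLAYBOOKS["burst"] for src in burst}
    actions.update({src: PLAYBOOKS["low_and_slow"] for src in slow})
    return actions

if __name__ == "__main__":
    for src, action in sorted(triage(sample_events()).items()):
        print(src, "->", action)
```

The source that fails once every six hours never trips the ten-minute rule, which is why the long-horizon pass needs the retained, aggregated event data.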

So, which one is the best security toolset for an organisation?

The question of which is the best security toolset for an organisation is, in part, a moot point.

Yes, there is overlap between the tools and, depending on which tools you are looking at, the overlap can be quite small – particularly where the SIEM product has adopted artificial intelligence (AI) into the design. The choice of product is not determined solely by the size of an organisation, but rather by the size and complexity of an organisation’s IT infrastructure and the value of the data held and processed by the infrastructure.

The larger and more complex the IT infrastructure is, and the greater the value of data held and processed, the greater the need to employ automation to undertake event correlation together with the short- and long-term analysis of alerts (security and others) generated within the infrastructure. Where possible, automation should be used to initiate corrective actions within the infrastructure, as such automation would allow the freeing-up of valuable IT and security staff to concentrate on the difficult-to-solve problems; and on maintaining the infrastructure and associated management and monitoring toolsets.

For the organisation with a smaller and less complex IT infrastructure, such as one without e-commerce or customer portals, a SIEM deployment – possibly with some AI capabilities – would be a reasonable match. But, of course, the IT or security staff must be able to manage and use SIEM tools so that SIEM output is not swamped with erroneous data and prioritised events can be quickly identified and investigated.

This approach would generally need to be supplemented by employing external security contractors to provide third-line support and undertake regular reviews of the SIEM configuration and, as necessary, retuning and adjusting the SIEM to better differentiate between anomalous and normal activity. A small SOAR system might also be an option where the monitoring capability of the SOAR is comprehensive enough to cope with all of the devices within an organisation’s infrastructure. Again, the statements regarding employing external security contractors will also hold for this scenario.

As the complexity of the infrastructure increases together with the value at stake, a SIEM with AI for IT Operations (AIOps) could be a possible solution – as such a system would be able to track slow-moving events over time and automatically initiate some corrective actions in the infrastructure. Should the organisation’s IT department not have the required skills and/or not enough resources, external security contractors will need to be engaged to provide assistance when required and help with regular retuning of the SIEM.

For an organisation with a large and complex IT infrastructure, the amount of event data generated would be vast, so a high-end SIEM coupled with a SOAR product would be the solution of preference – with the SIEM being the best product for gathering and correlating a wide range of event data, while the SOAR is the best product for undertaking a detailed analysis of SIEM-generated data and automatically initiating a range of corrective actions. The SOAR would also be able to undertake analysis of SIEM-generated event data aggregated over a long period of time, which would uncover attempted covert security events. Even in large organisations with a SIEM and SOAR setup, there would likely be a role for external security consultancy (such as Delta3 International) assistance, particularly where there are resource constraints on the IT and/or security departments.

‘The urgent need for a Threat Intelligence Platform (TIP)’

Today’s cybersecurity landscape is marked by massive volumes of data, lack of qualified analysts, and increasingly complex adversarial attacks. It is true there is a whole plethora of tools to protect and defend an organisation; however, there is little integration between these tools! This translates to a frustrating amount of engineering effort to manage systems, and an inevitable waste of already limited resources and time.

To combat these issues, many organisations are choosing to implement a Threat Intelligence Platform (TIP) to integrate new and existing security tools such as SIEM, Endpoint, Firewall, IPS, IDS, API etc. In this regard, a TIP can be deployed as a SaaS or on-premise solution to facilitate the management of cyber threat intelligence and associated entities such as actors, campaigns, incidents, signatures, bulletins etc.

A TIP is defined by its capability to perform the following key functions:

  1. Aggregation of intelligence from multiple sources
  2. Curation, normalisation, enrichment, and risk-scoring of data
  3. Integrations with existing security systems
  4. Analysis and sharing of threat intelligence
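The first three functions in the list above, sketched as an added example that is not from the original article or any TIP product: two feeds in different shapes are aggregated, indicators are normalised so duplicates collide, each is risk-scored, and a SIEM alert is enriched with the result. The feed contents (documentation-range addresses), the scoring formula and all names are constructed assumptions.

```python
import ipaddress

# Constructed feeds in two different shapes (documentation ranges, not real IoCs).
FEED_A = [{"indicator": "203.0.113.10", "type": "ip", "confidence": 80},
          {"indicator": "Bad.Example.COM.", "type": "domain", "confidence": 60}]
FEED_B = ("198.51.100.7,ip,high\n203.0.113.10,ip,medium\n"
          "bad.example.com,domain,low\nnot-an-ip,ip,high")
LEVELS = {"low": 30, "medium": 60, "high": 90}

def normalise(value, kind):
    """Canonical form so the same indicator from different feeds collides."""
    value = value.strip().lower()
    if kind == "ip":
        return str(ipaddress.ip_address(value))   # raises ValueError on junk
    return value.rstrip(".")

def aggregate():
    """Merge both feeds into {(kind, value): {"sources": set, "scores": list}}."""
    rows = [(r["indicator"], r["type"], r["confidence"], "feed_a") for r in FEED_A]
    for line in FEED_B.splitlines():
        value, kind, level = line.split(",")
        rows.append((value, kind, LEVELS[level], "feed_b"))
    merged = {}
    for value, kind, score, source in rows:
        try:
            key = (kind, normalise(value, kind))
        except ValueError:
            continue                               # curation: drop malformed entries
        entry = merged.setdefault(key, {"sources": set(), "scores": []})
        entry["sources"].add(source)
        entry["scores"].append(score)
    return merged

def risk_score(entry):
    """Assumed scoring: best confidence, +10 per corroborating feed, capped at 100."""
    return min(100, max(entry["scores"]) + 10 * (len(entry["sources"]) - 1))

def enrich(alert, intel):
    """Integration step: attach intel context to a SIEM alert by its source IP."""
    entry = intel.get(("ip", normalise(alert["src_ip"], "ip")))
    if entry is None:
        return {**alert, "risk": 0, "intel_sources": []}
    return {**alert, "risk": risk_score(entry),
            "intel_sources": sorted(entry["sources"])}

if __name__ == "__main__":
    print(enrich({"id": 1, "src_ip": "203.0.113.10"}, aggregate()))
```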

To learn more about Threat Intelligence Platforms (TIPs) and how they could benefit your organisation, please contact Delta3 International today at [email protected]


In conclusion – ‘Time is of the essence’

‘Time is of the essence’ is a massive understatement in today’s digital environment. The time from initial infection to critical business impact is now measured in hours, and possibly even minutes. Marrying timely threat intelligence with SOAR platforms is integral for organisations to outpace the adversary. That is why it is important to deploy an effective Threat Intelligence Platform (TIP). Always remember that alerts are great; however, it’s what you do with them that matters.

About the Author

Del Aden

Del Aden is a UK-based InfoSec & Business Continuity Consultant, with a main focus on helping organisations to implement Digital Transformation, defend their digital infrastructure and plan their Business Continuity Strategies. Del is also a freelance writer, international conference speaker and global trainer.

Contact: [email protected] | WhatsApp: +44 7973 623 624 | Web:
