Security information and event management (SIEM) technologies have long been powerful tools for cybersecurity professionals. They enable security teams to gather and analyze event-based data from many sources, such as IT security systems, networks, servers, applications, and more, to help identify and mitigate incoming cyber attacks.
However, security orchestration, automation, and response (SOAR) products have become a viable alternative to more traditional SIEM systems in recent years. While SOAR technologies also help organizations manage multiple data sources across their IT real estate, they go further than SIEMs by automating various cyber threat discovery and mitigation processes.
But with the rapid transition to a remote working world and cybercriminals continuing to take advantage of the Covid-19 pandemic, the threat landscape has evolved significantly in the past year – and businesses face many new cybersecurity challenges. So, are SIEM and SOAR services still powerful tools for security teams? And how have they evolved in 2021?
According to Nicola Whiting, chief strategy officer at Titania, the challenges faced by network security teams have changed significantly because of the coronavirus pandemic and the subsequent rise of remote working.
“The shift to remote working, including the introduction of new devices and applications, as well as the adoption of cloud technology, means that teams have an ever-increasing amount of network data to collect and analyze,” she says.
“Add to that the growing sophistication of threat actors, who require a decreasing amount of time to get established on a target network, and the importance of continually monitoring the configuration state of a network is clear.”
But SIEMs can still be powerful tools for security professionals navigating an increasingly complex cyber threat landscape. Whiting says they offer a centralized, real-time view of a network’s actual state through the collection and analysis of data from different security tools. This allows security professionals to observe when that state drifts from the desired, correctly configured state.
“Through aggregating and enriching frequent, if not continuous, vulnerability assessment data, network security teams can achieve configuration confidence – knowing that one’s network is correctly configured to prevent an attack,” says Whiting.
“So, especially in today’s new, complex, and evolving IT networking environment, SIEMs are more critical than ever in minimizing the attack surface and reducing the mean time to detecting misconfigurations.”
However, Whiting believes identifying anomalies and threats in a SIEM forms only one part of configuration confidence. Her view is that the triage automation capabilities of SOAR technologies are becoming increasingly essential. Another critical element of this process is automatically remediating issues once they have been discovered.
“This is leading to a shift towards integrating SIEMs with security orchestration, automation, and response capabilities – i.e., managed detection and response [MDR] functionality, reducing the mean time to triage security vulnerabilities,” she says. “However, confidence in the automation underpinning MDR is high-fidelity data.
“So network security teams – though keen to adopt automation-based technology to reduce workloads and expedite remediation – are increasingly focusing on the accuracy of tools feeding data into their MDR tools. Automation is redundant if it is based on inaccurate information. Therefore, meeting and confronting today’s security threats and challenges starts at the vulnerability assessment level.”
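The two ideas in this article, a SIEM spotting when a device's configuration drifts from the desired state and a SOAR layer that only automates remediation when the underlying data is trustworthy, can be shown in a small pipeline. The following is an added example written for this page; it is not code from the article, from Titania, or from any SIEM or SOAR product. The device names, baseline settings, event feed, confidence scores and the 0.9 automation threshold are all constructed for illustration.

```python
"""
Toy SIEM/SOAR pipeline (added example; all data below is constructed).

1. parse_events   - ingest JSON-lines events from several assessment sources,
                    tolerating malformed lines the way a SIEM collector must.
2. detect_drift   - compare the latest observed setting per device against a
                    desired baseline and report every mismatch (misconfiguration).
3. triage         - SOAR-style decision: queue high-confidence findings for
                    automated remediation, send the rest to an analyst, because
                    automating on low-fidelity data is worse than not automating.
"""
import json
from dataclasses import dataclass

# Desired configuration state per device (constructed baseline).
BASELINE = {
    "fw-edge-01": {"telnet": "disabled", "ssh_version": "2", "snmp_community": "custom"},
    "sw-core-01": {"telnet": "disabled", "ssh_version": "2", "snmp_community": "custom"},
}

# Constructed event feed. Each source carries the fidelity score the team has
# assigned to it; the fourth line is deliberately malformed.
EVENTS = [
    '{"source": "config_audit", "confidence": 0.95, "device": "fw-edge-01", "setting": "telnet", "value": "enabled"}',
    '{"source": "config_audit", "confidence": 0.95, "device": "fw-edge-01", "setting": "ssh_version", "value": "2"}',
    '{"source": "traffic_heuristic", "confidence": 0.40, "device": "sw-core-01", "setting": "snmp_community", "value": "public"}',
    'this line is not valid JSON and must be skipped',
    '{"source": "config_audit", "confidence": 0.95, "device": "sw-core-01", "setting": "telnet", "value": "disabled"}',
]

REQUIRED_FIELDS = ("source", "confidence", "device", "setting", "value")


@dataclass(frozen=True)
class Drift:
    """One detected mismatch between observed and desired configuration."""
    device: str
    setting: str
    expected: str
    observed: str
    source: str
    confidence: float


def parse_events(lines):
    """Parse JSON-lines events, dropping malformed or incomplete records."""
    events = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a collector must not die on one bad line
        if isinstance(event, dict) and all(k in event for k in REQUIRED_FIELDS):
            events.append(event)
    return events


def detect_drift(events, baseline):
    """Return a Drift for every (device, setting) whose latest value != baseline.

    The last event seen for a (device, setting) pair wins, which mirrors a
    SIEM keeping the most recent observed state. Settings or devices absent
    from the baseline are ignored: they are unknowns, not drift.
    """
    latest = {}
    for event in events:
        latest[(event["device"], event["setting"])] = event

    findings = []
    for (device, setting), event in latest.items():
        expected = baseline.get(device, {}).get(setting)
        if expected is not None and event["value"] != expected:
            findings.append(Drift(device, setting, expected, event["value"],
                                  event["source"], float(event["confidence"])))
    return findings


def triage(findings, auto_threshold=0.9):
    """Split findings into automated remediation vs. analyst review by confidence.

    auto_threshold (constructed value) is the minimum source fidelity the team
    accepts before letting automation change a production device.
    """
    plan = {"auto_remediate": [], "analyst_review": []}
    for finding in findings:
        bucket = "auto_remediate" if finding.confidence >= auto_threshold else "analyst_review"
        plan[bucket].append(finding)
    return plan


def run_pipeline(lines=EVENTS, baseline=BASELINE):
    """Convenience wrapper: ingest -> detect drift -> triage."""
    return triage(detect_drift(parse_events(lines), baseline))


if __name__ == "__main__":
    for bucket, items in run_pipeline().items():
        print(bucket)
        for d in items:
            print(f"  {d.device} {d.setting}: expected {d.expected!r}, observed {d.observed!r} "
                  f"(source {d.source}, confidence {d.confidence})")
```

On the constructed feed, the telnet finding comes from a 0.95-confidence configuration audit and is queued for automated remediation, while the SNMP community finding comes from a 0.40-confidence traffic heuristic and goes to an analyst instead. The gating in `triage` is the practical expression of the point that automation is only as good as the accuracy of the tools feeding it.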