Security information and event management (SIEM) technologies have long been powerful tools for cyber security professionals. They enable security teams to gather and analyze event-based data from many sources, such as IT security systems, networks, servers, applications, and more, to help identify and mitigate incoming cyber attacks.
However, in recent years, security orchestration, automation, and response (SOAR) products have become a viable alternative to more traditional SIEM systems. While SOAR technologies also help organizations manage multiple data sources across their IT real estate, they go further than SIEMs by automating various aspects of the cyber threat discovery and mitigation process.
But with the rapid transition to a remote working world and cybercriminals continuing to take advantage of the Covid-19 pandemic, the threat landscape has evolved significantly in the past year – and businesses face many new cyber security challenges as a consequence. So, are SIEM and SOAR services still powerful tools for security teams? And how have they evolved in 2021?
According to Nicola Whiting, chief strategy officer at Titania, the challenges faced by network security teams have changed significantly because of the coronavirus pandemic and the subsequent rise of remote working.
“The shift to remote working, including the introduction of new devices and applications, as well as the adoption of cloud technology, means that teams have an ever-increasing amount of network data to collect and analyze,” she says.
“Add to that the growing sophistication of threat actors, who require a decreasing amount of time to get established on a target network, and the importance of continually monitoring the configuration state of a network is clear.”
But for security professionals looking to successfully navigate an increasingly complex cyber threat landscape, SIEMs can be powerful tools. Whiting says they offer a centralized, real-time view of a network’s actual state through the collection and analysis of data from different security tools. This allows security professionals to observe when data drifts from the desired state.
“Through aggregating and enriching frequent, if not continuous, vulnerability assessment data, network security teams can achieve configuration confidence – knowing that one’s network is correctly configured to prevent an attack,” says Whiting.
“So, especially in today’s new, complex and evolving IT networking environment, SIEMs are more critical than ever in minimizing the attack surface and reducing the mean time to the detection of misconfigurations.”
However, Whiting believes that identifying anomalies and threats in a SIEM forms only one part of configuration confidence. Another critical element of this process is being able to automatically remediate issues once they have been discovered. Her view is that the triage automation capabilities of SOAR technologies are becoming increasingly essential.
“This is leading to a shift towards integrating SIEMs with security orchestration, automation, and response capabilities – i.e., managed detection and response [MDR] functionality, reducing the mean time to triage security vulnerabilities,” she says. “However, confidence in the automation underpinning MDR is high-fidelity data.
“So network security teams – though keen to adopt automation-based technology to reduce workloads and expedite remediation – are increasingly focusing on the accuracy of tools feeding data into their MDR tools. Automation is redundant if it is based on inaccurate information. Meeting and confronting today’s security threats and challenges, therefore, starts at the vulnerability assessment level.”