In a previous post, we discussed the origins of security information and next-generation SIEM solutions for cybersecurity and how they have evolved with the expansion of machine learning and smarter systems.In Part 2, we’ll explore how security orchestration automation and response, or SOAR, solutions differ and can complement next-generation SIEM (NG SIEM) to build a powerful, holistic cybersecurity tool.
What is MTTR and MTTD?
Before we turn our attention to SOAR security, it’s important to first introduce the concepts of mean-time-to-resolution and mean-time-to-detection, also known as MTTR and MTTD.
MTTR first originated in deskside/IT support and signified the duration of when a problem ticket was first reported and subsequently resolved by a technician. Cybersecurity analysts have also adopted MTTR. Its meaning remains the same except that MTTR in cybersecurity defines the span of time between when a confirmed cybersecurity incident is first triaged to when it’s eventually resolved.
MTTD, refers to when cybercriminals first employ the tactics and techniques used to obtain a foothold on a target network to when they’re eventually detected by a network or endpoint security control.
NG SIEM and SOAR Security: A Powerful Partnership
SOAR technology was conceived to help address the SIEM challenge of event/alert fatigue and the global talent shortage in cybersecurity for organizations to effectively staff a SIEM deployment.
SOAR tools work to streamline what were once manual tasks as a way of removing human error from the MTTD and MTTR loop through automation and orchestration, powered by incident response playbooks. The goal is to reduce the tediousness and overtaxing nature of threat analysis.
Unlike NG SIEM, SOAR is an integration platform that glues an organization’s numerous SecOps (security operations) tools together and automates them using incident response playbooks that can be executed automatically or with a single click by an SOC analyst. SOAR cybersecurity technology also facilitates case management with a purpose-built issue tracking system for collecting security event analysis and response workflows.
The best way to differentiate NG SIEM from SOAR platforms is to think of SIEM solutions as systems of record and SOAR solutions as systems of action. This doesn’t remove the need for a SIEM.
Instead, when combined with SOAR tools, an NG SIEM is more effective in reducing MTTD and MTTR. It also addresses the challenge of inadequate staffing and lowers the high signal-to-noise ratio common in many security operations centers.
Keeping Alerts Manageable
NG SIEM and SOAR security systems can work together to stop cyber threats while keeping operations running smoothly.
As expected, the collision of NG SIEM and SOAR security is occurring as NG SIEM companies began acquiring SOAR companies with the objective of integrating SOAR capabilities into their SIEM platform or expanding the integration between the two.
NG SIEM platforms that integrate the capabilities of SOAR technology will not incorporate all of the capabilities of a dedicated SOAR platform due to their necessity to support NG SIEM functions. Adding playbooks and automated response to an NG SIEM will certainly improve automated response and orchestration offered by a dedicated SOAR solution.
SOAR tools integrate easily into existing workflows, helping to make network management more efficient and automated. NG SIEM is intelligent software, just like SOAR. But NG SIEM is prone to generating more alerts than a team can respond to. Whereas NG SIEM that incorporates SOAR technology will help reduce the number of alerts to make workflows more manageable.
Leveraging the Marriage of SIEM and SOAR Solutions
Cyberattacks can often only be detected through a holistic view and analysis of varying events occurring on your network.
It’s more important than ever to gain a comprehensive view of your entire institution. Aggregation and correlation of events across all systems and networks provides management with better visibility of potential cyber threats.
More visibility leads to a better assurance that your security controls are effective, which will lower your risk profile and reduce your total cost to mitigate cyber threats. Leveraging the advances in NG SIEM and SOAR technology will help identify and stop the presence of potentially malicious and harmful behavior, which can help prevent a data breach or service disruption.
Simply put, the best solution to industry-wide struggles with threat detection and response is to increase efficiency by leveraging the functionality of SOAR technology within today’s NG SIEM.
More Cybersecurity Resources
If you’re interested in learning more about where cybersecurity is headed, Jack Henrysm has a number of resources available for you. Plus, they are updated regularly to ensure that you always stay up to date on breaking cybersecurity news.
.svg)
