SIEM vs. SOAR: What’s the Difference?

SIEM and SOAR products exist to solve many of the same problems that security teams face today: to collect, normalize, aggregate, correlate, detect, alert on, and remediate across an ever-increasing number of disparate information vectors in order to manage security events in their networks. While these two classes of tools do have some similarities, they go about solving these problems in fundamentally different ways.

Security Information and Event Management (SIEM) applications collect and aggregate data from a variety of internal and external sources to identify anomalous behavior that can be indicative of a cyberattack. This identification functionality is increasingly being driven by machine learning and other advanced pattern recognition technologies. 

A SIEM application’s primary function is the collection and detection of anomalies across a variety of data sources. It provides a single pane of glass for Security Operations Center (SOC) teams to view all of their security alerts. Compared to Security Orchestration, Automation, and Response (SOAR) platforms, SIEM tools excel in the collection, classification, and aggregation of massive amounts of log and event data from many different sources. Traditionally these sources have been a range of different network products such as firewalls, switches, routers, NIPS, and more, though modern SIEM solutions are fully capable of ingesting logs from a variety of outside sources such as Cloud Service Providers (CSPs), trusted authentication providers, and Endpoint Protection Platforms.

The acronym “SOAR” was first used by Gartner in 2015 to describe Security Operations, Analytics, and Reporting. Gartner revised the term to refer to its current definition in 2017 as it saw a convergence of existing technologies such as Security Orchestration and Automation (SOA), Security Incident Response Platforms (SIRPs), and Threat Intelligence Platforms (TIPs).

The term SOAR is generally used today to refer to any technology, solution, or collection of preexisting tools that allows organizations to streamline the handling of security processes in three key domains: threat and vulnerability management, incident response, and security operations automation. SOAR products are unique in the security space for their unparalleled ability to be combined with other tools to facilitate mature, automated workflows.

While many SOAR workflows, often called playbooks, still require humans to review, acknowledge, or even remediate, SOAR products go much further than SIEM products in the amount of pre-processing that is done before a human is involved. For SOAR products, the sky’s the limit in terms of their automation capabilities — third-party integrations can offer a wide variety of options for enrichment and actions, and many SOAR tools allow for the introduction of custom apps or even ad-hoc scripting.
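The division of labor described above can be shown end to end in a short sketch. This is an added example, not code from the original article or from any vendor's product: the log formats, the `APPROVED_SCANNERS` allowlist, the thresholds, and all function names are assumptions, and the sample data is constructed. The SIEM half normalizes and correlates events from two sources; the SOAR half is a playbook that enriches each alert and decides whether a human is needed.

```python
from collections import defaultdict

# Constructed sample input: two sources with different native formats.
FIREWALL_LOGS = [
    "2024-05-01T10:00:01Z DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:03Z DENY src=203.0.113.7 dst=10.0.0.5 dport=3389",
    "2024-05-01T10:00:04Z ALLOW src=198.51.100.20 dst=10.0.0.8 dport=443",
    "2024-05-01T10:00:09Z DENY src=198.51.100.20 dst=10.0.0.8 dport=22",
]
AUTH_EVENTS = [
    {"ts": "2024-05-01T10:00:05Z", "result": "failure", "ip": "203.0.113.7"},
    {"ts": "2024-05-01T10:00:06Z", "result": "failure", "ip": "203.0.113.7"},
    {"ts": "2024-05-01T10:00:10Z", "result": "failure", "ip": "198.51.100.20"},
    {"ts": "2024-05-01T10:00:11Z", "result": "failure", "ip": "198.51.100.20"},
]
APPROVED_SCANNERS = {"198.51.100.20"}  # hypothetical allowlist used for enrichment

def normalize(fw_lines, auth_events):
    """SIEM step 1: map both formats onto one schema (source, src_ip, suspicious)."""
    events = []
    for line in fw_lines:
        _ts, action, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append({"source": "firewall", "src_ip": fields["src"], "suspicious": action == "DENY"})
    for ev in auth_events:
        events.append({"source": "auth", "src_ip": ev["ip"], "suspicious": ev["result"] == "failure"})
    return events

def siem_correlate(events, threshold=3):
    """SIEM step 2: alert on IPs with >= threshold suspicious events across more than one source."""
    seen = defaultdict(lambda: {"count": 0, "sources": set()})
    for ev in events:
        if ev["suspicious"]:
            seen[ev["src_ip"]]["count"] += 1
            seen[ev["src_ip"]]["sources"].add(ev["source"])
    return [{"src_ip": ip, **s} for ip, s in sorted(seen.items())
            if s["count"] >= threshold and len(s["sources"]) > 1]

def soar_playbook(alert, auto_block_at=4):
    """SOAR: enrich the alert, then close it, contain it, or hand it to an analyst."""
    if alert["src_ip"] in APPROVED_SCANNERS:
        return "close: approved scanner"
    if alert["count"] >= auto_block_at:
        return "contain: queue firewall block, notify analyst"
    return "escalate: analyst review required"

def run_pipeline():
    alerts = siem_correlate(normalize(FIREWALL_LOGS, AUTH_EVENTS))
    return {a["src_ip"]: soar_playbook(a) for a in alerts}
```

Both source IPs cross the SIEM threshold and raise alerts, but only one outcome pages an analyst: the playbook closes the allowlisted scanner on its own and queues containment for the other.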

SOAR platforms, as a newer class of product than SIEMs, are still growing in adoption. Gartner predicts that 30% of organizations with security teams larger than five people will have a SOAR tool by 2022.

Regardless of which tool organizations settle on (or if they use both), SOC teams can leverage integrations with Expanse to feed and enrich security events. For SIEM users, Expanse recently partnered with Splunk and IBM to create rich integrations for both Splunk (on-prem and cloud) and IBM QRadar. These integrations act as a conduit for Expanse’s events and behavior feeds as well as Expanse’s aggregated asset inventory, which can be used to create custom dashboards that capture a holistic view of an organization’s public attack surface. Expanse also recently delivered integrations for Phantom, a Splunk product, and Cortex XSOAR, formerly Demisto, both prominent players in the SOAR space.

If you are a current Expanse customer looking to immediately take advantage of the integrations above or to use Expanse with your own SIEM or SOAR product, please contact your Engagement Manager. Expanse is ready to help deploy these solutions in your environment or work to support the tools you value.

And if you’re not a current customer, please schedule a demo today to learn more about how Expanse can improve your SIEM or SOAR experience and reduce risk for your organization.