SIEM, UEBA, and SOAR – What’s the Difference?

Acronyms can get tangled in the ever-growing security marketplace. For instance, many use SIEM and SOAR interchangeably. Although security information and event management (SIEM), and security orchestration, automation and response (SOAR), have capabilities which complement one another, they are not the same thing.
Acronyms can get tangled in the ever-growing security marketplace. For instance, many use SIEM and SOAR interchangeably. Although security information and event management (SIEM), and security orchestration, automation and response (SOAR), have capabilities which complement one another, they are not the same thing.

By Limor Wainstein

The term ‘Information Security’ refers to the protection of the information environment in its entirety.

Data is not the only aspect that needs to be secured, but the defensive system should also safeguard data media and the overall infrastructure.

InfoSec solutions are therefore built to secure the administrative, legal and technical aspects while also keeping an eye on user behavior to inhibit data leaks and accidental disclosure.

To ensure that an information security solution meets an organization’s security requirements appropriately, mechanisms involved in data security are usually segregated into technical (formal) and normative (informal) categories.

Given the fact that malicious attacks are becoming increasingly sophisticated as well as persistent, the established tools that focus largely on safeguarding the perimeter of applications will gradually be replaced by solutions that include detection and response capabilities.
Given the fact that malicious attacks are becoming increasingly sophisticated as well as persistent, the established tools that focus largely on safeguarding the perimeter of applications will gradually be replaced by solutions that include detection and response capabilities.

Informal techniques consist of administrative, ethical and moral aspects such as standards for workplace behavior, code of conduct, corporate culture, etc.

Formal techniques include software as well as different technical components such as hardware and similar equipment.

Protective systems that are based on software can be implemented using standalone applications as well as complex systems.

Examples of such complex systems include UBA, UEBA, SIEM and SOAR solutions. These have been integrated into businesses at scale to provide information security to organizations.

SIEM, UEBA & SOAR – What They Are & How They Work

SIEM

Security Information and Event Management (SIEM) solutions have been through relatively few changes over time. It initially began as a way to simply collate and store logs.

This then transitioned into correlating information using rules as well as an alert system for teams when suspicious activity occurs.

Today SIEM solutions provide advanced analytics as well as response automation.

SIEM Solutions Today

  1. Use purpose-built sensors to continually collect digital forensics data throughout an organization

  2. Make use of machine learning and artificial intelligence to identify extraordinary network behavior that may point to a possible data breach or malware.

Essentially, SIEM uses the principle – ‘Let Everybody In, and Nobody Out’

At its core, SIEM is a system used to collect and correlate events that relate to information security.

SIEM was initially planned as a tool to harvest and catalog information security related events and juxtapose them in a bid to identify possible threats.

A solution like this would also allow organizations to crosscheck their compliance with commonly used InfoSec standards including PCI-DSS, GDPR, etc. which would also help in reporting.

How to Get the Most Out of Your SIEM

Given the fact that malicious attacks are becoming increasingly sophisticated as well as persistent, the established tools that focus largely on safeguarding the perimeter of applications will gradually be replaced by solutions that include detection and response capabilities.

The focus will now increasingly be on endpoint devices.

SIEM Components

The nomenclature itself indicates that SIEM is a combination of two technologies – SIM (Security Information Management), and SEM (Security Event Management).

  1. SIM – Responsible for collecting all relevant information in a single location, thereby allowing it to be managed efficiently. It enables central logging management including the functions of log searching and reporting.

  2. SEM – SEM is intended to detect and manage any threats that may occur. SEM works by mirroring real-time threat analysis and using correlation rules to help in detecting incidents. SEM also works with features related to incident management allowing server administration and delivering security functions.

Security Information and Event Management
Security Information Management Security Event Management
Centralized Log Collection Real-time Threat Analysis
Log Storage Incident Detection & Response
Log Search & Reporting Basic Ticketing Capabilities
Security Operations

(Forcepoint UEBA information security protects sensitive client information, detects compromised accounts and enforces the continued improvement of an organization’s internal security culture. Courtesy of Forcepoint and YouTube. Posted on Feb 14, 2018.)

UEBA

UEBA is an extension of SIEM where, in addition to observing suspicious network behavior, they also trigger alerts when unusual entity or user behavior is observed.

Given than compromised credentials make up about 75% of all network intrusions, UEBA has taken on an importance of its own.

In the event that credentials are stolen, these credentials end up being used at times, places and in ways.

For example, in case a login takes place that is outside the usual pattern, this event is immediately recorded and a flag is raised to trigger an investigation.

In case a user ‘X’ usually logs in to ‘Workstation 1’, but suddenly logs in to ‘Server 2’, this is recorded as an unusual user behavior and is flagged as a matter for further investigation.

The Principles of UEBA Systems

User & Entity Behavior Analytics, or UEBA, can also be considered as an extended arm of UBA given that it has the ability to not only monitor a specific set of users or individuals but also certain machines within a designated network, for example – a complete IT perimeter.

UEBA systems constantly collect and store usage information with regards to applications, hosts, data storage frameworks and network traffic.

This allows them to conduct an analysis of interactions between hardware and operators or users ensuring a level of complete transparency.

This helps in identifying a broader range of threats concerning users as well as entities within an IT infrastructure.

(Get a quick primer on the purpose of using a UEBA solution vs. SIEM. Courtesy of Forcepoint and YouTube. Posted on Aug 16, 2018.)

SOAR

While SIEM and UEBA conduct the necessary tasks of identifying and flagging possible security threats, the end goal is always to take timely action on any suspicious behavior as effectively and efficiently as possible.

This is where the next stage in information security and protection systems comes in.

Introducing SOAR –Security Orchestration, Automation and Response.

An easy way to understand the key difference between the systems is that where traditional SIEM’s can merely ‘say’ or flag a behavior, SOAR enabled systems can actually ‘do’ something or take action against any detected malicious activity.

SOARs are able to connect data sources and use the combined information from different threat intelligence feeds to automate appropriate responses. This improves efficiency as well as the effectiveness of the threat protection system.

Ex – In case a corrupted USB is used in a laptop even when the laptop off a network and malware begins to be transferred from the USB to the laptop, a SOAR enabled system will be able to detect the malware, identify the suspicious communication and link it a low-reputation IP address.

The SOAR system will also be able to detect any suspicious process that begins execution and automatically prevent the communication and thereby avoiding a possible breach of data.

Different Versions of SOAR

Depending on the nature of a SOAR system, it can end up having different interpretations and use cases:

  1. Security Operations, Analytics, and Reporting (SOAR)

  2. Security Orchestration, Automation, and Response (SOAR)

Common Features of SOAR

As described above, SOAR is a solution crafted especially for aggregating threat data originating from a variety of different sources, followed by the analysis of this data for appropriate action.

Some fundamental features of SOAR include:

  1. The integration of tools and technologies that are needed for decision-making. This is based on the conditioning of security systems, reports and estimates of possible levels of risk.

  2. The automation of response processes

  3. Detailed incident management workflow that includes end-to-end approach – assigning priorities, logging incident response actions, and policy-compliant decision making)

  4. Proper visualization of data that includes employee reports, key metrics, and related documentation.

Benefits of SOAR, How is it Different from SIEM

Probably the most impactful benefit of utilizing a SOAR system is the ability to completely automate the information security management process – from assigning priorities to incident response.

As opposed to the log analysis provided by SIEM systems, solutions by SOAR are able to absorb a complete range of various technologies that are currently used to maintain the activities of service centers as well as monitoring services.

SOAR is able to threat-related data to security systems that are linked to different input sources.

SOAR is able to do using the following three modules:

  1. SOAR’s Security Incident Response module assists in the identification of incidents. It is also able to import relevant information from solutions that are currently in place and customize processes accordingly.

  2. SOAR enabled systems are able to engage the Vulnerability Response module. This allows it to prioritize difference vulnerabilities based on their threat levels. It is also able to determine the system’s susceptibility to threats and vulnerabilities.

  3. SOAR’s Threat Intelligence module is developed with the intention to identify signals of a possible threat or compromise and track these down to deeper levels. The main benefit of this module is the support it receives from various standards applicable for threat-related data exchange. Additionally, the Threat Intelligence module assists in the addition of custom sources as well as information exchange with external systems.

Conclusion

When selecting an information security solution that fits an organization, the company’s executives need to first have an understanding of the individual processes that need to be controlled.

SIEM, UEBA, SOAR or a similar system will probably not solve the organization’s InfoSec problems automatically.

However, they will definitely assist in automating routing procedures that may otherwise need to be manually performed.

Most major companies today have internal data protection systems of their own.

Therefore, it is worthwhile to begin by first analyzing the systems already being deployed so that any possible redundancy can be avoided.

About the Author

Limor Maayan
Limor Maayan

Limor Wainstein is a technical writer and editor at Agile SEO, a boutique digital marketing agency focused on technology and SaaS markets.

Limor has over 10 years’ experience writing technical articles and documentation for various audiences, including technical on-site content, software documentation, and dev guides.

She specializes in big data analytics, computer/network security, middleware, software development and APIs.

LinkedIn: https://www.linkedin.com/in/limormaayan/

Twitter: @LimiMaayan