
Will Investing in Security Orchestration Make Your SIEM Obsolete?

June 13, 2017   |   Jen Andre   |   SecOps

As more companies continue to adopt security orchestration, many are now wondering if their security information and event management (SIEM) systems will soon become obsolete. Security teams use SIEMs to manage and correlate alerts from detection tools with other data and logs. While SIEMs help to corral alerts and log data into a single unified platform, they often don’t do much in the way of reducing alerts or investigatory tasks after an alert comes in.

Security teams have many options today when it comes to managing security operations. A big question teams are now asking revolves around their technology, and specifically their SIEMs. In the face of the changing technical landscape, will orchestration make SIEMs obsolete? While this topic is complex, the simple answer is no. 

Look at security orchestration as an enhancement to your SIEM: it can help to optimize SIEM functions. With orchestration in place, your SIEM can remain focused on collecting data and correlating alerts, while orchestration works to streamline the path from alert to investigation and remediation.

Furthermore, security orchestration can complement your existing SIEM architecture in three specific ways.

Reduce SIEM Alert Fatigue

SIEMs do many great things, but what they often don’t do is optimize the number and accuracy of alerts. This is a top issue security teams face with many tools, but especially SIEMs. There’s no question you need to be alerted about incidents, but if your SIEM is sending you hundreds or thousands of false alarms every day, it becomes impossible to keep up, find the ones that matter, and respond in a timely manner.

Layering in security orchestration, you can both reduce the volume of alerts and improve the accuracy of alerts. Security orchestration integrates all of your security systems with your SIEM to automate tasks like log queries, IP lookups, and user provisioning, enabling you to instantly verify whether an alert is just a false positive or one that requires further human investigation. That means fewer false alerts and more time to focus on real threats.
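The verification step described above, as an added example (not Komand's code or any SIEM's API): each alert is enriched with an IP lookup and a log query, and the verdict is returned together with the evidence behind it. The allowlist, intel set, log rows, alert fields and function names are all constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed stand-ins for the systems an orchestration layer would query.
APPROVED_SCANNERS = [ipaddress.ip_network("10.20.0.0/28")]  # assumed allowlist
INTEL_BAD_IPS = {"203.0.113.45"}                            # assumed intel lookup result
AUTH_LOG = [  # constructed log rows: (time, source IP, user, outcome)
    ("2017-06-13T09:00:05", "203.0.113.45", "alice", "fail"),
    ("2017-06-13T09:00:09", "203.0.113.45", "alice", "fail"),
    ("2017-06-13T09:00:14", "203.0.113.45", "alice", "success"),
    ("2017-06-13T09:05:00", "10.20.0.3", "svc-scan", "fail"),
    ("2017-06-13T09:30:00", "198.51.100.7", "bob", "fail"),
]
ALERTS = [  # constructed SIEM alerts
    {"id": "A1", "src_ip": "203.0.113.45", "time": "2017-06-13T09:00:15"},
    {"id": "A2", "src_ip": "10.20.0.3", "time": "2017-06-13T09:05:01"},
    {"id": "A3", "src_ip": "198.51.100.7", "time": "2017-06-13T09:30:01"},
]

def query_auth_log(src_ip, end, window=timedelta(minutes=10)):
    """Log query step: auth events from src_ip in the window ending at `end`."""
    start = end - window
    rows = [r for r in AUTH_LOG
            if r[1] == src_ip and start <= datetime.fromisoformat(r[0]) <= end]
    return sorted(rows, key=lambda r: r[0])  # ISO timestamps sort chronologically

def triage(alert):
    """Enrich one alert; return a verdict plus the evidence that produced it."""
    ip = ipaddress.ip_address(alert["src_ip"])
    events = query_auth_log(alert["src_ip"], datetime.fromisoformat(alert["time"]))
    seen_fail = success_after_failure = False
    for _, _, _, outcome in events:
        if outcome == "fail":
            seen_fail = True
        elif outcome == "success" and seen_fail:
            success_after_failure = True  # failed attempts, then a working login
    evidence = {
        "approved_scanner": any(ip in net for net in APPROVED_SCANNERS),
        "intel_hit": alert["src_ip"] in INTEL_BAD_IPS,
        "failures": sum(1 for e in events if e[3] == "fail"),
        "success_after_failure": success_after_failure,
    }
    if evidence["intel_hit"] or success_after_failure:
        verdict = "escalate"  # needs human investigation
    elif evidence["approved_scanner"]:
        verdict = "close"     # expected noise, closed with evidence kept
    else:
        verdict = "review"    # inconclusive: low-priority queue, never dropped
    return {"alert_id": alert["id"], "verdict": verdict, "evidence": evidence}
```

Escalation is checked before the allowlist so that an allowlisted address with a bad signal is never auto-closed, and the evidence is kept on every verdict so a closed alert can still be audited.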

Automatically Orchestrate Process From Your SIEM

Once your SIEM fires an alert, there is a series of tasks that must be executed to respond effectively. Due to limitations in most SIEMs, teams have to work outside their SIEM consoles to perform additional investigations, notifications, and response actions.

Especially if many of the same types of alerts come in on a daily or hourly basis, these tasks become frustratingly routine and draining. So what if you could not only automate the alert verification process, but the response process as well?

Security orchestration can automate the handling of tasks that come up as a result of an alert so that you and your team no longer have to do them manually — or at all.

Platforms such as Komand can help address the most common and repetitive processes (e.g. phishing investigations, user provisioning/deprovisioning, malware containment, and more) that security teams deal with on a regular basis. By hooking up your SIEM to all of your other security and operations tools, those tasks and processes can automatically be executed the moment your SIEM alerts on anomalous activity. In this way, orchestration won’t make your SIEM obsolete, but rather makes it more powerful and effective. 

Using our Splunk plugin, for example, getting Splunk alerts to trigger Komand workflows is as simple as selecting the name of the alert to instrument. You can also use our plugin to automatically perform queries or index events based on certain criteria. When an email comes in that you want to index in Splunk, Komand can automatically log it.

By freeing up your team from these tedious and less-than-enjoyable tasks, you can better optimize their time and keep them happy at work. This can be especially good news in light of today’s major security talent gap.

Security Orchestration Scales SIEM Capabilities

Security orchestration can enhance much of what you’ve been using your SIEM for, giving it more power to stay relevant and useful to your organization. As we’ve explained before, a thorough network security monitoring (NSM) approach requires:

  • Full packet capture
  • Host forensics
  • ETDR logs
  • App server logs
  • Network analytics data
  • And other context to do security monitoring effectively.

Using orchestration, you can connect your SIEM with all of these systems so that you can automatically query for this data when it’s needed. This can keep your SIEM more relevant and useful while also optimizing your use of other data and systems. With tools better connected and processes automated tightly between them, you can extract the full value of each of your tools — your SIEM included.

Give Your SIEM a Compliment

Chances are, you’ve invested heavily in your SIEM and it’s tightly embedded in your current security and operations infrastructure. To keep your SIEM relevant, scalable, and integrated, you can add a security orchestration layer to:

  • Better connect your SIEM with the rest of your organization
  • Take advantage of intelligent alerting and response capabilities
  • Enhance your security personnel and tools by letting them focus on what they do best, and letting orchestration take care of the rest

See a SIEM + security orchestration use case in action in our blog post on How to Automate Response to Endpoint Threats with Sysdig Falco, Splunk, Duo, and Komand.


About Jen Andre

Jen is the founder and CEO of Komand. Before Komand, she co-founded Threat Stack, a leading innovative cloud security monitoring company based out of Boston. She has spent a career in security working at Mandiant and Symantec, and has a background in engineering and security operations.