
How RevealX Evolves the SOAR SIEMbiosis

ExtraHop

December 10, 2024

Over the last decade, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) deployments have become essential components of enterprise cyber defense. This post explains what each technology does, where legacy SIEM falls short, and how modern network detection and response (NDR) tooling has evolved to complement both and improve their effectiveness.

What Is SIEM?

Now often regarded as legacy security technology, SIEM solutions merge security information management (SIM) and security event management (SEM) into one platform. A SIEM aggregates and analyzes security data from disparate sources, including endpoints, network traffic, servers, applications, and databases, to detect high-risk activity in near real time. By fusing this telemetry in a unified platform, the SIEM functions as an organization's central detection and alerting engine for suspicious activity.

A typical SIEM detection scenario is an unusually high number of failed login attempts against a single employee account. After counting the failures within a short window, the SIEM alerts the security operations center (SOC) team, prompting them to investigate whether the user's credentials have been compromised or the organization's network breached.
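The failed-login scenario above, worked as an added example that is not code from ExtraHop or the original post. It treats the SIEM as a sliding-window counter over raw log lines; the sshd-style log format, the five-failures-per-minute threshold and the alert fields are assumptions, and the log lines are constructed.

```python
"""Sliding-window failed-login detection over constructed auth log lines.

Added example; this is not ExtraHop's code or any SIEM product's rule
language. The sshd-style log lines, the 5-failures-per-minute threshold
and the alert shape are assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (assumption: sshd-style "Failed/Accepted password" lines).
SAMPLE_LOG = """\
2024-12-10T09:00:01Z sshd[1201]: Failed password for alice from 10.0.4.17 port 51022
2024-12-10T09:00:03Z sshd[1201]: Failed password for alice from 10.0.4.17 port 51023
2024-12-10T09:00:04Z sshd[1201]: Failed password for alice from 10.0.4.17 port 51024
2024-12-10T09:00:06Z sshd[1201]: Failed password for alice from 10.0.4.17 port 51025
2024-12-10T09:00:07Z sshd[1201]: Failed password for alice from 10.0.4.17 port 51026
2024-12-10T09:00:09Z sshd[1201]: Accepted password for alice from 10.0.4.17 port 51027
2024-12-10T09:05:00Z sshd[1201]: Failed password for bob from 10.0.9.3 port 40001
2024-12-10T09:20:00Z sshd[1201]: Failed password for bob from 10.0.9.3 port 40002
2024-12-10T09:21:00Z kernel: unrelated line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_line(line):
    """Return a dict for an auth event, or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Alert once per user when `threshold` failures land inside `window`.

    A success that follows such a burst gets its own, higher-severity alert:
    that is the pattern that suggests the guessing worked, rather than a user
    mistyping a forgotten password.
    """
    recent = defaultdict(deque)   # user -> timestamps of failures still inside the window
    burst_open = set()            # users already alerted for the burst currently in the window
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        user, q = ev["user"], recent[ev["user"]]
        while q and ev["ts"] - q[0] > window:      # expire failures older than the window
            q.popleft()
        if not q:
            burst_open.discard(user)                # the burst has aged out
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and user not in burst_open:
                burst_open.add(user)
                alerts.append({"type": "failed_login_burst", "severity": "medium",
                               "user": user, "src": ev["src"], "count": len(q),
                               "first": q[0], "last": q[-1]})
        else:  # Accepted
            if user in burst_open:
                alerts.append({"type": "success_after_burst", "severity": "high",
                               "user": user, "src": ev["src"], "count": len(q),
                               "first": q[0], "last": ev["ts"]})
            q.clear()
            burst_open.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth an analyst's attention: a burst of failures followed by a success on the same account is far more likely to be a guessed credential than a mistyped password, and most SIEM rule languages let you express exactly this sequence.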

The downside of legacy SIEMs is that they have introduced sprawling process inefficiencies for SOC teams. SIEMs can generate tens of thousands of alerts per day, many of which are inconclusive at best and false positives at worst. This flood of low-quality notifications causes alert fatigue among SOC analysts, along with a growing backlog of unexamined alerts and potentially unaddressed risks.

For SOC teams at large enterprises, the alert deluge is so overwhelming that analysts are only able to respond to 49% of the suspicious activity notifications in their SIEM feeds per day on average, according to a global IBM survey conducted in 2023. The survey also found that 17% of SOC team members cited too many low-priority or false-positive alerts as being the primary factor slowing down their threat response time.

SOAR Picks Up Where SIEM Leaves Off

SOAR tools are designed to complement SIEM detection and alert feeds by automating, managing, and triaging security workflows, data collection, and incident response. Prioritizing security alert importance and filtering out low-quality notifications is where the deployment of a high-performance SOAR solution demonstrates its utility.

Once the SIEM has analyzed event data and enriched it with threat intelligence, it forwards the relevant alerts and supporting telemetry to the SOAR platform, which decides how to rank and present them to SOC analysts in order of importance. A high-performance SOAR will, for example, close low-level alerts automatically while escalating mission-critical ones for manual review and response.

For high-risk alerts that require SOC intervention, a SOAR guides analysts through the incident response process, supplying detailed contextual information and recommended actions at each step. Solutions of this kind typically make the most sense for large organizations with large attack surfaces, which are the most susceptible to alert fatigue in their overloaded SOCs.

The key benefit of SOAR deployment is that it intelligently coordinates tool sets and data from disparate sources, while reducing the burden on SOC teams by minimizing the disorienting signal noise caused by alert overload. Put another way, SOAR deployments empower security teams with a backend infrastructure to work more efficiently while focusing on the most relevant incident notifications.
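As an added example (not code from ExtraHop, CrowdStrike or any SOAR product), here is the triage logic of the preceding paragraphs in Python: deduplicate the batch, enrich each alert from an asset inventory and allowlists, score it, and route it. The alert batch, the inventory, the scanner and threat-intel lists and the thresholds are all constructed assumptions.

```python
"""SOAR-style triage of a SIEM alert batch: dedupe, enrich, score, route.

Added example; this is not ExtraHop's, CrowdStrike's or any SOAR product's
code. The alert fields, the asset inventory, the scanner allowlist, the
threat-intel list and the scoring thresholds are assumptions.
"""
from dataclasses import dataclass, field

# Constructed enrichment sources (assumptions). A real playbook would pull these
# from a CMDB, the vulnerability scanner's configuration and a threat-intel feed.
ASSET_CRITICALITY = {"dc01": 5, "fileserver02": 3, "ws-0417": 1}   # unknown hosts default to 2
SCANNER_IPS = {"10.0.250.5"}          # authorized scanner: its port scans are expected
KNOWN_BAD_IPS = {"203.0.113.77"}      # threat-intel hit (documentation address, constructed)

# Constructed SIEM alert batch. A-3 repeats A-2 and should be merged, not re-triaged.
SAMPLE_ALERTS = [
    {"id": "A-1", "rule": "port_scan", "severity": 2, "host": "dc01", "src_ip": "10.0.250.5"},
    {"id": "A-2", "rule": "failed_login_burst", "severity": 3, "host": "ws-0417",
     "src_ip": "10.0.4.17", "user": "alice"},
    {"id": "A-3", "rule": "failed_login_burst", "severity": 3, "host": "ws-0417",
     "src_ip": "10.0.4.17", "user": "alice"},
    {"id": "A-4", "rule": "outbound_beacon", "severity": 4, "host": "dc01", "src_ip": "203.0.113.77"},
    {"id": "A-5", "rule": "new_admin_account", "severity": 3, "host": "fileserver02", "src_ip": "10.0.9.3"},
]


@dataclass
class TriagedAlert:
    id: str
    rule: str
    host: str
    priority: int
    action: str                         # "escalate" | "queue" | "auto_close"
    reasons: list = field(default_factory=list)
    merged_ids: list = field(default_factory=list)


def triage(alerts, auto_close_below=3, escalate_at=12):
    """Return alerts ordered by priority, each tagged with its routing decision and why."""
    by_key, result = {}, []
    for a in alerts:
        key = (a["rule"], a["host"], a.get("user"), a["src_ip"])
        if key in by_key:                       # duplicate of something already triaged
            by_key[key].merged_ids.append(a["id"])
            continue
        reasons = []
        if a["rule"] == "port_scan" and a["src_ip"] in SCANNER_IPS:
            priority, action = 0, "auto_close"
            reasons.append("source is the authorized vulnerability scanner")
        else:
            crit = ASSET_CRITICALITY.get(a["host"], 2)
            priority = a["severity"] * crit
            reasons.append(f"severity {a['severity']} x asset criticality {crit}")
            if a["src_ip"] in KNOWN_BAD_IPS:
                priority += 5
                reasons.append(f"{a['src_ip']} is on the threat-intel blocklist")
            if priority >= escalate_at:
                action = "escalate"
            elif priority < auto_close_below:
                action = "auto_close"
            else:
                action = "queue"
        t = TriagedAlert(a["id"], a["rule"], a["host"], priority, action, reasons)
        by_key[key] = t
        result.append(t)
    result.sort(key=lambda t: t.priority, reverse=True)   # stable: ties keep arrival order
    return result


if __name__ == "__main__":
    for t in triage(SAMPLE_ALERTS):
        print(t)
```

Every decision carries its reasons, so the analyst who opens an escalated alert sees why it ranked where it did; that audit trail matters more than the scoring formula itself, which each SOC will tune to its own inventory and risk appetite.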

Advancements in AI and machine learning have further enhanced SOAR performance. Specifically, AI helps automate repetitive tasks that used to be much more manually intensive. For example, AI-powered SOARs autonomously process, standardize, and enrich threat intelligence data. They also simplify complex security workflows and inform better SOC decision-making, arming analysts with contextualized insights based on previously observed and resolved security incidents.

As noted by Cyrebro’s discussion of modern SOAR applications, “continuous learning from data and feedback reduces false positives and negatives, resulting in improved performance and efficiency. Additionally, AI aids in the creation of playbooks by analyzing historical security incidents, suggesting customizable templates, and guaranteeing effective playbooks are available for different scenarios.”

SIEM vs. SOAR vs. Next-Gen SIEM

Funneling SIEM telemetry and detections through an AI-powered SOAR engine is central to the next-gen SIEM framework touted by security leaders including CrowdStrike. Next-gen SIEM encompasses a set of capabilities that supplement established SIEM functions and integrate modern technologies like AI along with enhanced investigative methods for detecting cyber threats.

Next-gen SIEM is designed to address another significant shortcoming of legacy SIEM solutions: the seemingly endless time security teams spend configuring, managing, maintaining, and tuning them. Next-gen SIEM platforms use AI and machine learning analytics to adapt to shifts in the threat landscape without constant manual tuning. They are also engineered to scale across corporate IT environments and to process enterprise volumes of data.

AI assistants like CrowdStrike Charlotte help teams analyze incidents faster by providing a clear picture of an attack, with investigative context and incident reports that save analysts time. Other SIEM enhancements engineered by CrowdStrike turn SOAR platforms into active participants during investigations. One such feature, Detection Coverage, maps "active detection rules to MITRE ATT&CK® techniques to provide a clear view" of which techniques the deployed rules can and cannot observe, according to CrowdStrike.

Another significant innovation is AI-generated parsing. “By analyzing sample logs with multiple large language models, Falcon® Next-Gen SIEM can classify log structure and contents on the fly to build parsers, saving hours of busywork,” according to CrowdStrike.

How RevealX Enhances SOAR-SIEM Effectiveness and Relevance

RevealX™ from ExtraHop® is a network detection and response (NDR) platform that makes SIEM and SOAR solutions work better by leveraging granular network telemetry to improve overall detection fidelity.

RevealX passively monitors an organization's network traffic, both north-south and east-west, including encrypted traffic, in real time. Because it sits out of band, it does not degrade network performance.

RevealX captures transaction logs, NetFlow data, and full packets across more layers of the network (OSI layers 2 through 7) than competing NDR solutions, and it retains this data for up to 365 days to support investigations and root cause analysis.

Full packet capture (PCAP) and AI-powered analysis reduce false positives, fuel more accurate detections, and give SIEM and SOAR alert views richer context and metadata about what is happening on the network. With RevealX, you can see what any packet is doing anywhere on your network at a given time: where it is going, where it came from, and what is being said on both sides of the conversation. This level of detail is particularly helpful to organizations with rigorous incident reporting and compliance obligations.

RevealX also applies machine learning to network data to distinguish suspicious behavior from normal, benign traffic. In addition to behavior-based machine learning detections, RevealX provides four other layers of network-based detection: network indicator detections, routinely exploited vulnerability detections, emerging exploit detections, and signature-based network malware detections through its IDS module (see figure below).

Figure: The five layers of network-based detection provided by RevealX.

When it comes to next-gen SIEM applications, RevealX can enhance SIEM-SOAR synergy in three key ways. First, it refines correlations between real-time endpoint and log data with contextual telemetry from the network. Second, it combines detection and enrichment in a single console. Third, it accelerates queries with cloud-scale compute across correlation, incident response, and threat hunting, reducing SOC analysts' mean time to respond (MTTR) to suspicious activity.
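To make the first of those three points concrete, here is an added example (not ExtraHop's code, and not RevealX's data model) of enriching a SIEM alert with network transaction records: for the host named in the alert, look at what it talked to on the wire in the minutes around the alert, and raise or lower confidence accordingly. The record fields, the internal address ranges, the 15-minute window and the scoring rules are assumptions; all records and alerts are constructed.

```python
"""Correlating a SIEM alert with network transaction records.

Added example; this is not ExtraHop's code and does not use RevealX's
record format. The record fields, the RFC 1918 internal ranges, the time
window and the scoring rules are assumptions chosen for illustration.
"""
import ipaddress
from datetime import datetime, timedelta

# Assumption: the organization's internal address space is exactly the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LATERAL_PROTOS = {"smb", "rdp", "winrm", "ssh"}   # protocols commonly used to move between hosts


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed NDR-style transaction records: one row per client/server/protocol conversation.
NET_RECORDS = [
    # 10.0.4.17 shortly after a burst of failed logins: SMB fan-out, RDP, then an external session
    {"ts": "2024-12-10T09:00:40Z", "client": "10.0.4.17", "server": "10.0.1.10", "proto": "smb"},
    {"ts": "2024-12-10T09:00:41Z", "client": "10.0.4.17", "server": "10.0.1.11", "proto": "smb"},
    {"ts": "2024-12-10T09:00:42Z", "client": "10.0.4.17", "server": "10.0.1.12", "proto": "smb"},
    {"ts": "2024-12-10T09:00:43Z", "client": "10.0.4.17", "server": "10.0.1.13", "proto": "smb"},
    {"ts": "2024-12-10T09:00:44Z", "client": "10.0.4.17", "server": "10.0.1.14", "proto": "smb"},
    {"ts": "2024-12-10T09:02:10Z", "client": "10.0.4.17", "server": "10.0.1.20", "proto": "rdp"},
    {"ts": "2024-12-10T09:03:00Z", "client": "10.0.4.17", "server": "198.51.100.9", "proto": "https"},
    # same host hours later: outside the correlation window, must not count
    {"ts": "2024-12-10T13:00:00Z", "client": "10.0.4.17", "server": "10.0.1.30", "proto": "smb"},
    # an unrelated workstation doing ordinary things
    {"ts": "2024-12-10T09:01:00Z", "client": "10.0.4.22", "server": "10.0.1.50", "proto": "https"},
    {"ts": "2024-12-10T09:01:05Z", "client": "10.0.4.22", "server": "10.0.1.53", "proto": "dns"},
]

# Constructed SIEM alerts to enrich: the same rule fired on two different hosts.
ALERT_SUSPECT = {"id": "A-2", "rule": "failed_login_burst", "ts": "2024-12-10T09:00:07Z", "host_ip": "10.0.4.17"}
ALERT_BENIGN = {"id": "A-9", "rule": "failed_login_burst", "ts": "2024-12-10T09:00:30Z", "host_ip": "10.0.4.22"}


def correlate(alert, records, window=timedelta(minutes=15)):
    """Attach network-derived context to a SIEM alert and rate its confidence."""
    t0 = parse_ts(alert["ts"])
    relevant = [r for r in records
                if r["client"] == alert["host_ip"] and abs(parse_ts(r["ts"]) - t0) <= window]
    lateral = [r for r in relevant if r["proto"] in LATERAL_PROTOS]
    lateral_peers = sorted({r["server"] for r in lateral})
    lateral_protos = sorted({r["proto"] for r in lateral})
    external_peers = sorted({r["server"] for r in relevant if not is_internal(r["server"])})
    score, evidence = 0, []
    if len(lateral_peers) >= 3:          # fan-out to several hosts over admin protocols
        score += 2
        evidence.append(f"{len(lateral_peers)} distinct hosts contacted over {lateral_protos}")
    if external_peers:                   # talking to something outside the internal ranges
        score += 1
        evidence.append(f"sessions to non-internal addresses: {external_peers}")
    confidence = "high" if score >= 3 else "medium" if score >= 1 else "low"
    return {**alert, "fan_out": len(lateral_peers), "lateral_peers": lateral_peers,
            "external_peers": external_peers, "confidence": confidence, "evidence": evidence}


if __name__ == "__main__":
    for a in (ALERT_SUSPECT, ALERT_BENIGN):
        print(correlate(a, NET_RECORDS))
```

The same login-failure alert lands very differently depending on what the host did next: the one followed by SMB fan-out and an external session comes back high, the one followed by ordinary DNS and HTTPS comes back low, and that difference is what lets a SOAR escalate one and queue the other.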

Ultimately, the improved correlations and context that RevealX network telemetry provides let SOAR platforms guide SOC teams with higher-quality alerts, triaged in a more relevant order. Armed with authoritative wire data, more robust incident response playbooks, and AI-enhanced guidance, SOC teams can overcome alert fatigue, focus on the most critical threats, and secure their organizations more effectively.
