DAILY LIFE AND REALITIES OF SECURITY OPERATIONS CENTER (SOC). XDR or SOAR?

Our SOC will soon turn 2 years old and, since we have accumulated considerable experience and passed the difficult path of building an SOC almost from scratch, we decided to start publishing a series of articles in which we will share our experience and tell you how we built our SOC and how it currently works.
In these articles, we will talk about technologies, interesting cases of detecting and repelling cyberattacks, the details of individual investigations, the nuances of building the architecture of the technology stack of SOC solutions, and much more. Hope, that our publications will be useful and interesting both for our customers and our business colleagues.

So, let’s begin. Anyone familiar with the topic of SOC knows a simple formula:

SOC = PEOPLE + PROCEDURES + TECHNOLOGIES.

Starting to build an SOC, we understood that there are a lot of technological solutions that use modern SOCs and, that for us an important parameter for a successful SOC organization will be the formation of a balanced and effective stack of these solutions. With the existing temptation to use the largest possible number of different systems, we were faced with the task of reducing this diversity to a set of solutions necessary and sufficient for successful operation.

The question of whether Security Information and Event Management system (SIEM), End-Point Detection and Response system (EDR), Vulnerability Management Platform (VMP), Network Traffic Analyzer (NTA), Incident Response Platform (IRP), Threat Intelligence Platform (TIP) should be part of the solution stack was not raised at all. Of course, they are. Only we have slightly revised the priority of their use. We will talk about this in future articles. But we had to think about using SOAR/XDR. What to choose – SOAR or XDR? Or should we use them together? First, let’s talk a little about what these systems are.

SOAR is the next step in the evolution of SIEM systems. SOAR provides orchestration and automation of processes for managing heterogeneous IT-security and IT- systems from different vendors and responding to cybersecurity incidents through pre-prepared response plans (playbooks). By the way, in order to have a relevant number of playbooks, SOAR requires a lot of involvement of IT-security experts in the work of creating playbooks or modifying them.

XDR is the next step in the development of EDR systems. XDR combines several security products from a single vendor into a single platform for detecting and responding to security incidents (at the level of endpoints, at the level of network, mail traffic, clouds, etc.), provides maximum automation of tasks for collecting data, identifying, prioritizing, investigating and neutralize complex threats from a single tool. In addition, modern XDR systems are able to integrate with security products from different vendors (not only from the vendor of the XDR itself).

After studying several SOAR/XDR systems, we came up with the following comparison results:

  • XDR has built-in detection technologies, while SOAR does not.
  • XDR provides «raw» data correlation, SOAR does not.
  • IOC scanning in SOAR is only possible using SIEM. XDR has no such restrictions.
  • Proactive threat hunting in SOAR (Threat Hunting) is only possible using SIEM. XDR has no such restrictions.
  • XDR does not require additional configuration from the user, but SOAR does.
  • SOAR cannot include XDR functionality.
  • XDR can include SOAR functionality (interaction with third-party systems, work with playbooks).

What conclusion can be drawn from this? SOAR technology will never be able to incorporate XDR functionality unless by merging with XDR from the same vendor or acquiring XDR from another vendor. Plus, the level of native automation of XDR is much higher than SOAR, which allows SOC analysts to focus on analyzing cyber incidents and cyberattacks, rather than constantly modifying or creating playbooks.

XDR automatically correlates security events, prioritizes, and validates alerts, allowing the analytics team to work effectively on the most relevant threats. XDR also offers built-in security investigation workflows and automated scripts to help streamline investigations and speed up responses. XDR is a simpler and more intuitive solution to reduce the burden of manual work and save analysts valuable time so they can work and focus on something more important.

As a result, we chose XDR as one of the main tools for our SOC.