Vulnerability Management, SIEMs, and SOARs …oh my!
If you’ve been in the general security space for any length of time, you’re likely familiar with the terms SIEM and SOAR and the problems they can alleviate. Here’s a quick refresher from our friends at Gartner:
- SIEM: Security Information & Event Management. Tools that support threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources. (Gartner)
- SOAR: Security Orchestration, Automation, & Response. Refers to technologies that enable organizations to collect inputs monitored by the security operations team. SOAR tools allow an organization to define incident analysis and response procedures in a digital workflow format. (Gartner)
At Nucleus, we’re routinely asked how our vulnerability management automation platform is different from <insert competing vendor/platform/technology here>. In most cases, the differentiators are clear and easy to explain – but in a few fringe cases, it requires a more nuanced discussion and a deeper knowledge of the vulnerability management space. How Nucleus compares to SIEM and SOAR solutions is one of those cases. So, let’s highlight the not-so-obvious differences between risk-based vulnerability management platforms like Nucleus, and the leading SIEM/SOAR solutions that offer vulnerability management capabilities.
We won’t name names here, but you know who you are 😉
SIEMs and SOARs in Vulnerability Management
VM using SIEMs/SOARs: Square Peg, Round Hole
Most enterprises already have a SIEM (and often a SOAR) in place, naturally assuming the SIEM is a potential solution for meeting their enterprise vulnerability management objectives. Afterall, SIEMs are platforms designed specifically to aggregate data from many sources, while SOARs provide a platform for orchestrating and automating workflows. On the surface, that makes a lot of sense and kinda sounds like Nucleus… but the devil is in the details – and there are a lot of details.
We’ve worked with many organizations who have gone down this path and invested heavily in a SIEM/SOAR based vulnerability management solution only to discover the myriad limitations, challenges, and pitfalls as the program matured and dependencies grew. In many cases, Nucleus was implemented as the replacement for such a solution. Along the way we’ve captured the most common reasons why SIEMs/SOARs rarely meet the vulnerability management objectives of large enterprises. Here’s a few popular ones:
- Limited vulnerability scanner support: A handful of SIEMs and SOARs come with built-in support/integrations for some of the most common scanning tools – but most large enterprises have 15+ vulnerability scanning tools in use across their enterprise. Support for application security (AppSec) tools are virtually non-existent (go ahead, check if your favorite SIEM/SOAR supports your favorite SAST, DAST, RASP and IAST tools. I’ll wait here). If you want a true enterprise vulnerability management solution, you will need to build and maintain data models and parsers for several sources of vulnerability data that aren’t supported in today’s SIEMs/SOARs. Welcome to the time-suck.
- Lack of risk-based prioritization: If you manage to aggregate all vulnerability data from the enterprise into your SIEM, you now have a massive list of vulnerabilities to prioritize. Prioritizing by vendor-provided severity information and CVSS scores do not scale when you have tens or hundreds of millions of vulnerabilities (which is not uncommon in large enterprises). Network exposure, asset/business criticality, vulnerability intelligence, and other sources of vulnerability context must be factored in to identify the short list of vulnerabilities that represent the highest risk to your organization. Advanced prioritization schemes that factor in these external sources of vulnerability context do not exist in SIEMs and SOARs today.
- Insufficient Role-based Views: One of the keys to a successful enterprise vulnerability management platform is the ability to provide a broad spectrum of IT and security personnel with insights into the vulnerability information that they care about. Whether it’s the CISO or an application developer, if the information doesn’t answer the questions that are important to that person’s role, the information isn’t actionable. A product team needs the vulnerability information for the applications their product is composed of, and that’s it. The regional IT admin needs vulnerability information pertaining to assets in his area of responsibility. SIEMs and SOARs do not provide the ability to easily define workspaces, asset groupings, or create the custom role-based views and reports needed to support the wide range of roles and stakeholders in the vulnerability management program.
- Ever-increasing Development Costs: It’s easy to underestimate the scope and magnitude of the development effort involved to turn your SIEM/SOAR into a vulnerability management platform that will meet your objectives and be useful. In addition to support for new/unsupported scanners, custom dashboards, reports, query functionality, prioritization algorithms, playbooks and more will all require software development efforts. Plan on product management, software engineers, data scientists, QA, and all of the other overhead associated with building and maintaining a custom enterprise vulnerability management platform.
- Exorbitant SIEM License Costs: Vulnerability management tools produce a mountain of data, and SIEMS are notoriously expensive. Many large organizations we work with are scanning 10’s or 100’s of thousands of devices each week, with multiple tools, and have CI/CD pipelines instrumented with multiple application scanning tools that run continuously as developers check in code. It isn’t uncommon for a large enterprise to generate terabytes of vulnerability scan output per year, making SIEMs cost-prohibitive for vulnerability management.
SIEMs and SOARS are generic event processing platforms that have been fitted to offer some basic vulnerability management functionality. Nucleus has been under development for over 5 years specifically to deliver the functionality needed to automate vulnerability management programs for large enterprises, providing the tools and context to do the job efficiently. There are literally hundreds of features that Nucleus provides out of the box that would require custom development using a SIEM/SOAR based solution.
For smaller enterprises, with a small number of vulnerability data sources, limited use cases, and a less mature vulnerability management plan, a SIEM/SOAR based vulnerability management solution might make sense (at least temporarily), especially if the organization has already invested in and implemented said SIEM/SOAR. However, larger enterprises will find that a purpose-built risk based vulnerability management platform is the most cost efficient, expedient, and low-risk path to deliver the functionality they need to meet the organization’s vulnerability management objectives and continue to mature the vulnerability management program over time.