(SOAR is) taking SIEM further by combining data collection, threat and vulnerability management, incident response and case management, workflow, and analytics
Agreed. Will SIEM have to adapt? Is it as easy to shoehorn SOAR into SIEM as it is SIEM into SOAR?
FireEye polled C-level security executives at large enterprises worldwide and found that 36% of respondents receive more than 10,000 alerts each month from their SIEM. Of those alerts, 52% were false positives and 64% were redundant.
I’d not come across the 64% statistic before, though I believe it completely. Too many tools raise the same alert over and over. The ability to check incoming alerts for duplicates is something I’ve written about before.
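To make the duplicate check concrete, here is an added example (not code from the original post or from FireEye) of the kind of suppression step that belongs in front of a case queue. The alert records are constructed sample data, and the field names rule, src, dst and ts, the one-hour window, and the fingerprint choice are all assumptions for the illustration.

```python
"""Added example: suppressing redundant alerts before they reach an analyst.

Not code from the original post. The alert records below are constructed
sample data, and the field names (rule, src, dst, ts) are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample alerts: the same rule fires repeatedly for the same pair
# of hosts, which is what a SIEM tends to do without correlation in front of it.
SAMPLE_ALERTS = [
    {"rule": "Brute force login", "src": "10.0.0.5", "dst": "10.0.1.20", "ts": "2023-03-01T09:00:00"},
    {"rule": "Brute force login", "src": "10.0.0.5", "dst": "10.0.1.20", "ts": "2023-03-01T09:03:00"},
    {"rule": "Brute force login", "src": "10.0.0.5", "dst": "10.0.1.20", "ts": "2023-03-01T09:07:00"},
    {"rule": "Brute force login", "src": "10.0.0.9", "dst": "10.0.1.20", "ts": "2023-03-01T09:08:00"},
    {"rule": "Malware beacon",    "src": "10.0.0.5", "dst": "203.0.113.7", "ts": "2023-03-01T09:10:00"},
    # Same pair again, but outside the suppression window: should open a new case.
    {"rule": "Brute force login", "src": "10.0.0.5", "dst": "10.0.1.20", "ts": "2023-03-01T11:00:00"},
]


def fingerprint(alert):
    """Key on what an analyst would treat as 'the same thing', not on the raw event.
    Timestamps and event IDs are deliberately left out of the key."""
    return (alert["rule"], alert["src"], alert["dst"])


def dedupe(alerts, window=timedelta(hours=1)):
    """Return (unique, suppressed).

    An alert is a duplicate if a case with the same fingerprint was opened
    within `window`; duplicates bump a counter on that case instead of creating
    a new one. Assumes `alerts` is in time order, as a SIEM feed normally is.
    """
    open_cases = {}          # fingerprint -> the case record (mutated in place)
    unique, suppressed = [], []
    for a in alerts:
        ts = datetime.fromisoformat(a["ts"])
        fp = fingerprint(a)
        case = open_cases.get(fp)
        if case is not None and ts - case["first_seen"] <= window:
            case["count"] += 1
            case["last_seen"] = ts
            suppressed.append(a)
            continue
        # New case, or the old one aged out: open a fresh record.
        case = dict(a, first_seen=ts, last_seen=ts, count=1)
        open_cases[fp] = case
        unique.append(case)
    return unique, suppressed


def redundancy_ratio(alerts, window=timedelta(hours=1)):
    """Fraction of the incoming stream that was pure repetition."""
    _, suppressed = dedupe(alerts, window)
    return len(suppressed) / len(alerts) if alerts else 0.0


if __name__ == "__main__":
    cases, dropped = dedupe(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} alerts in, {len(cases)} cases out, {len(dropped)} suppressed")
    for c in cases:
        print(f"  {c['rule']:18} {c['src']} -> {c['dst']}  x{c['count']}")
```

The window is measured from when the case was opened rather than from the last repeat, so a source that never stops triggering still resurfaces once an hour instead of being hidden forever behind a single ever-growing case; sliding the window on last_seen is quieter but can bury a long-running attack. The fingerprint is the part that needs tuning per rule: too coarse and genuinely different incidents collapse together, too fine and nothing is ever suppressed.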
SIEM required daily, round-the-clock tuning by a seasoned staff
So nice to see someone else say this. Almost every time I hear “our SIEM dashboard is amazing and gives us everything”, I dig deeper and finally they admit “well, yes, we have a full-time consultant dedicated to it”. I’m not knocking SIEM, but that is a reality.