Security information and event management (SIEM) systems remain a key component of security operations centers (SOCs). Security orchestration, automation, and response (SOAR) frameworks, meanwhile, have emerged to fill the gap in these capabilities left by many SIEM systems.

But as many companies have begun reaching the limits of SIEM and SOAR systems over the last few years, they have started turning to other solutions such as extended detection and response (XDR). But does this shift spell the end of SIEM and SOAR? Or is the future one of component-based cooperation?

Here’s what SOAR and SIEM look like in 2023 and what’s on the horizon for enterprise security.

SIEM and SOAR: What’s changed since 2020?

In 2020, a Security Intelligence piece spoke to the increase in fast, flexible and customizable cloud-based SIEM solutions. The piece also highlighted the need for SOAR deployments to help companies automate key operations and respond to emerging threats.

Three years on, the market has evolved. While most SOCs still rely on SIEM tools, IT professionals are painfully aware of their limitations. Much like legacy technologies that may frustrate moves to the cloud, aging SIEM solutions can hamper effective incident response.

The reason is simple. While logging and event management are necessary to understand one’s current security posture, they’re not enough in isolation to address issues as they occur. Combining them with SOAR helps extend their usable life but doesn’t eliminate the main issue. At their core, these tools are reactive, not proactive, meaning their security benefits are finite.

Explore IBM Security QRadar: Request a demo

Current trends in SIEM and SOAR

Despite their limitations, SIEM and SOAR are both seeing significant market growth. It makes sense: While companies recognize the need for new approaches to evolving security threats, SIEM and SOAR solutions have become fundamental aspects of cybersecurity frameworks. In 2022, the SIEM market was worth $5.2 billion and is now on track to reach $8.5 billion in the next five years. SOAR, meanwhile, saw a market value of $1.32 billion last year with a predicted compound annual growth rate of 16.4%.

While the scale of SIEM and SOAR adoption contributes to this increasing valuation, market trends also play a role. Key trends in 2023 include:

Shifting Attack Patterns

Attackers are changing their approach. Informed by the move to remote and hybrid work, malicious actors have shifted both forward and back: Forward, in that they’ve found new ways to exploit third-party and zero-day vulnerabilities. Back, in that they’ve ramped up phishing attack efforts on remote workers because these attacks still work.

In response, SIEM and SOAR tools are both getting back to basics to help companies detect potential phishing efforts, and integrating new threat data to help pinpoint possible points of compromise.

Process Automation

Automation now plays a key role in effective defense. According to a recent IBM survey, 87% of SOC team members say that automation would save some or a lot of time during threat response. But just 55% of teams use automation for threat hunting, and only 53% use automation to improve logic and alerts.

As a result, 2023 comes with an ongoing effort to move SIEM and SOAR solutions into the cloud where scalable resources can better support automation options.

Breathing new life into SIEM

Read a few articles on SIEM, and you’ll find a common theme: Security information and event management is “dead.”

Is it true? Not quite. Is it wrong? Not exactly. Here’s why: SIEM is great at what it does, which is collecting security data and informing IT teams. But what began as regular reports on the state of security have rapidly escalated into what’s known as “alert fatigue” — the sheer number of potential incidents and possible problems tied to desktop, mobile and personal devices has inundated teams with alerts. Despite best efforts, these alerts eventually begin to blend together, and they start to lose meaning. Add in a few false positives, and it’s often easier for teams to ignore repeated warnings.

Consider recent survey data, which found that SOC team members are only getting to half of the alerts they’re supposed to review every day. Even worse? Team members spend one-third of their workday validating incidents that aren’t a real threat. It’s no surprise, then, that alert fatigue is setting in.

The result is a landscape where both SIEM and SOAR are now starting to benefit from artificial intelligence. In both cases, the adoption of AI tools can narrow alert windows and automate security responses so IT staff aren’t inundated with alerts. Instead of getting hundreds of easily addressed alerts each day, teams only get alerts that require responses ASAP. All other issues can be handled by self-service portals for staff encountering login or credential issues or session termination by AI if suspicious behavior is detected.

What’s next for security solutions?

While most companies have no plans to abandon SIEM or SOAR — after all, why fix what’s (mostly) not broken — they recognize the need for solutions that help fill in the gaps.

This is the role of extended detection and response (XDR). A combination of network and endpoint detection and response (NDR and EDR) tools, XDR makes it possible for companies to both identify threats and respond to them in real-time. This is critical in a world driven by hybrid and remote work. The sheer number of endpoints across increasingly complex network environments makes visibility a top priority for organizations but makes achieving this visibility a challenge. XDR targets the behavior of applications and services across complex networks to help companies pinpoint where potential problems exist and take action to remediate these threats.

Now considered the most effective tool for threat hunting, XDR solutions are an expected investment for two-thirds of companies over the next six to 12 months. Much like SOAR and SIEM, however, even XDR tools aren’t a magic bullet for security. Instead, they form part of a connected, holistic approach to cybersecurity that provides the proactive processes currently missing from most enterprise SOCs.

Put simply? In 2023, SOAR and SIEM are part of a larger threat management landscape where companies will shift to proactive models by layering real-time detection and response solutions onto existing security frameworks.

Enhance your security posture with a modern-day SIEM solution that makes threat detection smarter so analysts can remediate faster – all while maintaining your business’s bottom line. Get a hands-on demo of the award-winning IBM Security QRadar SIEM here.

More from Incident Response

Alert fatigue: A 911 cyber call center that never sleeps

4 min read - Imagine running a 911 call center where the switchboard is constantly lit up with incoming calls. The initial question, “What’s your emergency, please?” aims to funnel the event to the right responder for triage and assessment. Over the course of your shift, requests could range from soft-spoken “I’m having a heart attack” pleas to “Where’s my pizza?” freak-outs eating up important resources. Now add into the mix a volume of calls that burnout kicks in and important threats are missed.…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Unmasking hypnotized AI: The hidden risks of large language models

11 min read - The emergence of Large Language Models (LLMs) is redefining how cybersecurity teams and cybercriminals operate. As security teams leverage the capabilities of generative AI to bring more simplicity and speed into their operations, it's important we recognize that cybercriminals are seeking the same benefits. LLMs are a new type of attack surface poised to make certain types of attacks easier, more cost-effective, and even more persistent. In a bid to explore security risks posed by these innovations, we attempted to…

Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub

3 min read - Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek to evade detection innovations. But we also know that tried and true tactics — from phishing and exploiting known vulnerabilities to using compromised credentials and…