InfoSec Opinion Column #3 (June 2, 2025)

Consider it the Axios of what matters in cybersecurity. Or the Hacker News comments section, depending on the day. All hand-curated, no AI involved. This week: CISA Guidance for SIEM and SOAR Implementation.

What: CISA Guidance for SIEM and SOAR Implementation

Why it matters: CISA guides like this one are often influential for Federal and SMB buyers.

tl;dr:

  • This guide is broken down into two parts, one for executives considering SIEM/SOAR solutions, and one for practitioners implementing them. Both guides lay out various considerations, recommendations, and pitfalls to avoid.
  • "Achieving uplift in visibility, detection, and response through SIEM and/or SOAR platforms requires especially skilled and dedicated human resources. [...] Any organisation that intends to procure a SIEM and/or SOAR platform and needs to develop an in-house capability should plan to dedicate significant resources to training staff in implementing the platform."
  • "[A] key technical challenge is ensuring that the SOAR only takes appropriate action in response to actual cybersecurity incidents, and does not take action against regular network activity or that impedes human incident responders. If accurate actioning is not achieved, the SOAR may significantly disrupt service delivery."
  • "SOAR platforms are usually not suitable for immature environments – that is, environments that lack an existing SIEM, have only a newly established SIEM capability, or lack an experienced security team. In general, investing in the proper implementation of a SIEM platform and achieving effective log analysis is a higher priority than implementing a SOAR."
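The "accurate actioning" problem in the quote above is the one that bites most SOAR rollouts: a playbook that isolates hosts on every high-severity alert will eventually isolate a domain controller or the responder's own jumpbox. Below is an added example (mine, not code from the CISA guide or from any SOAR product) of the kind of decision gate a practitioner puts between a SIEM alert and a containment action. Hostnames, action names, thresholds and the alerts fed into it are all assumptions constructed for illustration.

```python
"""Decision gate between a SIEM alert and a SOAR containment action.

Added example; not from the CISA guide. The gate only lets the playbook act
on its own when the alert is credible and corroborated, never against
protected hosts, never for high-impact actions, and never more than a small
number of times per window (a false-positive storm must not become an
outage). Everything else is queued for a human, so the SOAR assists the
responders instead of racing them.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Tuple
import time

# Assumed names: hosts the playbook must never touch automatically.
PROTECTED_HOSTS = {"dc01.corp.example", "ir-jumpbox.corp.example"}
# Assumed names: actions disruptive enough to always need an analyst.
HIGH_IMPACT_ACTIONS = {"disable_account", "block_subnet"}


@dataclass
class Alert:
    rule: str
    host: str
    confidence: float        # 0.0 .. 1.0, from detection plus enrichment
    proposed_action: str     # e.g. "isolate_host"
    corroborations: int = 0  # independent signals that agree with the alert


@dataclass
class ResponseGate:
    min_confidence: float = 0.9
    min_corroborations: int = 2
    max_actions_per_window: int = 3
    window_seconds: int = 600
    dry_run: bool = False    # log what would happen; take no action
    _recent: Deque[float] = field(default_factory=deque, init=False, repr=False)

    def _within_budget(self, now: float) -> bool:
        """Drop timestamps older than the window; check the remaining count."""
        while self._recent and now - self._recent[0] > self.window_seconds:
            self._recent.popleft()
        return len(self._recent) < self.max_actions_per_window

    def decide(self, alert: Alert, now: Optional[float] = None) -> Tuple[str, str]:
        """Return (decision, reason); decision is 'auto', 'approve' or 'log_only'.

        'approve' means the alert is handed to an analyst queue untouched;
        nothing is dropped, so low-confidence hits are still seen by a human.
        """
        now = time.time() if now is None else now
        if alert.host in PROTECTED_HOSTS:
            return "approve", "protected host; never auto-contained"
        if alert.proposed_action in HIGH_IMPACT_ACTIONS:
            return "approve", "high-impact action requires analyst approval"
        if alert.confidence < self.min_confidence:
            return "approve", f"confidence {alert.confidence:.2f} below threshold"
        if alert.corroborations < self.min_corroborations:
            return "approve", "insufficient corroborating signals"
        if not self._within_budget(now):
            return "approve", "action budget exhausted; possible false-positive storm"
        if self.dry_run:
            return "log_only", "dry run: would have acted"
        self._recent.append(now)
        return "auto", "all guards passed"


def run_sample() -> List[str]:
    """Feed a constructed batch of alerts (same window) through one gate."""
    gate = ResponseGate()
    alerts = [
        Alert("c2_beacon", "ws-042.corp.example", 0.97, "isolate_host", 3),
        Alert("c2_beacon", "dc01.corp.example", 0.99, "isolate_host", 3),
        Alert("cred_stuffing", "ws-017.corp.example", 0.99, "disable_account", 3),
        Alert("rare_parent_proc", "ws-101.corp.example", 0.60, "isolate_host", 3),
        Alert("c2_beacon", "ws-201.corp.example", 0.95, "isolate_host", 2),
        Alert("c2_beacon", "ws-202.corp.example", 0.95, "isolate_host", 2),
        Alert("c2_beacon", "ws-203.corp.example", 0.95, "isolate_host", 2),
    ]
    return [gate.decide(a, now=1000.0)[0] for a in alerts]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The two knobs most worth tuning in a real deployment are `max_actions_per_window` and `dry_run`: run the gate in dry-run mode against live alerts for a few weeks and count how many "would have acted" entries were against legitimate activity before letting it isolate anything.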

Matt's view: This guide provides some really good advice... if the year was still 2018. To be fair to CISA, this guide is meant to help Federal agencies and also SMBs (CISA tries to provide guidance to companies that can't really afford good cybersecurity practices) so I get that they're really speaking to an audience with minimal experience in these fields. That said, it's disappointing to see them perpetuate the philosophical approach that caused first-gen SIEM and SOAR to be so frustrating and failure-prone in the first place.
