Published on 04/06/2025 | Written by Heather Wright

‘Proper’ SIEM and SOAR implementation urged…
Australian and New Zealand security agencies have joined forces with allies in an enterprise cybersecurity push, urging organisations to adopt security platforms they say can help organisations stay ‘one step ahead’.
The Australian Cyber Security Centre (ACSC) and New Zealand’s National Cyber Security Centre (NCSC) are among a number of agencies globally, including the United States’ Cybersecurity and Infrastructure Security Agency (CISA), to publish guidelines for Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) platforms.
“Neither platform is a ‘set and forget’ tool.”
The joint advisory includes executive guidance on SIEM and SOAR platform adoption, practitioner guidance on SIEM and SOAR implementation, and guidance on priority logging for SIEM ingestion, and urges organisations to prioritise implementation of the platforms.
SIEM platforms collect, centralise and analyse data from firewalls, endpoints, applications and other sources and, when well-configured, apply a predefined baseline of business-as-usual network activity, rules and filters to analyse and correlate log data, detecting unusual activity.
SOAR platforms automate the responses to any unusual activity, applying predefined ‘playbooks’ which combine incident response and business continuity plans to dictate some of the actions and streamline responses.
“Implementing SIEM and/or SOAR platforms can greatly benefit your organisation by collecting, centralising and analysing important data that would otherwise be extremely complex and scattered,” the ACSC says.
The platforms also help detect cyber security events and incidents, prompt timely intervention through alerting, and ensure incident responders have access to the data that records what happened.
Use of the platforms is becoming increasingly important as organisations store and manage more data – and more sensitive data. Increasing infrastructure complexity is also creating blind spots and making it more difficult to detect threats, and endpoints and application numbers are proliferating.
The Australian Signals Directorate (ASD) says it received more than 36,700 calls to its Australian cybersecurity hotline in FY24, up 12 percent on the previous financial year, and responded to more than 1,100 cybersecurity incidents, highlighting the continued exploitation of Australian systems.
SIEM and SOAR assist with implementing the ASD’s Essential Eight Maturity Model and CISA’s Cybersecurity Performance Goals, which both require log data to be collected and centralised.
However, as the guidance notes, neither tool is a ‘set and forget’ offering, and implementation is an ‘intensive, ongoing process that requires highly skilled human personnel’ – and ‘significant’ and ongoing funds.
“These platforms can only enhance visibility, detection and response capabilities if they are properly implemented and continually maintained by skilled personnel.”
Key technical challenges include ensuring the SIEM produces alerts when cybersecurity events are happening and no alerts when no events/incidents are occurring.
That requires identifying the right types and quantities of log data for the SIEM to ingest, as well as the right rules and filters to apply to the data.
“This includes developing a threat model that defines events of interest that can trigger alerts related to the threat model in order to promote accurate alerting.”
False alerts can quickly overwhelm security teams.
For SOAR, a key challenge is ensuring the platform only takes appropriate action in response to actual cybersecurity events or incidents, not regular network activity, and that it doesn’t impede human incident response, ACSC says.
The Australian Signals Directorate warns that for cybersecurity teams, SIEM and/or SOAR need to be continually tuned and monitored.
“Cyber security practitioners must carefully configure the SIEM and/or SOAR specifically for your organisation’s network. They must then continually adjust it and test its effectiveness, as the network, technology, and cyber threat landscape keep changing.”
Organisations need to plan for both upfront and continuous investment in not just the technology but also the people, the guidance warns. However, it says the potential cost of a cyber security incident ‘far outweighs’ the costs involved with properly implementing a SIEM and/or SOAR platform.
The guidance for security practitioners outlines the role of SIEM and SOAR platforms, as well as the challenges of implementation and provides best practice principles for implementing the platforms, from procurement (where companies are urged to look for the hidden costs of different products) through establishment and on to maintenance.
There are plenty of references throughout the documents to ‘proper’ implementation of the platforms.
For security teams, the guidelines advocate establishing a reference level for business-as-usual network traffic.
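To make the baseline, rule-and-filter and playbook steps described above concrete, here is an added Python sketch (not code from the advisory or any of the agencies) that learns a business-as-usual reference level from a window of constructed failed-logon logs, alerts only on sources that exceed it, and lets a SOAR-style playbook contain a source only with a responder’s approval. The log format, the mean-plus-three-standard-deviations threshold and the sample addresses are all assumptions made for the example.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample auth logs (not from the advisory). The first window is the
# business-as-usual reference period; the second is live traffic to be analysed.
BAU_LOGS = [
    "2025-06-04T09:00:05 user=alice src=10.0.0.1 result=FAIL",
    "2025-06-04T09:01:10 user=bob src=10.0.0.2 result=FAIL",
    "2025-06-04T09:01:12 user=bob src=10.0.0.2 result=FAIL",
    "2025-06-04T09:02:00 user=carol src=10.0.0.3 result=FAIL",
    "2025-06-04T09:03:00 user=dave src=10.0.0.4 result=FAIL",
    "2025-06-04T09:03:02 user=dave src=10.0.0.4 result=FAIL",
    "2025-06-04T09:03:05 user=dave src=10.0.0.4 result=OK",
]
LIVE_LOGS = [
    "2025-06-04T10:00:01 user=bob src=10.0.0.2 result=FAIL",   # ordinary typo-level noise
    "2025-06-04T10:00:03 user=bob src=10.0.0.2 result=FAIL",
    "2025-06-04T10:00:04 user=bob src=10.0.0.2 result=OK",
] + [f"2025-06-04T10:05:{i:02d} user=admin src=10.0.0.5 result=FAIL" for i in range(7)]

# Assumed log layout: "<timestamp> user=<name> src=<address> result=<OK|FAIL>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

def failures_per_src(lines):
    """Filter step: keep only parseable failed logons, counted per source address."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("result") == "FAIL":
            counts[m.group("src")] += 1
    return counts

def bau_reference_level(bau_lines):
    """Baseline step: reference level = mean + 3 std devs of per-source failures in BAU."""
    vals = list(failures_per_src(bau_lines).values()) or [0]
    return mean(vals) + 3 * pstdev(vals)

def detect(live_lines, reference_level):
    """Rule step: alert only on sources whose failure count exceeds the BAU reference level."""
    return {s: n for s, n in failures_per_src(live_lines).items() if n > reference_level}

def playbook(alerts, human_approved):
    """SOAR-style playbook: contain only with a responder's approval, otherwise escalate."""
    return {s: ("contain" if s in human_approved else "escalate") for s in alerts}

if __name__ == "__main__":
    level = bau_reference_level(BAU_LOGS)   # 3.0 for the constructed BAU window
    alerts = detect(LIVE_LOGS, level)       # {'10.0.0.5': 7}; 10.0.0.2 stays below the level
    print(level, alerts, playbook(alerts, human_approved=set()))
```

Tuning in practice means revisiting the reference level and the filter as the network changes, which is the ongoing work the guidance says the platforms demand.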
A third guidance document contains detailed logging guidance for specific categories of log sources, such as endpoint detection and response tools, Windows/Linux operating systems, network devices and cloud deployments.
Datacom’s State of Cybersecurity Index 2025 showed Australian security leaders, at least, believe they’re well up with the play when it comes to SIEM. Seventy-four percent of those surveyed said SIEM was the number one area for maturity.