The U.S. Cybersecurity and Infrastructure Security Agency (CISA), working in coordination with the Australian Signals Directorate’s Australian Cyber Security Centre and a coalition of international and U.S. cybersecurity partners, published a new set of resources aimed at guiding organizations through the process of procuring and implementing Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) technologies.

The release includes executive-level recommendations that explore how senior leaders can strategically integrate SIEM and SOAR capabilities into their broader cybersecurity posture. The guidance stresses the value of increasing visibility across network environments and outlines how enhanced detection and response mechanisms can reduce the window of opportunity for adversaries to inflict damage.

A second resource addresses the operational needs of cybersecurity practitioners, offering concrete direction on how to detect threats in near real-time and respond through automated playbooks. By detailing practical workflows and automation strategies, the guidance positions SIEM and SOAR as tools to reduce manual workload while improving the speed and consistency of incident response.

The third document zeroes in on how to prioritize log ingestion into SIEM platforms. It provides a methodical approach for determining which logs deliver the most actionable intelligence, helping organizations allocate storage and analytical capacity toward data sources most critical to detecting suspicious or malicious activity. Together, these resources offer a layered and pragmatic blueprint for organizations at various stages of cyber maturity seeking to strengthen their threat monitoring and response infrastructure.

Implementing SIEM and SOAR platforms presents a range of ongoing and complex challenges that require highly skilled personnel and sustained effort. These systems are not tools that can be deployed and left unattended. Instead, they demand constant tuning, oversight, and adaptation to remain effective in a rapidly evolving threat environment.

One of the primary technical challenges lies in configuring the SIEM to generate alerts only when genuine cybersecurity events occur. This depends on selecting the right mix of log data, applying precise rules and filters, and developing a well-defined threat model. Without accurate tuning, a SIEM may either drown analysts in false positives or fail to flag critical threats, leading to missed incidents and overwhelmed response teams.

The second challenge concerns the SOAR platform’s ability to act appropriately in response to detected threats. If the system takes action based on incorrect or unclear signals, it can disrupt normal network operations or interfere with human responders. This not only compromises the effectiveness of the incident response process but can also cause significant operational disruptions.

To meet these challenges, cybersecurity teams must tailor each platform to the specific characteristics of their network and organization. They must also continuously test and reconfigure these systems as both the technology environment and the threat landscape shift. This is not a one-time task but a cycle of ongoing maintenance, refinement, and training.

The financial demands of implementation are considerable. Organizations face significant upfront and recurring costs that include licensing, data use, the recruitment and retention of personnel with scarce technical expertise, and ongoing training for staff to keep pace with changes. For those that outsource this work, service costs add another layer of expenditure.

Despite these hurdles, the alternative is far more damaging. A failure to detect or properly respond to a cyber incident can result in operational outages, data breaches, destroyed assets, and severe reputational harm. For most organizations, the investment in doing SIEM and SOAR right is not optional, but essential.

Organizations weighing SIEM and SOAR implementation must recognize that these platforms are powerful but resource-intensive. They are not the only tools for log collection and threat detection, so it is important to evaluate whether they are the right fit for the organization’s needs and capabilities.

For organizations handling sensitive data or delivering critical services, in-house deployment may offer better control and deeper network insight. However, it requires skilled personnel, long-term staffing, and ongoing training, all of which come at a high cost. Outsourcing is an option, but it introduces risks tied to visibility, service quality, and provider accountability. Contracts must clearly define responsibilities, compliance, and performance standards.

Cost management is essential. SIEM pricing often scales with data volume, so careless log ingestion can drive up expenses. Executives should explore options to limit unnecessary data collection and consult vendor documentation for more efficient alternatives. Strong training programs are crucial. The platforms demand continuous tuning as networks and threats evolve. Proper implementation of SIEM should come before SOAR, since automation is only as effective as the alerts driving it.

Regular testing is necessary to ensure the system is functioning properly. As the platform matures, third-party assessments can provide additional confidence. Choosing the right vendor means aligning capabilities with the organization’s structure, risks, and regulatory needs.

The practitioner’s guide notes that SIEM and SOAR platforms require constant tuning, skilled personnel, and a deep understanding of the organization’s environment. A SIEM must be fed the right log data and configured to detect real threats without overwhelming teams with false alerts. If poorly set up, it can miss incidents or flood teams with noise, undermining its purpose. SOAR platforms depend on reliable SIEM inputs: if alerts are inaccurate, automated responses can disrupt normal operations. This makes SOAR unsuitable for immature environments that lack a well-functioning SIEM or an experienced security team.

Log data must be normalized across different formats and sources. Incomplete log coverage leads to blind spots, while overloading the SIEM with irrelevant logs wastes resources and impairs detection. Organizations must select logs based on risk and security value, not just volume.

Implementing and maintaining these platforms involves high ongoing costs, including licensing, staffing, training, and possible outsourcing. In-house teams typically offer better network insight and control but require full-time support and expertise. Outsourcing may ease the load, but it can reduce visibility and complicate response coordination. To gain real value from SIEM and SOAR, organizations need clear priorities, sustained investment, and the maturity to manage the complexity these tools bring.

The practitioner guidance sets out 11 best-practice principles to follow throughout the procurement, establishment, and maintenance of a SIEM and/or SOAR platform. During procurement, it is essential to clearly define the scope of implementation, evaluate products that support data lake architectures, and prioritize those that can correlate data from multiple sources. Organizations should also identify any hidden costs associated with different products and ensure that adequate investment is made in training staff, not just in acquiring the technology.

In the establishment phase, organizations should baseline normal network activity, set a standard for consistent log collection, and integrate the SIEM into the broader enterprise architecture.

When it comes to ongoing maintenance, organizations should regularly evaluate the effectiveness of threat detection, reduce unnecessary log ingestion through preprocessing techniques, and continuously test the performance of both SIEM and SOAR platforms to ensure they remain effective as the environment and threat landscape evolve.
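The three practitioner themes above (tuning a SIEM so it alerts only on genuine events, normalizing logs from different sources and selecting them by security value, and preprocessing to cut unnecessary ingestion) can be shown end to end in a few dozen lines. The following is an added illustration, not code from the CISA guidance or from any SIEM product: it normalizes constructed syslog and JSON lines into one schema, drops low-value event categories before ingestion, and runs a failed-authentication rule first untuned and then tuned with a higher threshold and an allow-list for an authorized internal scanner. Every hostname, username, IP address and the scanner allow-list entry is constructed for the example.

```python
"""Normalize two log formats, drop low-value events, and run a tuned
authentication-failure rule. All sample data below is constructed."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines from a Linux bastion host.
SYSLOG_LINES = [
    "2024-05-01T10:00:01Z bastion sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "2024-05-01T10:00:02Z bastion sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "2024-05-01T10:00:03Z bastion sshd[1201]: Failed password for admin from 203.0.113.7 port 51024 ssh2",
    "2024-05-01T10:00:04Z bastion sshd[1201]: Failed password for admin from 203.0.113.7 port 51025 ssh2",
    "2024-05-01T10:00:05Z bastion sshd[1201]: Failed password for oracle from 203.0.113.7 port 51026 ssh2",
    "2024-05-01T10:00:06Z bastion sshd[1201]: Failed password for oracle from 203.0.113.7 port 51027 ssh2",
    "2024-05-01T10:00:09Z bastion sshd[1201]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2",
    "2024-05-01T10:00:10Z bastion systemd[1]: Started Session 44 of user deploy.",
    "2024-05-01T10:00:11Z bastion CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)",
]
# Constructed JSON lines from a VPN gateway that uses its own field names.
JSON_LINES = [
    '{"ts":"2024-05-01T10:00:02Z","host":"vpn-gw","event":"auth_failure","user":"alice","src":"192.0.2.44"}',
    '{"ts":"2024-05-01T10:00:03Z","host":"vpn-gw","event":"auth_failure","user":"svc-scan","src":"10.0.0.9"}',
    '{"ts":"2024-05-01T10:00:04Z","host":"vpn-gw","event":"auth_failure","user":"svc-scan","src":"10.0.0.9"}',
    '{"ts":"2024-05-01T10:00:05Z","host":"vpn-gw","event":"auth_failure","user":"svc-scan","src":"10.0.0.9"}',
    '{"ts":"2024-05-01T10:00:06Z","host":"vpn-gw","event":"auth_failure","user":"svc-scan","src":"10.0.0.9"}',
    '{"ts":"2024-05-01T10:00:07Z","host":"vpn-gw","event":"auth_success","user":"alice","src":"192.0.2.44"}',
    '{"ts":"2024-05-01T10:00:12Z","host":"vpn-gw","event":"heartbeat"}',
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\[: ]+)")

def normalize_syslog(line):
    """Map a syslog line onto the common schema; sshd auth lines get full detail."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": m["ts"], "host": m["host"], "src_ip": m["src"], "user": m["user"],
                "category": "auth", "outcome": "failure" if m["outcome"] == "Failed" else "success"}
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "host": m["host"], "src_ip": None, "user": None,
            "category": m["prog"].lower(), "outcome": None}

JSON_EVENT_MAP = {"auth_failure": ("auth", "failure"), "auth_success": ("auth", "success")}

def normalize_json(line):
    """Map a JSON record onto the same schema used for syslog."""
    rec = json.loads(line)
    category, outcome = JSON_EVENT_MAP.get(rec["event"], (rec["event"], None))
    return {"ts": rec["ts"], "host": rec["host"], "src_ip": rec.get("src"),
            "user": rec.get("user"), "category": category, "outcome": outcome}

# Preprocessing: categories with no detection value here are dropped before ingestion
# (saves volume-based licensing cost and analyst attention).
LOW_VALUE_CATEGORIES = {"heartbeat", "cron", "systemd"}

def ingest(syslog_lines, json_lines):
    events = [normalize_syslog(l) for l in syslog_lines] + [normalize_json(l) for l in json_lines]
    return [e for e in events if e and e["category"] not in LOW_VALUE_CATEGORIES]

def failed_auth_bursts(events, threshold, window_s, allowlist=frozenset()):
    """Return {src_ip: total failures} for sources with >= threshold failures in any window_s span."""
    by_src = defaultdict(list)
    for e in events:
        if e["category"] == "auth" and e["outcome"] == "failure" and e["src_ip"] not in allowlist:
            by_src[e["src_ip"]].append(datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    alerts = {}
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over sorted timestamps
            while times[hi] - times[lo] > timedelta(seconds=window_s):
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts[src] = len(times)
                break
    return alerts

if __name__ == "__main__":
    events = ingest(SYSLOG_LINES, JSON_LINES)
    print(len(events), "events kept of", len(SYSLOG_LINES) + len(JSON_LINES))
    # Untuned: low threshold and no knowledge of the authorized internal scanner.
    print("untuned:", failed_auth_bursts(events, threshold=3, window_s=60))
    # Tuned: higher threshold, constructed scanner address 10.0.0.9 allow-listed.
    print("tuned:  ", failed_auth_bursts(events, threshold=5, window_s=60, allowlist={"10.0.0.9"}))
```

The untuned rule fires on both the external password-guessing source and the internal scanner; the tuned rule keeps only the former. The single failed VPN logon from a legitimate user never reaches the threshold in either case, which is the behaviour the guidance asks for: alerts on genuine events, not on every failure.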

Earlier this month, CISA, the Federal Bureau of Investigation (FBI), the Environmental Protection Agency (EPA), and the Department of Energy (DOE) identified cyber incidents targeting operational technology (OT) and industrial control systems (ICS) within U.S. critical infrastructure. The agencies urge these entities to review their cybersecurity posture and act immediately to improve it against cyber threat activity that specifically and intentionally targets internet-connected OT and ICS.
