CISA and the Australian Signals Directorate (ASD) recently released updated guidance for implementing SIEM and SOAR solutions. The documents are thoughtful and grounded in technical reality. They lay out foundational principles that every security leader should understand.
They explain what these platforms are designed to do, why they are important, and why they require continuous oversight. For anyone planning or maintaining a SIEM or SOAR program, the guidance is worth reading.
That said, translating these recommendations into actual, sustainable operations is where most teams hit friction. Knowing what to do is one thing. Knowing how to do it within the limits of your architecture, your team, and your priorities is something else entirely.
We see that tension all the time. At NuHarbor, we work with organizations that are not lacking strategy or technology. What they need is practical execution that fits their environment. And that is the part most guidance does not cover.
To be clear, the guidance highlights many of the real challenges organizations face.
As security teams expand visibility across cloud, endpoint, and third-party systems, SIEM deployments often grow rapidly in scope. With that expansion comes more telemetry, more integration points, and often more data than teams are prepared to manage effectively.
According to CSO Online, the SIEM market grew by 20% in 2024, driven by increased demand for broader log ingestion and platform flexibility. That growth reflects real momentum in the market. But it also places greater responsibility on security leaders to ensure that their ingestion strategies align with both risk and security value.
We often see organizations collecting large volumes of data without clear plans for how to use it, analyze it, or control the associated costs. Growth is positive, but it needs to be matched with a log strategy that is purpose-driven, cost-aware, and tightly connected to detection priorities.
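As an added worked example of what a purpose-driven, cost-aware log strategy looks like in practice (this is not code from NuHarbor, nor from the CISA/ASD documents), the following Python script reviews a log-source inventory by tying each source to the detection rules that actually read it. The inventory, its volumes, the rule mappings and the price per GB are all constructed for illustration; replace them with the output of your own SIEM's ingestion metrics and rule references. It answers the questions that decide whether ingestion spend is buying detection: which sources no rule reads, what share of monthly spend sits behind no detection, what each source costs per detection it feeds, and which detections would silently break if a source were dropped to save money.

```python
"""Ingestion review: which log sources pay for detections, and which only cost money.

Added example, not code from NuHarbor or from the CISA/ASD guidance.
The inventory, volumes, rule mappings and price below are assumed for illustration.
"""
import math
from dataclasses import dataclass, field


@dataclass
class LogSource:
    name: str
    gb_per_day: float                              # daily ingest volume (assumed here)
    detections: set = field(default_factory=set)   # detection rules that read this source


# Constructed sample inventory (assumed volumes and rule mappings, not measurements).
SOURCES = [
    LogSource("windows-security", 120.0, {"T1078 valid accounts", "T1110 brute force", "T1053 scheduled task"}),
    LogSource("firewall-allow", 900.0, set()),     # highest volume, yet no rule reads it
    LogSource("firewall-deny", 300.0, {"T1046 network scan"}),
    LogSource("edr", 80.0, {"T1059 scripting", "T1055 process injection", "T1003 credential dump"}),
    LogSource("cloud-audit", 25.0, {"T1078 valid accounts", "T1098 account manipulation"}),
    LogSource("dns", 400.0, {"T1071 c2 over dns"}),
]

PRICE_PER_GB = 2.50   # assumed ingest price in USD per GB; substitute your contract rate
DAYS = 30


def monthly_cost(src, price_per_gb=PRICE_PER_GB):
    return src.gb_per_day * DAYS * price_per_gb


def cost_per_detection(src, price_per_gb=PRICE_PER_GB):
    """USD per month per detection rule the source feeds; infinite when nothing reads it."""
    if not src.detections:
        return math.inf
    return monthly_cost(src, price_per_gb) / len(src.detections)


def unmapped_sources(sources):
    """Sources no rule reads, largest first: the first candidates for filtering or cheaper tiering."""
    return [s.name for s in sorted(sources, key=lambda s: -s.gb_per_day) if not s.detections]


def unmapped_spend_share(sources, price_per_gb=PRICE_PER_GB):
    """Fraction of monthly ingest spend that has no detection behind it."""
    total = sum(monthly_cost(s, price_per_gb) for s in sources)
    wasted = sum(monthly_cost(s, price_per_gb) for s in sources if not s.detections)
    return wasted / total if total else 0.0


def rank_by_value(sources, price_per_gb=PRICE_PER_GB):
    """Cheapest detection coverage first; unmapped sources (infinite cost) sort last."""
    return sorted(((s.name, cost_per_detection(s, price_per_gb)) for s in sources),
                  key=lambda pair: pair[1])


def sole_providers(sources):
    """Detections fed by exactly one source. Dropping that source silently loses the detection."""
    feeds = {}
    for s in sources:
        for det in s.detections:
            feeds.setdefault(det, []).append(s.name)
    return {det: names[0] for det, names in feeds.items() if len(names) == 1}


if __name__ == "__main__":
    print(f"unmapped sources: {unmapped_sources(SOURCES)}")
    print(f"share of monthly spend with no detection behind it: {unmapped_spend_share(SOURCES):.0%}")
    for name, cpd in rank_by_value(SOURCES):
        print(f"  {name:<18} {cpd:>10,.2f} USD/month per detection")
    for det, src in sorted(sole_providers(SOURCES).items()):
        print(f"  {det} depends only on {src}")
```

On the constructed inventory the firewall allow log is both the largest source and the only one nothing reads, so roughly half of monthly spend buys no detection; the sole-provider check is the guardrail against the opposite mistake, cutting a cheap-looking source such as cloud audit logs without noticing that account-manipulation detection depends on it alone. In a real deployment the detection sets come from the rule definitions themselves (the sources each query references), so the mapping stays current as detection engineering evolves.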
SOAR tools offer real advantages: faster response, reduced manual load, and improved consistency. But these benefits only appear when the processes behind them are ready. Many organizations attempt to automate before their playbooks are mature, escalation paths are clear, or teams are trained to respond effectively.
According to the SANS 2023 SOC Survey (PDF), only 34.8% of respondents who use SOAR as a primary method for event correlation allow analysts to tune those systems on an ongoing basis. This suggests that for most teams, SOAR remains static, often rigid and out of sync with day-to-day operations.
Automation succeeds when it mirrors real workflows. That requires continuous tuning, cross-team coordination, and the ability to evolve processes as the environment changes.
Buying the tool is just the beginning. Costs for skilled staff, integrations, training, detection engineering, and ongoing tuning often catch teams off guard. A 2024 Forrester study on Microsoft Sentinel showed a 234 percent ROI—but only when backed by thoughtful deployment and governance. Without that, even strong platforms struggle to pay off.
Launching a SIEM or SOAR platform is step one. But keeping it effective is the hard part. Threats change. Your business changes. Tools need to be tuned and refined on a regular basis, or they start generating more noise than signal. This is where many programs lose steam, not because the tech failed, but because the process didn’t evolve with it.
As a field, we are good at explaining why security matters. We are decent at listing what needs to be done. But we are not strong at showing teams how to do it in practice.
Security teams need more than frameworks. They need execution guidance they can actually use:
Too often, the operational details that determine whether a program succeeds are missing. Teams are left to answer tough questions with little support:
Without clear answers, teams are left to improvise under pressure. And that is where even good platforms start to fail.
Moving from strategic intent to operational success takes more than advice or tools. It takes experience, context, and a structured approach tailored to your environment.
The 2024 IBM Cost of a Data Breach Report found that organizations with extensive use of security AI and automation reduced breach costs by an average of $2.2 million compared to those without. This reinforces a point we see confirmed in the field: when technology is fully integrated into daily operations, the impact is measurable.
But most organizations are not there yet. Many platforms are underutilized, untuned, or only partially deployed because the “how” remains unclear.
Execution matters. Experience matters. And most teams benefit from a partner who has been through this before.
At NuHarbor, we help teams close the gap between platform implementation and measurable impact. We do it with less rework, stronger outcomes, and a focus on long-term success.
Ready to close the gap between guidance and results? Let’s talk.
Kyle Smith is the Vice President of Product Management at NuHarbor Security. He leads the development and execution of strategic product initiatives, ensuring that NuHarbor’s solutions are aligned with the evolving needs of both public and private sector organizations. During his two decades in the cybersecurity industry, Kyle has held leadership roles across multiple domains, including security operations, network architecture, and product innovation. Before joining NuHarbor, he led cross-domain technology teams, spearheading security and systems initiatives to protect organizations from advanced threats. Kyle's experience as an IT technologist, security operator, and client advocate has combined to make him an empathetic and practical leader as NuHarbor develops and delivers new, valuable capabilities to our clients.