SIEM and SOC are important concepts in Cyber Security and these were one of the first things I learnt about. Over time in my day to day job I spend a lot of time looking at the SIEM systems and the SOC solutions being used.
What is the difference between SIEM vs SOC? SIEM stands for Security Incident Event Management and is different from SOC, as it is a system that collects and analyzes aggregated log data. SOC stands for Security Operations Center and consists of people, processes and technology designed to deal with security events picked up from the SIEM log analysis.
Both sets of technology complement each other with the SIEM analyzing log data to look for events requiring the attention of the SOC team to deal with. The SOC teams analysts will look at the alerts from the SIEM systems and work out whether they need escalating further. Or they are just false positives, where the SIEM alert is not as dangerous as expected and has been reported incorrectly by the SIEM system.
What is a SIEM solution?
A SIEM solution consists of a number of components involved in Security Information Management (SIM) and Security Event Management (SEM) including the following:
- Data Aggregation
- Threat Intelligence
- Security Event Correlation
- Advanced Analytics
- SOC Automation
- Threat Hunting
Let’s explore these SIEM solution components in more detail to see how they work and fit together to analyze the incidents and provide the security events to the SOC teams.
SIEM solutions need data from multiple sources as part of data aggregation, moving data into a single place. The SIEM systems either collect the data themselves or use forwarders to send logs from other systems to the SIEM system. These logs the SIEM collects are a series of events recorded in files, providing a history of activity.
Once the SIEM system has the logs, it uses a process to analyze the events in the logs and categorize the events based on the severity of the event. The SIEM systems have specialized software able to analyze the events using threat intelligence and historical analysis to work out which events need action taken and which ones can be ignored as they pose little threat.
SIEM Collectors can be configured to obtain log data from systems by being able to connect directly to the system and obtain the logs.
SIEM Forwarders can send log data to the SIEM solution from the system, as they involve an installation of software, known as an agent which can forward events to the SIEM solution.
SIEM technology has advanced over the years to deal with the advanced of threats in cyber space, with the increased use of threat intelligence.
What is threat intelligence in cyber security? Threat intelligence in cyber security involves collecting information about past, current and potential future cyber threats then analyzing this information to see if it is relevant and how it could impact the organization.
The information about the past, current and potential future cyber threats is just data, more specifically, you could call it threat data. Without understanding the relevance of the information in the threat data, this threat data serves no purpose. However, when the threat data is analyzed and the information extracted that is relevant, then it can be said the threat data is now useful.
This process of analyzing and determining the relevant information about particular cyber threats, is the intelligence part of threat intelligence. Without this intelligence, that is analysis, the threat data is just data that will sit dormant somewhere.
Threat Intelligence is a list of up to date threats shared from many different organizations including security companies. Threat Intelligence allows the SIEM systems to check for patterns to see whether there is a compromise from the latest threats.
The different attacks changes daily with new attacks surfacing all the time and knowing what the latest attacks are is important, as it allows early visibility of when these attacks happen. The worst case scenario would be learning of a new type of cyber attack after the cyber attack had taken place and done it’s damage.
SIEM systems have developed complex analysis methods combined with artificial intelligence’s (AI) machine learning (ML) to analyze threat data and determine which aspects of this data are intelligence to be acted upon and which parts are questionable.
Security Event Correlation
Security Event Correlation involving trying to spot patterns in the data collected by the SIEM systems to see if there are any indicators that could threaten security. If suspicious patterns are discovered these are then flagged up, allowing security analysts to investigate further and take any remedial action.
Advanced Analytics can involve behavior analysis by analyzing the data collected by the SIEM solution to see if there are any changes to expected behavior. As an example, the expected behavior of an employee may be to only log into their computer during work hours but recently they have been logging in during the middle of the night.
This could be investigated further to see whether the employee is legitimately doing this, or they are doing this to get access to information they shouldn’t be accessing.
SOC Automation capabilities of a SIEM system can act upon security events by doing the analysis as SOC analyst would do, thereby able to give an outcome. For example, a security event is analyzed by the SIEM solution and based on criteria, the SIEM solution determines this event to be a serious incident and accordingly raises an incident on the incident management system with a critical priority.
Dashboards & Reporting
All SIEM solutions have dashboards for easy viewing of the threat landscape to give them indicators of what is happening across the systems the SIEM system is gathering data from. These dashboards also allow for reporting to be able to see the number of threats identified over a defined period, allowing organizations to determine the level of threats they have faced over time.
Threat hunting is important as new threats emerge all the time and it is imperative to be able to analyze the data collected by a SIEM solution over time to determine whether a new threat that is out in the open has not previously inflicted the organization.
By using search analysis tools provided by the SIEM, the security analysts can query the SIEM data and determine the impact on the organization over the past few months or even years.
When organizations discover they have been breached, they need to quickly determine when the breach occurred, what was taken and whether those responsible for the breach are still in situ, that is, still inside the organizations systems.
Forensics allows analysis to be done on the data collected over a period of time and try to work out the serious of events leading to the breach, including the initial attacks, the time of the first breach, along with the activities done post getting inside the organizations systems.
Forensics is an analysis of the crime scene, as what a breach would be and like in those police TV shows where the forensic people try to work out what happened, likewise in Cyber Security, the forensic analysts try to piece together the details of an incursion and breach of an organizations system.
Which is the best SIEM tool?
The best SIEM tool according to Gartner are Splunk, IBM QRadar, Exabeam, LogRythm, Securonix, Rapid7 and Dell Technologies (RSA) to name a few. These SIEM tools tend to be classed as leaders in the Gartner Magic Quadrant released each year.
Considered by some to be the leader of the pack, Splunk provides enterprise level SIEM functionality and is a popular choice amongst many larger organizations.
IBM QRadar is popular with larger organizations and provides SIEM capabilities to detect and prioritize threats encountered, allowing organizational security teams to deal with these events.
Exabeam is one of the newer SIEM system providers who have embraced artificial intelligence’s machine learning to detect and try to stop cyber threats.
LogRythm is a leading SIEM systems provider from the US, experienced in providing SIEM systems to corporates around the world.
Securonix markets it’s SIEM system as a next generation SIEM systems providing advanced capabilities to deal with the ever-evolving threat landscape.
Rapid7 SIEM system is another one of the newer breeds of SIEM systems entering the market to take on the established SIEM system providers.
Dell Technologies (RSA)
RSA SIEM systems have been around for a long time and with it’s acquisition by Dell Technologies, this SIEM is still a popular choice for corporates.
It has also become easier for medium to smaller sized organizations to be able to use SIEM especially if they’ve embraced the cloud, with Microsoft’s Azure Cloud providing Sentinel and Amazon’s AWS providing Guard Duty. With both systems being able to provide analysis of threats using threat intelligence.
Those organizations who have not embraced the cloud, find it expensive to implement SIEM solutions especially if they are smaller organizations. The licensing costs can be prohibitive as they generally form annual subscription costs.
Then there is the issue of what to do with the outputs of the SIEM systems, how can the threat intelligence be actioned? This will require someone with experience of understanding which of the SIEM outputs require action and which ones can reviewed later or ignored.
The threat intelligence used by the SIEM systems does not quite meet the one size fits all and requires human analysis to make decisions which will undoubtedly require tailoring to the organization using the SIEM system. What will be the right course of action for one organization might not necessarily hold true for another.
SIEM expertise does not come cheap and many organizations may find this a high cost to bear, with other organizations only using SIEM as they have been pushed into it by regulatory demands.
The SIEM aspects can be outsourced to other organizations, specialists in managing SIEM solutions, who for a price will analyze the SIEM data. This can be beneficial for organizations who can ill afford the high costs of SIEM combined with the in-house expertise to manage it.
That being said, this also throws in issues around privacy as the data passing into the SIEM is always going to be quite sensitive. It could contain not only details of individuals in the organizations but also details of systems feeding into the SIEM and secret information related to a company’s activities.
With some level of expertise, the data being pumped into the SIEM could be controlled, so if developers are creating software with hardcoded passwords in them, then the password data could be stopped from entering the SIEM by educating the developers to not hard code passwords in their code and to use secrets management software.
What is a Security Operations Center (SOC)?
A Security Operations Center (SOC) is part of the security team of an organization that is responsible for analyzing and protecting the organization from cyber-attacks. Although SOC employees work with other teams and departments, they are usually their own independent department.
The SOC is responsibilities are at the operational aspects of an organization to ensure the continued operation of the organization’s information security protections are not being compromised. This is different to the other security aspects of an organization where the responsibilities lie with developing security strategy, designing security architecture to implementing protective security measures.
In essence the SOC is responsible for ensuring the security implemented by other teams in the organization is steadfast and if this is not the case, to make sure effective damage limitation takes place.
A Security operations center staff consists mainly of security analysts with specialist staff also including those with skills in forensic analysis, cryptography to malware reverse engineering. SOC positions tend to be held by employees who have access to the most sensitive information and data across the organization’s systems.
Typically, security operations center provide round the clock 24/7 monitoring to protect the systems, using specialist security tools and expert personnel known as SOC analysts.
Most of the information the SOC relies for security analysis, is assessed using automated systems, capable of filtering and flagging the most serious security events. This allows the SOC analysts to be able to quickly deal with security incidents with higher priority very quickly, instead of having to manual sift through security events and determine the priorities.
Services are provided by Security Operations Centers
Security Operations Centers provide two types of services, monitoring and incident management. Both of these services are an important part of how SOCs run in their day to day activities.
The Security Operations Center (SOC) consists of highly qualified personnel whose are actively involved in monitoring, detecting and improving the security posture of the organization they work for. Through their prevention, detection, analysis work, they can respond to cyber security threats using well established and tested processes.
The SOC is headed by a SOC Manager whose responsibility is to oversee the security operations and manage the SOC staff including analysts, engineers and security specialists.
Monitoring involves checking systems for cyber security threats and usually involves using specialized cyber security tools to pick up suspicious patterns. These cyber security tools link into a centralized management system with dashboards that provide any alerts to suspicious activities and patterns.
Incident management is dealing with the alerts to suspicious activities and patterns, involving trying to determine firstly the criticality of the threat and then running through various incident management processes to try to neuter the threat. The processes generally involve people to manage them and technology to help pinpoint more information about the threats and try to stop it in it’s wake.
What should a Security Operations Center monitor? Security monitoring is involved in watching and analyzing an organizations systems and environments for security events. An organizations network, servers, databases, to it’s websites, endpoints like computers and more are in scope for security monitoring.
Specialist security tools like breach detection tools are used to protect systems, with some tools providing immediate responses (in real-time) to breaches, such as intrusion prevention systems (IPS) and intrusion detection systems (IDS).
With other tools providing delayed responses, like the SIEM tool, as these tools work by ingesting logs and then analyzing these logs, with the delay in getting these logs, being responsible for these tools not to be able to work in real-time.
The SOC’s primary goal is to ensure any potential security incidents are identified correctly, analyzed accordingly through a thorough investigation, with any steps to reduce any immediate impact if possible implemented. The reporting of incidents is vitally important, as incorrect reporting could end up making a security incident worse.
The analysis will try to determine how systems were breached by trying to find out the entry point of where hackers managed to get in. Once this has been established, the next stage of analysis will look at the depth of the breach by trying to work out what other systems were compromised, what was potentially stolen (or altered or added if it’s spyware) and try to come up a detailed map of hacker activities.
The SOC analysts have a plethora of security tools at their disposal to aid their analysis work and give them detailed information quickly. Their goal is to identify and analyze cybersecurity incidents and respond to them with a variety of tools, such as threat detection methods, intrusion detection and response (IDR), intrusion prevention and control (IPC) and the prevention of cybercrime.
The analysis will also look to try to stay ahead of potential threats by analyzing active feeds, establishing rules, identifying exceptions, improving responses, and keeping a close eye on defenses already in place. SOCs are designed to improve threat detection so that they can respond faster and more effectively to reduce or even minimize their risk.
Some SOC teams responsibilities also include the management of security tools from Security Incident Event Management (SIEM) tools to firewalls. The management responsibilities require updating these tools with the latest patches and fixes.
Once a threat has been analyzed the next step involves in trying to contain the threat, it’s like getting injured and starting to bleed, with the first steps involving trying to stop the bleeding, so the blood can clot and stop any nasties getting into the body.
Likewise, with containment in security, the hole in the system where the threat has entered, it’s entry point needs to be closed off and patched in some way to stop any more damage being done.
If a hole has been created such as a vulnerability in a website has allowed hackers to run SQL injection attacks, then the first step is to either bring the website down or put some protection in front of the website. Bringing the website down might not make commercial sense especially if an organization has thousands of customers relying on the website.
So, putting in protective measures like a Web Application Firewall (WAF) may make more economic sense, as this will stop any further SQL injection attacks taking place. Giving the organization time to fix the problem it’s website as this will require additional development time along with testing and the other quality gates required to bring a system into a ‘live’ state. This fixing of the problem is the eradication stage whereas the name implies the threat is removed.
In the real world fixes generally are not as simple as the example above, as the threat normally propagate from one system to another, especially if the security controls to limit lateral movement are weak.
This leads to a more complicated process of eradication, trying to fix many problems which might not be impacted by the fix individually but collectively they might not work as expected when the threat has been eradicated. But if the organization has bought itself some time, by containing the threat then it can spend time eradicating the threat and the damage it has caused.
In a worse case scenario systems may stop being operational after a threat and once containment has been done and if possible, eradication, the recovery of the system is the next step. Organizations want to get into a business as usual state and recover systems quickly as possible. If the damage done was severe then backups could be used to try to bring systems back up.
In today’s cloud environment where automation is king, any systems failing can simply be spun up again by running an automation script. Recovery would require Disaster Recovery teams to get involved to make sure the plan agreed prior which has been tested on regular basis can be put into place.
How do you implement a Security Operations Center?
The way implement a Security Operations Center involves the following steps:
- Creating a SOC strategy
- Designing and building a SOC solution
- Defining SOC processes and training
The SOC strategy is an important part of the overall SOC capabilities where the expectations of the SOC service are determined along with the capabilities and SOC security tooling to be used.
The overall strategy of the Security Operations Center is about collecting and analyzing data to make the entire organization safer. The raw data monitored by the SOC team is security-relevant and typically comes from a variety of sources, such as internal and external security monitoring systems. Afterwards an alarm is triggered, which immediately informs all team members that the data is not normal.
The decision on whether the SOC needs to be managed by the organization itself or a hybrid SOC is used, where the initial analysis of security events is done by a third party before passing them onto the organization. Or, to go the whole hog and use a managed security service provider (MSSP) who manages the whole of the SOC service.
The design of the SOC solution is critical, as it will need to include how the SOC security tooling integrates along with use cases on how and where it will be used.
The last part of the SOC implementation is defining the processes and people involved, where the incident management, the SOC security teams, break-fix teams and so on are established. The SOC team will also work to define and draft an action plan for the next step in the Security Strategy of the Security Operations Center, such as the introduction of new security measures.
What is difference between NOC and SOC?
Network Operation Center (NOC) main focus is to ensure availability and performance of systems by monitoring the network infrastructure, whilst the Security Operations Center (SOC) main focus is to protect all the systems including applications, infrastructure, networks within the organization.
If an organization gets hit by a denial of service (DDoS) attack, the NOC will be the first to become aware of this from their monitoring and alerting. The DDoS attack has the potential to affect the performance of the network, including it’s overall availability thereby stopping any legitimate network traffic from entering or leaving the organization.
The NOC will work with the SOC to ensure the network performance issues from the DDoS attack are managed as an incident through the SOC incident management process.
The Security Operations Center (SOC) provides a central location for an organization to solve a variety of security issues on both an organizational and technical level. It is a central unit within a building or facility that may be supervised by on-site staff.
The Security Operations Center SOC is an IT security team used by the IT and security teams to monitor and analyze the organization’s security posture and operations. SOCs are centralized units within buildings or facilities that have the ability to monitor employees on and off site and access information and data from multiple sources.
The goal of the SOC team is to identify, analyze and respond to anomalies and potential cybersecurity incidents through a combination of technologies and processes. Employees work closely with the organizing team to ensure that security issues are resolved quickly after they are detected. Risk assessment, coordination and communication are essential to ensure that all support groups have accurate information on the current risk status.
Why do you need a security operations center?
The need for a Security Operations Center is based on regulatory requirements in many instances, as organizations need to satisfy, they are capable of protecting their information as required by regulations around card data (PCI DSS) for example.
Companies that rely on large amounts of highly sensitive data and have sufficient financial resources should consider developing an SOC. Companies can choose whether they want to set up an in-house Security Operations Center or partner with an MSSP (Managed Security Service Provider) that offers SOC services.
For small and medium-sized enterprises that lack the resources to develop their own SOC, outsourcing the SOC to a service provider could be the most cost-effective and effective option.
In the world of the Security Operation Center (SOC), all signs of security incidents are continuously examined for signs of a potential security incident using security tools and from analysis from SOC analysts.
It might be helpful to consider the SOC as an IT department that focuses on security as opposed to network maintenance or other IT tasks. By constantly logging activities and reducing threats, employees can work more efficiently and efficiently.
With SIEM solutions, in essence there are two parts, the SIM, that is the Security Information Management where the information like the logs is collected and the SEM, the Security Event Management, where the logs are analyzed and categorized for severity. SIEM systems have become commonplace with large organizations as they have been seen to be an essential part of ensuring regulatory compliance.