SIEM Security Explainers:
SOC and SIEM: The Role of SIEM Solutions in the SOC
The Need for Tools: Challenges When Building a Security Operations Center
Security teams building a security operations center face several common challenges:
- Limited Visibility – A centralized SOC does not always have access to all organizational systems. These could include endpoints, encrypted data, or systems controlled by third parties which have an impact on security.
- White Noise – A SOC receives immense volumes of data and much of it is insignificant for security. Security Information and Event Management (SIEM) and other tools used in the SOC are getting better at filtering out the noise, by leveraging machine learning and advanced analytics.
- False Positives and Alert Fatigue – SOC systems generate large quantities of alerts, many of which turn out not to be real security incidents. False positives can consume a large part of security analysts’ time, and make it more difficult to notice when real alerts occur.
All three of these challenges are addressed by a stack of security tools, with the central component being a security information and event management (SIEM) system. The SIEM powers daily operations in modern SOCs.
The SOC and Security Information and Event Management (SIEM)
The foundational technology of a SOC is a SIEM, which aggregates device, application logs, and events from security tools from across the entire organization. The SIEM uses correlation and statistical models to identify events that might constitute a security incident, alert SOC staff about them, and provide contextual information to assist investigation. A SIEM functions as a “single pane of glass” which enables the SOC to monitor enterprise systems.
SOC Processes Facilitated by a SIEM: Key Examples
Malware Investigation
The SIEM can help security staff combine data about malware detected across the organization, correlate it with threat intelligence and help understand the systems and data affected. Next-gen SIEMs provide security orchestration capabilities, a visualization of incident timelines, and can even automatically “detonate” malware in a threat intelligence sandbox.
Phishing Prevention and Detection
The SIEM can use correlations and behavioral analysis to determine that a user clicked a phishing link, distributed via email or other means. When an alert is raised, analysts can search for similar patterns across the organization and across timelines to identify the full scope of the attack.
HR Investigation
When an employee is suspected of direct involvement in a security incident, a SIEM can help by drawing in all data about the employee’s interaction with IT systems, over long periods of time. A SIEM can uncover anomalies like logins into corporate systems at unusual hours, escalation of privileges, or moving large quantities of data.
Departed Employees Risk Mitigation
According to an Intermedia study, 89% of employees who leave their jobs retain access to at least some corporate systems, and use those credentials to log in. A SIEM can map out the problem in a large organization, identifying which systems have unused credentials, which former employees are accessing systems, and which sensitive data is affected.
A Basic Incident Response Model and How SIEM Helps
While SOCs are undergoing transformation and assuming additional roles, their core activity remains incident response. The SOC is the organizational unit that is expected to detect, contain, and mitigate cyber attacks against the organization. The people responsible for incident response are Tier 1, Tier 2 and Tier 3 analysts, and the software they primarily rely on is the SOC’s Security Information and Event Management (SIEM) system.
TIER 1 – Event Classification
Tier 1 Analysts monitor user activity, network events, and signals from security tools to identify events that merit attention.
Alert Generation and Ticketing
Traditional SIEM
A SIEM collects security data from organizational systems and security tools, correlates it with other events or threat data, and generates alerts for suspicious or anomalous events.
Next-gen SIEM
Next-generation SIEMs leverage machine learning and behavioral analytics to reduce false positives and alert fatigue, and discover hard-to-detect complex events like lateral movement, insider threats and data exfiltration.
TIER 2 – Prioritization and Investigation
Tier 1 Analysts prioritize, select the most important alerts, and investigate them further. Real security incidents are passed to Tier 2 Analysts.
Searching and Exploring Data
Traditional SIEM
A SIEM can help Tier 1 and Tier 2 analysts search, filter, slice and dice, and visualize years of security data. Analysts can easily pull and compare relevant data to better understand an incident
Next-gen SIEM
Next-generation SIEMs are based on data lake technology that allows organizations to store unlimited data at low cost. They also leverage machine learning and User Event Behavioral Analytics (UEBA) to easily identify high risk events and surface them to analysts.
TIER 3 – Containment and Recovery
Once a security incident has been identified, the race is on to gather more data, identify the source of the attack, contain it, recover data and restore system operations.
Context on Incidents and Security Orchestration
Traditional SIEM
When a real security incident is identified, a SIEM provides context around the incident—for example, which other systems were accessed by the same IPs or user credentials.
Next-gen SIEM
Next-generation SIEMs provide Security Orchestration and Automation (SOAR) capabilities. They integrate with other security systems and can automatically perform containment actions. For example, quarantine an email infected by Malware, download and test the Malware in a threat intel sandbox.
TIER 4 – Remediation and Mitigation
SOC staff work to identify broad security gaps related to the attack and plan mitigation steps to prevent additional attacks.
Reporting and Dashboarding
Traditional SIEM
Remediation and mitigation are an ongoing activity, and they require visibility of the status and activity of critical security and IT systems. SIEMs have a cross-organization view which can provide this visibility.
Next-gen SIEM
Next-generation SIEMs leverage machine learning and data science capabilities that establish smart baselines for groups of users and devices. This allows faster and more accurate detection of insecure systems or suspicious activity.
TIER 5 – Assessment and Audit
SOC staff assess the attack and mitigation steps, gather additional forensic data, draw final conclusions and recommendations, and finalize auditing and documentation.
Compliance Reporting
One of the core functions of a SIEM is to produce reports and audits for regulatory requirements and standards like PCI DSS, HIPAA and SOX—both on an ongoing basis and following an incident or breach.provide this visibility.
A Broader Look at SOC Tools and Technologies
Beyond SIEM, there are many more tools used in the SOC:
- Governance, risk and compliance (GRC) systems
- Vulnerability scanners and penetration testing tools
- Intrusion detection systems (IDS), intrusion prevention systems (IPS), and wireless intrusion prevention
- Firewalls and next-generation firewalls (NGFW) which can function as an IPS
- Log management systems (commonly as part of the SIEM)
- Cyber threat intelligence feeds and databases
Traditional vs. Next Gen SOC Technology
Advanced SOCs leverage next generation tools, specifically next-generation SIEMs, which provide machine learning and advanced behavioral analytics, threat hunting capabilities, and built-in automated incident response. Modern security operations center technology allows the SOC team to find and deal with threats quickly and efficiently.
Traditional Tools
- Security Information and Event Management (SIEM)
- Governance, risk and compliance (GRC) systems
- Vulnerability scanners and penetration testing tools
- Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and wireless intrusion prevention
- Firewalls, Next-Generation Firewalls (NGFW) which can function as an IPS, and Web Application Firewalls (WAF)
- Log management systems (commonly as part of the SIEM)
- Cyber threat intelligence feeds and databases
Next-Gen Tools
- Next-generation SIEMs which are built on big data platform and includes machine learning and advanced behavioral analytics, threat hunting, built-in incident response and SOC automation
- Network Traffic Analysis (NTA) and Application Performance Monitoring (APM) tools
- Endpoint Detection and Response (EDR), which helps detect and mitigate suspicious activities on hosts and user devices
- User and Entity Behavior Analytics (UEBA), which uses machine learning to identify suspicious behavioral patterns
Motivation for Using Next-Generation SOC Tooling
- Next-generation SIEM – Helps lower alert fatigue, lets analysts focus on the alerts that matter. New analytics capabilities, combined with a huge breadth of security data, allow next-gen SIEMs to discover incidents that no individual security tool can see.
- NTA – Easy to implement, great at detecting abnormal network behaviors. Useful when the SOC has access to the traffic under investigation and is interested in investigating lateral movement by attackers already inside the perimeter.
- UEBA – Uses machine learning and data science techniques to detect malicious insiders, or bypass security controls. Makes it much easier to identify account compromise, whether by outside attackers or insiders.
- EDR – Provides a strong defense against compromise of workstations or servers, helps manage the mobile workforce. Provides the data needed to carry out historic investigations and track root causes.
Spotlight on 3 Essential SOC Tools
Beyond SIEM, here are several tools that are an essential component of the security stack for most modern security operations centers.
Firewalls, Next-Generation Firewalls (NFGW) and Web Application Firewalls (WAF)
Firewalls are a standard part of any cybersecurity arsenal. Two new technologies are complementing or replacing the traditional firewall:
- NGFW – Extends the firewall by providing intrusion prevention and intrusion detection with deep packet inspection capabilities. NGFWs can block threats at the network edge using techniques like URL filtering, behavioral analysis and geolocation filtering. They use a reverse proxy to terminate connections and inspect content before it reaches a web server.
- WAF – A WAF is deployed in front of web applications, inspects traffic and identifies traffic patterns that may represent malicious activity. A WAF can detect attacks while minimizing false positives, by learning acceptable URLs, parameters and user inputs, and uses this data to identify traffic or inputs that deviate from the norm.
These technologies are leveraged in the modern SOC to reduce the attack profile of websites and web applications, and gather higher quality data about legitimate and malicious traffic hitting critical web properties.
Endpoint Detection and Response (EDR)
EDR is a new category of tools that helps SOC teams respond to attacks on endpoints, like user workstations, mobile phones, servers or IoT devices. These tools are built around the assumption that attacks will happen, and that the SOC team usually has very limited visibility and control into what’s happening on a remote endpoint. EDR solutions are deployed on endpoints, provide instant, accurate data about malicious activity, and give SOC teams remote control over endpoints to perform immediate mitigation.
For example, the SOC team can use EDR to identify 50 endpoints infected with Ransomware, isolate them from the network, wipe and re-image the machines. All this can be done in seconds to identify attacks as they happen, prevent them from spreading and support eradication.
SOC Monitoring Tools
Monitoring is a key function of tools used in the SOC. The SOC is responsible for enterprise-wide monitoring of IT systems and user accounts, and also monitoring of the security tools themselves—for example, ensuring antivirus is installed and updated on all organizational systems. The main tool that orchestrates monitoring is the SIEM. Organizations use many dedicated monitoring tools, such as network monitoring and Application Performance Monitoring (APM). However, for security purposes only the SIEM, with its cross-organizational view of IT and security data, can provide a complete monitoring solution.
Which Tools Should You Start With?
These stages of tool adoption were proposed by Gartner.
- Greenfield SOCs→SIEM only
- Established SOC→Add automated threat intelligence sandboxing, NTA and EDR.
- Forward Leaning→Add UEBA and a full in-house Threat Intelligence Platform—provided as a part of next-generation SIEMs
We showed how SIEM is a foundational technology of the SOC, and how next-generation SIEMs, which include new capabilities like behavioral analytics, machine learning and SOC automation, open up new possibilities for security analysts.
The Impact of a Next-Gen SIEM on the SOC
Next-generation SIEM solutions can have a significant impact on your SOC:
- Reduce alert fatigue – Via user and entity behavior analytics (UEBA) that goes beyond correlation rules, helps reduce false positives and discover hidden threats.
- Improve MTTD – By helping analysts discover incidents faster and gather all relevant data.
- Improve MTTR – By integrating with security systems and leveraging Security Orchestration, Automation and Response (SOAR) technology.
- Enable threat hunting – By giving analysts fast and easy access and powerful exploration of unlimited volumes of security data.
Exabeam is an example of a next-generation SIEM which combines data lake technology, visibility into cloud infrastructure, behavioral analytics, SOAR capabilities, and a threat hunting module with powerful data querying and visualization.
Related content:
See Exabeam in action: Request a demo