Security teams building a security operations center face several common challenges:
All three of these challenges are addressed by a stack of security tools, with the central component being a security information and event management (SIEM) system. The SIEM powers daily operations in modern SOCs.
The foundational technology of a SOC is a SIEM, which aggregates device, application logs, and events from security tools from across the entire organization. The SIEM uses correlation and statistical models to identify events that might constitute a security incident, alert SOC staff about them, and provide contextual information to assist investigation. A SIEM functions as a “single pane of glass” which enables the SOC to monitor enterprise systems.
The SIEM can help security staff combine data about malware detected across the organization, correlate it with threat intelligence and help understand the systems and data affected. Next-gen SIEMs provide security orchestration capabilities, a visualization of incident timelines, and can even automatically “detonate” malware in a threat intelligence sandbox.
Phishing Prevention and Detection
The SIEM can use correlations and behavioral analysis to determine that a user clicked a phishing link, distributed via email or other means. When an alert is raised, analysts can search for similar patterns across the organization and across timelines to identify the full scope of the attack.
When an employee is suspected of direct involvement in a security incident, a SIEM can help by drawing in all data about the employee’s interaction with IT systems, over long periods of time. A SIEM can uncover anomalies like logins into corporate systems at unusual hours, escalation of privileges, or moving large quantities of data.
Departed Employees Risk Mitigation
According to an Intermedia study, 89% of employees who leave their jobs retain access to at least some corporate systems, and use those credentials to log in. A SIEM can map out the problem in a large organization, identifying which systems have unused credentials, which former employees are accessing systems, and which sensitive data is affected.
While SOCs are undergoing transformation and assuming additional roles, their core activity remains incident response. The SOC is the organizational unit that is expected to detect, contain, and mitigate cyber attacks against the organization. The people responsible for incident response are Tier 1, Tier 2 and Tier 3 analysts, and the software they primarily rely on is the SOC’s Security Information and Event Management (SIEM) system.
TIER 1 – Event Classification
Tier 1 Analysts monitor user activity, network events, and signals from security tools to identify events that merit attention.
Alert Generation and Ticketing
A SIEM collects security data from organizational systems and security tools, correlates it with other events or threat data, and generates alerts for suspicious or anomalous events.
Next-generation SIEMs leverage machine learning and behavioral analytics to reduce false positives and alert fatigue, and discover hard-to-detect complex events like lateral movement, insider threats and data exfiltration.
TIER 2 – Prioritization and Investigation
Tier 1 Analysts prioritize, select the most important alerts, and investigate them further. Real security incidents are passed to Tier 2 Analysts.
Searching and Exploring Data
A SIEM can help Tier 1 and Tier 2 analysts search, filter, slice and dice, and visualize years of security data. Analysts can easily pull and compare relevant data to better understand an incident
Next-generation SIEMs are based on data lake technology that allows organizations to store unlimited data at low cost. They also leverage machine learning and User Event Behavioral Analytics (UEBA) to easily identify high risk events and surface them to analysts.
TIER 3 – Containment and Recovery
Once a security incident has been identified, the race is on to gather more data, identify the source of the attack, contain it, recover data and restore system operations.
Context on Incidents and Security Orchestration
When a real security incident is identified, a SIEM provides context around the incident—for example, which other systems were accessed by the same IPs or user credentials.
Next-generation SIEMs provide Security Orchestration and Automation (SOAR) capabilities. They integrate with other security systems and can automatically perform containment actions. For example, quarantine an email infected by Malware, download and test the Malware in a threat intel sandbox.
TIER 4 – Remediation and Mitigation
SOC staff work to identify broad security gaps related to the attack and plan mitigation steps to prevent additional attacks.
Reporting and Dashboarding
Remediation and mitigation are an ongoing activity, and they require visibility of the status and activity of critical security and IT systems. SIEMs have a cross-organization view which can provide this visibility.
Next-generation SIEMs leverage machine learning and data science capabilities that establish smart baselines for groups of users and devices. This allows faster and more accurate detection of insecure systems or suspicious activity.
TIER 5 – Assessment and Audit
SOC staff assess the attack and mitigation steps, gather additional forensic data, draw final conclusions and recommendations, and finalize auditing and documentation.
One of the core functions of a SIEM is to produce reports and audits for regulatory requirements and standards like PCI DSS, HIPAA and SOX—both on an ongoing basis and following an incident or breach.provide this visibility.
Beyond SIEM, there are many more tools used in the SOC:
Advanced SOCs leverage next generation tools, specifically next-generation SIEMs, which provide machine learning and advanced behavioral analytics, threat hunting capabilities, and built-in automated incident response. Modern security operations center technology allows the SOC team to find and deal with threats quickly and efficiently.
Beyond SIEM, here are several tools that are an essential component of the security stack for most modern security operations centers.
Firewalls are a standard part of any cybersecurity arsenal. Two new technologies are complementing or replacing the traditional firewall:
These technologies are leveraged in the modern SOC to reduce the attack profile of websites and web applications, and gather higher quality data about legitimate and malicious traffic hitting critical web properties.
EDR is a new category of tools that helps SOC teams respond to attacks on endpoints, like user workstations, mobile phones, servers or IoT devices. These tools are built around the assumption that attacks will happen, and that the SOC team usually has very limited visibility and control into what’s happening on a remote endpoint. EDR solutions are deployed on endpoints, provide instant, accurate data about malicious activity, and give SOC teams remote control over endpoints to perform immediate mitigation.
For example, the SOC team can use EDR to identify 50 endpoints infected with Ransomware, isolate them from the network, wipe and re-image the machines. All this can be done in seconds to identify attacks as they happen, prevent them from spreading and support eradication.
Monitoring is a key function of tools used in the SOC. The SOC is responsible for enterprise-wide monitoring of IT systems and user accounts, and also monitoring of the security tools themselves—for example, ensuring antivirus is installed and updated on all organizational systems. The main tool that orchestrates monitoring is the SIEM. Organizations use many dedicated monitoring tools, such as network monitoring and Application Performance Monitoring (APM). However, for security purposes only the SIEM, with its cross-organizational view of IT and security data, can provide a complete monitoring solution.
These stages of tool adoption were proposed by Gartner.
We showed how SIEM is a foundational technology of the SOC, and how next-generation SIEMs, which include new capabilities like behavioral analytics, machine learning and SOC automation, open up new possibilities for security analysts.
Next-generation SIEM solutions can have a significant impact on your SOC:
Reduce alert fatigue – Via user and entity behavior analytics (UEBA) that goes beyond correlation rules, helps reduce false positives and discover hidden threats.
Improve MTTD – By helping analysts discover incidents faster and gather all relevant data.
Improve MTTR – By integrating with security systems and leveraging Security Orchestration, Automation and Response (SOAR) technology.
Enable threat hunting – By giving analysts fast and easy access and powerful exploration of unlimited volumes of security data.