3 Jun

The benefits of using SIEM in a SOC

What is SIEM and how does it work? 

A SIEM (Security Information and Event Management) system is a security log management system that collects log files, security alerts, and security events into one centralized location, enabling security analysts and teams to analyze the data efficiently. SIEM technology thus supports security incident and event management by logging both real-time and historical security event data. A SIEM also generally produces reports through a main dashboard.

2 Types of SIEM Technologies 

Gartner, in 2017, updated the definition of a SIEM to include two other technologies: 

  • UEBA: User and Entity Behavior Analytics is an analytics layer that tracks normal and abnormal behavior for users and for entities such as servers, databases, and devices. UEBA helps in spotting abnormal device behavior, such as a computer uploading huge amounts of data for the first time or logins from unusual points in the network; such incidents get flagged for further investigation.
  • SOAR: Security Orchestration, Automation and Response automates procedures that security analysts undertake in incident response, improving efficiency in the SOC and reducing overall risk.
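One way to implement the kind of UEBA check the first bullet describes, as an added example that is not part of the original post: a per-user baseline built only from earlier events flags the first huge upload and the first activity from a subnet never seen for that user. The events, thresholds and subnet values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample upload events, oldest first: (user, bytes_uploaded, source_subnet).
# Invented values for illustration, not real telemetry.
EVENTS = [
    ("alice", 20_000, "10.0.1.0/24"),
    ("alice", 25_000, "10.0.1.0/24"),
    ("alice", 22_000, "10.0.1.0/24"),
    ("bob",   5_000_000, "10.0.2.0/24"),
    ("bob",   4_500_000, "10.0.2.0/24"),
    ("bob",   6_000_000, "10.0.2.0/24"),
    ("alice", 900_000_000, "10.0.9.0/24"),  # first huge upload, from an unseen subnet
    ("bob",   5_200_000, "10.0.2.0/24"),    # within bob's normal range
]

def flag_anomalies(events, min_history=3, volume_ratio=10):
    """Return (user, bytes, reasons) for events that break the entity's own baseline.

    The baseline is only what was observed for that user *before* the event under
    test, so an outlier cannot hide inside its own average. A user is not judged
    until min_history events exist, to avoid flagging everyone on day one."""
    volumes = defaultdict(list)   # per-user history of upload sizes
    subnets = defaultdict(set)    # per-user set of source subnets seen so far
    flagged = []
    for user, nbytes, subnet in events:
        reasons = []
        hist = volumes[user]
        if len(hist) >= min_history:
            if nbytes > volume_ratio * max(hist):
                reasons.append(f"upload {nbytes} B exceeds {volume_ratio}x prior max {max(hist)} B")
            if subnet not in subnets[user]:
                reasons.append(f"first activity from subnet {subnet}")
        if reasons:
            flagged.append((user, nbytes, reasons))
        hist.append(nbytes)          # update the baseline after judging the event
        subnets[user].add(subnet)
    return flagged

if __name__ == "__main__":
    for user, nbytes, reasons in flag_anomalies(EVENTS):
        print(user, nbytes, "; ".join(reasons))
```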

What is the Benefit of a SIEM in a SOC? 

The central collection of incident data from all devices on the network gives security analysts one dataset to investigate instead of going through each individual system. In the event of a security incident, the SIEM is therefore a foundational component of the Security Operations Center (SOC) for conducting forensic analysis. The SOC complements the SIEM by providing the resources needed, such as security operations analysts who perform forensic investigations: analyzing real-time network events, investigating security incidents, responding to security events, preventing recurrence, and updating defenses after a cybersecurity incident.

When logging data from network devices, it is important to synchronize the clocks on all devices so that the occurrence of an event at a certain time can be investigated later. For instance, a forensic investigation of the events that occurred between the router and the web server during a specific period can provide accurate insight into how an attack was carried out. The Network Time Protocol (NTP) is a widely used, standardized protocol that synchronizes all devices on the network to a single clock source, providing accurate time synchronization as well as flexibility.

After collecting log data, a SIEM needs a way to transfer that data from the devices and a way to store it. The most common transfer method is the Syslog standard. The SIEM uses a central receiver to collect and store the logs; SIEMs therefore also need large storage capacity.
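The time normalisation and cross-device correlation described in the two paragraphs above, as an added example that is not part of the original post: it parses constructed RFC 5424-style syslog lines from a router and a web server, converts every timestamp to UTC, and pairs events from different hosts that share a source IP within a short window. Host names, IPs and messages are invented for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed RFC 5424-style syslog lines from two devices (invented values).
# The router stamps in UTC; the web server stamps in local time with a -05:00
# offset. Both clocks are NTP-synced, so once normalised to UTC they line up.
SAMPLE_LOGS = """\
<134>1 2024-03-04T10:00:03Z edge-router fw - - - src=203.0.113.10 dst=10.0.0.5 dport=443 action=permit
<134>1 2024-03-04T05:00:05-05:00 web01 nginx - - - src=203.0.113.10 path=/admin status=401
<134>1 2024-03-04T10:00:07Z edge-router fw - - - src=203.0.113.10 dst=10.0.0.5 dport=443 action=permit
<134>1 2024-03-04T05:00:08-05:00 web01 nginx - - - src=203.0.113.10 path=/admin status=401
<134>1 2024-03-04T05:30:00-05:00 web01 nginx - - - src=198.51.100.7 path=/ status=200
"""

# PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
LINE_RE = re.compile(r"^<(\d+)>1 (\S+) (\S+) (\S+) \S+ \S+ \S+ (.*)$")

def parse_line(line):
    """Parse one syslog line into a dict with a UTC-normalised timestamp."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    pri, ts, host, app, msg = m.groups()
    if ts.endswith("Z"):                      # fromisoformat lacks 'Z' before 3.11
        ts = ts[:-1] + "+00:00"
    when = datetime.fromisoformat(ts).astimezone(timezone.utc)
    fields = dict(kv.split("=", 1) for kv in msg.split())
    return {"ts": when, "host": host, "app": app, "severity": int(pri) % 8, **fields}

def correlate(lines, window_s=10):
    """Pair events from different hosts that share a src IP and fall within
    window_s seconds of each other on the common (UTC) timeline."""
    events = sorted((parse_line(l) for l in lines.splitlines() if l),
                    key=lambda e: e["ts"])
    hits = []
    for i, a in enumerate(events):
        for b in events[i + 1:]:
            if b["ts"] - a["ts"] > timedelta(seconds=window_s):
                break                         # sorted, so nothing later can match
            if a["host"] != b["host"] and a.get("src") == b.get("src"):
                hits.append((a["src"], a["host"], a["ts"].isoformat(),
                             b["host"], b["ts"].isoformat()))
    return hits

if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOGS):
        print(*hit)
```

Without the offset-aware normalisation the web server's 05:00 entries would sort five hours before the router's, and the pairing would silently miss.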

SolarWinds is an example of a SIEM tool that strengthens an organization's security posture by providing automated incident response and threat detection. It provides an easy-to-use dashboard that visualizes event data for analysis and pattern recognition. SolarWinds also provides active response actions such as blocking untrustworthy IPs, automatically logging off users, and terminating inactive sessions. It also provides customizable reporting templates that make it easier to demonstrate compliance with standards and regulations such as ISO 27001 and SOX.

How to Become a SOC Analyst 

Being a SOC analyst can be an intense job, but it is certainly a very rewarding career. Imagine being in a SOC at a healthcare organization and you start to see indicators that an attack is happening on the network. You follow the proper procedure and eventually thwart the attack. After an analysis, you find that the attack you thwarted would have caused enough damage to cripple the entire hospital. Some might call that being a modern-day hero; others might call it just doing their job. Either way, getting the EC-Council CSA Certification is the first step to take.

FAQs

What is the difference between SIEM and SOC?

Setting up a SOC involves employing a team of people and setting up processes to monitor a host system or IT network and respond to any security incidents. SIEM software then uses intelligent correlation rules to highlight links between events ready for analysis by a human IT support team.

What does a SOC analyst do?

Security analysts are, in many ways, the foot soldiers of the organization. Their job is to detect, investigate, and respond to incidents. They may also be involved in planning and implementing preventative security measures and in building disaster recovery plans.

What is the difference between a SOC and a NOC?

The SOC and NOC are responsible for identifying, investigating, prioritizing, escalating, and resolving issues, but the types of issues and impact they have are considerably different. The SOC focuses on “intelligent adversaries” while the NOC deals with naturally occurring system events.

What are SOC services?

Security Incident and Event Management (SIEM) & Security Operations (SOC) provide a real-time analysis of security alerts from within an organization’s network to maintain a secure environment while ensuring continuity of business operations.

Learn more: https://egs.eccouncil.org/services/security-incident-and-event-management-siem-security-operations-soc/
