By Dario Forte
Once considered the exclusive domain of mature enterprise IT groups, security information and event management (SIEM) is now moving down-market into small and medium-sized businesses (SMBs) as well. The fact is, organizations of all sizes are vulnerable to cybersecurity threats, and they need to be able to detect indicators of compromise in order to address risks and respond to attacks.
SIEM pulls event and log data from a wide range of internal sources to provide a holistic view of an organization’s information security posture. It mainly acts as a security monitoring system by correlating relevant data from multiple sources and generating alerts when the events appear to be worthy of further investigation.
At the most basic level, SIEM implementations can be rules-based or can employ a statistical correlation engine to establish relationships between event log entries, while advanced SIEMs can also be used for user and entity behavior analytics (UEBA) and some orchestration and automation processes.
Greater Visibility Can Be Overwhelming
The primary benefit of implementing a formal and automated SIEM process is it dramatically increases visibility into the overall computing environment. However, some organizations can become overwhelmed by this visibility if large numbers of alerts are presented for investigation—especially if many of them turn out to be “false positives” after additional investigation.
As a result, enterprises must be prepared to handle the extra workload and plan accordingly. One option is to hire more security analysts to conduct investigations into SIEM alerts. Of course, this might not be viable or cost-effective, and the organization could be forced to accept that it only has sufficient resources to respond to the highest-priority alerts.
A better option – one that doesn’t leave the organization vulnerable to the risks of ignored alerts – is to complement the SIEM with security orchestration, automation and response (SOAR).
Bringing Order to the Chaos
Gartner coined the term SOAR to describe an approach to security operations and incident response that aims to improve security operations' efficiency, efficacy and consistency. SOAR allows organizations to collect security data and alerts from different sources (including a SIEM) and perform incident analysis and triage using a combination of human and machine power. This helps to define, prioritize and drive incident response activities to a standard workflow.
Acting as a force multiplier, SOAR allows security teams to do more with fewer resources. It provides capabilities to automate, orchestrate and measure the full incident response lifecycle, including detection, security incident qualification, triage and escalation, enrichment, containment and remediation.
The key aims of SOAR are to reduce the time from incident discovery to event resolution and to minimize the risk resulting from security incidents—all while increasing the return on investment for existing security technologies.
Making Alerts Actionable
SIEM ingests and processes large volumes of security events from various sources, then collates and analyzes the information to identify issues and raise the initial security alerts. This functionality is often limited to unidirectional communication with the data collection sources. In most cases, SIEM implementations do not carry out actions beyond the initial alerts.
This is where SOAR can add significant additional value, by using a SIEM alert to orchestrate and automate responses by multiple security and IT tools from different vendors.
Once a SIEM alert is generated, an incident is triggered within SOAR, which then combines automation and human interaction to carry out a number of enrichment and response actions. A set of activities based on previously defined incident workflows, combined with machine learning to recommend actions based on previously observed incidents, can be used to automate and guide the entire response process.
For example, a specific set of playbooks and runbooks for incident types such as phishing or ransomware would determine how to enrich the data, contain the threat and remediate the incident.
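The SIEM-to-SOAR hand-off described above, reduced to working code as an added illustration (this is not DFLabs's code or any product's API): a rules-based correlation over a handful of constructed authentication log lines raises an alert, and a playbook then enriches it against a constructed threat-intel list, scores it, and queues containment steps for analyst approval rather than executing them blindly. The log format, field names, the threshold of three failures within 60 seconds, and the scoring weights are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the article): key=value auth events.
SAMPLE_LOGS = [
    "2024-01-10T09:00:01 host=web1 event=login_failed user=alice src=203.0.113.5",
    "2024-01-10T09:00:03 host=web1 event=login_failed user=alice src=203.0.113.5",
    "2024-01-10T09:00:05 host=web1 event=login_failed user=alice src=203.0.113.5",
    "2024-01-10T09:00:09 host=web1 event=login_success user=alice src=203.0.113.5",
    "2024-01-10T09:05:00 host=web1 event=login_failed user=bob src=198.51.100.7",
    "2024-01-10T09:07:00 host=web1 event=login_success user=bob src=198.51.100.7",
]

# Constructed threat-intel list used by the enrichment step (an assumption).
KNOWN_BAD_IPS = {"203.0.113.5"}


def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def correlate(lines, threshold=3, window_s=60):
    """Rules-based SIEM correlation: `threshold` failed logins followed by a
    success for the same (src, user) within `window_s` seconds -> one alert."""
    failures = defaultdict(list)
    alerts = []
    for ev in map(parse, lines):
        key = (ev["src"], ev["user"])
        if ev["event"] == "login_failed":
            failures[key].append(ev["ts"])
        elif ev["event"] == "login_success":
            recent = [t for t in failures[key]
                      if (ev["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "brute_force_then_success",
                    "src": ev["src"], "user": ev["user"],
                    "host": ev["host"], "failures": len(recent),
                })
            failures[key].clear()  # a success ends the sequence either way
    return alerts


def run_playbook(alert, intel=KNOWN_BAD_IPS):
    """SOAR-style playbook: enrich, score, pick actions. Containment steps are
    queued for analyst approval; only the enrichment step is fully automatic."""
    incident = dict(alert)
    incident["src_on_intel_list"] = alert["src"] in intel
    # Constructed scoring: base 50, +40 for an intel hit, +1 per failure (cap 10).
    score = 50 + (40 if incident["src_on_intel_list"] else 0) + min(alert["failures"], 10)
    incident["score"] = score
    incident["severity"] = "high" if score >= 80 else "medium"
    actions = [f"enrich: looked up {alert['src']} in threat intel"]
    if incident["severity"] == "high":
        actions.append(f"contain (awaiting approval): block {alert['src']} at firewall")
        actions.append(f"contain (awaiting approval): force password reset for {alert['user']}")
    else:
        actions.append(f"triage: assign {alert['user']}@{alert['host']} to analyst queue")
    incident["actions"] = actions
    return incident


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        inc = run_playbook(a)
        print(inc["severity"], inc["score"], *inc["actions"], sep="\n  ")
```

Run as-is, the correlation fires once (alice from 203.0.113.5; bob's single failure never reaches the threshold), and the playbook marks the incident high because the source is on the intel list. Swapping in an empty intel set drops it to medium and routes it to the analyst queue instead, which is the point of the enrichment step: the same SIEM alert produces different response actions depending on what the playbook learns about it.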
Integrating SIEM and SOAR combines the power of each to create a more robust, efficient and responsive security program. This can ultimately enable security teams to maximize analyst efficiency, minimize incident resolution time and avoid alert fatigue that plagues so many organizations.
About Dario Forte
Dario Forte is founder and CEO of DFLabs and a security incident response expert who has worked in Italian law enforcement and intelligence, and collaborated with US agencies on fraud and cybercrime investigations. He has co-authored several ISO Standards on incident investigation, digital forensic risk, and security incident management and response. He is also an Adjunct Professor at the University of Milan.