A Security Operations Center (SOC) and a Security Information and Event Management (SIEM) are two completely different species. The following information about SIEMs is taken from our SIEM FAQ page.
SIEM SOC – What’s the difference?
A SIEM platform centrally collects data from multiple devices on your network, including your existing security appliances. Through an advanced correlation engine, it can proactively identify security events not otherwise detected by standalone security technology.
Why do people use a SIEM?
A SIEM is used differently based on the perceived outcomes and benefits of the tool. The top reasons organizations purchase a SIEM are as follows:
- Compliance with reporting obligations
- Log management and retention
- Continuous monitoring and incident response
- Case management or ticketing systems
- Policy enforcement validation and policy violations
Why should you use a SIEM?
Do you need to:
- Streamline compliance reporting?
- Detect security incidents that would not otherwise be detected?
- Save time and resources for your IT or security team?
We think a SIEM is a must-have because the benefits of SIEM products enable an organization to get the “big picture” view of its security events throughout the enterprise. By bringing together security log data from enterprise security controls, host operating systems, applications, and other software components, a SIEM can analyze large volumes of security log data to identify the attacks and compromises hidden within it. A SIEM is often able to identify malicious activity that no other single host could identify because the SIEM is the only security control with true enterprise-wide visibility.
A SIEM system centralizes logging capabilities on security events for enterprises and is principally used to analyze and/or report on the log entries received. The analysis capabilities of SIEM systems can detect attacks not discovered through other means and can direct the reconfiguration of other enterprise security controls to plug holes in enterprise security. Some of the top SIEM products — assuming an attack is still in progress — can even stop detected security breaches.
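As an added illustration of the correlation point above (this is example code written for this page, not Cybriant's product or any vendor's rule language), the script below runs one sliding-window "too many failed logins" rule twice over the same constructed log lines: once per host, the way a standalone control on each server would see it, and once per source address across every host, which is the enterprise-wide view only a central log collector has. The host names, the documentation-range IP addresses and the log format are all placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data) from three web hosts. The
# address 203.0.113.7 and the hosts web01..web03 are placeholders. Each host
# alone sees only three or four failed logins, below a typical per-host
# threshold, so a host-local rule stays silent.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 host=web01 event=auth_fail user=admin src=203.0.113.7",
    "2024-05-01T10:00:09 host=web01 event=auth_fail user=root src=203.0.113.7",
    "2024-05-01T10:00:15 host=web01 event=auth_fail user=admin src=203.0.113.7",
    "2024-05-01T10:00:20 host=web02 event=auth_fail user=admin src=203.0.113.7",
    "2024-05-01T10:00:27 host=web02 event=auth_fail user=deploy src=203.0.113.7",
    "2024-05-01T10:00:33 host=web02 event=auth_fail user=admin src=203.0.113.7",
    "2024-05-01T10:00:41 host=web03 event=auth_fail user=admin src=203.0.113.7",
    "2024-05-01T10:00:48 host=web03 event=auth_fail user=admin src=203.0.113.7",
    "2024-05-01T10:00:55 host=web03 event=auth_fail user=backup src=203.0.113.7",
    "2024-05-01T10:01:10 host=web03 event=auth_success user=backup src=203.0.113.7",
    "2024-05-01T10:05:00 host=web01 event=auth_fail user=alice src=198.51.100.4",
]


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(field.split("=", 1) for field in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    return event


def correlate(events, key, threshold, window):
    """Sliding-window rule: group auth_fail events by `key` (e.g. 'host' or
    'src'); fire one alert per group once `threshold` failures fall inside
    `window`, and flag a later auth_success from the same group as a possible
    compromise (a run of failures followed by a working login)."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        groups[ev[key]].append(ev)

    alerts = []
    for value, evs in groups.items():
        fails = [e for e in evs if e["event"] == "auth_fail"]
        for i, ev in enumerate(fails):
            in_window = [e for e in fails[: i + 1] if ev["ts"] - e["ts"] <= window]
            if len(in_window) < threshold:
                continue
            success_after = any(
                e["event"] == "auth_success" and ev["ts"] <= e["ts"] <= ev["ts"] + window
                for e in evs
            )
            alerts.append({
                key: value,
                "failures": len(fails),
                "hosts": sorted({e["host"] for e in fails}),
                "triggered_at": ev["ts"].isoformat(),
                "success_after": success_after,
            })
            break  # one alert per group, not one per event (keeps alert volume down)
    return alerts


def run_rules(lines=SAMPLE_LOGS, threshold=5, window=timedelta(minutes=10)):
    """Run the same rule twice: per host (what a standalone control sees) and
    per source address across all hosts (what only a central SIEM can see)."""
    events = [parse_line(line) for line in lines]
    return {
        "per_host": correlate(events, "host", threshold, window),
        "per_source": correlate(events, "src", threshold, window),
    }


if __name__ == "__main__":
    results = run_rules()
    print("host-local rule alerts:", results["per_host"])
    print("cross-host rule alerts:", results["per_source"])
```

On this input the per-host pass produces no alert at all, while the per-source pass produces a single alert for 203.0.113.7 covering all three hosts, with the later successful login flagged. That single, enriched alert (source, hosts touched, failure count, whether a login eventually succeeded) is the kind of item an analyst can actually investigate, as opposed to nine separate failed-login events from three servers.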
What is a SOC?
A SOC – Security Operations Center – is a monitoring center. A SOC is typically composed of skilled and knowledgeable security analysts who examine the data coming in from your SIEM and determine whether anything critical or unusual is happening.
Highly skilled security analysts will be able to tell you if an alert that comes in from your SIEM is critical or not and will advise you on how to fix the problem.
Many large organizations with huge security budgets will build a SOC internally to manage their SIEM and other aspects of their security. Most companies that do not have a large budget to spend on their SIEM SOC but want to get the most value out of their SIEM will outsource to a company that manages it for them.
A SOC can offer many services beyond SIEM management. It may offer configuration management and change management of security devices such as firewalls, IDS/IPS, VPN, SIEM, AV, etc. It also performs security incident response and monitors near-real-time logs with the help of SIEM tools. Depending on contractual or legal requirements, there may be dedicated teams within a SOC with separate reporting hierarchies for device management and monitoring, to avoid conflicts of interest.
A SOC can manage your Endpoint Detection and Response, Vulnerability and Patch management, and more.
SIEM SOC – Do You Need Both?
A SOC should have a SIEM to help pull together all the logs and build correlation rules around them.
Many organizations purchase a SIEM and use in-house resources that may not be prepared to handle all the data that comes along with a SIEM.
Based on a recent study on the State of the SOC, security practitioners from enterprise organizations are overwhelmed by the sheer volume of alerts and investigations that require their attention. The results of the study indicate:
- 60% of Security Operations Center analysts can only handle between 7-8 incident investigations per day. — Fidelis Cybersecurity, 2018
- Only 17% of organizations have a dedicated threat-hunting team. — Fidelis Cybersecurity, 2018
Alert fatigue is a real issue, one of the many bad habits of cybersecurity professionals, and one they must break to protect their organization. It means that security analysts stop responding to security alerts because they are flooded with so many of them.
Read more here, “Are You Experiencing Notification Overload?”
While picking the right technology is important, trained personnel and the right processes to leverage the technology are equally essential. I have a saying I use with my team: “Tiger Woods could play scratch golf with my golf clubs, but I cannot play scratch golf with his clubs.”
The point is that you have to focus on leveraging the security tools and applying a methodical approach to analyzing the results from those tools. If you unpack every major breach from the past couple of years, you’ll see that often the technology detected the indications of compromise, but the right people and processes weren’t in place to address them.
Don’t make training and process development the trade-off for buying new technology; it’s a losing strategy.
SIEM SOC – Work Together Better
A SIEM is the best tool for collecting and correlating information from your organization. But what happens when you get an alert? You need a set of skilled security analysts to help you understand what those alerts mean.
Beware when outsourcing your SIEM to another SOC. Many providers today will read your alert and forward EVERY alert back to your company. What’s the benefit of this to you? None, unless you want to spend a lot of time doing what the outsourced organization should already be doing. In other words, you are completely wasting your money unless that outsourced security company provides value.
When you work with Cybriant for your SOC, you will receive threat detection and response. This is unique because our analysts will send you critical alerts and offer guidance on how to remediate those alerts. We offer additional services, so we can fix the problem for you. Most clients appreciate the step-by-step guides we send on how to remediate any critical cyber threat alerts.
SIEM SOC – Additional Benefit
The #1 benefit that a SIEM and SOC together produce? Reporting. With the right experts in your SIEM SOC, like at Cybriant, we produce high-quality results that will work for executive summaries as well as any compliance needs your organization may have.