Security information and event management (SIEM) solutions have been with us for some time and grew out of the need to consolidate logs in different formats from across the network, including security event feeds from other equipment such as intrusion detection systems (IDSs), firewalls and user endpoint software.
A SIEM will also provide a means of manually searching and analysing the data, typically using data analytics to generate alerts, present different views of the data to the analyst and to provide reports to stakeholders.
In addition, it will typically provide a capability allowing detection use cases to be developed, which look for specific sequences of events that may indicate an ongoing attack and can provide some integration into ticketing and other related systems.
Today, however, systems can generate thousands of events per second and attackers are becoming more sophisticated. Some advanced persistent threat (APT) groups can now take control of a workstation and break out into the network in an average time of less than 20 minutes from a user clicking on a link in a phishing email, and the average for all groups is less than two hours.
This has led to the notion of the 1/10/60 challenge: the need to detect an attack within one minute, understand it in 10 minutes and contain it within 60 minutes. This is not possible for the best analysts using a SIEM alone.
Security orchestration, automation and response (SOAR) solutions are intended to speed up the response to an attack by automating the incident detection and response process. They integrate with the SIEM, ticketing system, detection technologies, firewalls and proxies, as well as with threat intelligence platforms, to be able to automate the overall detection and response activity.
Security operations teams will have a playbook which details the decisions and actions to be taken from detection to containment. This may suggest actions to be taken on detection of a suspicious event through escalation and possible responses. SOAR can automate this, taking autonomous decisions that support the investigation, drawing in threat intelligence and presenting the results to the analyst with recommendations for further action.
The analyst can then select the appropriate action, which would be carried out automatically, or the whole process can be automated. For example, the detection of a possible command and control transmission could be followed up in accordance with the playbook to gather relevant threat intelligence and information on which hosts are involved and other related transmissions.
The analyst would then be notified and given the option to block the transmissions and isolate the hosts involved. Once selected, the actions would be carried out automatically. Throughout the process, ticketing and collaboration tools would keep the team and relevant stakeholders informed and generate reports as required.
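As an added illustration (not code from the article or any SOAR product), here is a minimal Python playbook that follows the steps just described over constructed proxy log records and a constructed threat-intelligence feed: enrich the alert, identify the related hosts, recommend containment, and execute it only with analyst approval or when intelligence confidence crosses a configured threshold. The log records, the feed, the addresses (RFC 5737 documentation ranges) and the action names are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data (RFC 5737 documentation addresses, not real indicators):
# a handful of proxy log records and a tiny threat-intelligence feed.
PROXY_LOGS = [
    {"src": "10.0.0.5", "dst": "198.51.100.23", "bytes_out": 512},
    {"src": "10.0.0.5", "dst": "198.51.100.23", "bytes_out": 514},
    {"src": "10.0.0.7", "dst": "198.51.100.23", "bytes_out": 520},
    {"src": "10.0.0.9", "dst": "203.0.113.8", "bytes_out": 9000},
]
THREAT_INTEL = {"198.51.100.23": {"tag": "c2", "confidence": 90}}


@dataclass
class Case:
    """Case record: enrichment results, recommended actions, what ran, and the ticket trail."""
    alert: dict
    intel: dict = field(default_factory=dict)
    hosts: list = field(default_factory=list)
    recommended: list = field(default_factory=list)
    executed: list = field(default_factory=list)
    ticket: list = field(default_factory=list)


def enrich(alert: dict) -> Case:
    """Playbook steps 1-2: look up the destination in threat intel and find every
    internal host that has talked to it (the related transmissions)."""
    case = Case(alert=alert)
    case.intel = THREAT_INTEL.get(alert["dst"], {"tag": "unknown", "confidence": 0})
    case.hosts = sorted({r["src"] for r in PROXY_LOGS if r["dst"] == alert["dst"]})
    case.recommended = [("block_destination", alert["dst"])] + [
        ("isolate_host", h) for h in case.hosts]
    case.ticket.append(f"enriched: intel={case.intel} hosts={case.hosts}")
    return case


def respond(case: Case, approved: bool, auto_threshold: int = 95) -> Case:
    """Playbook step 3: containment runs only if the analyst approved it, or if intel
    confidence is high enough for the playbook to act autonomously."""
    if approved or case.intel["confidence"] >= auto_threshold:
        for action, target in case.recommended:
            # A real SOAR would call firewall/proxy/EDR connectors here; this example
            # (assumption: no live systems) records the action on the case instead.
            case.executed.append((action, target))
            case.ticket.append(f"executed {action} on {target}")
    else:
        case.ticket.append("awaiting analyst approval")
    return case
```

With the sample data, an alert for 198.51.100.23 is tagged as C2 at confidence 90, so nothing is executed until the analyst approves; lowering `auto_threshold` to 90 would let the playbook contain it without waiting.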
SIEM providers have started to add some of these functions, and operational teams do use the built-in capabilities of the SIEM, or its application programming interfaces (APIs), to automate processes, which could be seen as an overlap between SIEM and SOAR.
A SOAR solution will, however, sit above the SIEM and provide better integration with threat intelligence platforms and more advanced tools that provide more complex outputs than a simple stream of logs. Typically, a SOAR solution will also provide case management, analysis and reporting and support communication and collaboration.
While a SOAR solution can help achieve the 1/10/60 target and save scarce analyst time, it requires significant configuration. Default configurations may provide a start, but playbooks and defined workflows must be tuned before they can be automated in a SOAR solution, as it will not generate these for you.
Also, in order to respond, the SOAR solution must know how to reconfigure firewalls, DNS servers and proxies, for example, as well as how to isolate hosts in your specific environment. In the long run, though, SOAR will allow more to be done faster with less analyst input.
Although SIEM and SOAR are different, they are both necessary and need to operate together. SOAR features will continue to be added by SIEM providers, and Gartner estimates that by the end of 2020 only 15% of security organisations with five or more security professionals will adopt SOAR. However, it is unlikely that standalone SIEM solutions will be disappearing soon.