Understanding SOCs and SIEM Software
Although IT professionals will know all about SOCs and SIEM tools, business executives might need bringing up to speed. SOC stands for "Security Operations Center." Dealing with cyber security on a passive basis alone (e.g. through firewalls and intrusion detection systems (IDSs)) is like building a wall around a castle and just hoping the enemy doesn't find a way through or over it. Although there are different definitions, in most cases an SOC centralizes the security function of a business or organization. Setting up an SOC involves employing a team of people and establishing processes to monitor a host system or IT network and respond to any security incidents. Occasionally, one-person SOCs are found, but this is the exception. Every SOC needs some kind of SIEM tool. SIEM stands for Security Information and Event Management, so SIEM software is a set of tools for providing the information needed to detect and manage security events. More specifically, SIEM tools aggregate and normalize data from various sources. This data can come from message logs (syslog), OS logs, endpoint devices, firewall/IDS output and network flow logs. Rather than simply logging all the data, SIEM tools strip out anything irrelevant and bring the rest into a common format; this is called normalization. SIEM software then uses correlation rules to highlight links between events, ready for analysis by a human IT support team. Analysts can then carry out NetFlow analysis and other techniques to investigate the reasons for any anomalies and, where necessary, take action to protect the business's IT infrastructure. Although every SOC will have some kind of SIEM software, this tool is also used by Cyber Incident Response Teams (CIRTs) and as part of other security-related IT services. LA, for example, has set up SIEM technology within its centralized cyber intrusion command center.
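To make the aggregate, normalize and correlate steps concrete, here is a small added example (not code from the article or from any SIEM product) of a miniature SIEM pipeline in Python. It reads two constructed log sources in different formats (an sshd syslog line and a firewall kernel log line), normalizes both into one event schema, drops lines the correlation rule has no use for, and then applies one correlation rule across both sources: several failed logins from one source IP followed by a successful login from the same IP inside a short window, with the firewall entries for that IP attached to the alert. All hostnames, IPs, timestamps and the assumed year for the firewall lines are constructed sample values.

```python
"""Miniature SIEM pipeline: aggregate -> normalize -> correlate.
Added illustration; all log lines, hosts and IPs are constructed sample data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ASSUMED_YEAR = 2024  # assumption: the constructed firewall lines carry no year

# Constructed sample input in two different formats (syslog from sshd, firewall kernel log).
SYSLOG_LINES = [
    "2024-03-01T09:00:01 srv-auth sshd[1201]: Failed password for admin from 203.0.113.7 port 51234",
    "2024-03-01T09:00:04 srv-auth sshd[1201]: Failed password for admin from 203.0.113.7 port 51235",
    "2024-03-01T09:00:09 srv-auth sshd[1201]: Failed password for admin from 203.0.113.7 port 51236",
    "2024-03-01T09:00:15 srv-auth sshd[1201]: Accepted password for admin from 203.0.113.7 port 51237",
    "2024-03-01T09:01:00 srv-auth CRON[1300]: pam_unix(cron:session): session opened for user root",
    "2024-03-01T09:02:00 srv-auth sshd[1400]: Failed password for bob from 198.51.100.5 port 40000",
]
FIREWALL_LINES = [
    "Mar  1 09:00:00 fw01 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Mar  1 09:00:14 fw01 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>[\d.]+)"
)
FW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<action>DENY|ACCEPT) "
    r".*SRC=(?P<ip>[\d.]+) DST=(?P<dst>[\d.]+) .*DPT=(?P<port>\d+)"
)


def normalize_sshd(line):
    """Map an sshd auth line into the common event schema; unrelated lines (cron etc.) are dropped."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "source": "sshd", "host": m["host"], "user": m["user"], "src_ip": m["ip"],
        "action": "login_success" if m["result"] == "Accepted" else "login_failure",
    }


def normalize_firewall(line):
    """Map a firewall kernel-log line into the same schema (user is unknown here)."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse the padded day field ("Mar  1")
    ts = datetime.strptime(f"{ASSUMED_YEAR} {ts_text}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts, "source": "firewall", "host": m["host"], "user": None,
        "src_ip": m["ip"], "action": m["action"].lower(),
        "dst": m["dst"], "dport": int(m["port"]),
    }


def aggregate(syslog_lines, firewall_lines):
    """Aggregate both sources, discard irrelevant lines, return one time-ordered event stream."""
    events = [normalize_sshd(l) for l in syslog_lines]
    events += [normalize_firewall(l) for l in firewall_lines]
    return sorted((e for e in events if e is not None), key=lambda e: e["ts"])


def correlate_bruteforce(events, min_failures=3, window=timedelta(seconds=60)):
    """Correlation rule: >= min_failures login failures from one IP followed by a
    success from the same IP within `window`. Firewall events from that IP in the
    same window are attached so the analyst sees both sources together."""
    alerts = []
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    for ip, evs in by_ip.items():
        for e in evs:
            if e["action"] != "login_success":
                continue
            start = e["ts"] - window
            failures = [f for f in evs if f["action"] == "login_failure" and start <= f["ts"] <= e["ts"]]
            if len(failures) >= min_failures:
                fw = [f for f in evs if f["source"] == "firewall" and start <= f["ts"] <= e["ts"]]
                alerts.append({
                    "rule": "bruteforce_then_success", "src_ip": ip, "user": e["user"],
                    "host": e["host"], "ts": e["ts"], "failures": len(failures),
                    "firewall_events": len(fw),
                })
    return alerts


def run():
    events = aggregate(SYSLOG_LINES, FIREWALL_LINES)
    return events, correlate_bruteforce(events)


if __name__ == "__main__":
    events, alerts = run()
    print(f"{len(events)} normalized events")
    for a in alerts:
        print(a)
```

On the sample data the cron line is dropped during normalization, leaving seven events, and the rule raises one alert for the constructed IP 203.0.113.7 with three failures and two attached firewall entries; bob's single failure from another IP produces nothing. In a real deployment the parsers would cover many more formats and the rule thresholds would be tuned per environment, but the shape (parse to one schema, filter, group, apply a windowed rule) is the same.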
Going Beyond SIEM
While SIEM software is critical, is it sufficient? One of the limitations of an SIEM tool is its focus purely on system-generated signals. When a cyber-attack is carried out manually, rather than by malware, it can go unnoticed. Nevertheless, there may have been user-specific anomalies that could have indicated an impending threat. For example, a user in one department may have logged into a system they rarely use on a number of occasions as they planned their moves. Or, in another scenario, the login credentials of one employee may have been stolen in a phishing attack and used by an external attacker to try to access the system at an unusual time or simultaneously with the legitimate employee. These scenarios are the domain of user behavior analytics (UBA). By integrating UBA software with your SIEM tool, you have a system capable of extending its pattern-matching capabilities from systems to users – both internal and external. Although setting up and running an SOC is, in itself, an active stance for a company to take, most are still quite reactive, spending a lot of time sifting through alerts. Even those that employ intrusion prevention technology may be slow to respond due to the size and complexity of the networks they are responsible for. Part of the problem is that most SIEM/UBA tools are still inadequate on their own. However, it is possible to integrate them with other specialized security tools. For example:
- Endpoint detection and response devices (EDR) for anything outside of the firewall
- Threat intelligence feeds
- Intruder traps (e.g. honeypots, honey files, honey users and honey credentials)
- Pre-built detections
- Central log management technology
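The three UBA scenarios described above (a rarely used system, an unusual login time, and a second session from elsewhere while the legitimate employee is logged in) can be expressed as simple per-user baseline checks. The following is an added example in Python, not code from the article or from any UBA product: it builds a baseline from a constructed twenty-day login history, then scores a handful of new sessions against it. The users, hosts, IPs, timestamps and the 10% "rare host" threshold are all constructed assumptions.

```python
"""Three user-behaviour-analytics checks against a per-user baseline.
Added illustration; every user, host, IP and timestamp is constructed sample data."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def ev(user, host, ip, start, minutes):
    """Build one login-session record (constructed sample data)."""
    s = datetime.fromisoformat(start)
    return {"user": user, "host": host, "src_ip": ip, "start": s, "end": s + timedelta(minutes=minutes)}


# Constructed history: alice works 08:30-16:30 on hr-app from one IP with a single
# visit to fin-db; bob works a night shift on backup-srv.
HISTORY = []
for day in range(1, 21):
    HISTORY.append(ev("alice", "hr-app", "10.1.1.20", f"2024-02-{day:02d}T08:30:00", 480))
    HISTORY.append(ev("bob", "backup-srv", "10.1.1.40", f"2024-02-{day:02d}T22:00:00", 420))
HISTORY.append(ev("alice", "fin-db", "10.1.1.20", "2024-02-10T14:00:00", 10))

# Constructed new sessions to score against the baseline.
NEW_EVENTS = [
    ev("alice", "hr-app", "10.1.1.20", "2024-03-01T08:35:00", 480),    # normal working session
    ev("alice", "fin-db", "10.1.1.20", "2024-03-01T09:10:00", 30),     # system alice rarely uses
    ev("alice", "hr-app", "198.51.100.9", "2024-03-01T10:00:00", 60),  # overlaps the 08:35 session, other IP
    ev("alice", "hr-app", "10.1.1.20", "2024-03-02T03:15:00", 20),     # hour alice has never been active
    ev("bob", "backup-srv", "10.1.1.40", "2024-03-01T22:05:00", 420),  # normal for bob's night shift
]


def hours_active(e):
    """Yield every clock hour a session touches (handles sessions crossing midnight)."""
    t = e["start"].replace(minute=0, second=0, microsecond=0)
    while t <= e["end"]:
        yield t.hour
        t += timedelta(hours=1)


def build_baseline(history):
    """Per user: how often each host is used, and which hours of the day are ever active."""
    hosts = defaultdict(Counter)
    hours = defaultdict(set)
    for e in history:
        hosts[e["user"]][e["host"]] += 1
        hours[e["user"]].update(hours_active(e))
    return {"hosts": hosts, "hours": hours}


def analyze(events, baseline, rare_ratio=0.1):
    """Return (user, finding, detail, when) tuples for the three UBA checks."""
    findings = []
    for e in events:
        user_hosts = baseline["hosts"][e["user"]]
        total = sum(user_hosts.values())
        share = user_hosts[e["host"]] / total if total else 0.0
        if share < rare_ratio:  # rarely used (or never seen) system for this user
            findings.append((e["user"], "rare_host", e["host"], e["start"]))
        if e["start"].hour not in baseline["hours"][e["user"]]:  # outside the user's usual hours
            findings.append((e["user"], "unusual_hour", e["start"].hour, e["start"]))
    # Overlapping sessions of one user from two different source IPs.
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["start"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["start"] >= a["end"]:  # later sessions start even later: stop
                    break
                if a["src_ip"] != b["src_ip"]:
                    findings.append((user, "concurrent_sessions", f"{a['src_ip']}+{b['src_ip']}", b["start"]))
    return findings


def run():
    return analyze(NEW_EVENTS, build_baseline(HISTORY))


if __name__ == "__main__":
    for f in run():
        print(f)
```

Against the constructed data this yields exactly three findings, all for alice: the fin-db session (one visit in twenty-one is below the 10% threshold), the 10:00 session from a second IP while the 08:35 session is still open, and the 03:15 login outside her 08:00 to 16:00 activity window. Bob's night-shift login raises nothing because the baseline is per user, which is the point of UBA: the same 22:05 login would be an anomaly for alice. Real systems replace the hard thresholds with statistical scoring and decay old history, but the per-user baseline structure is the same.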
Imagining the SOC of the Future
As the IoT grows, the current SOC model is going to become increasingly obsolete. On the other hand, AI and machine learning are likely to make security software smarter. Although it is impossible to guess exactly what the SOC of the future will look like, by integrating SIEM, UBA and other tools with a triage platform, orchestration software and case management features, companies can at least begin the process of building a future-proof security center.