2. Security Information and Event Management
Components of SIEM
SEM (Security Event
Management)
The segment of security
management that deals with
real-time monitoring, correlation
of events, notifications ,and
console views is commonly
known as SEM.
Security Information
Management
The second area provides long-
term storage, analysis, and
reporting of log data and is
known as SIM.
It is a term for software products and services combining security
information management (SIM) and security event management (SEM).
SIEM technology provides real-time analysis of security alerts generated
by network hardware and applications.
Step 4
Pinpoint security breaches and enable organization to investigate alerts
Step 3
Analyze the data to discover and detect threats
Step 2
Normalized and aggregate collected data
Step 1
Collect Data from various sources( Network Devices, servers, Domain
controllers and more
SIEM Process
4. SIEM Functionality
Log management aggregates
data from many sources,
including network, security,
servers, databases, and
applications, providing the
ability to consolidate
monitored data to help
avoid missing crucial events.
Data aggregation This involves looking for
common attributes and
linking events into
meaningful bundles. This
technology provides the
ability to perform a variety
of correlation techniques to
integrate different sources to
turn data into useful
information.
Correlation:
This is the automated
analysis of correlated events
and production of alerts to
notify recipients of
immediate issues.
Alerting:
Tools can take event data
and turn it into
informational charts to assist
in seeing patterns or
identifying activity that is
not forming a standard
pattern.
Dashboards
Applications can be
employed to automate
the gathering of
compliance data,
producing reports that
adapt to existing security,
governance, and auditing
processes.
Compliance This involves employing
long-term storage of
historical data to facilitate
correlation of data over
time and to provide the
retention necessary for
compliance requirements
Retention
This is the ability to
search across logs on
different nodes and time
periods based on specific
criteria.
Forensic
analysis Some SIEMs include
automated alert and
response capabilities that
can be programmed to
suit your policies and
environment.
Automated
Response
5. Why SOAR is required
Why
SOAR?
• SIEM tools usually needs regular tuning to continually
understand and differentiate between anomalous and normal
activity.
• SIEM applications require consistent fine-tuning and
development for security teams to maximize their value while
avoiding getting bombarded with countless alerts.
• SIEM applications require dedicated development staff to
manage rules and use cases to ensure that normal activities
are not mixed up with suspicious ones.
• It is difficult to ingest data from external feeds like SSL
certificate chain data , domain reputation scores etc. and it
normally works with only logs and event data from whole lot
0f traditional infrastructure
6. What is SOAR( Security Orchestration , Automation and Response)
Security
Orchestration,
Automation
and
Response
(SOAR)
• It is a term used to describe the convergence of
three distinct technology markets:
• Security orchestration and automation
• Security incident response platforms (SIRP)
• Threat intelligence platforms (TIP).
• SOAR technologies enable organizations to collect
and aggregate vast amounts of security data and
alerts from a wide range of sources.
• This helps to build automated processes to respond
to low-level security events and standardize threat
detection and remediation procedures.
• .
Three core
capabilities
of SOAR
technologies:
Threat and
vulnerability
management
Security
incident
response
Security
operations
automation
7. Components of SOAR
Threat Intelligence
• Ingest and Analyzes data
Automation
• Automates low level
manual process
Orchestration
• Connects and integrates disparate tools
Response
• Offers a single-view
dashboard to plan,
manage, monitor and
report incident
response.
8. SOAR Platform Components
Security orchestration
•Security orchestration connects and integrates disparate
internal and external tools via built-in or custom
integrations and application programming interfaces
(APIs).
•Connected systems may include vulnerability scanners,
endpoint protection products, end-user behavior
analytics, firewalls, intrusion detection and intrusion
prevention systems (IDSes/IPSes), and security
information and event management (SIEM) platforms, as
well as external threat intelligence feeds.
•Where security orchestration consolidates data to initiate
response functions, security automation takes action.
Security Automation
•Security automation, fed by the data and alerts collected
from security orchestration, ingests and analyzes data and
creates repeated, automated processes to replace manual
processes.
•Using artificial intelligence (AI) and machine learning to
decipher and adapt insights from analysts, SOAR
automation can make recommendations and automate
future responses.
•Playbooks are essential to SOAR success. Prebuilt or
customized playbooks are predefined automated actions.
Multiple SOAR playbooks can be connected to complete
complex actions.
Security response
•Security response offers a single view for analysts into the
planning, managing, monitoring and reporting of actions
carried out once a threat is detected.
•It also includes post-incident response activities, such as
case management, reporting and threat intelligence
sharing.
•Security incident response technologies that support how
an organization plans, manages, tracks and coordinates
the response to a security incident
9. Benefits of SOAR
• SOAR's improved data context,
combined with automation, can
bring lower mean time to detect
(MTTD) and mean time to
respond (MTTR).
Faster incident
detection and
reaction times.
• By integrating more data from a
wider array of tools and
systems, SOAR platforms can
offer more context, better
analysis and up-to-date threat
information.
Better threat
context.
• SOAR platforms consolidate
various security systems'
dashboards into a single
interface.
Simplified
management.
• SOAR's orchestration,
automation and workflows can
meet scalability demands more
easily.
Scalability.
• Automating lower-level threats
augments SecOps and security
operations center (SOC) teams'
responsibilities, enabling them
to prioritize tasks more
effectively and respond to
threats that require human
intervention more quickly.
Boosting
analysts'
productivity.
• Standardized procedures and
playbooks that automate lower-
level tasks enable SecOps teams
to respond to more threats in
the same time period
Streamlining
operations.
• SOAR platforms' reporting and
analysis consolidate information
quickly, enabling better data
management processes and
better response efforts to
update existing security policies
and programs for more effective
security
Reporting and
collaboration.
• In many instances, augmenting
security analysts with SOAR
tools can lower costs, as
opposed to manually
performing all threat analysis,
detection and response efforts.
Lowered costs.
10. Benefits and Drawbacks of SOAR tools
Benefits
• Improves Productivity
• Builds Risk Resilience
• Faster incident response
• Centralized Management
of multivendor tools
• Streamlined process and
operations
Drawbacks
• Cannot fix strategy or
culture
• Overinflated expectations
• Limited success metrics
• Undervalue human
Analysts
• Complexity
11. SEIM and SOAR
SEIM
• Aggregate Logs
• Generate alerts
• Analyses data to identify potential
threats
• Limited response work flows
• Notifies users and analysts of suspicious
activity.
• SIEM Tools :
• Splunk enterprise SIEM
• Microsoft Azure Sentinel
• Archsight
• SolarWinds SIEM Security and
Monitoring
SOAR
• Aggregates security alerts and threat
intelligence
• Ingests alerts from SIEM and other tools
• Enriches and correlates to determine
risk
• End to End automation powered
response work flows
• Orchestrates actions across integrated
tools
• SOAR Tools
• Splunk Phantom.
• IBM Resilient.
• DFLabs IncMan.
• Insightconnect.
