THE MODERN SOC, SECOPS AND SIEM:
HOW THEY WORK TOGETHER
A Basic Incident Response Model
While SOCs are undergoing transformation and assuming additional roles, their core activity remains incident response. The SOC is the organizational unit that is expected to detect, contain, and mitigate cyber attacks against the organization. The people responsible for incident response are Tier 1, Tier 2 and Tier 3 analysts, and the software they primarily rely on is the SOC's security information and event management (SIEM) system.
1. Event Classification: Tier 1 analysts monitor user activity, network events, and signals from security tools to identify events that merit attention.

2. Prioritization and Investigation: Tier 1 analysts prioritize, select the most important alerts, and investigate them further. Real security incidents are passed to Tier 2 analysts.

3. Containment and Recovery: Once a security incident has been identified, the race is on to gather more data, identify the source of the attack, contain it, recover data and restore system operations.

4. Remediation and Mitigation: SOC staff work to identify broad security gaps related to the attack and plan mitigation steps to prevent additional attacks.

5. Assessment and Audit: SOC staff assess the attack and mitigation steps, gather additional forensic data, draw final conclusions and recommendations, and finalize auditing and documentation.
A SIEM is a foundational technology in a SOC—here is how a SIEM can help with each incident response stage:
1. Alert generation and ticketing: A SIEM collects security data from organizational systems and security tools, correlates it with other events or threat data, and generates alerts for suspicious or anomalous events.

2. Searching and exploring data: A SIEM can help Tier 1 and Tier 2 analysts search, filter, slice and dice, and visualize years of security data. Analysts can easily pull and compare relevant data to better understand an incident.

3. Context on incidents and security orchestration: When a real security incident is identified, a SIEM provides context around the incident, for example which other systems were accessed by the same IPs or user credentials.

4. Reporting and dashboarding: Remediation and mitigation are an ongoing activity, and they require visibility of the status and activity of critical security and IT systems. SIEMs have a cross-organization view which can provide this visibility.

5. Compliance reporting: One of the core functions of a SIEM is to produce reports and audits for regulatory requirements and standards like PCI DSS, HIPAA and SOX, both on an ongoing basis and following an incident or breach.
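To make stages 1 and 3 above concrete, here is a small added example (not from the guide or any vendor product) of what a SIEM correlation rule and an incident-context pivot do: it parses a handful of constructed authentication events, raises an alert when several failed logins from one source IP are followed by a success inside a short window, and then answers the Tier 2 question "which other systems did that IP or that credential touch?". Field names, thresholds and the log layout are assumptions made for the example.

```python
"""Toy SIEM correlation rule and incident-context pivot over constructed auth events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, host, user, source IP, outcome.
RAW_EVENTS = """\
2024-03-01T09:00:01 web01 alice 10.0.0.5 failure
2024-03-01T09:00:03 web01 alice 10.0.0.5 failure
2024-03-01T09:00:05 web01 alice 10.0.0.5 failure
2024-03-01T09:00:09 web01 alice 10.0.0.5 success
2024-03-01T09:15:00 db02 alice 10.0.0.5 success
2024-03-01T09:20:00 fs03 bob 10.0.0.7 success
2024-03-01T11:00:00 vpn01 alice 203.0.113.9 success
"""


def parse_events(text):
    """Normalize one whitespace-separated event per line into dicts (the SIEM's ingest step)."""
    events = []
    for line in text.splitlines():
        ts, host, user, ip, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "ip": ip, "outcome": outcome})
    return events


def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Alert generation: flag a success from an IP preceded by >= threshold failures within window."""
    alerts = []
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            if e["outcome"] != "success":
                continue
            recent_failures = [f for f in evs[:i]
                               if f["outcome"] == "failure" and e["ts"] - f["ts"] <= window]
            if len(recent_failures) >= threshold:
                alerts.append({"ip": ip, "user": e["user"], "host": e["host"],
                               "failures": len(recent_failures), "ts": e["ts"]})
    return alerts


def pivot_context(events, ip, user):
    """Incident context: other hosts reached by the same IP or the same credential."""
    hosts_by_ip = sorted({e["host"] for e in events if e["ip"] == ip})
    hosts_by_user = sorted({e["host"] for e in events if e["user"] == user})
    return {"by_ip": hosts_by_ip, "by_user": hosts_by_user}
```

Note that the later success on db02 from the same IP falls outside the five-minute window and so does not raise a second alert, but the pivot still surfaces it as a host the analyst should look at.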
Next-gen SIEM

1. Next-generation SIEMs leverage machine learning and behavioral analytics to reduce false positives and alert fatigue, and discover hard-to-detect complex events like lateral movement, insider threats and data exfiltration.

2. Next-generation SIEMs are based on data lake technology that allows organizations to store unlimited data at low cost. They also leverage machine learning and user and entity behavior analytics (UEBA) to easily identify high risk events and surface them to analysts.

3. Next-generation SIEMs provide security orchestration, automation and response (SOAR) capabilities. They integrate with other security systems and can automatically perform containment actions.

4. Next-generation SIEMs leverage machine learning and data science capabilities that establish smart baselines for groups of users and devices. This allows faster and more accurate detection of insecure systems or suspicious activity.
exabeam.com // The Essential Guide to SIEM