What is a SIEM? What is a SOC? And what should I know about them as a decision maker in my business?

Current events such as the Colonial Pipeline attack are driving businesses across the country to reassess their cyber-security posture and risk management processes.

This is for the best, because while many have taken a proactive approach to security management, millions of individuals and businesses are underprepared to deal with the modern threats facing them. The first step to addressing that is by stepping back and figuring out where your specific risks are and what controls best address those risks.

This has brought many businesses to start looking at more sophisticated solutions that take unconventional and aggressive approaches to cyber-security, such as Security Information and Event Management solutions (SIEM) as well as Security Operation Centers (SOC).

But before you go down this path and start making some significant decisions that have bearing on both your cyber-risks as well as your bottom line, let’s take a moment to get into what SIEM/SOC are and where they are a good fit.

What is a SIEM?

A SIEM, or Security Information and Event Management, is a tool that pulls in forensic data in order to provide security analytics.

SIEM is a broad term, and there is significant variation in what a particular SIEM might do. Think of SIEM like a car. A car has four wheels and a motor, but it can be as simple as a golf cart or as complicated as a Formula 1 racer. SIEMs have similar variation.

The key function a SIEM has is to pull logs from various hardware and software to have visibility on the key “events” occurring on a system, such as someone logging in, a file being saved, privileges being changed on an account, and so on. SIEMs gather these logs and, depending on the complexity of the product, send alerts of particularly suspicious activity.

SIEMs will also retain logs for a period of time, which can be useful both for compliance and forensic purposes. These logs can be helpful to determine what happened in the event of an incident, as well as provide information on how to address risks.

Why would you need a SIEM over something like Anti-Virus or Anti-Malware?

Anti-virus and similar software can be very good at stopping specific software from executing code (as long as it is familiar with the virus), but it has limitations.

For one thing, these applications are inherently imperfect and viruses and malware that change tend to get past defensive software like a typical Anti-virus product.

Not only that, but correlation of logs with a SIEM can give you information about other types of attacks that have nothing to do with viruses, such as insiders exfiltrating data, poor security configurations leading to odd logs, identifying unauthorized uses of encryption, and other threats that occur on the traffic of a network without running behind a specific virus.

OK, so what is a SOC then?

A SOC, or Security Operations Center, is a team of information security engineers who monitor and analyze system events on an ongoing basis.

If the SIEM is the car, the SOC is the driver. The typical SOC is a centrally managed group focused on monitoring specific systems for suspicious activity and often times intervening before attacks become significantly damaging.

A SOC will have professionals from a variety of security related fields. In addition to security engineers, you might also have leadership who focus on impact, communications, and project/incident management. You will often see some kind of SIEM at the center of the SOC, as the SIEM provides the SOC with the pieces of information they need to take action.

The SOC will follow specific protocols such as monitoring coverage times and standards, steps to be taken in the event of an incident, responses to third parties including potentially law enforcement or attorneys and others.

Do I need a SIEM or SOC or both?

The answer to this question is it depends. There has to be a serious conversation on risk vs. reward and return on investment when it comes to implementing these higher end security solutions.

Security engineers and log management solutions are not as affordable as many other security solutions that business leaders are accustomed to like perimeter firewalls, Anti-virus/malware, and spam filters.  They are not a one-size-fits-all solution so specific recommendations will vary and some organizations may not be able to justify them at all.

Another thing you have to be aware of are laws, regulations, and compliance standards in your business. Regardless of my opinion, or your opinion of impact on risk to your business, you may be required to implement these solutions.

Additionally, A SIEM is only as useful as who is managing it. While these are powerful tools with extensive features and analytics, in the hands of someone unprepared to deal with the demands of security engineering, a SIEM may not be useful.

In fact, you could find yourself in the midst of an incident that proper management could have avoided. But assuming you would face serious consequences as a results of a major security incident and have technical personnel or management companies capable of managing it, a SIEM can be a valuable tool to protect your organization.

The management piece is where the SOC comes in. Many businesses utilize a SOC solution to get the cyber-security expertise necessary to successfully manage a SIEM and make sure they utilize it properly. It’s difficult to establish the response procedures as well internally source the staff who can do this. From a budget perspective, a SOC can also provide an economy of scale and predictable costs. So while you may need to make a significant investment to get higher end security, at least you know what to expect.

Wrapping Up

SIEM and SOC are very complicated conversations, but hopefully this article gives you a sense of where you need to be thinking before you start making difficult decisions when it comes to higher end security solutions.

If you aren’t sure what your security toolkit should be, there’s never been a better time to start a discussion and take measures to reduce your cyber-security risks.

Learn more about the Managed Security Operations at DP Solutions.