Many new security specialists misunderstand this idea and believe that the more data you have, the better off you are. I've seen companies subscribe their tools to random threat intelligence feeds on the assumption that "more data makes us safer". Large SOCs have shown me many dashboards full of statistics from various flashy tools, but the reality is that none of these tools or data sources matter on their own. The real value of the data you collect depends on how it is used.
Now let's examine and compare SIEM, SOAR and XDR technologies one by one. A SIEM typically performs several steps on the data it receives.
In the first step, data is parsed into fields and associated values are linked; an example is identifying the time field and its values. In the second step, data is normalized and classified, reducing the collected data to a more useful and organized format. In the third step, data is enriched by applying additional information and transformations that make it more valuable. In the fourth step, data is indexed so it can be located quickly during queries. In the fifth step, data is stored and referenced.
The following diagram summarizes what a SIEM does with the data it receives. The goal is to reduce hundreds of thousands of logs to actionable alerts that a SOC analyst can investigate. Duplicate alerts can be consolidated into one alert with a count, and indexing allows searching without having to scan all the data to find the content of interest.
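To make the five SIEM steps and the alert reduction above concrete, here is an added example (my own code, not from the article or any SIEM product) of a toy pipeline: it parses constructed syslog-style lines, normalizes their timestamps to UTC and classifies them, enriches them from a constructed asset inventory and indicator list, keeps an inverted index over a few fields, and finally collapses repeated hits into deduplicated alerts with a count. The hostnames, IP addresses, the `ASSETS` and `THREAT_LIST` tables and the year assumed for BSD-style syslog timestamps are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input (not from the article): sshd and firewall lines
# in two different timestamp formats, as a SIEM would actually receive them.
SAMPLE_LOGS = [
    "2024-03-01T10:15:02+02:00 host1 sshd[812]: Failed password for root from 203.0.113.5 port 51012 ssh2",
    "2024-03-01T10:15:04+02:00 host1 sshd[812]: Failed password for root from 203.0.113.5 port 51013 ssh2",
    "Mar  1 08:15:10 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22",
    "2024-03-01T08:16:00Z host2 sshd[901]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2",
]
# Constructed enrichment sources: an asset inventory and a threat-intel indicator list.
ASSETS = {"host1": {"owner": "web-team", "criticality": "high"},
          "host2": {"owner": "dev-team", "criticality": "low"},
          "fw1": {"owner": "netops", "criticality": "high"}}
THREAT_LIST = {"203.0.113.5": "known scanner (constructed indicator)"}
BSD_SYSLOG_YEAR = 2024  # assumption: BSD syslog timestamps carry no year

HEADER_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\S+|[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
SRC_IP_RE = re.compile(r"(?:from |SRC=)(\d{1,3}(?:\.\d{1,3}){3})")


def parse(line):
    """Step 1: split a raw line into fields and link related values (timestamp, host, source IP)."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ip = SRC_IP_RE.search(ev["msg"])
    ev["src_ip"] = ip.group(1) if ip else None
    return ev


def normalize(ev):
    """Step 2: put every timestamp into one UTC ISO form and classify the event."""
    raw = ev["ts"]
    if raw[0].isdigit():
        ts = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    else:
        ts = datetime.strptime(f"{BSD_SYSLOG_YEAR} {' '.join(raw.split())}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)  # assumption: the appliance logs in UTC
    ev["ts"] = ts.astimezone(timezone.utc).isoformat()
    msg = ev["msg"]
    if "Failed password" in msg:
        ev["category"] = "auth_failure"
    elif msg.startswith("Accepted"):
        ev["category"] = "auth_success"
    elif msg.startswith("DROP"):
        ev["category"] = "fw_drop"
    else:
        ev["category"] = "other"
    return ev


def enrich(ev):
    """Step 3: attach context the raw log lacks: asset owner/criticality and threat-intel hits."""
    ev["asset"] = ASSETS.get(ev["host"], {"owner": "unknown", "criticality": "unknown"})
    ev["threat_match"] = THREAT_LIST.get(ev["src_ip"])
    return ev


class SIEMStore:
    """Steps 4 and 5: an inverted index over selected fields plus the stored events."""
    INDEXED = ("host", "src_ip", "category")

    def __init__(self):
        self.events = []               # step 5: storage, referenced by position
        self.index = defaultdict(set)  # step 4: (field, value) -> set of event ids

    def ingest(self, line):
        ev = parse(line)
        if ev is None:
            return None
        ev = enrich(normalize(ev))
        eid = len(self.events)
        self.events.append(ev)
        for f in self.INDEXED:
            if ev[f] is not None:
                self.index[(f, ev[f])].add(eid)
        return eid

    def search(self, **terms):
        """Resolve a query through the index, so no full scan of the stored events is needed."""
        ids = None
        for f, v in terms.items():
            hits = self.index.get((f, v), set())
            ids = hits if ids is None else ids & hits
        return [self.events[i] for i in sorted(ids or [])]


def build_alerts(store):
    """Reduce events to alerts: failures or drops from a threat-listed IP, deduplicated with a count."""
    alerts = {}
    for ev in store.events:
        if ev["threat_match"] and ev["category"] in ("auth_failure", "fw_drop"):
            key = (ev["category"], ev["src_ip"], ev["host"])
            a = alerts.setdefault(key, {"category": ev["category"], "src_ip": ev["src_ip"],
                                        "host": ev["host"], "count": 0, "first_seen": ev["ts"]})
            a["count"] += 1
    return list(alerts.values())


if __name__ == "__main__":
    store = SIEMStore()
    for line in SAMPLE_LOGS:
        store.ingest(line)
    for alert in build_alerts(store):
        print(alert)
```

Running it turns the four constructed lines into two alerts: one `auth_failure` against `host1` with a count of 2, and one `fw_drop` against `fw1`; the successful login from the non-listed address produces no alert, and `search(src_ip=..., category=...)` resolves through the index rather than by scanning every event.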
A SIEM is very helpful but doesn't solve all of the challenges analysts face on today's networks. As a result, organizations have had to develop their own processes for how they manually respond to events. These processes can be converted into repeatable responses, also known as playbooks, which have the potential to be automated with the right technology. As the volume and speed of events increase, analysts find themselves experiencing the data-overload problem again, even with a SIEM. Another challenge with a SIEM is its inability to handle all of the potential and available data sources. Consider big data, for example, which represents data volumes too large for a SIEM to collect. This creates demand for extra tools to accommodate the data the SIEM can't handle, such as a big data management platform, which means more infrastructure and complexity. Even data that can be collected by a SIEM might not be processed properly without custom parsing or normalization, requiring a lot of manual labor.
Organizations need automated actions driven by playbooks so their analysts can focus on more complex tasks. SOCs also need a way to manage the lifecycle of an event, more commonly called case management, ensuring that the SOC and non-SOC teams involved are tracked and held accountable for their actions. SOCs need to handle all data sources beyond what a SIEM is limited to processing, to ensure they are aware of the current threat landscape. All of these requirements were recognized by the industry and led to the creation of the Security Orchestration, Automation, and Response (SOAR) market.
SIEM compared with SOAR:
- SIEM collects logs; SOAR consolidates IOCs into cases.
- SIEM incorporates user behavior analytics; SOAR automates the processes for testing for false positives.
- SIEM automates commands; SOAR automates playbooks.
- SIEM is optimized and suited for true raw event search; SOAR is suited for hunting suspicious activities.
- SIEM is syslog based; SOAR is alert and IOC based.
- SIEM integrates with vulnerability scanners; SOAR integrates with third-party threat feeds.
Many well-known SIEM vendors have either acquired a third-party SOAR or built their own SOAR offering to fill the capability gaps left by their SIEM platform. Many SIEM/SOAR vendors bill on data usage, which can be measured as events per second. Because of this, the more data you send to the system, the higher your periodic invoice or license cost will be.
Default SOAR automation and playbooks are growing every day. You have to be ready to develop or modify playbooks to meet your custom needs in order to see the true value.
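The playbook, false-positive testing and case-management ideas from the preceding paragraphs, and the point that playbooks must be adaptable to custom needs, are illustrated by this added example (my own code, not from the article or any SOAR product). A playbook is just an ordered list of step functions run against a case; the case carries an explicit lifecycle with legal state transitions and an audit trail of who changed what. The `ALLOWLIST`, the `THREAT_FEED` entries, the team names and the severity thresholds are all assumptions made for the example, and any containment is only queued as a pending action for a human to approve.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed reference data (not from the article): an allowlist of known-benign
# sources and a small third-party-style threat feed keyed by indicator.
ALLOWLIST = {"192.0.2.50": "internal vulnerability scanner"}
THREAT_FEED = {"203.0.113.5": {"confidence": 90, "tags": ["bruteforce"]},
               "198.51.100.7": {"confidence": 20, "tags": ["seen-once"]}}
# Case lifecycle: which states a case may move to from its current state.
TRANSITIONS = {"new": {"triaged", "closed"}, "triaged": {"in_progress", "closed"},
               "in_progress": {"closed"}, "closed": set()}


@dataclass
class Case:
    case_id: str
    alert: dict                      # consolidated alert, e.g. handed over by the SIEM
    state: str = "new"
    severity: str = "unknown"
    owner: str = "soc-tier1"
    enrichment: dict = field(default_factory=dict)
    pending_actions: list = field(default_factory=list)
    history: list = field(default_factory=list)   # audit trail: (when, who, what)

    def record(self, actor, what):
        self.history.append((datetime.now(timezone.utc).isoformat(), actor, what))

    def transition(self, actor, new_state):
        """Enforce the lifecycle so nobody can, for example, reopen a closed case silently."""
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"illegal transition {self.state} -> {new_state}")
        self.record(actor, f"state {self.state} -> {new_state}")
        self.state = new_state


# Playbook steps: each takes a case and returns True to continue or False to stop.
def check_false_positive(case):
    """Close the case early when the indicator is a known-benign source."""
    ioc = case.alert["src_ip"]
    if ioc in ALLOWLIST:
        case.record("playbook", f"{ioc} allowlisted: {ALLOWLIST[ioc]}")
        case.severity = "false_positive"
        case.transition("playbook", "closed")
        return False
    return True


def enrich_from_feed(case):
    """Look the indicator up in the (constructed) third-party threat feed."""
    ioc = case.alert["src_ip"]
    case.enrichment["feed"] = THREAT_FEED.get(ioc)
    case.record("playbook", f"feed lookup for {ioc}: {case.enrichment['feed']}")
    return True


def score_and_route(case):
    """Assign severity and owner from feed confidence and alert volume, then triage the case."""
    feed = case.enrichment.get("feed") or {"confidence": 0, "tags": []}
    count = case.alert.get("count", 1)
    if feed["confidence"] >= 80 and count >= 2:
        case.severity, case.owner = "high", "soc-tier2"
        # Containment is queued for a human decision; the playbook never executes it itself.
        case.pending_actions.append(f"request-block:{case.alert['src_ip']}")
    elif feed["confidence"] >= 80 or count >= 5:
        case.severity, case.owner = "medium", "soc-tier1"
    else:
        case.severity, case.owner = "low", "soc-tier1"
    case.transition("playbook", "triaged")
    case.record("playbook", f"severity={case.severity} owner={case.owner}")
    return True


DEFAULT_PLAYBOOK = [check_false_positive, enrich_from_feed, score_and_route]


def run_playbook(alert, steps=DEFAULT_PLAYBOOK, case_id="CASE-0001"):
    """Open a case for an alert and run the playbook steps over it in order."""
    case = Case(case_id=case_id, alert=alert)
    case.record("soar", "case opened from alert")
    for step in steps:
        if not step(case):
            break
    return case


if __name__ == "__main__":
    c = run_playbook({"category": "auth_failure", "src_ip": "203.0.113.5", "host": "host1", "count": 2})
    print(c.case_id, c.state, c.severity, c.owner, c.pending_actions)
    for entry in c.history:
        print(" ", entry)
```

Customizing the playbook means editing the `steps` list rather than the engine: a site that needs, say, a lookup against its own asset database adds one more step function and passes a new list to `run_playbook`. The `transition` check is what gives case management its accountability: every state change is recorded with its actor, and an illegal move raises instead of silently succeeding.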
The value of a SIEM/SOAR solution is based on the quality of the data it receives. If no data is received about the security posture of a certain part of the network, you will be blind to events in that part of the organization. If the data is not properly processed and managed by the SIEM/SOAR, you will also be effectively blind to the source of that data, given the poor results you will get.
One final data management concept that has recently hit the security market is XDR. This concept stems from endpoint detection and response (EDR), an endpoint threat detection solution that combines real-time monitoring with data collected from endpoints to automate response and analysis. If you think about this carefully, you will find this capability quite similar to what the SIEM/SOAR market is trying to do, but EDR is just for endpoints. What has happened is that EDR vendors also noticed this connection and decided to open up their services to devices beyond endpoints. As a result, they changed the E, representing endpoint, to X, which now stands for extended detection and response (XDR).
I'll conclude this article with the important statement that the true value of the data you collect is based on how it is used by these security technologies.