
SOC, SIEM and SOAR


Everybody and their grandma has heard of firewalls. Less well known are the other components that make up a strong cyber defence. We'll be touching upon those in today's blog.

SOC, SIEM and SOAR. Lots of acronyms but what do they actually mean?

Security Operations Centre (SOC)

A SOC is the team responsible for monitoring, detecting and responding to security incidents - sort of like the cyber defence headquarters.

Typically you'll find security analysts, engineers and incident responders who monitor alerts, investigate suspicious activity and coordinate responses to potential threats.

Common responsibilities include:

  • Monitoring security alerts

  • Investigating suspicious activity

  • Incident response

  • Threat hunting

  • Vulnerability management

  • Security reporting

Many companies operate a 24/7 SOC to ensure threats can be identified and addressed as quickly as possible.

It is also not uncommon for companies to outsource this and have a managed security service provider act as their SOC.

Security Information and Event Management (SIEM)

The SOC is the human element, and the SIEM is one of its most important tools.

A Security Information and Event Management platform collects and analyses logs from across an organisation's environment.

These logs may come from:

  • Servers

  • Workstations

  • Firewalls

  • Cloud platforms

  • Applications

  • Network devices

  • Endpoint security tools

The SIEM aggregates this information into a central location where security analysts can search, correlate and investigate these events.

Unsuccessful logins are not cause for concern on their own, but context matters - pair them with numerous failed login attempts followed by a successful login and then unusual activity, and that's something worth looking into.

In short a SIEM helps organisations identify threats that may get lost in the millions of daily log events.
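The failed-then-successful-login pattern described above, written as a small correlation rule over constructed, already-normalised events. This is an added example, not code from the original post; the five-attempt threshold and five-minute window are assumed tuning values, and the events are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, already-normalised form:
# (timestamp, source IP, username, outcome). Not real log data.
EVENTS = [
    ("2024-05-01T09:00:01", "203.0.113.7", "alice", "failure"),
    ("2024-05-01T09:00:03", "203.0.113.7", "alice", "failure"),
    ("2024-05-01T09:00:05", "203.0.113.7", "alice", "failure"),
    ("2024-05-01T09:00:08", "203.0.113.7", "alice", "failure"),
    ("2024-05-01T09:00:11", "203.0.113.7", "alice", "failure"),
    ("2024-05-01T09:00:14", "203.0.113.7", "alice", "success"),
    # A user who mistyped a password twice is not interesting on its own.
    ("2024-05-01T09:10:00", "198.51.100.2", "bob", "failure"),
    ("2024-05-01T09:10:09", "198.51.100.2", "bob", "failure"),
    ("2024-05-01T09:10:20", "198.51.100.2", "bob", "success"),
    # Five failures spread over more than an hour do not fit the window.
    ("2024-05-01T08:00:00", "192.0.2.9", "carol", "failure"),
    ("2024-05-01T08:20:00", "192.0.2.9", "carol", "failure"),
    ("2024-05-01T08:40:00", "192.0.2.9", "carol", "failure"),
    ("2024-05-01T09:00:00", "192.0.2.9", "carol", "failure"),
    ("2024-05-01T09:20:00", "192.0.2.9", "carol", "failure"),
    ("2024-05-01T09:21:00", "192.0.2.9", "carol", "success"),
]


def correlate_failed_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (source, user) pairs where at least `threshold` failed logins
    inside a sliding `window` are followed by a successful login."""
    by_key = defaultdict(list)
    for ts, src, user, outcome in events:
        by_key[(src, user)].append((datetime.fromisoformat(ts), outcome))
    alerts = []
    for (src, user), seq in by_key.items():
        seq.sort()                    # events may arrive out of order
        recent_failures = []          # failure timestamps still inside the window
        for ts, outcome in seq:
            recent_failures = [t for t in recent_failures if ts - t <= window]
            if outcome == "failure":
                recent_failures.append(ts)
            elif outcome == "success":
                if len(recent_failures) >= threshold:
                    alerts.append({"source": src, "user": user,
                                   "failures": len(recent_failures),
                                   "success_at": ts.isoformat()})
                recent_failures = []  # a success closes the sequence
    return alerts


if __name__ == "__main__":
    for alert in correlate_failed_then_success(EVENTS):
        print(alert)
```

Only the alice sequence fires: bob's two typos fall under the threshold, and carol's failures are too spread out for the window, which is the kind of context a single failed-login event cannot give you.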

Security Orchestration, Automation and Response (SOAR)

As organisations grow and security teams become fatigued by the sheer volume of alerts generated, a SOAR system is a welcome relief.

These platforms can automate repetitive security tasks and coordinate responses across multiple technologies.

Instead of a human analyst manually performing every step - a SOAR can execute predefined workflows known as playbooks.

Examples include:

  • Automatically blocking malicious IP addresses

  • Disabling compromised user accounts

  • Creating incident tickets

  • Gathering forensic information

  • Notifying security teams

  • Initiating containment actions

This frees up analysts to focus on higher value investigations as opposed to getting bogged down by repetitive admin.

How do they work together?

A useful way to think about these technologies is:

The SOC is the people.

The SIEM is the visibility.

The SOAR is the automation.

A SIEM collects and analyses security data.

The SOC investigates and responds to the alerts generated by the SIEM.

SOAR then automates parts of the investigation and response process, reducing workload and improving response times.

Why are they necessary?

Modern organisations typically have thousands of users and devices generating massive amounts of security data every day.

Without the right tools and processes, identifying genuine threats amongst the chaos is like finding a needle in a haystack.

The platforms discussed above help security teams make sense of the madness.

Final Thoughts

SOC, SIEM and SOAR are often discussed together because they complement one another.

A SOC provides the people and expertise.

A SIEM provides visibility into what's happening across the environment.

SOAR provides automation that enables security teams to respond more efficiently.

Individually they are powerful. Together they form the foundation of many cyber defence operations and help organisations detect, investigate and respond to threats before a worst case scenario occurs.