SIEM and SOC
Security information and event management (SIEM) is an approach to security management that collects log and event data from across an organisation's information technology (IT) estate into one place, so that it can be searched, correlated and alerted on, and thereby provides a holistic view of the organisation's security posture.
At the most basic level, a SIEM can be rules-based, or it can employ a statistical correlation engine to establish relationships between event log entries. In some deployments, pre-processing happens at edge collectors and only selected events are forwarded to a centralised management node, which reduces the volume of data transmitted and stored. The danger of this approach is that events which are individually low-value may be filtered out before they reach the correlation engine, so a rule that depends on seeing them together with a later event never fires.
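The following is an added example (not code from the original page) of a minimal rules-based correlation engine and of the edge-filtering pitfall described above. The log events, IP addresses and usernames are constructed, and the helper names `edge_filter`, `correlate` and `compare_pipelines` are hypothetical. The rule fires when one source produces five authentication failures within a minute followed by a success for the same user; when an edge collector drops informational events, the failures never arrive and the same rule stays silent.

```python
"""Rules-based SIEM correlation and the edge-filtering pitfall (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, already normalised to
# (timestamp, severity, event_id, source_ip, user).
# Severity uses syslog-style numbering: lower is more important
# (2 = critical, 5 = notice, 6 = informational).
RAW_EVENTS = [
    ("2024-03-01T10:00:01", 6, "auth_failure", "203.0.113.7", "alice"),
    ("2024-03-01T10:00:03", 6, "auth_failure", "203.0.113.7", "alice"),
    ("2024-03-01T10:00:05", 6, "auth_failure", "203.0.113.7", "alice"),
    ("2024-03-01T10:00:07", 6, "auth_failure", "203.0.113.7", "alice"),
    ("2024-03-01T10:00:09", 6, "auth_failure", "203.0.113.7", "alice"),
    ("2024-03-01T10:00:12", 5, "auth_success", "203.0.113.7", "alice"),
    ("2024-03-01T10:05:00", 6, "auth_failure", "198.51.100.9", "bob"),
    ("2024-03-01T10:30:00", 5, "auth_success", "198.51.100.9", "bob"),
    ("2024-03-01T11:00:00", 2, "av_detection", "10.0.0.5", "carol"),
]


def parse(events):
    """Turn the constructed tuples into records with real datetimes."""
    return [(datetime.fromisoformat(ts), sev, eid, ip, user)
            for ts, sev, eid, ip, user in events]


def edge_filter(events, max_level):
    """Hypothetical edge-collector pre-processing: forward only events whose
    numeric severity is <= max_level, i.e. at least that important."""
    return [e for e in events if e[1] <= max_level]


def correlate(events, threshold=5, window=timedelta(minutes=1)):
    """Rules-based correlation: alert when one (ip, user) pair produces
    >= threshold auth_failure events inside `window` and then an auth_success.
    Returns a list of alert dicts."""
    failures = defaultdict(deque)  # (ip, user) -> recent failure timestamps
    alerts = []
    for ts, _sev, eid, ip, user in sorted(events):
        recent = failures[(ip, user)]
        # Drop failures that have fallen out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if eid == "auth_failure":
            recent.append(ts)
        elif eid == "auth_success":
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "ip": ip,
                               "user": user, "failures": len(recent),
                               "at": ts.isoformat()})
            recent.clear()
    return alerts


def compare_pipelines(events=RAW_EVENTS):
    """Run the same rule over the full stream and over an edge-filtered stream
    that forwards only notice-or-worse (severity <= 5) events.
    Returns (alerts_without_filter, alerts_with_filter)."""
    parsed = parse(events)
    full = correlate(parsed)
    filtered = correlate(edge_filter(parsed, max_level=5))
    return full, filtered


if __name__ == "__main__":
    full, filtered = compare_pipelines()
    print("without edge filter:", full)      # one brute-force alert for alice
    print("with edge filter:   ", filtered)  # nothing: the failures were dropped
```

The filtered pipeline still forwards the critical antivirus event, so a volume-based review of the collector would look healthy; the loss only shows up as a rule that never fires. When tuning edge filters, test them against the correlation rules that consume the data, not just against storage volume.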
The problem we commonly see in the SIEM market is that an organisation has procured a solution as a tick-box exercise for a compliance requirement (PCI, PSN, ISO) without considering the other use cases a SIEM can serve in the enterprise. The platform then becomes little more than a central store for log data, and because little time has been spent tuning it to the specific environment it monitors, it generates large numbers of false positives.
As a result, the SIEM has become a single point of alerting within the enterprise and a platform that, in practice, creates additional work for already stretched teams.
Our approach is to go back to basics with the platform and understand the organisation's real requirements, from the data that needs to be collected through to the reports the business needs, for example on security incidents.
This can take a number of forms. For smaller businesses we take the simpler approach of optimising the SIEM by fine-tuning the rules that generate alerts. For the enterprise the focus is typically on automating the SOC with our SOCAutomation platform, which correlates multiple similar alerts raised by the SIEM into a single item of work and automates repetitive tasks such as validating an alert.
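As an added illustration of the two tasks just mentioned, grouping similar SIEM alerts and automating their first-line validation, the following example is not code from the page and is not SOCAutomation's implementation, which the page does not describe. The alert records, the allowlist of authorised scanners and the helper names `group_alerts`, `validate` and `triage` are all constructed for this illustration.

```python
"""Collapsing similar SIEM alerts into incidents and auto-validating them (added example)."""
from datetime import datetime, timedelta

# Constructed alerts as a SIEM might emit them: one rule firing repeatedly
# for a single external source, plus one firing for an internal scanner.
ALERTS = [
    {"id": 1, "rule": "port_scan", "src_ip": "203.0.113.7", "dst": "10.0.0.5", "time": "2024-03-01T09:00:00"},
    {"id": 2, "rule": "port_scan", "src_ip": "203.0.113.7", "dst": "10.0.0.6", "time": "2024-03-01T09:00:20"},
    {"id": 3, "rule": "port_scan", "src_ip": "203.0.113.7", "dst": "10.0.0.7", "time": "2024-03-01T09:00:45"},
    {"id": 4, "rule": "port_scan", "src_ip": "10.0.9.9",    "dst": "10.0.0.5", "time": "2024-03-01T09:01:00"},
    {"id": 5, "rule": "port_scan", "src_ip": "203.0.113.7", "dst": "10.0.0.8", "time": "2024-03-01T09:30:00"},
]

# Hypothetical allowlist: internal vulnerability scanners whose probing is expected.
AUTHORISED_SCANNERS = {"10.0.9.9"}


def group_alerts(alerts, window=timedelta(minutes=10)):
    """Merge alerts that share (rule, src_ip) and fall within `window` of the
    incident's first alert into one incident, so an analyst sees one item
    instead of one ticket per alert."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x["time"]):  # ISO-8601 sorts lexically
        t = datetime.fromisoformat(a["time"])
        key = (a["rule"], a["src_ip"])
        for inc in incidents:
            if inc["key"] == key and t - inc["first"] <= window:
                inc["alert_ids"].append(a["id"])
                inc["targets"].add(a["dst"])
                inc["last"] = t
                break
        else:  # no open incident matched: start a new one
            incidents.append({"key": key, "first": t, "last": t,
                              "alert_ids": [a["id"]], "targets": {a["dst"]}})
    return incidents


def validate(incident):
    """The repetitive first-line check an analyst would otherwise do by hand:
    close activity from authorised scanners, escalate a source that has
    touched several hosts, and leave the rest for human review."""
    _rule, src = incident["key"]
    if src in AUTHORISED_SCANNERS:
        return "closed_authorised_scanner"
    if len(incident["targets"]) >= 3:
        return "escalate"
    return "needs_review"


def triage(alerts=ALERTS):
    """Return (key, number_of_alerts_merged, disposition) per incident."""
    return [(inc["key"], len(inc["alert_ids"]), validate(inc))
            for inc in group_alerts(alerts)]


if __name__ == "__main__":
    for key, count, disposition in triage():
        print(key, f"{count} alert(s)", disposition)
```

Five raw alerts become three incidents: the three rapid scans from 203.0.113.7 merge and are escalated because they touched three hosts, the internal scanner's alert is closed automatically, and the later scan from the same external source half an hour on opens a fresh incident for review. The thresholds and the allowlist are the tuning points that the "back to basics" requirements work above is meant to establish for a given environment.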