SIEM & SOAR | CompTIA Security+ SY0-601 | 1.7b

In this video you will learn about security information & event management (SIEM) functions such as reporting, packet captures, log collectors, user behavior analysis, sentiment analysis, & log aggregation.  You will also learn about security orchestration, automation and response (SOAR).

Security Information & Event Management (SIEM)

Security information & event management is a subfield of computer security in which software products and services combine security information management (SIM) and security event management (SEM).  They provide real-time analysis of security alerts generated by applications and network hardware.  Vendors sell SIEM as software, as appliances, or as managed services; these products are also used to log security data and generate reports for compliance purposes.[1]  The acronyms SEM, SIM and SIEM have sometimes been used interchangeably, but generally refer to the different primary focus of each kind of product:[2]

  • Log Management:  focuses on simple collection & storage of log messages and audit trails.[3]
  • Security Information Management (SIM):  long-term storage as well as analysis & reporting of log data.[4]
  • Security Event Manager (SEM):  real-time monitoring, correlation of events, notifications and console views.
  • Security Information & Event Management (SIEM):  combines SIM & SEM and provides real-time analysis of security alerts generated by network hardware & applications.[5]

The typical functions of SIEM technologies that you need to be concerned with for the CompTIA Security+ SY0-601 certification exam are:

  • Reporting:  event visibility is a key function of SIEM; reporting capabilities include real-time monitoring and historical reports.[6]
  • Packet Captures:  captured network traffic provides details about each transaction happening on the network.[6]
  • Log Collectors:  receive information (data inputs) from devices using multiple protocols & formats, store the logs, & provide historical reporting and log filtering.[6]
  • User Behavior Analysis:  a cybersecurity process for detecting insider threats, targeted attacks, & financial fraud by tracking a system's users.  UBA looks at patterns of human behavior, and then analyzes them to detect anomalies that indicate potential threats.[7]
  • Sentiment Analysis:  use of natural language processing, text analysis, computational linguistics, and biometrics to systematically identify, extract, quantify, and study affective states & subjective information, mostly with regard to customer sentiment & brand reputation.  These tools can reveal the intent & tone behind social media posts, as well as keep track of positive or negative opinions.  Attackers can try to damage a company's reputation by creating fake accounts & bots on social media platforms to post negative public comments against a targeted organization.[6]
  • Log Aggregation:  combines events that share common fields and reduces duplicates.[6]
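The log collector, log aggregation and real-time correlation functions above fit together as one pipeline: ingest logs in different formats, normalize them to a common schema, drop duplicates, then apply a correlation rule that raises an alert.  The following is an added example written for this page, not code from the Cert Guide or from any SIEM product; the syslog-style and JSON log lines, the hostnames and the addresses are constructed, and the brute-force rule and its threshold are assumptions chosen to illustrate the idea.

```python
"""Toy SIEM pipeline: collect logs in two formats, normalize them,
aggregate (deduplicate) and correlate.  Added example; all inputs are constructed."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample inputs: syslog-style lines from an SSH daemon and JSON
# events from a web application.  Hosts and addresses are made up.
SYSLOG_LINES = [
    "2024-03-01T10:00:01Z host1 sshd[812]: Failed password for admin from 203.0.113.5 port 5001",
    "2024-03-01T10:00:03Z host1 sshd[812]: Failed password for admin from 203.0.113.5 port 5002",
    "2024-03-01T10:00:03Z host1 sshd[812]: Failed password for admin from 203.0.113.5 port 5002",  # forwarded twice
    "2024-03-01T10:00:05Z host1 sshd[812]: Failed password for admin from 203.0.113.5 port 5003",
    "2024-03-01T10:00:09Z host1 sshd[812]: Accepted password for admin from 203.0.113.5 port 5004",
]
JSON_LINES = [
    '{"ts": "2024-03-01T10:00:02Z", "host": "web1", "event": "login_failed", "user": "admin", "src_ip": "203.0.113.5"}',
    '{"ts": "2024-03-01T10:00:02Z", "host": "web1", "event": "login_failed", "user": "admin", "src_ip": "203.0.113.5"}',
    '{"ts": "2024-03-01T10:00:07Z", "host": "web1", "event": "login_ok", "user": "alice", "src_ip": "198.51.100.9"}',
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[]+)\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src_ip>\S+)"
)

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_syslog(line):
    """Log collector input 1: syslog text -> normalized event (None if unparsed)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"ts": _ts(m["ts"]), "host": m["host"], "user": m["user"], "src_ip": m["src_ip"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure", "source": "syslog"}

def parse_json(line):
    """Log collector input 2: JSON application event -> the same normalized schema."""
    d = json.loads(line)
    return {"ts": _ts(d["ts"]), "host": d["host"], "user": d["user"], "src_ip": d["src_ip"],
            "outcome": "success" if d["event"] == "login_ok" else "failure", "source": "json"}

def collect(syslog_lines, json_lines):
    events = [e for e in map(parse_syslog, syslog_lines) if e]
    events += [parse_json(l) for l in json_lines]
    return events

def aggregate(events):
    """Log aggregation: drop exact duplicates (same ts/host/user/src_ip/outcome), sort by time."""
    seen, unique = set(), []
    for e in events:
        key = (e["ts"], e["host"], e["user"], e["src_ip"], e["outcome"])
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return sorted(unique, key=lambda e: e["ts"])

def correlate(events, threshold=3, window_s=60):
    """SEM-style correlation rule (assumed for this example): at least `threshold`
    failures for a user from one source address across any hosts within
    `window_s` seconds, followed by a success for that user -> one alert."""
    alerts = []
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["outcome"] == "failure"]
        for e in evs:
            if e["outcome"] != "success":
                continue
            recent = [f for f in failures if f["user"] == e["user"]
                      and 0 <= (e["ts"] - f["ts"]).total_seconds() <= window_s]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "src_ip": ip, "user": e["user"],
                               "failures": len(recent),
                               "hosts": sorted({f["host"] for f in recent} | {e["host"]})})
    return alerts

if __name__ == "__main__":
    for alert in correlate(aggregate(collect(SYSLOG_LINES, JSON_LINES))):
        print(alert)
```

The point of normalizing first is that the correlation rule never has to know which device the event came from: the four failures are split across an SSH host and a web application, yet they count together because both collectors emit the same `user`/`src_ip`/`outcome` fields.  Deduplication before correlation matters too; without it the forwarded-twice syslog line would inflate the failure count.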

Security Orchestration Automation and Response (SOAR)

SOAR is a stack of compatible software programs that enables an organization to collect data about security threats and respond to security events without human assistance.  The goal of a SOAR platform is to improve the efficiency of physical and digital security operations.[8]  The three main components of SOAR that you need to be concerned with are:[9]

  • Orchestration:  improves incident response by integrating technologies & security tools.  Helps organizations deal with complex cybersecurity incidents by coordinating different technologies.  SOAR can tie together network security & IT operations tools – for example, gather data from network monitoring tools and use it to set firewall rules.
  • Automation:  manually detecting and responding to security incidents might require hundreds of repetitive tasks.  Many of these tasks can be automated during the incident response phase.  For example, SOAR systems can automatically triage certain types of events, avoiding manual investigation of each event to identify a real security incident.
  • Response:  SOAR platforms collect data from other security tools, integrating with SIEM and threat intelligence feeds.  They help triage and prioritize security events, and pass on rich information about the security incident to human security staff.  SOAR also provides case management, supporting collaboration, communication & task management among security operations center (SOC) staff.
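The three components map naturally onto the stages of a playbook: orchestration pulls context from other tools (a threat intelligence feed, an asset inventory) into the alert, automation scores and triages it, and response either acts or opens a case for SOC staff.  The following is an added example written for this page, not code from any SOAR product or from the sources cited; the threat-intel feed, the firewall and the case tracker are in-memory stand-ins for the real integrations a platform would call, the scoring weights are assumptions, and the alert it consumes has the shape a SIEM correlation rule might emit.

```python
"""Toy SOAR playbook: enrich an alert, triage it, and orchestrate a response.
Added example; the TI feed, firewall and case tracker are constructed stand-ins."""
import ipaddress
from dataclasses import dataclass, field

# Constructed threat-intelligence feed: indicator -> confidence (0-100).
THREAT_INTEL = {"203.0.113.5": 90, "198.51.100.77": 40}

# Constructed asset inventory: address ranges the organization owns.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

@dataclass
class Firewall:
    """Stand-in for a firewall management API; records the block rules it is given."""
    blocked: set = field(default_factory=set)

    def block(self, ip):
        self.blocked.add(ip)

@dataclass
class CaseTracker:
    """Stand-in for SOAR case management; each case records what was done for the SOC."""
    cases: list = field(default_factory=list)

    def open_case(self, alert, severity, actions):
        case = {"id": len(self.cases) + 1, "alert": alert, "severity": severity,
                "actions": list(actions),
                "assigned": "soc-analyst" if severity != "low" else None}
        self.cases.append(case)
        return case

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def enrich(alert):
    """Orchestration: pull context from the TI feed and asset inventory into the alert."""
    enriched = dict(alert)
    enriched["ti_confidence"] = THREAT_INTEL.get(alert["src_ip"], 0)
    enriched["internal_source"] = is_internal(alert["src_ip"])
    return enriched

def triage(alert):
    """Automation: score the enriched alert and map it to a severity tier (assumed weights)."""
    score = 0
    if alert["rule"] == "brute_force_then_success":
        score += 50                      # confirmed credential compromise pattern
    score += alert["ti_confidence"] // 2  # up to +50 from threat intel
    if alert.get("user") in ("root", "admin"):
        score += 20                      # privileged account involved
    if score >= 80:
        return "high"
    if score >= 40:
        return "medium"
    return "low"

def run_playbook(alert, firewall, tracker):
    """Response: act automatically where it is safe to, otherwise hand off to SOC staff."""
    alert = enrich(alert)
    severity = triage(alert)
    actions = []
    if severity == "high" and not alert["internal_source"]:
        firewall.block(alert["src_ip"])
        actions.append(f"blocked {alert['src_ip']} at perimeter firewall")
    elif severity == "high":
        # Blocking an internal address could disrupt a legitimate host; escalate instead.
        actions.append("internal source: auto-block skipped, escalated for host isolation review")
    if severity in ("high", "medium"):
        actions.append(f"requested credential reset for {alert['user']}")
    return tracker.open_case(alert, severity, actions)

if __name__ == "__main__":
    fw, ct = Firewall(), CaseTracker()
    sample = {"rule": "brute_force_then_success", "src_ip": "203.0.113.5",
              "user": "admin", "failures": 4}
    print(run_playbook(sample, fw, ct))
```

The guard on `internal_source` is the kind of condition a playbook needs before it is allowed to act without a human: an automated block is cheap to apply to an external address but can take down a production host if the source is internal, so the high-severity internal case is escalated rather than auto-remediated.  Low-severity cases are still recorded so the SOC keeps the history, but nobody is paged for them.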

References

  1. (2007). SIEM: A Market Snapshot. Dr. Dobb’s Journal.
  2. Swift, D. (2007). A Practical Application of SIM/SEM/SIEM Automating Threat Identification. SANS Institute.
  3. Kent, K. & Souppaya, M. (2006). Guide to Computer Security Log Management. Computer Security Resource Center, NIST.
  4. Jamil, A. (2010). The Difference Between SEM, SIM and SIEM
  5. (2007). The Future of SIEM – The Market Will Begin to Diverge. Tech Buddha.
  6. Santos, O.; Taylor, R.; Mlodzianowski, J. CompTIA Security+ SY0-601 Cert Guide.
  7. Market Guide for User Behavior Analytics. Gartner.
  8. Shea, S. SOAR (Security Orchestration, Automation and Response). TechTarget.
  9. Security Orchestration Automation and Response (SOAR): A Quick Guide. Cynet.