Alert and event management with SIEM and SOAR tools
Our discussion on detection tools may have left you wondering where alerts are sent
and how alerts are accessed by security analysts.
This is where security information and event management, or SIEM, tools are used.
SIEM is a tool that collects and analyzes log data to monitor critical activities in an organization.
SIEM provides security professionals with a high-level overview of what goes on in their networks.
How exactly does it do this?
Let's use an example of a car.
Cars have many different parts: tires, lights, and let's not forget all the internal machinery that's under the hood.
There are many different components of a car, but how do you know if one of them has an issue?
Aha, you guessed it! The dashboard warning lights.
The dashboard notifies you about information related to the car's components, whether the tire pressure or battery voltage is low, you need to refuel, or a door hasn't been properly closed.
A car's dashboard notifies you about the status of the car's components, so that you can take action to fix it.
SIEM tools work in a similar way.
Just like cars have many different components, a network can have thousands of different devices and systems, which make monitoring them quite the challenge.
A car's dashboard gives the driver a clear picture of the status of their car, so they don't have to worry about inspecting each component themselves.
Similarly, a SIEM looks at data flows between all the different systems in the network and analyzes them to provide a real-time picture of any potential threats to the network.
It does this by ingesting massive amounts of data and categorizes this data, so that it's easily accessible through a centralized platform similar to a car's dashboard.
Here's what the process looks like.
First, SIEM tools collect and aggregate data.
This data is typically in the form of logs, which are basically a record of
all the events that happened on a given source.
Data can come from multiple sources such as IDS or IPS, databases,
firewalls, applications, and more.
After all this data gets collected, it gets aggregated.
Aggregation simply means all this data from different data sources gets centralized in one place.
Depending on the number of data sources a SIEM collects from, a huge volume of raw unedited data can get collected.
And not all data that's collected by a SIEM is relevant for security analysis purposes.
Next, SIEM tools normalize data.
Normalization takes the raw data that the SIEM has collected and cleans it up by removing non essential attributes so that only what's relevant is included.
Data normalization also creates consistency in log records, which is helpful when you're searching for specific log information during incident investigation.
Finally, the normalized data gets analyzed according to configured rules.
SIEM analyzes the normalized data against a rule set to detect any possible security incidents, which then get categorized or reported as alerts for security analysts to review.
Now that you've explored the capabilities of SIEM tools, let's examine another security management tool.
Security orchestration, automation, and response, or SOAR, is a collection of applications, tools, and workflows that uses automation to respond to security events.
While SIEM tools collect, analyze, and report on security events for security analysts to review, SOAR automates analysis and response to security events and incidents.
SOAR can also be used to track and manage cases.
Multiple incidents can form a case, and SOAR offers a way to view all of these incidents in one centralized place.
Well, there you have it. You've learned how incident management tools like SIEM and SOAR
make it easier for security analysts to see what's happening in a network and to respond to any threats efficiently.