What is the Difference Between SIEM and SOC

Learning Objectives

  • Learn about SOC and its purpose in an enterprise
  • Differentiate between a SIEM and a SOC
  • Explore the ways a SIEM is beneficial for security analysts
  • Understand the challenges with SIEM platforms

In a secure environment, it’s essential for businesses to monitor network traffic, network appliances, and the cybersecurity technology responsible for protecting corporate data and resources. Without monitoring, businesses would be unaware if a security device failed or cyber-criminals breached protections and began exfiltrating data. Malware would also go undetected, making it even more dangerous to leave the environment unmonitored. A Security Operations Center (SOC) and a Security Incident and Event Management (SIEM) platform are different strategies for monitoring a network environment, and they work together to help corporations prevent data breaches and alert them to potential ongoing cyber-events.

What is a SOC?

In a data center or large enterprise environment, a SOC is necessary for network security. The SOC is often a physical room within the organization’s office where several employees continually monitor network traffic, alerts, and visualized information that could be used to respond to a potential cyber-incident. The SOC focuses on security of the network rather than network performance and utilization, which makes it distinct from a Network Operation Center (NOC), but SOC and NOC employees could be housed in the same physical location.

The SOC and its engineers perform a few standard functions:

  • 24/7 continual monitoring across the entire environment
  • Preventative maintenance and deployment of cybersecurity appliances
  • Alert ranking to determine priority during incident response
  • Threat response when a cyber-threat is found
  • Containment and eradication of discovered threats
  • Root-cause analysis after a cyber-incident
  • Assessment and management of compliance for various regulations

SOC engineers work directly with a SIEM platform to analyze network traffic and events. The SIEM plays a large role in a SOC employee’s ability to quickly determine if a threat compromises the network and work directly to contain it. An unmonitored network environment could have multiple threats breaching resources, but an intelligent SIEM provides the right information and alert system so that SOC employees can identify them.

Employees who make up the SOC team have a range of professional skills mainly in the cybersecurity industry. The number of team members depends on the business, but a SOC team could have forensics experts, security analysts, and cryptography and malware analysts to name just a few of the professionals who work in a SOC.

During a cybersecurity incident, the SOC team will contain and analyze the threat to figure out what went wrong, why cyber-protections failed, and what can be done to avoid the issue in the future. The SOC team is responsible for incident response, but they could also hire outside consultants to help with major security breaches so that evidence is archived and sent to law enforcement. They then work with network engineers and other security professionals to remediate the issue by changing procedures or physical infrastructure so that it will not happen again. No cyber-defenses reduce risk by 100%, but outcomes can be greatly improved with the right deployed appliances and lessons learned from previous events.

What is a SIEM?

A SIEM is a collection of cybersecurity components used to monitor network traffic and resources. From a user perspective, it’s a centralized dashboard of security information used to display alerts and suspicious network activity to a security analyst. It’s a platform containing:

  • Log aggregation from multiple sources
  • Threat intelligence
  • Event correlation and organization for easier analysis
  • Advanced analytics visualization
  • Customizable dashboards for analytics
  • Threat hunting features to find currently compromised resources
  • Forensics tools for investigation after a cyber-incident

The SIEM platform is used within a SOC, and security analysts work with these platforms in their day-to-day operations. One aspect of a SIEM not listed above is SOC automation. Some SIEM platforms integrate artificial intelligence (AI) to automate intrusion detection and prevention. A SOC analyst is still necessary for containment and eradication of the threat, but the SIEM will analyze network traffic, potentially block access, and send an alert to a security analyst to research the event further.

Complex and advanced threats are difficult to eradicate from an environment. An advanced persistent threat (APT) will set up backdoors and additional ways to exfiltrate data even after initial eradication. For example, some variants of ransomware will replicate themselves to storage across the network. If left on network storage, they can potentially reinfect the network and create another cyber-event that could impact data integrity. These threats are difficult to identify and completely remove from the environment, but a SIEM can help monitor and detect them so that analysts can remove the APT.

Actively searching for threats gives security analysts a way to find a compromise based on data collected in logs. Threat hunting features in a SIEM help with newly emerged threats that might be unknown. For example, a new variant of malware in the wild could currently be undetected by antivirus software, but a SIEM might detect unusual traffic probing a network resource and alert SOC analysts so that they can further look into the issue.

What are some SOC challenges when working with a SIEM?

At first glance, a SIEM looks like an obvious solution for any enterprise in need of network security, but using a SIEM comes with its own set of challenges. These challenges can be overcome, but they should be considered before choosing the right solution.

Depending on the number of monitored resources, a SIEM collects potentially thousands of events and aggregates the information in one location. Analysis of multiple resources in one location is a benefit for the SOC team, but the log files must be stored either locally or in the cloud. This means that the organization must have enough storage space to store the log data.

Too many false positives from a SIEM create a phenomenon called analyst fatigue or analyst burnout. A SIEM that can analyze data and send alerts to the SOC team is beneficial, but too many false positives leave analysts apathetic to alerts. When analysts no longer trust the platform, they become desensitized to alerts and may miss critical ongoing threats from legitimate notifications.

Alerts must also be specific enough so that the analyst knows the type of threat and can determine the right procedures that should be followed to contain it. The SOC team must configure the SIEM to give them the right alerts and detailed information so that they can quickly determine the right steps based on the type of threat detected.
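
To illustrate the two points above (a SIEM flagging traffic that probes a network resource, and alerts that are few and specific enough to act on), the following Python code is an added example, not code from any SIEM product. The log format, the 60-second window and the four-port threshold are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed correlation window
PORT_THRESHOLD = 4              # assumed: distinct denied ports before alerting
# Constructed sample events: time, log source, src IP, dst IP, dst port, action
RAW = """\
2024-05-01T10:00:01 firewall 203.0.113.7 10.0.0.5 21 deny
2024-05-01T10:00:02 firewall 203.0.113.7 10.0.0.5 23 deny
2024-05-01T10:00:03 firewall 203.0.113.7 10.0.0.5 80 deny
2024-05-01T10:00:04 firewall 203.0.113.7 10.0.0.5 3389 deny
2024-05-01T10:00:30 firewall 192.0.2.4 10.0.0.5 443 deny
2024-05-01T10:00:31 firewall 192.0.2.4 10.0.0.5 443 deny
2024-05-01T10:01:00 firewall 198.51.100.9 10.0.0.8 22 deny
2024-05-01T10:01:05 firewall 198.51.100.9 10.0.0.8 25 deny
2024-05-01T10:01:10 firewall 198.51.100.9 10.0.0.8 110 deny
2024-05-01T10:01:15 firewall 198.51.100.9 10.0.0.8 143 deny
2024-05-01T10:05:00 auth 203.0.113.7 10.0.0.5 22 success
"""

def parse(raw):
    rows = [line.split() for line in raw.strip().splitlines()]
    return sorted((datetime.fromisoformat(t), s, src, dst, int(p), a)
                  for t, s, src, dst, p, a in rows)

def correlate(events):
    denies, logins = defaultdict(list), defaultdict(list)
    for ts, source, src, dst, port, action in events:
        if (source, action) == ("firewall", "deny"):
            denies[(src, dst)].append((ts, port))
        elif (source, action) == ("auth", "success"):
            logins[(src, dst)].append(ts)
    alerts = []
    for (src, dst), hits in denies.items():
        start = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > WINDOW:  # slide the window forward
                start += 1
            ports = sorted({p for _, p in hits[start:end + 1]})
            if len(ports) >= PORT_THRESHOLD:
                # A later successful login from the prober raises the priority.
                followed = any(t >= ts for t in logins[(src, dst)])
                alerts.append({"rule": "port-probe", "src_ip": src, "dst_ip": dst,
                               "ports": ports, "first_seen": hits[start][0].isoformat(),
                               "severity": "high" if followed else "medium"})
                break  # one alert per source/destination pair, not per event
    return sorted(alerts, key=lambda a: a["severity"] != "high")  # high first

if __name__ == "__main__":
    print(*correlate(parse(RAW)), sep="\n")
```

Eleven raw events collapse into two ranked alerts, each naming the source, the target and the ports involved; the repeated denies from 192.0.2.4 on a single port produce no alert.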

Although a SIEM is not a requirement to have a SOC, the two cybersecurity strategies work together to protect internal resources. Without a SIEM, a SOC team does not have the right tools to detect and contain threats.
