Free guidance for implementing SIEMs and SOARs
When IT teams become swamped with the data their network devices spew out, they often turn to SIEM (security information and event management) or SOAR (security orchestration, automation and response) platforms.
SIEM solutions collect, aggregate, and correlate log data so network defenders can monitor activity and uncover advanced cyber threats. SOAR platforms work with SIEM tools — and some include a SIEM — to deliver timely responses: their playbooks draw on incident response and business continuity plans to dictate some of the actions to be taken when a specific security event occurs.
However, no matter how much automation vendors promise, these applications are rarely plug-and-play. And the fact is these platforms can’t replace human incident responders, though they can streamline the response if properly implemented.
Which is why cybersecurity agencies from nine jurisdictions (including the U.S., the U.K., and Canada) today issued three publications providing guidance for cybersecurity executives and network defenders.
Together the publications define SIEM and SOAR platforms, outline potential challenges, provide recommendations for implementation, and highlight relevant benefits for executives and practitioners.
The three are
— Implementing SIEM and SOAR Platforms: Executive Guidance;
— Implementing SIEM and SOAR Platforms: Practitioners Guidance;
— and Priority Logs for SIEM Ingestion: Practitioner Guidance, which provides practitioners detailed technical guidance for specific categories of log sources, such as Endpoint Detection and Response (EDR) tools, Windows and Linux operating systems, network devices, and cloud deployments.
“By automating log collection and centralization, analyzing this data, and presenting the analysis in dashboards and reports, a SIEM makes it easier for a human security team to see and interpret what is happening across the network,” says one of the reports. “This information would otherwise be extremely complex and scattered. Another benefit of implementing a centralized log solution or SIEM platform is streamlining access to event data during an investigation into a suspicious event, eliminating the need to log into each machine to manually collect logs.”
What kinds of implementation problems do CISOs face? If an organization has only deployed log forwarding or replication mechanisms to 10 of its 12 Active Directory (AD) servers, then the SIEM platform has a “blind spot” for events occurring on the other two AD servers, the guidance points out. On the other hand, an organization may decide, through a risk assessment process, to accept that the SIEM ingests logs from only a certain percentage of its desktops as a representative sample of desktop activity.
The guidance also adds that the SIEM should not be used as the log centralization layer: collection and storage of logs belong in a separate log management solution, with the SIEM reserved for log analysis.
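Blind spots of the kind described above only show up if someone compares what the SIEM is actually receiving against an independent inventory of what should be sending. The following is an added example, not code from the joint guidance, of that check: it takes a CMDB-style inventory of hosts, a per-event export from the SIEM, and a per-asset-class minimum coverage (full coverage for AD servers, an accepted sampled share for desktops) and reports silent hosts, classes below their accepted coverage, and hosts that log but are missing from the inventory. The inventory, the event lines and the coverage thresholds are all constructed for illustration.

```python
"""Log-source coverage check for a SIEM.

Added example, not from the joint guidance. It compares an inventory of hosts
that are expected to send logs against what the SIEM has actually received,
and reports blind spots. The inventory, the event dump and the accepted
coverage levels below are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed inventory: hostname -> asset class. Take this from AD, the CMDB or
# the EDR console, never from the SIEM itself: a host the SIEM has never heard
# of cannot show up as missing in a report derived from SIEM data alone.
INVENTORY = {
    "dc01": "ad_server", "dc02": "ad_server", "dc03": "ad_server",
    "ws-001": "desktop", "ws-002": "desktop", "ws-003": "desktop",
    "ws-004": "desktop", "ws-005": "desktop",
}

# Minimum share of each class that must be reporting. Domain controllers must
# be fully covered; a sampled share of desktops may be accepted through a
# risk assessment.
REQUIRED_COVERAGE = {"ad_server": 1.0, "desktop": 0.2}

# Constructed SIEM export, one event per line: "<timestamp> <host> <event id> <name>".
SIEM_EVENTS = """\
2024-05-01T09:00:00Z dc01 4624 logon
2024-05-01T09:05:00Z dc02 4624 logon
2024-04-28T09:00:00Z dc03 4624 logon
2024-05-01T08:00:00Z ws-001 4688 process_create
2024-05-01T08:30:00Z ws-002 4688 process_create
2024-05-01T08:45:00Z unknown-host 4688 process_create
"""

# Fixed "now" so the example is reproducible.
NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)


def last_seen(events: str) -> dict:
    """Return the most recent event timestamp per host from the export."""
    seen = {}
    for line in events.splitlines():
        if not line.strip():
            continue
        ts_text, host, _rest = line.split(" ", 2)
        ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def coverage_report(inventory, events, now, max_silence=timedelta(hours=24)):
    """Classify every inventoried host as reporting or silent.

    A host is a blind spot if the SIEM has no event from it, or its newest
    event is older than max_silence (a forwarder that died last week is as
    blind as one never deployed).
    """
    seen = last_seen(events)
    blind_spots = {}                      # host -> last event seen, or None
    counts = defaultdict(lambda: [0, 0])  # class -> [reporting, total]
    for host, cls in inventory.items():
        counts[cls][1] += 1
        ts = seen.get(host)
        if ts is not None and now - ts <= max_silence:
            counts[cls][0] += 1
        else:
            blind_spots[host] = ts
    # Hosts that send logs but are not in the inventory: an inventory gap, and
    # a sign the "percentage of desktops" figure is computed on a wrong base.
    unknown_hosts = sorted(set(seen) - set(inventory))
    coverage = {cls: (rep, tot) for cls, (rep, tot) in counts.items()}
    failing = sorted(
        cls for cls, (rep, tot) in coverage.items()
        if rep / tot < REQUIRED_COVERAGE.get(cls, 1.0)
    )
    return {
        "blind_spots": blind_spots,
        "unknown_hosts": unknown_hosts,
        "coverage": coverage,
        "failing_classes": failing,
    }


if __name__ == "__main__":
    report = coverage_report(INVENTORY, SIEM_EVENTS, NOW)
    for cls, (rep, tot) in sorted(report["coverage"].items()):
        flag = "FAIL" if cls in report["failing_classes"] else "ok"
        print(f"{cls}: {rep}/{tot} reporting ({flag})")
    for host, ts in sorted(report["blind_spots"].items()):
        print(f"blind spot: {host} last seen {ts.isoformat() if ts else 'never'}")
    for host in report["unknown_hosts"]:
        print(f"not in inventory: {host}")
```

On the constructed data, dc03 is flagged even though it once sent logs, because its newest event is three days old; the AD server class therefore fails its 100 percent requirement, while the desktops pass the accepted 20 percent sample. Run this on a schedule against the real inventory, and treat a protected-asset class dropping below its threshold as an incident in its own right, since the SIEM cannot alert on what it never receives.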
If a SOAR’s response functionality is not properly configured and maintained, the platform may misidentify regular user or system behaviour as an event or incident and take automated measures to isolate and respond, the guidance adds.
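The usual defence against that failure mode is to put a gate in front of any destructive playbook action. The following is an added example, not code from the joint guidance or from any SOAR product, of such a gate for an automated host-isolation step: it requires a minimum severity and detection confidence, keeps newly written detections in a dry-run mode where the playbook only recommends, routes protected assets such as domain controllers to a human, and trips a circuit breaker when automatic isolations come in a burst, which is far more likely to be a rule misfiring on routine activity than a real outbreak. The alert fields, thresholds, rule names and host lists are assumptions, and the alert stream is constructed.

```python
"""Guardrails for an automated host-isolation step in a SOAR playbook.

Added example, not from the joint guidance or from any SOAR product. It models
the decision a playbook makes before calling an EDR "isolate host" action, so
that a misfiring detection cannot quarantine normal users or critical servers
unattended. The alert fields, thresholds and host lists are assumptions.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str          # name of the detection that fired
    confidence: float  # 0.0 to 1.0, as assigned by the detection
    severity: str      # key of SEVERITY_RANK
    fired_at: datetime


@dataclass(frozen=True)
class IsolationPolicy:
    min_confidence: float = 0.8
    min_severity: str = "high"
    # Assets that are never isolated without a human, e.g. domain controllers:
    # a false positive here takes down authentication for everyone.
    protected_hosts: frozenset = frozenset({"dc01", "dc02", "dc03"})
    # Detections still being tuned: the playbook recommends, it does not act.
    dry_run_rules: frozenset = frozenset({"beaconing-v2"})
    # Circuit breaker: more automatic isolations than this inside the window
    # is far more likely to be a rule misfiring on routine activity than a
    # real outbreak, so the playbook stops and escalates.
    max_isolations_per_window: int = 3
    window: timedelta = timedelta(hours=1)


class IsolationGate:
    """Decides, per alert, whether the playbook may isolate automatically."""

    def __init__(self, policy: IsolationPolicy):
        self.policy = policy
        self._auto_isolations = deque()  # timestamps, oldest first

    def decide(self, alert: Alert):
        """Return (decision, reason) for one alert; checks run in this order."""
        p = self.policy
        # Drop isolations that have aged out of the circuit-breaker window.
        while self._auto_isolations and alert.fired_at - self._auto_isolations[0] > p.window:
            self._auto_isolations.popleft()

        if (SEVERITY_RANK[alert.severity] < SEVERITY_RANK[p.min_severity]
                or alert.confidence < p.min_confidence):
            return "no_action", "below severity/confidence threshold; ticket only"
        if alert.rule in p.dry_run_rules:
            return "recommend", "rule is in dry-run mode; analyst decides"
        if alert.host in p.protected_hosts:
            return "require_approval", "protected asset; needs human approval"
        if len(self._auto_isolations) >= p.max_isolations_per_window:
            return "require_approval", "circuit breaker tripped; escalate to analyst"

        self._auto_isolations.append(alert.fired_at)
        return "isolate", "automatic isolation"


def run_playbook(alerts, policy=IsolationPolicy()):
    """Feed alerts through one gate, in order, and return the decisions."""
    gate = IsolationGate(policy)
    return [gate.decide(a) for a in alerts]


def _t(hour, minute=0):
    return datetime(2024, 5, 1, hour, minute, tzinfo=timezone.utc)


# Constructed alert stream, in arrival order.
SAMPLE_ALERTS = [
    Alert("ws-001", "ransomware-file-encryption", 0.95, "critical", _t(9, 0)),
    Alert("dc01", "ransomware-file-encryption", 0.95, "critical", _t(9, 1)),
    Alert("ws-002", "beaconing-v2", 0.90, "high", _t(9, 2)),
    Alert("ws-003", "rdp-login-failures", 0.60, "medium", _t(9, 3)),
    Alert("ws-004", "lsass-memory-access", 0.92, "high", _t(9, 10)),
    Alert("ws-005", "lsass-memory-access", 0.92, "high", _t(9, 11)),
    Alert("ws-006", "lsass-memory-access", 0.92, "high", _t(9, 12)),
    Alert("ws-007", "lsass-memory-access", 0.92, "high", _t(11, 0)),
]

if __name__ == "__main__":
    for alert, (decision, reason) in zip(SAMPLE_ALERTS, run_playbook(SAMPLE_ALERTS)):
        print(f"{alert.fired_at:%H:%M} {alert.host:<8} {alert.rule:<28} -> {decision:<16} ({reason})")
```

On the constructed stream the first workstation is isolated, the same detection on dc01 is held for approval, the untuned beaconing rule only recommends, the low-confidence RDP alert gets a ticket, and the third lsass alert inside the hour trips the breaker even though it would otherwise qualify; two hours later the window has cleared and automatic isolation resumes. The ordering matters: the dry-run and protected-asset checks sit before the breaker so that a burst of alerts on servers never consumes the automatic budget.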
Implementing a SOAR platform may require a range of staff with specialist skills, including security professionals to identify which parts of the response should be automated; platform engineers to design the automation; developers to determine how response automation may affect bespoke or in-house developed products or services; and legal counsel or governance, risk and compliance experts to determine any risks and regulatory consequences arising from response automation.
“For these reasons, SOAR platforms are usually not suitable for immature environments – that is, environments that lack an existing SIEM, have only a newly established SIEM capability, or lack an experienced security team,” says the guidance. “In general, investing in the proper implementation of a SIEM platform and achieving effective log analysis is a higher priority than implementing a SOAR.”
The three documents are worth reading by CEOs, CIOs and CISOs.