The important role of SIEM in the SOC Triad

As IT environments become increasingly complex and sophisticated (a result of digital transformation initiatives such as cloud adoption, IoT convergence, remote working, and third-party infrastructure integration), it seems to make sense that organisations are adopting increasingly complex cyber security solutions to tackle associated new vulnerabilities and risks. In fact, it’s not uncommon for larger businesses to deploy dozens of security tools at any one time, with Gartner reporting that worldwide spending on security and risk management is forecast to grow 11.3% in 2023.

All too often, however, the combination of increasingly sophisticated security threats, expanding attack surfaces, and understaffed and overworked security teams results in overly complex – oftentimes sprawling – patchworks of isolated security products. Sadly, in some cases, this ‘piling up’ of tools can do more harm than good; causing several systemic pitfalls including interoperability, management, governance, and usability issues.

As it turns out, however, mitigating organisational security challenges doesn’t require an overwhelming amount of data protection tools and backup systems. Just the opposite, in fact. The secret for organisations is to leverage an asset they already have, data.

The Security Operations Center (SOC) Visibility Triad

The good news is that Gartner has created a new SOC security model based on this very concept. Namely, the SOC Visibility Triad (or, simply, ‘the SOC Triad). This approach combines three foundational elements to create a comprehensive security approach:

• SIEM (Security Information and Event Management).
• Tooling (including EDR)
• NDR (Network Detection and Response).

First introduced in 2015 by Anton Chuvakin, the triad “seeks to significantly reduce the chance that the attacker will operate on your network long enough to accomplish their goals” and promotes a security strategy that encourages teams to accept security breaches as inevitabilities, whilst still understanding how they can detect, respond, and remediate such threats effectively.

According to Gartner, “the escalating sophistication of threats requires organisations to use multiple data sources for threat detection and response” and so, by combining the three pillars above, the Triad works to harness the strengths of each solution whilst mitigating their respective weaknesses. In other words, each solution reinforces the other, creating a multi-layered and comprehensive approach to network security.

Security Information and Event Management (SIEM)

For the purpose of this article, I’d like to take a closer look at the first element, SIEM, and why it’s so important and beneficial to businesses.

Security information and event management (SIEM) is the method of identifying, monitoring, recording, and analysing cyber security events in real-time. SIEM technology can sort through huge data sets within seconds to detect abnormalities or malicious behaviour, also offering IT personnel a ‘quick glance’ view of how their infrastructure is performing at any given moment.

A SIEM provides a unified and extensive view of IT infrastructure security, across all network applications and from multiple vendors of hardware and software. To do so, it primarily relies on logging mechanisms from places including endpoints, custom applications, cloud services, and various other data sources. These logs are collected in a variety of different formats, and parsed to ensure that they can be correlated and analysed more efficiently, which means improved and earlier detection capabilities leading to a SIEM’s ultimate objective of reducing ’dwell time’ (the time an attack occurs to when it is detected).

SIEM affords businesses the ability to stay ahead of external and internal security threats by allowing SIEM users to map their organisation’s threat landscape and identify attacks using pre-established rules. These rules are mapped to the latest tactics, techniques and procedures (TTPs) that attackers would use, meaning SOAR (security orchestration, automation, and response) agents can respond quickly to security incidents via triggered alerts and automated security controls which stop the suspicious activity from progressing.

SIEM is effective in the face of ever-evolving threats and threat actors since, over time, its monitoring capabilities improve and become more accurate. It's also a flexible solution that supports multiple environments and can flex and scale as your business and network grows.

Sean Tickle is cyber services director at Littlefish, a managed IT and cyber security service provider based in the UK.