Incident response is an organizational process that allows security teams to contain security incidents or cyber attacks and prevent or control damage. Incident response also allows teams to handle the aftermath of the attack: recovery, remediating security holes exposed by the attack, forensics, communication and auditing. This is known as reactive incident response.
Threat hunting is the core activity of proactive incident response, and it is carried out by skilled security analysts. It typically involves querying security data using a Security Information and Event Management (SIEM) system, and running vulnerability scans or penetration tests against organizational systems. The objective is to discover suspicious activity or anomalies that represent a security incident.
Many security incidents are only discovered weeks or months after they took place—while some are never discovered. Many organizations are developing proactive incident response capabilities. This involves actively searching corporate systems for signs of a cyber attack.
Case management involves collecting, distributing and analyzing data tied to specific security incidents, to allow teams to effectively respond.
Case management solutions help security staff:
Security Orchestration, Automation and Response (SOAR) is a new category of security tools defined by Gartner in a recent paper (a departure from Gartner’s previous definition of the category, in 2015, as “Security Operations, Analytics and Reporting”).
Gartner defines SOAR as tools that:
SOAR tools provide the following four capabilities that help Security Operations Centers (SOCs) respond to incidents more effectively.
Orchestration is the ability to coordinate decision making, and automate responsive actions based on an assessment of risks and environment states.
SOAR tools can do this by integrating with other security solutions in a way that lets them “pull” data and also “push” proactive actions. SOAR provides a generic interface, allowing analysts to define actions on security tools and IT systems without being experts in those systems or their APIs.
An example of orchestration, processing a suspicious email: detonating a file and extracting anomalous behavioral and network indicators using Exabeam, a next-generation SIEM which includes an Incident Responder SOAR module
An automation playbook editor provided by Exabeam
Automation is related to orchestration—it is machine-driven execution of actions on security tools and IT systems, as part of a response to an incident. SOAR tools allow security teams to define standardized automation steps and a decision-making workflow, with enforcement, status tracking and auditing capabilities.
Automation relies on security playbooks, which analysts can code using a visual UI or a programming language like Python.
An example of an automation playbook: Exabeam’s Malware Playbook
This SOAR capability helps security teams manage security incidents, collaborate and share data to resolve the incident efficiently.
A SOAR tool gathers and analyzes security data, typically taken from the SIEM, correlates data to identify priority and criticality, and automatically generates incidents for investigation. The incident already includes relevant context information, allowing analysts to investigate further. This removes the need for a human to notice the relevant security data, identify it as a security incident and manually set up an incident in the system.
A SOAR tool provides an investigation timeline to collect and store artifacts of the security incident, for current and future analysis. Artifacts may relate to known attacker’s activities, which may be carried out over an extended period. Additional artifacts can be pulled in to investigate if they are related to the ongoing incident.
The tool can record actions and decisions made by the security team, making them visible to the entire organization, as well as external auditors. Over time, the SOAR tool creates an organizational knowledge base of tribal knowledge—threats, incidents, historical responses and decisions and their outcomes.
A SOAR tool brings in threat data from open-source databases, industry leaders, coordinated response organizations, and commercial threat intelligence providers. The SOAR tool attaches the relevant threat information to specific incidents, and makes threat intelligence easily accessible to analysts as they are investigating an incident.
A security incident created automatically by Exabeam’s Incident Responder
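The orchestration interface, the automation playbook and the automatic incident creation described above, condensed into one runnable sketch. This is an added example, not Exabeam's code: the alerts, the threat-intel feed and the `edr.isolate_host` connector are constructed stand-ins, and the priority formula is an assumption chosen for illustration.

```python
"""Minimal SOAR-style playbook: enrich SIEM alerts, score them, open incidents."""
from dataclasses import dataclass, field
from typing import Callable

# Constructed threat-intel feed (sample data, not a real feed).
THREAT_INTEL = {"198.51.100.7": "known C2 (constructed)"}

# Constructed SIEM alerts, shaped like what a SIEM hands to the SOAR tool.
SIEM_ALERTS = [
    {"id": "a1", "rule": "Failed logins > 50", "user": "jdoe",
     "src_ip": "198.51.100.7", "severity": 3, "asset_critical": True},
    {"id": "a2", "rule": "New admin account", "user": "svc_backup",
     "src_ip": "10.0.0.5", "severity": 2, "asset_critical": False},
]

@dataclass
class Incident:
    alert_id: str
    priority: int            # 1 = highest
    context: dict            # enrichment attached at creation time
    timeline: list = field(default_factory=list)  # auditable actions/decisions

    def record(self, actor: str, action: str) -> None:
        self.timeline.append((actor, action))

# Generic action interface: connectors register named "pull"/"push" actions,
# so a playbook never needs to know the underlying tool's API.
ACTIONS: dict[str, Callable] = {}
def action(name: str):
    def reg(fn): ACTIONS[name] = fn; return fn
    return reg

@action("intel.lookup")            # pull: enrich an indicator
def intel_lookup(ip: str): return THREAT_INTEL.get(ip)

@action("edr.isolate_host")        # push: hypothetical connector, records intent only
def isolate_host(ip: str): return f"isolate requested for {ip}"

def score(alert: dict, intel) -> int:
    """Assumed formula: severity, asset criticality and an intel hit raise priority."""
    p = 5 - alert["severity"]
    if alert["asset_critical"]: p -= 1
    if intel: p -= 1
    return max(1, p)

def run_playbook(alerts: list) -> list:
    incidents = []
    for a in alerts:
        intel = ACTIONS["intel.lookup"](a["src_ip"])
        inc = Incident(a["id"], score(a, intel),
                       {"rule": a["rule"], "user": a["user"], "intel": intel})
        inc.record("playbook", f"enriched {a['src_ip']} -> {intel}")
        if inc.priority == 1:
            inc.record("playbook", ACTIONS["edr.isolate_host"](a["src_ip"]))
        else:
            inc.record("playbook", "queued for analyst review")
        incidents.append(inc)
    return incidents
```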
SOAR tools are not only responsible for coordinating and automating incident response, but also for enabling central measurement of SOC activity.
SOAR tools generate reports and dashboards including:
SOAR tools work closely with SIEM, the SOC’s central information system. SOAR tools leverage the integration with SIEM to:
According to Gartner’s Critical Capabilities for SIEM 2017 report, a next-generation SIEM solution must include a native component that enables handling and responding to detected incidents via automated and manual case management, workflow and orchestration, as well as capabilities for advanced threat defense.
So while SOAR tools are evolving as a separate category, in Gartner’s vision, SOAR should be an integrated part of the SIEM.
Exabeam’s Security Intelligence Platform is an example of this new hybrid. Exabeam is a SIEM solution based on modern data lake technology, which enables advanced analytics and User and Entity Behavior Analytics (UEBA). In addition, Exabeam comes with two components that provide full SOAR functionality: