SIEM (Security Information and Event Management) is a centralized platform that collects, analyzes, and manages security data to detect and respond to threats while ensuring compliance. It involves a multi-step process including data collection, normalization, analysis, and incident response, and is essential for managing increasing data breaches and complex security environments. Next-gen SIEM capabilities enhance traditional systems with advanced analytics, machine learning, and automation for improved threat detection and response.
UNIT –III
SOC Processes and Technology
What is SIEM
• SIEM is a technology that provides a centralized platform to collect, analyze, and manage security data from across an organization's IT environment.
• It integrates Security Information Management (SIM) and Security Event Management (SEM) into a unified solution.
• Purpose:
  • Centralized log management.
  • Detecting and responding to threats.
  • Compliance with regulatory frameworks.

Why do we need SIEM?
• Rise in data breaches due to internal and external threats.
• Attackers are sophisticated, and traditional point security tools on their own do not suffice.
• Mitigate sophisticated cyber-attacks.
• Manage the increasing volume of logs from multiple sources.
• Meet stringent compliance requirements.

How Does SIEM Work?
• SIEM software collects and aggregates the log data an organization generates. This comes from network and security devices, host systems, applications, etc.
• The SIEM then identifies, analyzes, and categorizes events and incidents. It usually has two main goals:
  • To create reports on all security events and incidents.
  • To alert when activity matches a predetermined set of rules, indicating a possible security issue.
• The need for better compliance management and stronger security controls has been the primary driving force behind the adoption of SIEM solutions.
• Today, large organizations build their security operations center (SOC) around a SIEM.

SIEM Process
• Four steps are involved in the SIEM process:
  1. Collect data from various sources: network devices, servers, domain controllers, etc.
  2. Normalize and aggregate the collected data.
  3. Analyze the data to detect and discover threats.
  4. Pinpoint security breaches and enable the organization to investigate alerts.
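As an added worked example (not part of the original slides), here is a small Python implementation of the four steps above, run over constructed log lines from two assumed sources: an SSH bastion emitting RFC 5424-style syslog and a web portal emitting JSON. It normalizes both formats into one schema, quarantines events whose timestamps are implausibly far in the future (a source-health check, since a device with a broken clock otherwise poisons every time-window rule), and correlates failed and successful logins per account into brute-force alerts. The rule fires on repeated failures from any number of source IPs against one account and escalates when a success follows them. Hostnames, usernames, IP addresses (RFC 5737 test ranges), the five-minute window and the threshold of five failures are all assumptions chosen for illustration.

```python
"""Toy SIEM pipeline: collect -> normalize -> correlate -> alert.
Added worked example, not taken from the slides. All log lines are constructed;
hosts, users and IPs (RFC 5737 test ranges) are placeholders."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Collection layer output from two assumed sources: RFC 5424-style syslog from an SSH
# bastion and JSON lines from a web portal. Constructed sample data.
RAW_EVENTS = [
    "2024-05-01T10:00:01Z bastion sshd[4021]: Failed password for alice from 203.0.113.5 port 50012 ssh2",
    "2024-05-01T10:00:14Z bastion sshd[4021]: Failed password for alice from 203.0.113.5 port 50013 ssh2",
    '{"ts": "2024-05-01T10:00:30Z", "event": "login_failure", "user": "alice", "src_ip": "198.51.100.7", "app": "webportal"}',
    "2024-05-01T10:00:47Z bastion sshd[4025]: Failed password for alice from 192.0.2.44 port 50110 ssh2",
    '{"ts": "2024-05-01T10:01:02Z", "event": "login_failure", "user": "alice", "src_ip": "198.51.100.7", "app": "webportal"}',
    "2024-05-01T10:01:20Z bastion sshd[4031]: Failed password for alice from 192.0.2.44 port 50111 ssh2",
    "2024-05-01T10:01:55Z bastion sshd[4033]: Accepted password for alice from 192.0.2.44 port 50112 ssh2",
    "2024-05-01T10:05:00Z bastion sshd[4040]: Failed password for bob from 203.0.113.80 port 52000 ssh2",
    "2024-05-01T10:05:09Z bastion sshd[4040]: Accepted password for bob from 203.0.113.80 port 52001 ssh2",
    # Device with a broken clock (the "poor source data health" case): three weeks in the future.
    "2024-05-22T09:00:00Z camera-07 sshd[77]: Failed password for invalid user admin from 203.0.113.200 port 1024 ssh2",
    # Line no parser claims; counted, not silently dropped.
    "2024-05-01T10:06:00Z bastion CRON[5000]: pam_unix(cron:session): session opened for user root",
]

NOW = datetime(2024, 5, 1, 10, 30, tzinfo=timezone.utc)  # fixed reference clock for the demo
MAX_FUTURE_SKEW = timedelta(minutes=5)                    # tolerance before an event is quarantined

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_ts(value):
    """ISO 8601 with trailing Z -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def normalize(line):
    """Map one raw line onto the common schema {ts, user, src_ip, outcome, source}; None if unknown."""
    line = line.strip()
    if line.startswith("{"):
        d = json.loads(line)
        outcome = {"login_failure": "failure", "login_success": "success"}.get(d.get("event"))
        if outcome is None:
            return None
        return {"ts": parse_ts(d["ts"]), "user": d["user"], "src_ip": d["src_ip"],
                "outcome": outcome, "source": d.get("app", "json")}
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(m["ts"]), "user": m["user"], "src_ip": m["ip"],
            "outcome": "failure" if m["outcome"] == "Failed" else "success", "source": m["host"]}

def correlate(events, window=timedelta(minutes=5), threshold=5):
    """Brute-force rule: >= threshold failures on one account inside a sliding window, from any
    number of source IPs (medium); escalated to high if a success follows within the window."""
    alerts, by_user = [], defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        failures, fired = deque(), False  # failures in window; one medium alert per burst
        for e in evs:
            while failures and e["ts"] - failures[0]["ts"] > window:
                failures.popleft()
            if e["outcome"] == "failure":
                failures.append(e)
                if len(failures) >= threshold and not fired:
                    alerts.append({"rule": "brute_force", "severity": "medium", "user": user,
                                   "count": len(failures), "last": e["ts"],
                                   "distinct_ips": len({f["src_ip"] for f in failures})})
                    fired = True
            else:
                if len(failures) >= threshold:
                    alerts.append({"rule": "brute_force_success", "severity": "high", "user": user,
                                   "count": len(failures), "success_ip": e["src_ip"], "ts": e["ts"]})
                failures.clear()
                fired = False
    return alerts

def run_pipeline(raw_lines, now=NOW):
    """The four-step SIEM process, with a timestamp sanity check between normalization and analysis."""
    normalized, quarantined, unparsed = [], 0, 0
    for line in raw_lines:
        ev = normalize(line)
        if ev is None:
            unparsed += 1
        elif ev["ts"] - now > MAX_FUTURE_SKEW:
            quarantined += 1  # report as a source-health problem; keep out of correlation
        else:
            normalized.append(ev)
    return {"alerts": correlate(normalized), "events": len(normalized),
            "quarantined": quarantined, "unparsed": unparsed}

if __name__ == "__main__":
    result = run_pipeline(RAW_EVENTS)
    print(f"normalized={result['events']} quarantined={result['quarantined']} unparsed={result['unparsed']}")
    for alert in result["alerts"]:
        print(alert)
```

On the constructed input the pipeline normalizes nine events, quarantines the one from the mis-clocked device, counts one unparsed line, and emits two alerts for alice: a medium brute_force alert at the fifth failure (three distinct source IPs) and a high brute_force_success alert when the login from 192.0.2.44 succeeds. bob's two attempts never reach the threshold. The distinct_ips field is what tells an analyst that blocking a single IP will not stop the attack.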
SIEM Architecture: Components and Workflow
• SIEM architecture is designed to provide a centralized framework for log collection, analysis, correlation, and response.

Key Components of SIEM Architecture
• Data Sources: collects data from multiple sources such as:
  • Firewalls
  • Intrusion Detection/Prevention Systems (IDS/IPS)
  • Servers and applications
  • Endpoints
  • Cloud platforms
  • Network devices
• Log Collection Layer:
  • Aggregates logs and events from diverse systems using agents or APIs.
  • Supports multiple formats like syslog, JSON, and proprietary logs.
• Log Storage:
  • Stores the raw logs for future reference and analysis.
  • Uses secure and scalable storage systems, either on-premises databases or cloud-based storage.
• Normalization and Parsing:
  • Converts logs into a standardized format.
  • Extracts key fields such as source IP, destination IP, and event timestamp.
• Correlation Engine:
  • Analyzes normalized data to identify patterns and anomalies.
  • Uses predefined rules, machine learning, or custom logic to detect threats.
• Threat Intelligence Integration:
  • Integrates external feeds to identify known attack signatures and malicious IPs.
• Dashboard and Reporting:
  • Provides a user-friendly interface for monitoring and managing alerts.
  • Generates reports for compliance (e.g., PCI DSS, GDPR, HIPAA).
• Alerting System:
  • Sends alerts based on thresholds or detected threats.
  • Escalates critical events to security analysts or automates responses.
• Incident Response:
  • Automates or guides actions like blocking malicious IPs, isolating infected devices, and notifying security teams.
• Forensic Analysis:
  • Enables in-depth analysis of incidents using historical data.
  • Helps in post-incident investigations and root-cause analysis.

SIEM Workflow
• Data Ingestion: logs are collected from multiple data sources in real time.
• Data Processing: logs are parsed, normalized, and enriched with threat intelligence.
• Event Correlation: the correlation engine analyzes multiple logs to detect suspicious behavior. Example: multiple failed logins followed by a successful one from a foreign IP.
• Alert Generation: alerts are triggered based on predefined rules or detected anomalies.
• Incident Response: automated actions like blocking an IP or isolating a device are executed, and security teams are notified for manual intervention.
• Post-Incident Analysis: logs and alerts are reviewed for deeper insights and preventive measures.

SIEM Functions
• In order: Collection, Aggregation, Parsing, Normalization and Categorization, Enrichment, Correlation, Rules and Alert, Indexing, Storage.

SIEM Architecture: QRadar (diagram)

Example: Detecting a Brute Force Attack Using SIEM
• Scenario: a user's account is targeted with multiple login attempts from different IPs.
• Workflow:
  • Log Collection: the SIEM collects login attempt logs from the authentication system.
  • Data Processing: normalizes the logs to extract usernames, IP addresses, and timestamps.
  • Correlation: detects multiple failed login attempts from different IPs on the same account.
  • Alerting: the SIEM generates a high-priority alert for a potential brute-force attack.
  • Response: automatically blocks the suspicious IPs and notifies the security team for further investigation. Because an attacker spreading attempts across many IPs can outrun IP-based blocking, pair it with an account-level control such as a temporary lockout or step-up authentication.
  • Post-Incident Analysis: the security team analyzes the incident to enhance detection rules.

Top Mistakes in SIEM Technology
• Collect Everything
  • The whole goal of SIEM is to collect and correlate events, so you should collect everything you can, right? Not really, at least not right away.
  • A better approach to data collection is a specific plan for what you will do with the events you collect.
  • Grow your capabilities methodically, according to that plan, one thing at a time. You will catch attackers on a regular cadence and see your capabilities and coverage increase over time.
• Poor source data health
  • For each sensor (device, application) you collect logs from, ask: are the signatures up to date? Are the logs configured the way we need?
  • This is often overlooked, especially when onboarding new data sources.
  • Also consider timestamps: devices sometimes send events with incorrect timestamps, occasionally set weeks in the future. This breaks time-window correlation and makes reports and investigations less useful.
  • Making sure your SIEM source data is useful and accurate avoids the "garbage in, garbage out" problems you will otherwise run into.
• Overcomplicated network models
  • Do you have thousands of zones defined for your network model? Are all the zones tagged to define the purpose and business requirements of each zone?
  • Rarely does a model this complicated work well in practice.
  • Instead, consider starting with a simple, high-level, catch-all zone model that simply tags what you own as "Protected." This strategy differentiates the inside world from the outside.
  • The benefits:
    • Saves time during the initial implementation.
    • Provides a general but accurate view of the environment.
    • Provides the basis for many high-value user stories.
• Too much focus on top 10
  • It is easy to pull your top 10 events, signatures, talking hosts, etc., but when you are looking for attackers these can be a distraction.
  • Top 10 lists give you a great list of your most misconfigured devices and noisiest false positives; real attacks will almost never appear in them.
  • Bottom 10 lists, the rare events, are often far more interesting.
• Lost in compliance
  • A common trap is searching for a SIEM that will solve compliance off the shelf without any customization, in order to keep auditors at bay.
  • Off-the-shelf SIEM content is useful only when it is applied to specific systems (and thus customized) or tweaked to better match the environment (like the Activate Framework).
• Using a SIEM (disproportionately) as a log search tool
  • A common mistake is spending too much time chasing down incidents with your SIEM versus building a SIEM that automatically monitors for incidents.
  • Using a SIEM solely, or disproportionately, as a log search tool will stifle your team's effectiveness in catching attackers.

SIEM Features and Capabilities
• Alerting: analyzes events and escalates alerts to notify security staff of immediate issues, by email, other messaging, or security dashboards.
• Dashboards and Visualizations: creates visualizations that let staff review event data, see patterns, and identify activity that does not conform to standard processes or event flows.
• Compliance: automates the gathering of compliance data, producing reports that fit security, governance and auditing processes for standards like HIPAA, PCI DSS, HITECH, SOX, and GDPR.
• Retention: stores long-term historical data to enable analysis, tracking, and reporting for compliance requirements. Especially important in forensic investigations, which can occur long after the fact.
• Threat Hunting: allows security staff to run queries across multiple sources of SIEM data, filter and pivot on the results, and proactively uncover threats or vulnerabilities.
• Incident Response: provides case management, collaboration, and knowledge sharing around security incidents, allowing security teams to quickly synchronize on the essential data, communicate, and respond to a threat.
• SOC Automation: integrates with other security solutions using APIs, and lets security staff define automated playbooks and workflows to be executed in response to specific incidents. "A cyber security response playbook is a plan that outlines the steps you will take in the event of a security incident."

SIEM vs. Log Management
• Both SIEM and log management software use log files and event logs to improve security by reducing the attack surface, identifying threats and improving response time in the event of a security incident.
• The key difference is that a SIEM is built with security as its primary function, whereas log management systems are used more broadly to manage resources, troubleshoot network or application outages and maintain compliance.

Next-Gen SIEM Capabilities
• What is Next-Gen SIEM? An evolution of traditional SIEM systems incorporating advanced analytics, machine learning, and real-time response capabilities.
• Traditional SIEM:
  • Limited scalability.
  • Relies heavily on manual configuration and predefined rules.
• Drivers for Next-Gen SIEM:
  • Evolving threat landscapes.
  • Need for faster detection and response.
  • Increasingly complex hybrid and cloud environments.
• SIEM is a mature technology, and the next generation of SIEMs provides new capabilities:
  • User and entity behavior analytics (UEBA): advanced SIEMs go beyond rules and correlations, using machine learning (including deep learning) to model patterns of human and machine behavior. This can help detect insider threats, targeted attacks, and fraud.
  • Security orchestration, automation and response (SOAR): next-gen SIEMs integrate with enterprise systems and automate incident response. For example, the SIEM may raise a ransomware alert and perform containment steps automatically on affected systems, ideally before the attacker encrypts the data, while simultaneously sending notifications.

Key Capabilities of Next-Gen SIEM
1. Real-Time Threat Detection and Response: continuous monitoring and analysis; faster alert generation and prioritization.
2. Machine Learning and AI: behavioral anomaly detection; reduces false positives.
3. User and Entity Behavior Analytics (UEBA): tracks normal vs. anomalous user behaviors.
4. Threat Intelligence Integration: enrichment of events with global threat feeds.
5. Automation and Orchestration: automated response workflows via SOAR.
6. Scalable Data Ingestion: handles big data in real time from diverse sources.
7. Cloud-Native Support: designed for multi-cloud and hybrid environments.
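The UEBA capability is described above, as it usually is, only as "tracks normal vs. anomalous user behaviors." As an added example (not from the slides or from any vendor product), the following Python shows the simplest form of that idea: it builds a per-user baseline from a constructed 30-day login history and scores each new login by how surprising its source country and hour-of-day bucket are relative to that baseline, using add-one smoothed frequency counts summed as surprise (negative log probability) rather than a trained model. The users, countries, history, 4-hour bucketing and the threshold of 4.0 are assumptions chosen for illustration; a user with no history at all is flagged rather than scored, because an unknown account is itself a signal.

```python
"""UEBA-style login scoring against a per-user baseline.
Added worked example, not from the slides. History and probe logins are constructed;
users and countries are placeholders. Smoothed frequency counts stand in for the
machine-learning models next-gen SIEMs advertise."""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 4.0   # anomaly threshold in nats; assumption, tuned on the constructed data below
ALPHA = 1.0       # Laplace smoothing: a never-seen value gets a finite but large surprise

def hour_bucket(ts):
    """Six 4-hour buckets of UTC hour-of-day, so a month of logins is not too sparse."""
    return ts.hour // 4

def build_baseline(history):
    """history: iterable of (user, aware datetime, country) from past successful logins."""
    baseline = defaultdict(lambda: {"n": 0, "country": Counter(), "hour": Counter()})
    for user, ts, country in history:
        b = baseline[user]
        b["n"] += 1
        b["country"][country] += 1
        b["hour"][hour_bucket(ts)] += 1
    return dict(baseline)

def surprise(counter, value, n):
    """-log P(value | user) with add-alpha smoothing over seen categories plus one unseen slot."""
    p = (counter[value] + ALPHA) / (n + ALPHA * (len(counter) + 1))
    return -math.log(p)

def score_login(baseline, user, ts, country):
    """Score one new login; higher means less like this user's history."""
    b = baseline.get(user)
    if b is None:
        # No history at all: new account or a gap in the baseline. Flag rather than guess.
        return {"user": user, "score": math.inf, "anomalous": True, "reasons": ["no baseline for user"]}
    reasons = []
    if b["country"][country] == 0:           # Counter lookup of a missing key is 0 and does not insert
        reasons.append(f"country {country} never seen for {user}")
    bucket = hour_bucket(ts)
    if b["hour"][bucket] == 0:
        reasons.append(f"{ts.hour:02d}:00 UTC is outside {user}'s usual login hours")
    score = surprise(b["country"], country, b["n"]) + surprise(b["hour"], bucket, b["n"])
    return {"user": user, "score": round(score, 3), "anomalous": score >= THRESHOLD, "reasons": reasons}

def constructed_history():
    """30 days of logins: alice from IN (twice from SG) at 04-12 UTC, bob from US at 13-21 UTC."""
    start = datetime(2024, 4, 1, tzinfo=timezone.utc)
    history = []
    for i in range(30):
        day = start + timedelta(days=i)
        history.append(("alice", day.replace(hour=4 + i % 9), "SG" if i in (10, 20) else "IN"))
        history.append(("bob", day.replace(hour=13 + i % 9), "US"))
    return history

def demo():
    """Score four probe logins against the constructed baseline."""
    baseline = build_baseline(constructed_history())
    probes = [
        ("alice", datetime(2024, 5, 2, 6, 15, tzinfo=timezone.utc), "IN"),   # routine
        ("alice", datetime(2024, 5, 2, 22, 40, tzinfo=timezone.utc), "BR"),  # new country, off hours
        ("bob", datetime(2024, 5, 2, 15, 5, tzinfo=timezone.utc), "US"),     # routine
        ("carol", datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc), "US"),    # never seen before
    ]
    return [score_login(baseline, *p) for p in probes]

if __name__ == "__main__":
    for r in demo():
        print(r)
```

Routine logins score below 1 nat; alice's late-night login from a country she has never used scores about 7 nats with two stated reasons, and carol is flagged for having no baseline. The reasons list is what makes such a score usable in a SOC: an analyst needs to know which dimension was unusual, not only that a number crossed a threshold. A real UEBA adds more dimensions (device, ASN, peer group, data volume) and learns the threshold from the alert budget instead of fixing it.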