SIEM, SOAR and SDAR

Part 1 of 2

This is the first in a series of companion articles to supplement your knowledge of Security Data Analytics and Reporting (SDAR). This article will give you a high-level overview of the different terminologies and overlapping features of some common IT tools. You’ll also learn, in detail, about SIEM software and its use cases.

Overview

Faced with an ever-growing list of acronyms in the information technology field, discerning between each of them can be confusing. IT tools like SIEM, SOAR and SDAR have several overlapping intended uses.

Figure 01: Key differences between SIEM, SOAR and SDAR. All three consume information system logs, supplemented with other data depending on the intended use

Among these, SIEM is the most popular, due to its robust set of use cases, and so most security professionals are familiar with it. However, like caring for a child, SIEM requires constant monitoring and attention. As a result, SOAR is also gaining popularity. Many organizations lack a skilled group of security professionals; SOAR helps them automate mundane activities, freeing up resources to investigate security incidents.

SDAR is known by various other acronyms, including SDA (Security Data Analytics). Some of its main functions include processing system event logs and reporting based on use cases to address systems hygiene and standards compliance.

SIEM

SIEM is a tool built with specialized use cases to spot malware, cyber-attacks and anomalies (indicators of an attack) by collecting and analyzing event logs from various devices and systems. Its strength lies in its ability to correlate events from those devices and systems to identify patterns that would otherwise be missed. Most of a SIEM's use cases are pre-built by the vendors' R&D teams, using information gathered from other customers and/or threat intelligence.

SIEM tools were historically used by organizations to help monitor compliance (PCI, HIPAA, etc.). Organizations often buy a SIEM tool without understanding it and leave it to their security analysts or, even better, outsource it to a managed service partner. SIEM spits out alerts (seriously, lots of alerts), and so hiring a few analysts to fine-tune the SIEM solution is a crucial step for organizations to feel confident in their cyber security systems. Generally, the drivers for pursuing SIEM as an organization include:

Figure 02: Critical business drivers to pursue SIEM solutions

Use cases for SIEM are built around spotting anomalies within an organization's computing infrastructure. SIEM correlates events against established baselines and available threat information, and alerts security teams when an anomaly is judged to be a potential threat. Some examples of SIEM use cases (non-exhaustive):

  • Detecting backdoors in systems (used by the vendors, government agencies, etc.)

  • Detecting symptoms of DDoS attacks

  • Identifying dormant threat actors

  • Recognizing ghost remote administration

  • Detecting keystroke loggers

  • Detecting brute force login attempts

  • Detecting DMZ zone jumping and/or reverse tunnels
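To make the brute-force use case and the correlation idea concrete, here is a toy SIEM-style correlation rule, written as an added example for this article rather than taken from any vendor's product. It parses constructed SSH-style authentication log lines, counts failed logins per source address inside a sliding time window, raises a brute-force alert at a threshold, and upgrades the alert if a successful login from the same source follows the burst (the pattern a single-event rule would miss). The log format, threshold and window are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log lines (syslog-like, not from a real system).
SAMPLE_LOGS = """\
2024-03-01T10:00:01 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:03 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:04 sshd: Failed password for root from 203.0.113.5
2024-03-01T10:00:06 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:07 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:09 sshd: Accepted password for admin from 203.0.113.5
2024-03-01T10:05:00 sshd: Failed password for bob from 198.51.100.7
2024-03-01T10:20:00 sshd: Failed password for bob from 198.51.100.7
"""

# Assumed line format: "<ISO timestamp> sshd: <Failed|Accepted> password for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

def parse(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    return d

def correlate(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source: alert}: 'brute_force' once `threshold` failures land inside
    `window`, upgraded to 'brute_force_success' if a success from that source follows."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue                # unparseable line: skip, never crash the rule
        q = failures[ev["src"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()         # drop failures that fell out of the window
            if len(q) >= threshold:
                alerts.setdefault(ev["src"], "brute_force")
        elif ev["src"] in alerts:
            alerts[ev["src"]] = "brute_force_success"   # burst followed by a login
    return alerts
```

With the sample data, 203.0.113.5 produces five failures in six seconds and then a success, so it is reported as `brute_force_success`; 198.51.100.7 fails twice fifteen minutes apart and stays below the threshold.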

SIEMs have advanced significantly over the past 2 years, due to advances in the machine learning field. Additionally, some SIEM vendors are building MITRE ATT&CK awareness directly into their solutions. Despite all this, because SIEMs need continuous tuning and larger SOC teams, organizations have started to investigate SOAR products.

Conclusion

In this article, we learned about three different security tools and took an in-depth look at SIEM. In the next article of this companion series, we will look into SOAR, SDAR and the overall business value your organization can gain by investing time into building effective security reporting.
