Security Operations Centers (SOCs) are an essential part of dealing with cyber security threats: they are where enterprise information systems are monitored, assessed and defended. SIEM (Security Information and Event Management), a combination of SIM (Security Information Management) and SEM (Security Event Management), provides near real-time analysis of security alerts generated by network hardware and applications. Different vendors provide different solutions and products for SIEM. Core features of SIEM include: aggregation, retention, correlation, ticketing systems for Incident Response teams, and reporting and alerting.

Despite this, a SIEM is useless if you don't have an intelligent Security Analyst team to manage your Security Operations Center. The SIEM is solely responsible for displaying centralized logs from different event sources; the Security Analyst team must derive logical relations from them for analysis.

The first point to keep in mind is that we don't need operational logs in our SIEM. Otherwise we would have 100,000 EPS (events per second) or even 400,000 EPS, which would obviously be a headache for our Security Analyst team to monitor. We only need logs from critical assets, which may include: email servers, web servers, LDAP servers, authentication servers, core routers/switches, database servers, IPS, IDS, firewalls, anti-virus, web application firewalls, NetFlow and other critical areas of concern in our network infrastructure.

The next part is to determine different use cases for different scenarios. When? How? What? Where? Why?
These should be considered when creating SOPs and use cases for the SIEM. When does X occur? How does X occur? What damage is caused by X? Where has X propagated in our network? Why has X occurred (what is the purpose of X)? This is the most crucial part. If our IT Security Analyst team has successfully developed use cases, it becomes easier to manage our SOC.

Don't forget that an IT Security Analyst needs 3 areas of knowledge to be a good SOC expert. Without all 3, our IT Security Analyst team might be nothing more than click monkeys.
- Knowledge about the network infrastructure and background knowledge of its architecture (devices, systems, OS, servers, everything).
- Knowledge about the SIEM and how to use it to monitor and correlate logs from different event sources for intelligence.
- Security domain knowledge, which is the core skill for any Security Analyst.
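As an added example (not code from the original post), here is one way to turn a use case of the kind described above into a correlation rule over constructed sample logs: the log format, asset names, thresholds and the brute-force-then-success scenario are all assumptions, and only events from critical assets are ingested, in line with the point about leaving operational logs out of the SIEM.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "timestamp asset EVENT key=value ..." format.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 auth-server LOGIN_FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:03 auth-server LOGIN_FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:05 auth-server LOGIN_FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:06 auth-server LOGIN_FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:07 auth-server LOGIN_FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:09 auth-server LOGIN_OK user=alice ip=203.0.113.5
2024-05-01T10:00:10 app-server DEBUG cache refresh completed
2024-05-01T10:00:12 auth-server LOGIN_FAIL user=bob ip=198.51.100.7
2024-05-01T10:00:20 auth-server LOGIN_OK user=bob ip=198.51.100.7
"""
# Only critical assets are ingested; operational chatter such as app-server DEBUG is dropped.
CRITICAL_ASSETS = {"auth-server", "firewall", "web-server", "mail-server"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<asset>\S+) (?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Return a normalized event dict, or None if unparseable or not from a critical asset."""
    m = LINE_RE.match(line)
    if not m or m["asset"] not in CRITICAL_ASSETS:
        return None
    fields = dict(KV_RE.findall(m["rest"]))
    return {"ts": datetime.fromisoformat(m["ts"]), "asset": m["asset"], "event": m["event"], **fields}

def correlate(text, threshold=5, window=timedelta(seconds=60)):
    """Use case: >= threshold LOGIN_FAIL for one (user, ip) inside `window`, then a LOGIN_OK."""
    recent = defaultdict(deque)  # (user, ip) -> timestamps of recent failures
    alerts = []
    for line in text.splitlines():
        ev = parse(line)
        if ev is None or ev["event"] not in ("LOGIN_FAIL", "LOGIN_OK"):
            continue
        q = recent[(ev.get("user"), ev.get("ip"))]
        while q and ev["ts"] - q[0] > window:  # expire failures older than the window
            q.popleft()
        if ev["event"] == "LOGIN_FAIL":
            q.append(ev["ts"])
        elif len(q) >= threshold:  # success after a burst of failures: answer When/Where/What
            alerts.append({"when": ev["ts"].isoformat(), "where": ev["asset"],
                           "what": "successful login after %d failures" % len(q),
                           "user": ev.get("user"), "ip": ev.get("ip"), "failures": len(q)})
            q.clear()
    return alerts
```

Running `correlate(SAMPLE_LOGS)` raises one alert for alice and none for bob, whose single failure stays below the threshold.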
The final part is to use all this information in our incident handling and recovery process, which is the responsibility of our Incident Response team. By managing the SIEM properly, many cyber threats can be detected at earlier stages and their impact reduced, which could save an organization from reputational and business loss.