How SIEM-SOCs Cure Alert Fatigue

Check out our full tour of the Security Operations Center, more commonly known as the SOC, and its trusty technological tool, the Security Information and Event Management (“SIEM”) platform.

SIEM and SOC are two of the most important acronyms in the cybersecurity sector. The Cyber Insurance Academy recently hosted a virtual Masterclass, led by CYREBRO, which looked specifically at SOC-as-a-Service and the high level of cybersecurity protection that it can afford your insureds. But let’s peel things back to basics and take a deep dive into the traditional SOC, its purpose, and its inner workings.

Alert Fatigue and “The Boy Who Cried Wolf”

With so many security systems running concurrently, infosec professionals are often bombarded with early alerts of operational anomalies in each system. These warnings are crucial as they can enable teams to minimize the damage of a cyber attack by responding to it as quickly as possible.

When too many of these alerts become false alarms, known as false positives in the cyber world, these IT teams become desensitized to them, resulting in longer response times, misunderstood alerts or missed opportunities to prevent otherwise avoidable high-cost business disruption. Many organizations, especially SMBs, will switch some alerts off altogether and will cherry-pick which of them they can attend to according to the resources at their disposal rather than the threat at hand.

Not finding the right balance between filtering out false positives and enabling enough alerts to switch on and active can come at a very heavy price. Some statistics from our virtual SOC Masterclass:

“In 2021, 62% of SMBs suffering a cyber attack in the world did not recuperate from it, and closed within a year and a half.”

“90% of post-mortem forensic analysis concludes that the high cost of damage was avoidable.”

In these scenarios, forensic analysis usually finds that all the warning flags were going off, logs reported suspicious activity, and escalation was stoppable, but no one could work out how to respond appropriately and in good time. This is because, in order to connect the dots, infosec professionals needed to sift through the paper trail of alerts in their siloed security systems, but alert fatigue had numbed them to these earlier warning signs. A classic case of the boy who cried wolf. That’s where Security Operations Centers step in as a potential remedy for this problem.

What is a Security Operations Center (SOC)?

A Security Operations Center (SOC) monitors and analyzes activity on networks, servers, endpoints, databases, applications, websites, and other systems on an ongoing basis, looking for anomalous activity that could be indicative of a compromise or security incident. The team working in the SOC aims to detect, analyze, investigate, report, and respond to cybersecurity incidents using a combination of technology solutions and a strong set of processes.

SOC services may be in-house, or they may be outsourced. They are typically staffed with security analysts and engineers as well as managers who oversee security operations. SOC staff members work closely with organizational incident response teams to ensure security issues are addressed quickly upon discovery.

The 24/7 monitoring provided by a SOC gives organizations an advantage to defend against incidents and intrusions, regardless of source, time of day, or attack type.

How is a SIEM used by SOCs?

Businesses today use multiple different types of endpoint systems, security tools, and applications to operate, such as EDR, anti-virus, and firewalls, but also CRM software, financial accounting software, and so on. Each of these systems regularly issues a record of security-related activities occurring across the network, known as “security logs”.

One of the key roles of a SOC is to act like a central hub, or “cyber brain”: it must collect every security log from every organizational system and interpret it successfully in order to identify those which merit an urgent response. With so many logs being created at any given moment, this is no easy feat!

A SOC will typically use a SIEM (Security Information and Event Management) platform to provide real-time analysis of security logs generated. 

The SIEM identifies the data contained in the logs and sorts it into categories such as malware activity, failed and successful logins, and others. In sorting through the logs, the SIEM acts as a “filter”, allowing only the most concerning incidents to be highlighted to the SOC. If the SIEM identifies an activity that could indicate a cyber threat to the organization, it generates a high-priority task alert to notify the SOC of the security issue. 

The SOC writes policies and protocols according to which the SIEM operates. For example, the SOC will program the SIEM to create an alert when “Log 1”, “Log 2”, “Log 4” and “Log 6” occur concurrently.
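To make the sorting and correlation steps concrete, here is an added example (not code from the post, CYREBRO, or any SIEM product) in Python: it normalizes constructed log lines from three siloed systems (firewall, authentication, EDR) into categories, then applies one correlation rule so that eight raw events on two hosts produce a single high-priority alert, while an ordinary mistyped-then-correct login on the other host never reaches the SOC. Host names, timestamps and the rule thresholds are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from three siloed systems (firewall, auth, EDR); not real data.
RAW_LOGS = [
    "2024-05-01T09:00:01 fw src=203.0.113.5 dst=10.0.0.7 action=allow port=22",
    "2024-05-01T09:00:05 auth host=10.0.0.7 user=alice result=FAIL",
    "2024-05-01T09:00:09 auth host=10.0.0.7 user=alice result=FAIL",
    "2024-05-01T09:00:14 auth host=10.0.0.7 user=alice result=FAIL",
    "2024-05-01T09:00:20 auth host=10.0.0.7 user=alice result=SUCCESS",
    "2024-05-01T09:01:02 edr host=10.0.0.7 event=malware_detected file=/tmp/x",
    "2024-05-01T09:30:00 auth host=10.0.0.9 user=bob result=FAIL",
    "2024-05-01T09:30:30 auth host=10.0.0.9 user=bob result=SUCCESS",
]

# Step 1: normalize each raw line into a SIEM category (the "sorting" role).
CATEGORIES = {
    "result=FAIL": "failed_login",
    "result=SUCCESS": "successful_login",
    "event=malware_detected": "malware_activity",
}

def categorize(line):
    ts, _source, rest = line.split(maxsplit=2)
    host = re.search(r"(?:host|dst)=(\S+)", rest).group(1)
    category = next((c for k, c in CATEGORIES.items() if k in rest), "other")
    return {"time": datetime.fromisoformat(ts), "host": host, "category": category}

# Step 2: a correlation rule like "Log 1, 2, 4 and 6 occurring concurrently": alert
# only when one host shows, within WINDOW, 3+ failed logins, then a success, then malware.
WINDOW = timedelta(minutes=5)

def correlate(lines):
    events = sorted((categorize(l) for l in lines), key=lambda e: e["time"])
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e["category"] != "malware_activity":
                continue
            recent = [x for x in evs[:i] if e["time"] - x["time"] <= WINDOW]
            fails = [x for x in recent if x["category"] == "failed_login"]
            wins = [x for x in recent if x["category"] == "successful_login"]
            if len(fails) >= 3 and wins and fails[-1]["time"] < wins[-1]["time"]:
                alerts.append({"host": host, "priority": "high", "time": e["time"]})
    return alerts
```

Running `correlate(RAW_LOGS)` returns one alert for 10.0.0.7; the SOC sees that instead of eight separate notifications.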

Business systems record their activity in what is known as logs, and send them over to a SIEM platform. The SIEM platform is managed, owned and used by the SOC.
The SIEM in action
The SIEM-SOC Central Hub
The SOC response

What is the difference between a SOC and a NOC?

A Network Operations Center (NOC) is a centralized location where IT technicians supervise, monitor, and maintain a telecommunications network. It is the main point for network troubleshooting, software updating & distribution, backups, email management, performance monitoring, and more.

  • The NOC’s job is to manage incidents in a way that reduces downtime.
  • The SOC’s main role is to protect intellectual property and sensitive customer data – a focus on security.
  • NOCs handle incidents and alerts that affect performance and availability.
  • SOCs focus on incidents and alerts that affect the security of information assets.

Combining the SOC and NOC into one entity and having them each handle the other’s duties can spell disaster. This is because their approaches are so different and the skill sets they possess are distinctive.


It is vital for cyber insurance professionals to be well-acquainted with the SOC-SIEM function in an organization’s wider cyber hygiene. While SOC is not yet commonly listed by carriers as a minimum requirement to qualify for a cyber liability policy, shifts in the industry suggest that this may soon change. Indeed, most major carriers will ask about an insured’s SOC in their proposal form.

Watch the full recording of Nadav’s Masterclass by filling in the form. Make sure to follow our social media for updates on future Masterclasses, Panel Discussions, and other cyber insurance events.