Understanding SIEM & SOAR
TRANSCRIPT
SIEM & SOAR OVERVIEW
D3 Technical Training | Level 1
SIEM COMPONENTS
LOG COLLECTION
LOG ANALYSIS
EVENT CORRELATION
LOG FORENSICS
IT COMPLIANCE
APPLICATION LOG MONITORING
OBJECT ACCESS AUDITING
REAL-TIME ALERTING
USER ACTIVITY MONITORING
DASHBOARDS
REPORTING
FILE INTEGRITY MONITORING
SYSTEM & DEVICE LOG MONITORING
LOG RETENTION
WHY SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)?
COMPLIANCE AND AUDIT FINDINGS
Collect security events from a wide variety of sources into a central repository, where they are parsed, normalized and stored
LOG AND ALERT CENTRALIZATION
Real-time analysis and alerting of potential threats from the log data flowing in
REPORTING & SEARCHING
Historic data; real-time monitoring for analysts (24x7) vs. ad hoc reporting and searching
WHAT ARE EFFECTIVE SIEM USE CASES?
1. REAL-TIME MONITORING
2. USER MONITORING
3. THREAT CORRELATION AND CONTEXT
4. MEET COMPLIANCE MANDATES
5. INCIDENT MANAGEMENT
6. FORENSIC INVESTIGATION AND THREAT HUNTING
7. LONG-TERM EVENT STORAGE
8. REPORTING AND DASHBOARDS
WHAT IS SECURITY ORCHESTRATION & AUTOMATION RESPONSE (SOAR)?
ORCHESTRATION: How technologies integrate to work together
INCIDENT MANAGEMENT AND COLLABORATION: End-to-end management of incidents by analysts
AUTOMATION: How machines do task-oriented “human work”
DASHBOARDS AND REPORTING: Visualizations and capabilities for collecting and reporting on metrics and other information
SOAR ADVANTAGES
FINANCIAL
• Fewer FTEs in the SOC
• Reduce security & compliance risk
• Reduce onboarding time
SOC
• Leverage threat intelligence
• Orchestrate across different tools
• Measure ROI
RESPONSE TIME
• Respond faster
• Handle more incidents
• Ensure compliance
ANALYST
• Automate repetitive tasks
• Analysts don’t burn out
• Prioritize efforts
SIEM & SOAR INTEGRATION
The D3 Server requests event information from the SIEM or other event system through its REST API.
The SIEM or event system responds through its API with a JSON response.
The JSON response contains all the information about the event that was generated on the SIEM or event system.
D3 normalizes the event log, maps the data to the D3 data model and creates an Incident Report for triage and remediation.
The raw event file and related event files are saved to the D3 IR as attachments.
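The pull-and-normalize step just described, as an added example that is not D3's code or data model: the REST call is replaced by a constructed inline JSON reply, and SAMPLE_SIEM_RESPONSE, FIELD_MAP and the incident fields are hypothetical names chosen for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample of a SIEM's JSON reply for one alert (hypothetical field names).
SAMPLE_SIEM_RESPONSE = json.dumps({
    "id": "evt-1001",
    "rule_name": "Multiple failed logons followed by success",
    "severity": "high",
    "timestamp": "2024-01-15T10:32:07Z",
    "src_ip": "10.0.0.23",
    "user": "jdoe",
    "host": "WS-042",
    "raw": "Jan 15 10:32:07 WS-042 sshd[1234]: Accepted password for jdoe from 10.0.0.23",
})
# SIEM-specific field name -> field in our (hypothetical) common incident model.
FIELD_MAP = {"src_ip": "source_address", "user": "account", "host": "asset", "rule_name": "title"}
SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def fetch_events(api_response):
    """Stand-in for the REST call: parse the JSON body the SIEM returned (one event or a list)."""
    body = json.loads(api_response)
    return body if isinstance(body, list) else [body]

def normalize(event):
    """Map one SIEM event onto the common incident model; the raw event is kept as an attachment."""
    observed = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
    incident = {
        "source_event_id": event["id"],
        # Unknown or missing severity maps to 0 so it is visibly unscored, not silently "high".
        "priority": SEVERITY_SCORE.get(str(event.get("severity", "")).lower(), 0),
        "observed_at": observed.astimezone(timezone.utc).isoformat(),
        "status": "new",
    }
    for src_field, dst_field in FIELD_MAP.items():
        if src_field in event:
            incident[dst_field] = event[src_field]
    # Attach the untouched event so analysts can check the normalized view against the original;
    # the digest lets a reviewer detect later tampering with the attachment.
    raw = json.dumps(event, sort_keys=True)
    incident["attachments"] = [{"name": f"{event['id']}.json",
                                "sha256": hashlib.sha256(raw.encode()).hexdigest(),
                                "content": raw}]
    return incident

def build_incidents(api_response):
    """Pull events from the (simulated) SIEM and turn each into an incident for triage."""
    return [normalize(e) for e in fetch_events(api_response)]
```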
SIEM & SOAR USE CASE LIFECYCLE
Before SOAR, employees with a limited skillset managed security incidents, which resulted in too many false positives.
• Alert in SIEM / other sources
• Alert created in SOC Stream
• Workflow triggered
• Analyst is given context
• Alert is added to case & client is notified
• Endpoint & network session analysis
• Use SOCStream for hunting artifacts
• Propose actions to client
• Use SOCStreams for actions (isolate, block IP, etc.)
• Close case
• Send Incident Report to client
SOAR quickly filters out false positives in a few seconds. Containment and orchestration with multiple security tools helps reduce incident response from a few hours to a few minutes. SOAR follows a standard remediation and compliance procedure that can be reviewed, reported and improved.
THANK YOU FOR COMPLETING THE SIEM & SOAR OVERVIEW TRAINING
Please start the Incident Response Overview course next on the D3 Partner Portal