SOC vs SIEM or SOC + SIEM?

by | | Managed Security, Network Security

cybersecurity monitoring center

A cybersecurity ecosystem requires information to operate.  Security teams must compile information from various sources, analyze that information to detect malicious activity, and determine the appropriate responses.  

The sheer volume of information in the typical organization requires tools to gather, process, and store the information efficiently and effectively.  Any large-scale security operation requires a Security Operations Center (SOC) to make decisions and a Security Information and Event Management (SIEM) to store the information.  While SOC and SIEM stand alone as separate solutions, combining their strengths yields even better results.

What is a Security Operations Center (SOC)?

A Security Operations Center (SOC) centralizes the analysis of IT security events and determines the appropriate response.  In very small organizations, this function might be the part-time duty of a specialist within the IT staff, but for larger organizations, the sheer number of events requires the adoption of a SOC to deliver effective security.

SOCs can be deployed in five general categories and will incorporate alerts from various components of the organization: 

  • endpoints
  • network equipment
  • firewalls
  • servers (internal or web)
  • cloud resources
  • virtual devices
  • mobile devices
  • applications.  

In a practical sense, many SOCs only monitor a portion of the possible systems.  SOCs share many similarities with Network Operations Centers (NOCs) and some organizations try to combine these roles into one solution, but usually, these roles will need to be separated in the future.

As an organization expands and encompasses more connected devices such as the internet of things (IoT) or operational technology (OT), those devices may also need to be included which further increases the number of devices monitored, the number of alerts generated, and the need for tools to manage this alert flow. Only the largest organization can afford to monitor all of these devices directly and even many of these huge organizations turn to managed SOCs to gain operational and cost benefits..  

If an organization must be selective, the devices monitored should reflect the risk priorities of the organization.  For example, a coffee shop chain would prioritize cash registers, servers, and PCs and ignore printers, copiers, or mobile devices.  However, a chain of copy/print shops would prioritize printers because it represents a core functionality for their business.

Regardless of the priorities, the flood of log files and other information will need to be quickly categorized as definite threats, definite non-threats, and items to be evaluated by the tools or experts within the SOC.

What is a Security Information and Event Manager (SIEM)?

A Security Information and Event Management (SEIM) tool:

  • aggregates logs data from various systems
  • stores the information in an organized fashion
  • correlates linked events
  • applies data analytics and machine learning to detect trends
  • detects devices and software
  • centralizes configuration and security management
  • classifies threats for efficient triage

SIEM databases also provide the data required to do an in-depth investigation of events over time.  SIEMs tend to be a crucial tool for many SOC analysts to monitor attacker behavior.  However, SIEMs also prove valuable to detect insider threat behavior, documenting employee bad behavior, or reporting to regulators, law enforcement, insurance companies, and other stakeholders.  

Some organizations may use a SIEM independently from a SOC and send alerts to internal or external security teams or managed detection and response (MDR) teams for evaluation.  SIEMs can also be outsourced for management which is equivalent to acquiring SIEM as a service from managed IT security service providers (MSSPs).

Where SOC and SIEM Meet

The superior solution will usually be to combine SIEM tools with SOC experts.

SIEMs tools generally produce alerts and store the logs that generated those alerts for full analysis. The alerts themselves need to be reviewed by humans who then confirm if the alert is meaningful or a false positive.

The human experts within SOCs can operate without a SIEM, but then they will need to find an alternative way to organize the log data or to flag key security events among the sea of data.  For larger organizations, this homebrew-style approach to security can be clumsy and make it difficult to meet compliance reporting and other requirements.

The increased functionality of SIEM software can be used to assist security professionals by prioritizing alerts and highlighting specific devices or activities.  Also, artificial intelligence offers the possibility of fully automated security in the future when AI will recognize threats and automatically counter them.

However, SIEMs cannot effectively provide security without SOCs at this time.  For example, SIEMs may not ingest data from all devices and experts will either need to work on configurations to allow ingestion or separate processes for non-compatible devices.  Additionally, many SIEMs issue alerts, but cannot act or even suggest appropriate actions so human security professionals must still use their experience to determine the response.

Similarly, solutions such as extended detection and response (XDR) tools and even endpoint detection and response (EDR) tools have started to incorporate SIEM-like tools for generating alerts for security teams.  Whether the capabilities of these tools will meet the need of the organization or compare favorably with the capabilities of a SIEM tool depends upon the organization and its security needs.

Managed SOC and SIEM Options

SOCs and SIEMs work better in combination, but only the very largest organizations can afford to deploy a fully staffed SOC and a robust SIEM.  Many companies, non-profit organizations, and governmental entities leverage outsourcing to obtain a stronger security profile than they can afford internally.  When outsourcing, organizations can consider outsourcing SOC functions, SIEM management, or both.

Outsourced SOC Only

When outsourcing SOC functions, the company will allow a third party to view and react to the log files and alerts generated by the company’s systems.  A company might manage its own SIEM and forward alerts to the SOC, or it can choose to manage and store the log files in some other fashion in parallel, or after the SOC team views them.

As a core component of any Managed Security Service Provider (MSSP), Clearnetwork has many resources that cover this topic:

Those interested in the details can explore these resources, but for now, we’ll highlight the core benefits of an outsourced SOC which include:

  • Improved Quality: Outsourcing improves the overall quality because:
    • Better Security Staffing: Bypass cybersecurity skill shortages and retention issues by using outsourced expertise.
    • Security Focus 24/7/365 – no IT operations and help desk distractions.
    • Security Maturity – managing a broader user base means a problem for one customer is experience leveraged for all.  Constant security work also builds experience much faster than for internal teams.
    • Immediate Access to Experts – malware analysts, incident responders, and forensic engineers as needed without the full-time retention costs
    • Defined performance through Service Level Agreements (SLAs)
    • Deliver state-of-the-art technology – With the larger customer base, an outsourced SOC can afford the most advanced tools, equipment, and talent.
    • Outsourced SOCs monitor threat intelligence feeds for the latest threats
    • Deliver improved support for various compliance and reporting requirements
  • Reduced Total Cost of Ownership: Instead of hiring a full team, buying expensive software, and investing in the hardware needed for an internal SOC, an outsourced SOC spreads out those costs across numerous clients and passes along the savings.
  • Rapid Deployment: Deploying and configuring tools takes time and expertise.  An outsourced SOC enjoys a dramatically reduced learning curve compared to an in-house team.
  • Scalability and Flexibility: In-house teams choose solutions and build teams based on current needs.  Increasing needs create overwork strain and decreasing needs jeopardize profitability and future budgets.  Outsourced SOCs can be quickly scaled to the current and future needs of an organization and often can integrate better with other security options such as managed detection and response (MDR), email security, etc.

Outsourced SIEM Only

An organization may choose to operate its internal SOC, but decide to outsource the SIEM functions and management.  The outsourced SIEM will feed in-house resources, but be managed, maintained, and monitored by the partner.

As a key component of Clearnetwork’s security offering, we have written in detail about Managed SIEM, but in general, customers can recognize many benefits including:

  • Expert configuration: SIEM software can be very complex and requires experience to properly configure the SIEM, ensure connections with systems, properly secure log data storage, and deliver the appropriate alerts to the SOC.
  • Improved Event Recognition: Event Correlation, Data Analytics, and Machine Learning from an outsourced SIEM vendor leverage the experience of other customers to train the software faster and to recognize threats more quickly.  Likewise, false positives may be flagged more consistently and false-alarm alerts will be silenced more quickly.
  • Improved Resources: Outsourcing to a security company allows an organization to:
    • access larger security teams than they can afford to maintain in-house
    • utilize specialists that could not be retained in-house
    • obtain 24/7/365 monitoring at lower expenses
    • benefit from more advanced SIEM tools than might be justified for in-house use
    • lower the total cost of ownership compared with in-house implementation (hardware, software, labor, power, etc.)
  • Rapid Flexibility: A managed SIEM bypasses expenses and time required for equipment to be purchased, employees to be hired, or software to be installed and configured.  Managed SIEMs can be scaled up quickly or decreased quickly to match the needs of the organization.  
  • Prevents Tampering: Insiders and attackers cannot modify log files that have been sent offsite to an outsourced SIEM.

Outsourced SOC + SIEM

When outsourcing only one of the components, some organizations risk miscommunication between organizations and rely upon internal resources that may be limited in capacity.

For example, a law firm might forget to inform the outsourced SOC about the new office of attorneys they just merged into the partnership.  The SIEM might pick up the new devices, but the SOC may not receive the alerts or know what to do when alerts for unknown devices suddenly appear.

As another example, a municipal utility may miss the outsourced SIEM alerts related to a new WiFi router that hasn’t been assigned to anyone in the IT department.  The outsourced partner will not be able to tell that the alerts have been ignored and the IT department may put the organization at risk until the manager notices the oversight.

These errors can happen to anyone, but a fully outsourced solution will decrease these types of miscommunication events because the SOC and SIEM information will flow through a single source with strong security practices and internal reporting.

By outsourcing SOC and SIEM, an organization will not only enjoy all of the benefits from both the outsourced SOC and SIEM solutions, but they may also see additional improvements such as:

  • Amplified benefits- Any of the individual benefits such as reduced total cost of ownership, rapid deployment, and access to experts will be increased by outsourcing both SOC and SIEM functions.
  • No insider conflict: With both SOC and SIEM outsourced, the security vendor can detect shadow IT and not be politically pressured to ignore it.  Malicious insiders cannot protect themselves by pressuring others or tampering with IT logs undetected.

Choosing the Right Security Provider

Of course, not all vendors can deliver on the promised benefits of outsourced SOC and SIEM resources.  Organizations need to evaluate their potential outsourcing partners carefully and look for several key factors:

  • Security Focus – Select a vendor focused on security.  Avoid the Managed IT Service Provider (MSP) that is more of a help desk trying to build their business by adding security services.  Select a vendor focused solely on delivering the best possible security every moment of every day.
  • Experience – Look for vendors that have a track record of delivering security to customers for years and have internal expertise.  Some vendors simply act as a middleman between customers and tool vendors without adding value. 
  • Up to Date – While experience can be crucial, security companies also need to be current on the latest threats, the latest trends, the latest tools, and the latest methods.  While some trends may be fads, a vendor with the proper balance of experience and current knowledge should be able to explain why a trend is important or why it should be ignored.
  • Good Communication – Any advanced topic can become a black box to those with less knowledge, but organizations need to understand their risks and what is being done to protect them.  A vendor should be able to provide clear reports, answer questions in plain English, and help executives understand the big picture without being drowned in acronyms or technical terms.

Clearnetwork delivers upon the promise of outsourced security because of our focus on security, our experience, our knowledge of current trends, and our ability to communicate well with our customers.  Since 1996, our clients have enjoyed improved security at a reduced cost, and we look forward to growing our business and protecting our clients for decades to come.