Designing a strategy for SIEM and SOAR
As stated in the previous section, an important aspect of a security operations strategy is an architecture that gives the SOC team the tools to hunt for and investigate activity and event log data from multiple sources. SIEM and SOAR solutions provide this capability. Let's define the two for clarity.
A security information and event management (SIEM) solution is usually deployed within a security operations center. It gathers logs and events from the various appliances and software within an IT infrastructure, normalizes them into a common schema, and analyzes them for potential threats by correlating events across sources and searching for known attack patterns or behavior that is anomalous or atypical for the environment. The benefit of a SIEM is that without one, security operations personnel would need to review each of these log and event files manually. Since there are thousands of log and event files within companies, this option has the potential...
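To make the SIEM functions described above concrete (collect from multiple sources, normalize, correlate, alert), here is a deliberately small Python illustration. It is an added example, not code from the original text or from any SIEM product; the two log formats, the sample log lines, the field names, and the thresholds (five failures within two minutes, 10 MB as a "large" transfer) are all constructed assumptions for illustration.

```python
"""Minimal SIEM-style ingestion and correlation over constructed sample logs.

Added example; not from the original text. The sources, field names, log
lines and thresholds below are assumptions made up for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample events from two hypothetical sources: an SSH auth log
# and a firewall log. Timestamps are assumed to share one timezone.
AUTH_LOG = """\
2024-03-01T10:00:01 sshd[1]: Failed password for root from 203.0.113.5 port 4000 ssh2
2024-03-01T10:00:03 sshd[1]: Failed password for root from 203.0.113.5 port 4001 ssh2
2024-03-01T10:00:05 sshd[1]: Failed password for admin from 203.0.113.5 port 4002 ssh2
2024-03-01T10:00:07 sshd[1]: Failed password for root from 203.0.113.5 port 4003 ssh2
2024-03-01T10:00:09 sshd[1]: Failed password for root from 203.0.113.5 port 4004 ssh2
2024-03-01T10:00:12 sshd[1]: Accepted password for root from 203.0.113.5 port 4005 ssh2
2024-03-01T10:05:00 sshd[1]: Failed password for bob from 198.51.100.7 port 5000 ssh2
2024-03-01T10:30:00 sshd[1]: Accepted password for bob from 198.51.100.7 port 5001 ssh2
"""

FW_LOG = """\
2024-03-01T10:00:20 fw: action=ALLOW src=10.0.0.8 dst=203.0.113.5 dport=443 bytes=52000000
2024-03-01T10:00:21 fw: action=DENY src=203.0.113.5 dst=10.0.0.8 dport=3389 bytes=0
"""

# Parsers for the two (assumed) raw formats.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)")
FW_RE = re.compile(
    r"^(?P<ts>\S+) fw: action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)")


def normalize(auth_text, fw_text):
    """Parse both raw sources into one common event schema, as a SIEM would,
    and return the events ordered by time so they can be correlated."""
    events = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # unparseable line: a real SIEM would count and surface these
        events.append({"ts": datetime.fromisoformat(m["ts"]), "source": "auth",
                       "src": m["src"], "user": m["user"],
                       "outcome": "failure" if m["outcome"] == "Failed" else "success"})
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "source": "fw",
                       "src": m["src"], "dst": m["dst"], "action": m["action"],
                       "bytes": int(m["bytes"])})
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, fail_threshold=5, window=timedelta(minutes=2),
              exfil_bytes=10_000_000):
    """Alert when one IP produces >= fail_threshold failed logins within
    `window` and then a successful login (a brute force that worked).
    Escalate to critical if the firewall later saw a large transfer from the
    internal network to that same IP: cross-source correlation that a human
    reading each log on its own would be unlikely to notice."""
    alerts = []
    failures = defaultdict(list)  # src IP -> timestamps of failed logins
    for e in events:
        if e["source"] != "auth":
            continue
        if e["outcome"] == "failure":
            failures[e["src"]].append(e["ts"])
            continue
        recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
        if len(recent) >= fail_threshold:
            exfil = any(f["source"] == "fw" and f["dst"] == e["src"]
                        and f["bytes"] > exfil_bytes and f["ts"] > e["ts"]
                        for f in events)
            alerts.append({"src": e["src"], "user": e["user"],
                           "failures": len(recent),
                           "severity": "critical" if exfil else "high"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(normalize(AUTH_LOG, FW_LOG)):
        print(alert)
```

Note that the single failed login from 198.51.100.7 followed by a success 25 minutes later does not fire, while the five rapid failures from 203.0.113.5, the success that follows them, and the 52 MB outbound transfer to that address seen only in the firewall log combine into one critical alert. The thresholds are illustrative and would be tuned per environment.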