In today’s article, we discuss SIEM, SOC and CFC.
Cyber threats have grown significantly over the last decade, from simple malware to complex advanced persistent threat (APT) groups. Threat actors have progressed considerably; they constantly refine their methods and techniques to breach security controls, causing massive damage and disruption.
Defences against these cyber threats are also trying to catch up, and they have vastly improved over the last decade. Consider the Security Operations department, which has been constantly at odds with these threat actors in order to protect the organization from the damage caused by security breaches, and how it has progressed from simply using a SIEM tool to leveraging technologies such as SOAR, AI, automation, and so on. We’ll start with the basics and look at what a SIEM is, then move on to the Security Operations Center (SOC) and how it differs from a SIEM, and finally look at what a Cyber Fusion Center (CFC) is and what it adds to a SOC.
What is a SIEM?
Gartner’s Mark Nicolett and Amrit Williams came up with the term “SIEM” in 2005. It is an acronym that stands for Security Information and Event Management. At a high level, a SIEM is a platform that ingests logs from the devices, servers, and applications that are relevant to security monitoring and incident response, then builds use cases and dashboards on top of these logs and alerts you when suspicious activity is detected, thereby decreasing the Mean Time To Detection (MTTD). The SIEM platform keeps the collected logs for as long as the retention period allows. You can access the platform at any time to search these logs, perform threat hunting or analysis, create dashboards or reports, and so on. A SIEM is not a ready-to-use tool; setting it up correctly takes time and involves several stages, such as deciding which SIEM product and license to purchase, which logs and use cases to implement, ensuring that the logs are ingested and parsed, and fine-tuning the use cases to avoid a flood of false positives.
If a SIEM is not properly configured, it can overwhelm you with a large number of alerts and information. It is also critical to understand that a SIEM is not a syslog server; you should not ingest unnecessary logs into it and waste its resources.
Since 2005, SIEM tools have evolved from basic tools that only stored logs and had simple detection rules into highly scalable platforms that run complex real-time detection rules, integrate with other systems, and offer a plethora of add-ons and artificial-intelligence capabilities.
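To make the “use case” and “fine-tuning” steps concrete, here is a small SIEM-style detection rule written for this article as an added example (it is not code from any SIEM product). It parses constructed Linux sshd log lines (hostnames and addresses are documentation-range placeholders), counts failed logins per source address inside a sliding time window, and fires once per burst when the count reaches a threshold. The threshold, the window and the suppression list are the tuning knobs an engineer adjusts to cut false positives, such as an authorised vulnerability scanner that legitimately trips the rule; the log year is assumed because syslog lines do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of Linux auth.log style sshd lines (hypothetical host and addresses).
SAMPLE_LOGS = """\
Mar 10 09:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.10 port 51122 ssh2
Mar 10 09:00:03 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.10 port 51123 ssh2
Mar 10 09:00:05 web01 sshd[2101]: Failed password for root from 203.0.113.10 port 51124 ssh2
Mar 10 09:00:06 web01 sshd[2101]: Failed password for root from 203.0.113.10 port 51125 ssh2
Mar 10 09:00:08 web01 sshd[2101]: Failed password for root from 203.0.113.10 port 51126 ssh2
Mar 10 09:00:09 web01 sshd[2101]: Accepted password for alice from 198.51.100.7 port 40010 ssh2
Mar 10 09:00:10 web01 sshd[2101]: Failed password for bob from 198.51.100.7 port 40011 ssh2
Mar 10 09:02:00 web01 sshd[2101]: Failed password for root from 192.0.2.50 port 3333 ssh2
Mar 10 09:02:01 web01 sshd[2101]: Failed password for root from 192.0.2.50 port 3334 ssh2
Mar 10 09:02:02 web01 sshd[2101]: Failed password for root from 192.0.2.50 port 3335 ssh2
Mar 10 09:02:03 web01 sshd[2101]: Failed password for root from 192.0.2.50 port 3336 ssh2
Mar 10 09:02:04 web01 sshd[2101]: Failed password for root from 192.0.2.50 port 3337 ssh2
Mar 10 09:20:00 web01 sshd[2101]: Failed password for root from 203.0.113.10 port 51200 ssh2
"""

# Parser for OpenSSH password-authentication events in the syslog format above.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
LOG_YEAR = 2024  # assumed: syslog timestamps carry no year


def parse_auth_line(line):
    """Return the fields of an sshd password event, or None for lines the rule ignores."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(f"{LOG_YEAR} {event['ts']}", "%Y %b %d %H:%M:%S")
    return event


def detect_bruteforce(lines, threshold=5, window_seconds=60, suppressed=frozenset()):
    """SIEM-style use case: N failed logins from one source within a sliding window.

    threshold and window_seconds are the tuning knobs; suppressed holds sources whose
    alerts are known noise (e.g. an authorised scanner). A source fires once per burst,
    at the moment its in-window count first reaches the threshold.
    """
    recent = defaultdict(deque)  # source IP -> timestamps of failures still in the window
    users = defaultdict(set)     # source IP -> usernames seen from that source
    alerts = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None or ev["result"] != "Failed" or ev["src"] in suppressed:
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        users[ev["src"]].add(ev["user"])
        # Slide the window: drop failures older than window_seconds.
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) == threshold:
            alerts.append({
                "rule": "ssh_bruteforce",
                "host": ev["host"],
                "source": ev["src"],
                "count": len(q),
                "first_seen": q[0].isoformat(),
                "last_seen": ev["ts"].isoformat(),
                "users": sorted(users[ev["src"]]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS.splitlines()):
        print(alert)
    # Tuning: suppressing the constructed scanner address leaves one alert.
    print(len(detect_bruteforce(SAMPLE_LOGS.splitlines(), suppressed={"192.0.2.50"})))
```

With the defaults the rule raises two alerts (five failures in a few seconds from each of two sources); the lone failure at 09:20 from the first source lands outside the window and is correctly ignored. Raising the threshold to six silences both, which is the trade-off the fine-tuning stage has to weigh: fewer false positives against a slower or missed detection.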
Even with all of these bells and whistles, a SIEM is insufficient. It is, however, a stepping stone to a SOC.
What is a SOC?
A SIEM will generate alerts, but if no one monitors and acts on these alerts, the SIEM is ineffective. This is where the SOC comes in. A SOC is a component of an organization’s overall security team; it brings together people, processes, and technology to counteract cyber threats. When it comes to cyber threats, the SOC is usually the first responder. The primary goal of the SOC is to continuously monitor alerts generated by various security tools and new emerging threats, determine whether there is a security breach by analyzing logs (from network devices, servers, applications, and so on), respond to the security incident to contain the threat and limit any damage, and remediate the threat.
A SIEM is typically at the heart of a SOC, but a SOC can also monitor alerts generated by other tools such as IPS/IDS and EDR/XDR, user-reported incidents, and so on. A SOC is typically a 24-hour-a-day operation, with someone constantly monitoring and responding to cyber threats. A SOC reduces not only MTTD but also the Mean Time To Respond (MTTR).
The SOC is composed of several roles: the SOC manager, who is responsible for the smooth operation of the SOC; multiple analysts, who perform tasks such as monitoring, basic to advanced analysis, and response; and engineers, who are in charge of tool administration, implementing use cases, automation, integration, and so on.
There are processes in place to guide SOC members in their daily activities. There are procedures in place to guide analysts on how to respond to security threats; these procedures ensure that the necessary steps are taken for an alert every time, and they also aid in the training of new analysts. The process also defines alert prioritization, SLAs, and how alerts are escalated and tracked. KPIs and reporting are in place to track the SOC’s performance and implement necessary improvements.
Cyber-attacks have increased and become more complex as digitalization and computer adoption have grown over the last decade. A SOC must keep up with changes in the threat landscape as well as the tactics, techniques, and procedures employed by these threat actors. As a result, SOCs constantly work to improve their detection and response capabilities in order to mitigate the risk posed by new emerging cyber threats.
However, because of the SOC’s traditional reactive nature, it is extremely difficult to keep up with advanced threat actors and complex attacks. This is where SOCs evolved to include better technology and team collaboration, giving rise to Cyber Fusion Centers (CFCs).
What is a CFC?
A Cyber Fusion Center (CFC) can be thought of as an advanced or next-generation SOC. A CFC employs a proactive approach to identifying threats and defending against them in a unified and timely manner. It fosters collaboration among the various teams within an organization that support cybersecurity. This improves threat intelligence gathering, shortens the time it takes to respond to and stop an attack, and reduces overall damage to the organization. These teams can include Security Operations, CSIRT, IT Operations, Fraud/Legal, and so on.
One of a CFC’s primary goals is to integrate threat intelligence from various sources in order to better identify and respond to cyber threats. Internal threat intelligence sources such as SIEM, EDR, IPS/IDS, and so on, as well as external threat feeds, can be used. Real-time threat intelligence sharing is now possible: different organizations can share threat intelligence on a single platform, which can be integrated into the CFC. This threat intelligence, along with all of the collected logs, helps proactively monitor for emerging threats, identify security gaps, and put in place the necessary security measures to reduce the attack surface. Coordination between different teams helps CFCs achieve this in a more efficient and timely manner.
CFCs seek to integrate various security functions and technologies, such as threat intelligence, data analytics, artificial intelligence, incident monitoring, and response, into a single functional unit. A CFC relies heavily on automation. A Security Orchestration, Automation, and Response (SOAR) tool integrates the various security tools and platforms used by a SOC, such as SIEM, IPS/IDS, EDR/XDR, email security, vulnerability management, and so on. SOAR tools offer a variety of automation and integration capabilities and are used to fully automate the manual, repetitive tasks performed by analysts. SOAR playbooks are created to perform basic analysis and automatically close an alert, to pull in information from other platforms and threat intelligence to enrich an alert so that analysts can make faster decisions, and to block IOCs automatically or with the click of a button. This makes a CFC more efficient than a SOC.
Along with automation, a CFC employs advanced technology such as Artificial Intelligence and Machine Learning to analyze logs and the integrated threat intelligence in order to detect suspicious behaviour and, in some cases, act on it.
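The playbook pattern described here, together with the alert prioritization and SLA tracking mentioned earlier under SOC processes, can be sketched in a few dozen lines. The following is an added example written for this article, not code from any SOAR product or vendor: it takes a raw alert (in the shape a SIEM brute-force rule might emit), enriches it from a constructed threat-intelligence table and a constructed asset inventory standing in for feed and CMDB integrations, auto-closes alerts from an allow-listed source, assigns a priority and SLA deadline, and for the highest priority prepares a block for an analyst to approve rather than blocking automatically. The priority rules, SLA figures, role names and addresses are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed threat-intelligence table standing in for SIEM/EDR/external-feed lookups.
# Addresses are documentation-range placeholders, not real indicators.
THREAT_INTEL = {
    "203.0.113.10": {"feed": "external-feed-A", "confidence": 90, "tags": ["ssh-bruteforce"]},
    "198.51.100.99": {"feed": "internal-sightings", "confidence": 40, "tags": ["scanner"]},
}
# Constructed asset inventory (CMDB stand-in) used to weight alerts by business impact.
ASSETS = {
    "web01": {"criticality": "high", "owner": "web-platform"},
    "lab07": {"criticality": "low", "owner": "rnd-lab"},
}
# Constructed allow-list of sources the SOC has reviewed and agreed are benign noise.
ALLOWLIST = {"192.0.2.50"}
# Assumed SLA (minutes to first response) per priority, as a SOC process document would define.
SLA_MINUTES = {"P1": 15, "P2": 60, "P3": 240}


def enrich(alert, intel=THREAT_INTEL, assets=ASSETS):
    """Attach threat-intel and asset context to a raw alert; the raw fields are kept as-is."""
    enriched = dict(alert)
    enriched["intel"] = intel.get(alert["source"])
    enriched["asset"] = assets.get(alert["host"], {"criticality": "unknown", "owner": None})
    return enriched


def prioritise(enriched):
    """Assumed prioritisation rule: high-confidence intel hit plus critical asset is P1."""
    intel_hit = bool(enriched["intel"]) and enriched["intel"]["confidence"] >= 80
    critical_asset = enriched["asset"]["criticality"] == "high"
    if intel_hit and critical_asset:
        return "P1"
    if intel_hit or critical_asset:
        return "P2"
    return "P3"


def run_playbook(alert, now, allowlist=ALLOWLIST):
    """Minimal SOAR-style playbook: enrich, auto-close or prioritise, set SLA, pick an action."""
    enriched = enrich(alert)
    if alert["source"] in allowlist:
        enriched.update(status="closed", priority=None, action="auto_close",
                        reason="source on SOC allow-list")
        return enriched
    priority = prioritise(enriched)
    enriched["priority"] = priority
    enriched["sla_due"] = now + timedelta(minutes=SLA_MINUTES[priority])
    # P1 escalates to an analyst with a block prepared for one-click approval; the
    # playbook itself does not block, so a bad intel match cannot cause an outage.
    enriched["action"] = {"P1": "escalate_and_propose_block",
                          "P2": "assign_for_investigation",
                          "P3": "queue_for_review"}[priority]
    enriched["status"] = "open"
    return enriched


if __name__ == "__main__":
    now = datetime(2024, 3, 10, 9, 5)
    for raw in ({"rule": "ssh_bruteforce", "host": "web01", "source": "203.0.113.10"},
                {"rule": "ssh_bruteforce", "host": "web01", "source": "192.0.2.50"},
                {"rule": "ssh_bruteforce", "host": "lab07", "source": "198.51.100.99"}):
        print(run_playbook(raw, now))
```

The enrichment happens before any decision, so an analyst who opens a P2 or P3 ticket already sees the intel match and the asset owner, which is the “faster decisions” benefit the article describes. Keeping the block step behind an approval for P1 is a deliberate design choice: automation should remove repetitive work, not remove the human check from actions that can take a service offline.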
As a result, a CFC is an enhanced version of a SOC that leverages threat intelligence, automation, data analytics, artificial intelligence, and so on, and coordinates efforts across multiple teams. This helps to reduce MTTR, be more proactive, and take preventive measures in a more timely or automated manner, resulting in better cyber threat protection.
Creating a SOC, maturing it, and transitioning it to a CFC is a time-consuming process. Many organizations may lack the resources or expertise to do so. Outsourcing this to a Managed Security Service Provider (MSSP) is a better option. MSSPs are experts in this field, with the necessary skills, tools, and processes in place to carry out security operations and incident response in a timely and effective manner.
In conclusion, a SIEM is a tool for collecting and analyzing logs and generating alerts from them. The SOC employs people, processes, and technology to monitor and respond to security alerts and cyber threats; it is a more reactive approach. A CFC bridges the gap between different teams, integrates threat intelligence, and relies heavily on technology, automation, and artificial intelligence to use this intelligence alongside all logs to proactively monitor threats and aid in attack surface reduction.