The National Security Agency has partnered with the Australian Signals Directorate’s Australian Cyber Security Centre, also known as ACSC, and other international organizations to provide guidance for implementing SIEM, which is short for Security Information and Event Management, and SOAR, or Security Orchestration, Automation and Response.
New documents published Tuesday aim to define, identify potential challenges and share recommendations for implementing SIEM and SOAR tools.
What Are SIEM & SOAR?
SIEM and SOAR enable an organization to gain better visibility of its network. According to NSA, SIEM collects, aggregates and correlates log data to monitor cyber activity and identify threats. Meanwhile, SOAR analyzes data to automatically send out alerts as soon as it detects malicious cyber activity, accelerating mitigation and response.
SIEM and SOAR work hand-in-hand to secure networks and more rapidly detect cyber incidents.
The first document, titled Implementing SIEM and SOAR platforms: Executive guidance, said that adopting SIEM and SOAR as part of an organization’s cybersecurity strategy requires ongoing human intervention. Cyber personnel must ensure that they are applying the appropriate types, quantities, rules and filters for data ingested by the SIEM tool.
Meanwhile, the Implementing SIEM and SOAR platforms: Practitioner guidance reminds network defenders to carefully configure SOAR platforms based on their organization’s unique environment. Cyber professionals must determine which cyber incident responses must be automated and how these actions may affect products and services. Without properly configuring SOAR’s automated response, the cyber tool may misidentify regular user or system behavior, take automatic measures and disrupt service delivery.
Both publications also discuss different aspects of adopting SIEM and SOAR platforms, such as costs, use cases and best practices.
A third guidance, called Priority Logs for SIEM Ingestion: Practitioner Guidance, offers detailed recommendations of data logs that SIEM platforms must ingest to improve performance.
