Source: www.infosecurity-magazine.com
A new joint government advisory has urged organizations to prioritize the implementation of Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) platforms.
The guidance, issued by government agencies in the US, UK, Australia, Canada and others, is designed to help business executives and cybersecurity practitioners navigate decision making around the procurement and implementation of these platforms.
The agencies highlighted the importance of SIEM and SOAR in collecting critical data in a centralized place for analysis.
“The platforms also help your organization detect cybersecurity events and incidents and then prompt timely intervention through alerting and ensuring that incident responders have access to the data that records what happened,” the agencies added.
The advisory contains three guidance documents:
- Implementing SIEM and SOAR platforms: Executive guidance. This document is designed for executives, highlighting the value of SIEM and SOAR, their challenges and high-level recommendations for implementing them
- Implementing SIEM and SOAR platforms: Practitioner guidance. This document provides high-level guidance for cybersecurity practitioners for procurement, establishment and maintenance of these platforms
- Priority logs for SIEM ingestion: Practitioner guidance. This document, also designed for practitioners, sets out detailed logging guidance for specific categories of log sources, such as endpoint detection and response tools and cloud deployments
SIEM is a software platform that collects, centralizes and analyzes log data from sources within a network or system for the purpose of cybersecurity.
SOAR is a software platform that automates the response to anomalous activity detected on a network.
Overcoming Deployment and Procurement Challenges
The advisory warned that implementing SIEM and SOAR platforms is an “intensive, ongoing process” that requires highly skilled human personnel.
A major challenge is preventing alert fatigue by ensuring the SIEM only produces alerts when cybersecurity events and incidents are occurring.
This requires cybersecurity practitioners to identify the right types and quantities of log data for the SIEM to ingest, as well as the right rules and filters to apply to that data.
The document advised the development of a threat model that defines events of interest that can trigger alerts related to the model.
A key technical challenge with SOAR is ensuring these platforms only take appropriate action in response to actual cybersecurity incidents and do not act against regular network activity.
Meeting these technical challenges requires personnel to carefully configure the SIEM and/or SOAR for the unique network and organization in which it is used.
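As an added illustration of the tuning point above (example code written for this article, not from the advisory or any vendor product): a small Python correlation over constructed auth log lines that filters ingested sources, alerts only on a threat-model event of interest, and lets a SOAR-style step act only on that correlated incident rather than on every failed login. Log lines, host names, addresses and thresholds are all constructed.

```python
"""Minimal SIEM-style correlation: filter ingestion, alert on a threat-model
event (brute force followed by success), act only on the correlated alert."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like, not from any real system).
SAMPLE_LOGS = """\
2024-01-10T09:00:01 srv1 sshd: Failed password for alice from 10.0.0.5
2024-01-10T09:00:03 srv1 sshd: Failed password for alice from 10.0.0.5
2024-01-10T09:00:05 srv1 sshd: Failed password for alice from 10.0.0.5
2024-01-10T09:00:07 srv1 sshd: Failed password for alice from 10.0.0.5
2024-01-10T09:00:09 srv1 sshd: Failed password for alice from 10.0.0.5
2024-01-10T09:00:12 srv1 sshd: Accepted password for alice from 10.0.0.5
2024-01-10T09:30:00 srv1 sshd: Failed password for bob from 10.0.0.9
2024-01-10T09:31:00 srv1 sshd: Accepted password for bob from 10.0.0.9
2024-01-10T09:32:00 srv1 cron: (root) CMD (/usr/bin/backup)
"""
FAIL_THRESHOLD = 5          # assumed tuning values, chosen for this example
WINDOW = timedelta(minutes=5)

def parse(line):
    ts, host, rest = line.split(" ", 2)
    proc, msg = rest.split(": ", 1)
    return {"ts": datetime.fromisoformat(ts), "host": host, "proc": proc, "msg": msg}

def ingest(raw, keep_procs=("sshd",)):
    """Ingestion filter: keep only the log sources the threat model needs."""
    return [e for e in map(parse, raw.splitlines()) if e["proc"] in keep_procs]

def detect_brute_force_success(events):
    """Rule: >= FAIL_THRESHOLD failures from one source within WINDOW, then a success."""
    failures = defaultdict(list)
    alerts = []
    for e in events:
        src = e["msg"].rsplit(" ", 1)[-1]
        if e["msg"].startswith("Failed password"):
            failures[src] = [t for t in failures[src] if e["ts"] - t <= WINDOW]
            failures[src].append(e["ts"])
        elif e["msg"].startswith("Accepted password"):
            recent = [t for t in failures[src] if e["ts"] - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"src": src, "host": e["host"], "failures": len(recent)})
            failures[src].clear()
    return alerts

def soar_actions(alerts):
    """SOAR-style step: act only on correlated incidents, never on raw events."""
    return [f"isolate session from {a['src']} on {a['host']}" for a in alerts]
```

Bob's single failure followed by a success is regular activity and produces no alert, so no SOAR action is taken for it.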
Therefore, the agencies said that organizations managing sensitive information or providing critical services should consider implementing the platform in-house.
They acknowledged this will involve significant costs, including paying for the license of the platform and hiring staff with specialist skills.
For organizations that outsource some or all the implementation, the advisory recommended taking into account certain factors related to service providers.
These include ensuring they provide a 24/7 monitoring and incident response service and understanding whether they are bound by foreign data storage requirements.
The agencies also urged organizations to look for potential hidden costs across different SIEM and SOAR products when making procurement decisions.
For example, most SIEM pricing models are based on the quantity of data the SIEM ingests, with some capping ingestion according to a pre-purchased amount.
“For products that do not, your organization should be mindful of the potential to incur very significant costs if ingestion is not carefully managed,” they warned.
Original Post URL: https://www.infosecurity-magazine.com/news/governments-prioritize-siem-soar/