
Name: Ehsan Raza

Roll No: F21RDOCS1M08054


Department: BSCS
Semester: 5th(M2)
Subject: Information Security
Submitted to: Sir Mazhar Shahid Naqshbandi
SEARCH WORK:

TOPIC: SIEM, SOAR and SOC

1. SIEM
SIEM stands for security information and event management. It combines security information
management (long-term log storage, analysis and reporting) with security event management
(real-time monitoring and correlation) to analyze security alerts generated by applications,
hosts and network hardware. A SIEM provides log collection and management, normalization,
aggregation, event correlation, alerting and reporting.

Benefits of SIEM:
SIEM has a number of benefits, including consolidation of many data sources into one view,
custom dashboards and alert workflow management, and integration with other security products
(such as ticketing, EDR and threat intelligence feeds).

SIEM uses:
SIEM has many use cases in the modern threat landscape, including detection of internal and
external threats and support for compliance with regulatory and industry standards.
- Compliance: SIEM helps organizations meet the logging, monitoring and reporting requirements
of standards and regulations such as PCI DSS, GDPR, HIPAA and SOX by retaining audit logs and
producing the evidence auditors ask for.
- IoT security: SIEM software can ingest logs from IoT devices and gateways, detect anomalies
such as a device suddenly generating DoS-like traffic volumes, and flag at-risk or compromised
devices in the environment. The SIEM itself only detects; blocking is carried out by the
firewall, NAC or SOAR integration that it alerts.
- Insider threats: SIEM software allows organizations to continuously monitor user actions and
alert on irregular events (logins at unusual hours, bulk downloads, access to systems outside a
user's role) measured against a baseline of 'normal' activity.

SIEM working:
SIEM software works by collecting log and event data generated by an organization's applications,
security devices and host systems and bringing it together on a single centralized platform.
The SIEM gathers data from antivirus events, firewall logs, authentication logs and other
sources, parses each record and normalizes it into a common schema (timestamp, host, user,
source IP, outcome) so that events from different products can be compared. Correlation rules
then look for patterns across many events, such as repeated failed logins from one address
followed by a success. When a rule matches, the SIEM generates an alert and assigns a threat
level (severity) based on predetermined rules. Its custom dashboards and event management
features improve investigative efficiency and reduce the time wasted on false positives, which
remain the main operating cost of a SIEM: rules that are too broad bury analysts in noise, so
thresholds and allowlists need continual tuning.
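The pipeline described above (collect, normalize, correlate, alert with a severity) in miniature, as an added example that is not part of the original assignment. The syslog and firewall lines, the field names of the normalized schema, the assumed log year and the brute-force thresholds are all constructed for illustration; a real SIEM would ingest the same kind of data through agents or syslog forwarders.

```python
"""Minimal SIEM pipeline: collect -> normalize -> correlate -> alert.

Added example, not from the original document. Log lines, schema field names
and rule thresholds are constructed/assumed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ASSUMED_YEAR = 2024  # syslog timestamps carry no year; assumed for the constructed sample

# Constructed sample logs from two sources: an SSH daemon and a firewall.
SSHD_LOGS = """\
Jan 10 10:00:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 10 10:00:03 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan 10 10:00:04 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Jan 10 10:00:06 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51025 ssh2
Jan 10 10:00:07 web01 sshd[2211]: Failed password for oracle from 203.0.113.7 port 51026 ssh2
Jan 10 10:00:09 web01 sshd[2211]: Accepted password for oracle from 203.0.113.7 port 51027 ssh2
Jan 10 10:05:00 web01 sshd[2212]: Failed password for bob from 198.51.100.4 port 40000 ssh2
"""
FW_LOGS = """\
2024-01-10T10:00:02Z fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp
2024-01-10T10:00:05Z fw01 action=allow src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>[\d.]+) port \d+"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<src_ip>[\d.]+) "
    r"dst=(?P<dst_ip>[\d.]+) dport=(?P<dport>\d+)"
)


def normalize_sshd(line):
    """Map one sshd syslog line onto the common event schema (None if unparsed)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return {"ts": ts, "source": "sshd", "host": m["host"], "category": "authentication",
            "outcome": "success" if m["outcome"] == "Accepted" else "failure",
            "user": m["user"], "src_ip": m["src_ip"]}


def normalize_fw(line):
    """Map one key=value firewall line onto the same schema (None if unparsed)."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "source": "firewall", "host": m["host"], "category": "network",
            "outcome": "allowed" if m["action"] == "allow" else "denied",
            "user": None, "src_ip": m["src_ip"], "dst_ip": m["dst_ip"],
            "dport": int(m["dport"])}


def collect(sshd_text=SSHD_LOGS, fw_text=FW_LOGS):
    """Aggregate all sources into one normalized, time-ordered event list."""
    events = []
    for line in sshd_text.splitlines():
        ev = normalize_sshd(line)
        if ev:
            events.append(ev)
    for line in fw_text.splitlines():
        ev = normalize_fw(line)
        if ev:
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def rule_ssh_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Correlation rule: >= threshold failed logins from one source IP inside `window`.
    Severity is raised to 'high' when a successful login from that IP follows the burst."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        if e["source"] == "sshd":
            by_src[e["src_ip"]].append(e)
    for src_ip, evs in by_src.items():
        failures = [e for e in evs if e["outcome"] == "failure"]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            last = burst[-1]["ts"]
            followed_by_success = any(
                e["outcome"] == "success" and last <= e["ts"] <= last + window for e in evs)
            alerts.append({"rule": "ssh_bruteforce",
                           "severity": "high" if followed_by_success else "medium",
                           "src_ip": src_ip, "host": first["host"], "count": len(burst),
                           "users": sorted({f["user"] for f in burst}),
                           "first_seen": first["ts"].isoformat(),
                           "last_seen": last.isoformat()})
            break  # report each source IP once, not once per overlapping window
    return alerts


def run_siem():
    """Run the rule over the constructed sample; returns the generated alerts."""
    return rule_ssh_bruteforce(collect())


if __name__ == "__main__":
    for alert in run_siem():
        print(alert)
```

The single failure from 198.51.100.4 produces no alert, which is the point of correlating rather than alerting on each event; the `threshold` and `window` parameters are exactly the knobs an analyst tunes to trade missed detections against false positives.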

2. SOAR:
SOAR stands for Security Orchestration, Automation, and Response. A SOAR platform combines
tools for collecting security data from a variety of sources (the SIEM, threat intelligence
feeds, endpoint and identity systems) with a workflow engine. SOAR tools allow an organization
to define its incident analysis and response procedures as digital workflows, usually called
playbooks, that can run fully automatically or pause for an analyst's approval.

Benefits of SOAR:
SOAR aims to minimize the impact of security incidents of all types, maximize the value of
existing security investments, and reduce the risk of legal liability and business downtime.
To achieve this, a SOAR platform does the following:
- consolidates process management, technology and expertise in one place
- centralizes asset monitoring
- enriches alerts with contextual intelligence (indicator reputation, asset owner and
criticality, user role)
- automates response and performs inline blocking through the connected firewall, EDR or
identity provider

Application and capability:
SOAR is used to describe three software capabilities: threat and vulnerability management,
security incident response, and security operations automation. SOAR allows companies to
collect threat-related data from a range of sources and automate the responses to the threat.
Threat and vulnerability management covers technologies that help remediate cyber threats and
weaknesses, security incident response covers case handling and investigation, and security
operations automation relates to the technologies that enable automation and orchestration
within operations. For the SOC team this means:
- repeated response workflows are automated
- time is saved for higher-priority triage tasks
- there is a standardized, easy-to-follow response for each alert type
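A playbook of the kind described in the two passages above (enrich an alert with context, decide, then automate the response and inline blocking), as an added example that is not part of the original assignment. The incoming alert, the threat intelligence feed, the asset inventory, the allowlist and the shape of the emitted actions are all constructed; in a real SOAR each enrichment or action step would be a connector call to the TI platform, CMDB, firewall, identity provider and ticketing system.

```python
"""Minimal SOAR playbook: alert -> enrich -> decide -> act.

Added example, not from the original document. The alert, the threat-intel feed,
the asset inventory, the allowlist and the action formats are constructed here.
"""
from dataclasses import dataclass, field

# Constructed SIEM alert handed to the playbook (same shape a SIEM might emit).
ALERT = {"rule": "ssh_bruteforce", "severity": "high", "src_ip": "203.0.113.7",
         "host": "web01", "count": 5, "users": ["admin", "oracle", "root"]}

# Constructed enrichment sources: stand-ins for a TI platform and a CMDB.
THREAT_INTEL = {"203.0.113.7": {"score": 85, "tags": ["bruteforce", "tor-exit"]}}
ASSETS = {"web01": {"criticality": "high", "owner": "web-team", "internet_facing": True},
          "dev03": {"criticality": "low", "owner": "dev-team", "internet_facing": False}}
UNKNOWN_ASSET = {"criticality": "unknown", "owner": "soc-tier1", "internet_facing": False}
# Sources that must never be auto-blocked, e.g. the organization's own vulnerability scanner.
ALLOWLIST = {"198.51.100.10"}


@dataclass
class Case:
    alert: dict
    context: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)
    disposition: str = "open"


def enrich(case):
    """Attach indicator reputation, asset context and allowlist status to the case."""
    ti = THREAT_INTEL.get(case.alert["src_ip"], {"score": 0, "tags": []})
    asset = ASSETS.get(case.alert["host"], UNKNOWN_ASSET)
    case.context = {"ti_score": ti["score"], "ti_tags": ti["tags"], "asset": asset,
                    "allowlisted": case.alert["src_ip"] in ALLOWLIST}
    return case


def decide(case):
    """Risk scoring: indicator reputation plus asset criticality plus alert severity.
    The allowlist is checked first so a trusted scanner is never contained automatically."""
    ctx = case.context
    if ctx["allowlisted"]:
        case.disposition = "closed_benign"
        ctx["risk_score"] = 0
        return case
    score = ctx["ti_score"]
    if ctx["asset"]["criticality"] == "high":
        score += 15
    if case.alert["severity"] == "high":
        score += 20
    ctx["risk_score"] = score
    if score >= 80:
        case.disposition = "auto_contain"
    elif score >= 40:
        case.disposition = "analyst_review"
    else:
        case.disposition = "closed_low_risk"
    return case


def act(case):
    """Translate the disposition into concrete, auditable actions (assumed formats)."""
    ip = case.alert["src_ip"]
    owner = case.context["asset"]["owner"]
    if case.disposition == "auto_contain":
        # Inline blocking: time-limited so a wrong call self-heals.
        case.actions.append({"type": "firewall_block", "target": ip, "ttl_hours": 24})
        # Targeted accounts get a forced credential reset rather than a disable,
        # so a guessed password stops working without locking out the owners.
        case.actions.append({"type": "force_password_reset", "accounts": case.alert["users"]})
        case.actions.append({"type": "ticket", "priority": "P1", "assignee": owner})
    elif case.disposition == "analyst_review":
        case.actions.append({"type": "ticket", "priority": "P3", "assignee": "soc-tier1"})
    return case


def run_playbook(alert):
    """Run the full playbook for one alert and return the resulting case."""
    return act(decide(enrich(Case(alert=dict(alert)))))


if __name__ == "__main__":
    case = run_playbook(ALERT)
    print(case.disposition, case.context["risk_score"])
    for action in case.actions:
        print(action)
```

Two design points worth noting: the allowlist check comes before any scoring, because the most expensive SOAR mistake is auto-blocking your own scanner or a business partner; and every automated block carries a TTL, so an error expires on its own instead of waiting for someone to notice.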

3. SOC:
A Security Operation Center (SOC) is a centralized function within an organization employing
people, processes, and technology to continuously monitor and improve an organization's
security posture while preventing, detecting, analyzing, and responding to cybersecurity
incidents.
Benefits of SOC:
The key benefit of having a security operations center is the improvement of security incident
detection through continuous monitoring and analysis of data activity. By analyzing this activity
across an organization's networks, endpoints, servers, and databases around the clock, SOC
teams ensure timely detection of and response to security incidents.

Functioning of SOC:
The function of a security operations center is to monitor, detect, investigate, and respond to
cyberthreats around the clock. Security operations teams are charged with monitoring and
protecting many assets, such as intellectual property, personnel data, business systems, and brand
integrity. As the implementation component of an organization's overall cybersecurity
framework, security operations teams act as the central point of collaboration in coordinated
efforts to monitor, assess, and defend against cyberattacks.

SOC's structure:
SOCs have typically been built around a hub-and-spoke architecture, where a security
information and event management system aggregates and correlates data from security feeds.
Spokes of this model can incorporate a variety of systems, such as vulnerability assessment
solutions, governance, risk and compliance systems, application and database scanners, intrusion
prevention systems, user and entity behavior analytics, endpoint detection and response (EDR),
and threat intelligence platforms.
The SOC is usually led by a SOC manager, and may include incident responders, SOC
analysts, threat hunters and an incident response manager. The SOC reports to the CISO, who in
turn reports to either the CIO or directly to the CEO.

Working of SOC:
A SOC acts like the hub or central command post, taking in telemetry from across an
organization's IT infrastructure, including its networks, devices, appliances, and information
stores, wherever those assets reside. The proliferation of advanced threats places a premium on
collecting context from diverse sources. Essentially, the SOC is the correlation point for every
event logged within the organization that is being monitored. For each of these events, the SOC
must decide how they will be managed and acted upon.
