HOW SIEM AND SOC SUPPORT INCIDENT RESPONSE

With more than half of American companies reporting cyber incidents in the last 12 months, you don’t have to be an IT expert to realize that preparing for incident response is tied to business survival. Between the loss of data, failed productivity, regulations, and loss of reputation, businesses need to be able to respond quickly to cyber incidents. Employing both security information and event management (SIEM) and security operation center (SOC) products and services can have a positive impact on incident response and recovery.

Cyber Incidents

Let’s begin with cyber incidents that impact businesses. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 defines a cyber incident as any event that may “jeopardize the confidentiality, integrity, or availability of a system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.”

In other words, anything that negatively impacts a business’s ability to securely access, use, and store its digital information or keeps the network from operating securely is considered a cyber incident. The costs of a data breach can also be phenomenal in terms of lost productivity, financial implications, the loss of reputation, and more.

Examples of cyber incidents range from unauthorized access to information on a business network or system to malware attacks, distributed denial of service (DDoS) attacks, or insider acts. Disruptions caused by natural disasters, including tornadoes, hurricanes, and earthquakes, are also considered cyber incidents. Workplace events such as a power outage that interferes with access to your business network also qualify as cyber incidents.

Incident Reporting

Under certain circumstances, your business may be required to report cyber incidents to the federal government as they can have serious consequences. The theft of private, financial, or other sensitive data and cyberattacks that damage computer systems can create ongoing harm to businesses and even threaten national security. If a business falls victim to a cyber incident that results in any of the following scenarios, it should be reported to the federal government as soon as possible:
  • An incident that results in significant loss of data, system availability, or control of systems
  • Cyber incidents that impact a large number of victims (such as patients or clients)
  • Attacks that indicate unauthorized access to, or malicious software present on, critical information technology systems
  • Any attack or cyber incident that has an effect on critical infrastructure or government functions (e.g. utility providers or manufacturers involved with the defense industrial base [DIB])
  • Incidents that may have an impact on national security, economic security, or public health and safety

Incident Response

The statistics about cyber incidents impacting businesses are astounding and demonstrate that the odds a business will experience a cyber incident at any given time are pretty high. For example, a 2019 study by Keeper Security and the Ponemon Institute showed that the number of small and medium businesses (SMBs) that experienced data breaches increased to 63 percent, a jump from 58 percent in 2018 and 54 percent in 2017. The same report showed that a whopping 76 percent of U.S. companies surveyed for the study reported a cyberattack in the 12 months prior. That is just looking at attacks and doesn’t account for other cyber incidents such as those caused by natural disasters or workplace issues. The bottom line is that businesses are at high risk of experiencing a cyber incident and should be prepared with an incident response plan.

Some businesses may work within their own IT department or may hire a third-party IT firm such as Dox Electronics to help develop an incident response plan. Depending on the state and federal laws that apply to your industry, most businesses fall under one or more security regulations such as HIPAA, CMMC, DFARS, NIST SP 800-171, HITECH, FERPA and several others. This also has an impact on the development of your incident response plan. The Cybersecurity Maturity Model Certification (CMMC), the newest and most stringent of federal cybersecurity requirements to date, requires the following for incident response:
  • Plan for Incident Response
  • Detect and Report Events
  • Develop and Implement a Response to a Declared Incident
  • Perform Post Incident Reviews
  • Test Incident Response

Security Information and Event Management

Security information and event management, known as SIEM, is one part of computer and network security. There are SIEM software products and services that combine security information management with security event management. Such tools provide an analysis of real-time security alerts associated with your business devices, applications, and network.

SIEM products and services examine a business’s internal network traffic and log files, including website visits and incoming traffic such as emails, search queries, etc. That information is continuously gathered, monitored, and correlated. This matters to your company’s security process because someone needs to collect this information and determine whether it means anything. For example, does a particular series of events mean an incident is occurring or has occurred?

When a cyber incident does occur, SIEM tools are valuable for incident response because they help organizations collect log files to track down where things went wrong, what the root cause of the incident was, what vulnerability led to the incident, etc. It’s this information that can help stop the incident if it’s already in progress, shore up any security vulnerabilities, and even prevent incidents from wreaking havoc on business data and systems.
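As an added illustration of the correlation step described above (this is example code written for this article, not a product of Dox Electronics or any SIEM vendor), here is a minimal SIEM-style rule in Python that runs over constructed SSH authentication log lines and decides whether a burst of failed logins followed by a success should be raised as an alert. The hostnames, usernames, and IP addresses in the sample are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hosts, users and IPs are invented for the demo).
SAMPLE_LOGS = """\
2024-03-01T09:00:01 srv1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:03 srv1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:05 srv1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:08 srv1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:11 srv1 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:14 srv1 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T09:05:00 srv1 sshd: Failed password for alice from 198.51.100.2
2024-03-01T09:05:30 srv1 sshd: Accepted password for alice from 198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse(text):
    """Normalize raw log lines into event dicts; lines the regex does not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Rule: at least `threshold` failures for one (source, user) inside `window`,
    followed by a success for the same pair, is flagged as a likely brute-force success."""
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        # keep only failures still inside the sliding window
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            failures[key] = recent
        else:
            if len(recent) >= threshold:
                alerts.append({"host": ev["host"], "src": ev["src"], "user": ev["user"],
                               "failures": len(recent), "at": ev["ts"].isoformat()})
            failures[key] = []  # a success resets the counter for this pair
    return alerts
```

Calling `correlate(parse(SAMPLE_LOGS))` returns one alert for the admin login from 203.0.113.7 and nothing for alice, whose single typo-style failure is exactly the kind of event an analyst should not be paged for.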

Security Operation Center

While SIEM is the product or service that collects data from your network and devices, it’s the security operation center (SOC) that receives the data and security alerts. A SOC is similar to a call center, but instead of getting calls from clients for support, it gets alerts from the network monitoring and scanning programs that feed the SIEM.

Analysts at the SOC examine and analyze the information from the SIEM software to see if an incident is in process or has occurred. If there is an issue, they alert the client so the threat can be terminated and any damage can be assessed and repaired immediately. The SOC is the combination of people, processes, and technology reviewing your business SIEM data continuously to see if there’s malicious activity. Think of them as your company’s personal, digital watchdog.

By employing both SIEM and SOC into your business cybersecurity preparedness plan, you’ll be able to quickly identify cyber incidents and address them to limit the damage that is done. In the end, SIEM and SOC contribute greatly to a positive incident response and outcome.

To learn more about SIEM and SOC for your business, contact Dox Electronics at (585) 473-7766. Protect your business with cybersecurity preparedness today!