cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
bjames
Viewer

When Building a SOC....

When building a Security Operations Center (SOC), is a SIEM enough? 

7 Replies
bkwalker
Newcomer III

Enough what?

tmekelburg1
Community Champion

Is this a philosophical question? 😉

 

MITRE: Ten Strategies of a World-Class Cybersecurity Operations Center 

 

 

peek
Viewer II

In a word: no.
Of course you will need people to look at the event streams and make sense of them. This is true regardless of the amount of automation you build into the SIEM/SOAR system. You should also look at EDR/XDR solutions. SIEM tends to be a lagging indicator. EDR can potentially stop things before they create an incident. This is a really loaded question.

mstoyanoff
Viewer II

It's a good start, but you will also need security analysts, automation, processes to follow, etc.

Hari
Newcomer II

This is a somewhat  strange question in my opinion. It depends!. If your SIEM covers every possible threat vector for your organization then I guess it would be ok. In real life, it's highly unlikely that this would be the case though. You would probably need elements of SOAR, EDR etc too.  I might be wrong. 

 

curious_mind
Viewer

In one word, nope! A SIEM is a robust tool to fetch logs and correlate, analyze uses the build in AI to show you its calculated output. However, first thing while you procure a SIEM, understand your business, identify your threat landscape. You are going to need many use cases catered for your organization. While building the use cases, you might come up with the need to many tools, whose logs are needed in the SIEM to make it something useful.

sergeling
Contributor I

Short answer would be no. SIEM is a great start, but not enough. For a more mature SOC you would want to incorporate more tools and data sources to enhance detection and analytic capabilities.