SOC, SecOps and SIEM - How They Work Together


9/11/2019 SOC, SecOps and SIEM: How They Work Together

 

CH08: THE SOC, SECOPS AND SIEM

The Modern Security Operations Center, SecOps and SIEM: How They Work Together

This page is a comprehensive guide to the modern Security Operations Center (SOC). In this chapter you will learn:

What a modern SOC looks like - why organizations build a SOC and their objectives

What is SecOps and DevSecOps - how these new practices are transforming the SOC

SOC deployment models - including new models like distributed and virtual SOC

SOC command hierarchy - Tier 1, Tier 2, Tier 3 analysts and supporting roles

Technologies used in the SOC - from traditional tools like SIEM, GRC and IDS, to new developments like NTA, EDR and UEBA

SOC processes - the incident response model and how SIEMs power the basic operations of the SOC

https://www.exabeam.com/siem-guide/the-soc-secops-and-siem/

What is a SOC?
An Information Security Operations Center (ISOC or SOC) is a facility where security staff monitor enterprise systems, defend against security breaches, and
proactively identify and mitigate security risks.

In the past, the SOC was considered a heavyweight infrastructure which is only within the reach of very large or security-minded organizations. Today, with new collaboration tools and security technology, many smaller organizations are setting up virtual SOCs which do not require a dedicated facility, and can use part-time staff from security, operations and development groups. Many organizations are setting up managed SOCs or hybrid SOCs which combine in-house staff with tools and expertise from Managed Security Service Providers (MSSPs).

Motivation for Building a SOC

A SOC is an advanced stage in the security maturity of an organization. The following are drivers that typically push companies to take this step:

Requirements of standards such as the Payment Card Industry Data Security Standard (PCI DSS), government regulations, or client requirements

The business must defend very sensitive data

Past security breaches and/or public scrutiny

Type of organization—for example, a government agency or Fortune 500 company will almost always have the scale and threat profile that justifies a SOC, or even multiple SOCs

Focus Areas of a SOC

A SOC can have several different functions in an organization, which can be combined. Below are SOC focus areas with the level of importance assigned to each in the Exabeam State of the SOC survey.

Control and Digital Forensics—enforcing compliance, penetration testing, vulnerability testing. Level of importance in USA SOCs: 62%

Monitoring and Risk Management—capturing events from logs and security systems, identifying incidents and responding. Level of importance in USA SOCs: 58%

Network and System Administration—administering security systems and processes such as identity and access management, key management, endpoint management, firewall administration, etc. Level of importance in USA SOCs: 48%

SOC Facilities

The classic Security Operations Center is a physical facility which is well protected in terms of cyber security and physical security. It is a large room, with security staff sitting at desks facing a wall with screens showing security stats, alerts and details of ongoing incidents. Nowadays, many SOCs look quite different. For example, a Virtual SOC (VSOC) is not a physical facility, but rather a group of security professionals working together in a coordinated manner to perform the duties of a SOC.


Challenges When Building a Security Operations Center

Security teams building a SOC face several common challenges:
Limited visibility—a centralized SOC does not always have access to all organizational systems. These could include endpoints, encrypted data, or systems controlled by third parties which have an impact on security.

White noise—a SOC receives immense volumes of data and much of it is insignificant for security. Security Information and Event Management (SIEM) and other tools used in the SOC are getting better at filtering out the noise, by leveraging machine learning and advanced analytics.

False positives and alert fatigue—SOC systems generate large quantities of alerts, many of which turn out not to be real security incidents. False positives can consume a large part of security analysts’ time, and make it more difficult to notice when real alerts occur.

All three of these challenges are addressed by a Security Information and Event Management (SIEM) system, which powers daily operations in modern SOCs. Read more about SIEMs below in Technologies Used in the SOC.

What is SecOps?
Security Operations (SecOps) is a collaboration between security and IT operations teams, where security and operations staff assume joint ownership and
responsibility for security concerns. It is a set of SOC processes, practices and tools which can help organizations meet security goals more efficiently.

Before SecOps

In the past, operations and security teams had conflicting goals. Operations was responsible for setting up systems to achieve uptime and performance goals. Security was responsible for verifying a checklist of regulatory or compliance requirements, closing security holes and putting defenses in place. In this environment, security was a burden—perceived as something that slows down operations and creates overhead. But in reality, security is part of the requirements of every IT system, just like uptime, performance or basic functionality.

After SecOps

SecOps combines operations and security teams into one organization. Security is “shifting left”—instead of coming in at the end of the process, it is present at the beginning, when requirements are stated and systems are designed. Instead of having ops set up a system, then having security come in to secure it, systems are built from the get go with security in mind.

Towards DevSecOps

SecOps has additional implications in organizations which practice DevOps—joining development and operations teams into one group with shared responsibility for IT systems. In this environment, SecOps involves even broader cooperation—between security, ops and software development teams. This is known as DevSecOps. It shifts security even further left—baking security into systems from the first iteration of development.

SecOps in the SOC

The classic Security Operations Center is not compatible with SecOps—security analysts sit in their own room and respond to incidents, while operations are in another room, or building, running IT systems, with little or no communications between them. However, the modern SOC can foster a SecOps mentality:

Analysts can continuously inform operations staff about threats to the organization’s systems, and actual incidents

Analysts can proactively seek out security gaps and work with operations to close them

Operations can come to the SOC for guidance about security implications of systems, components, vendors or changes

The Security Maturity Spectrum—are You Ready for a SOC?

Different organizations find themselves at different stages of developing their security presence. We define five stages of security maturity—in stages 4 and 5, an investment in a Security Operations Center becomes relevant and worthwhile.

Stage 1: Initial (Minimalists)
“Security isn’t our top concern. We’ve got AV and FWs. We’re good!”
No SIEM. No logging. Basic FW at perimeter. AV in use.

Stage 2: Developing (Reactive)
“We haven’t explored solutions and don’t believe we are at risk. We’ll deal with a breach if it happens.”
No SIEM. Some logging. Patch management added. Dedicated FW & DMZ. Basic Identity and Access Management added.

Stage 3: Defined (Concerned)
“We’re at risk, but budget is a problem. We’re overwhelmed by the alerts we’re facing. We need help prioritizing and addressing threats.”
Considering a SIEM or has basic SIEM deployment. Multi-FW and network segmentation added. Data classification added. Overwhelmed by alerts and logs. Needs to prioritize them. Concerned with optimizing budget due to limited resources.

Stage 4: Managed (Advanced Security)
“We have budget to invest in security. We have limited personnel and need to maximize them.”
SIEM is integrated with most areas. Considering analytics as a way to cut down on alert fatigue. Starting to think about tools to optimize incident investigation. Looking to increase operational efficiency and maximize personnel output. Intrigued by the idea of threat hunting.

Stage 5: Optimizing (Mature)
“We’re knowledgeable about security. We continuously innovate and improve our program.”
Very mature SIEM deployment. Integrated with virtually all systems. Performs threat hunting with senior analysts. Has customized security capabilities that integrate into their workflows. Capable of building their own DS algorithms. Interested in cost efficiency and reduced risk from 3rd party solutions.

SOC Deployment Models

Following are common models for deploying a SOC within your organization:

Dedicated SOC: Classic SOC with dedicated facility, dedicated full time staff, operated fully in house, 24×7 operations.

Distributed SOC: Some full time staff and some part-time, typically operates 8×5 in each region.

Multifunctional SOC / NOC: A dedicated facility with a dedicated team which performs both the functions of a Network Operations Center (NOC) and a SOC.

Fusion SOC: A traditional SOC combined with new functions such as threat intelligence, operational technology (OT).

Command SOC / Global SOC: Coordinates other SOCs in a global enterprise, provides threat intelligence, situational awareness and guidance.

Virtual SOC: No dedicated facility, part-time team members, usually reactive and activated by a high profile alert or security incident. The term Virtual SOC is also sometimes used for an MSSP or managed SOC (see below).

Managed SOC / MSSP / MDR: Many organizations are turning to Managed Security Service Providers (MSSP) to provide SOC services on an outsourced basis. Modern offerings are called Managed Detection and Response (MDR). Managed SOCs can be outsourced completely or co-managed with in-house security staff.

Who Works in a SOC?

A Security Operations Center has a hierarchy of roles with a clear escalation path. Day-to-day alerts are received and investigated by the Tier 1 Analyst; a real security incident is stepped up to a Tier 2 Analyst; and business critical incidents pull in the Tier 3 Analyst and if necessary, the SOC Manager.

Tier 1 Analyst (Alert Investigator)
Qualifications: System administration skills, web programming languages such as Python, Ruby, PHP, scripting languages, security certifications such as CISSP or SANS SEC401.
Duties: Monitors SIEM alerts, manages and configures security monitoring tools. Prioritizes alerts or issues and performs triage to confirm a real security incident is taking place.

Tier 2 Analyst (Incident Responder)
Qualifications: Similar to Tier 1 analyst but with more experience including incident response. Advanced forensics, malware assessment, threat intelligence. White-hat hacker certification or training is a major advantage.
Duties: Receives incidents and performs deep analysis, correlates with threat intelligence to identify the threat actor, nature of the attack and systems or data affected. Decides on strategy for containment, remediation and recovery and acts on it.

Tier 3 Analyst (Subject Matter Expert / Threat Hunter)
Qualifications: Similar to Tier 2 analyst but with even more experience including high-level incidents. Experience with penetration testing tools and cross-organization data visualization. Malware reverse engineering, experience identifying and developing responses to new threats and attack patterns.
Duties: Day-to-day, conducts vulnerability assessments and penetration tests, and reviews alerts, industry news, threat intelligence and security data. Actively hunts for threats that have found their way into the network, as well as unknown vulnerabilities and security gaps. When a major incident occurs, joins the Tier 2 Analyst in responding and containing it.

Tier 4 SOC Manager (Commander)
Qualifications: Similar to Tier 3 analyst, including project management skills, incident response management training, strong communication skills.
Duties: Like the commander of a military unit, responsible for hiring and training SOC staff, in charge of defensive and offensive strategy, manages resources, priorities and projects, and manages the team directly when responding to business critical security incidents. Acts as point of contact for the business for security incidents, compliance and other security

Security Engineer (Support and Infrastructure)
Qualifications: Degree in computer science, computer engineering or information assurance, typically combined with certifications like CISSP.
Duties: A software or hardware specialist who focuses on security aspects in the design of information systems. Creates solutions and tools that help organizations deal robustly with disruption of operations or malicious attack. Sometimes employed within the SOC and sometimes supporting the SOC as part of development or operations teams.
Technologies Used in the SOC

The foundational technology of a SOC is a Security Information and Event Management (SIEM) system, which aggregates system logs and events from security tools from across the entire organization. The SIEM uses correlation and statistical models to identify events that might constitute a security incident, alert SOC staff about them, and provide contextual information to assist investigation. A SIEM functions as a “single pane of glass” which enables the SOC to monitor enterprise systems.

Traditional Tools Used in the SOC

Security Information and Event Management (SIEM)

Governance, risk and compliance (GRC) systems

Vulnerability scanners and penetration testing tools

Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and wireless intrusion prevention

Firewalls and Next-Generation Firewalls (NGFW) which can function as an IPS

Log management systems (commonly as part of the SIEM)

Cyber threat intelligence feeds and databases

Next-Gen Tools Leveraged by Advanced SOCs

Next-generation SIEMs which include machine learning and advanced behavioral analytics, threat hunting, built-in incident response and SOC automation

Network Traffic Analysis (NTA) and Application Performance Monitoring (APM) tools

Endpoint Detection and Response (EDR), which helps detect and mitigate suspicious activities on hosts and user devices

User and Entity Behavioral Analytics (UEBA), which uses machine learning to identify suspicious behavioral patterns

SOC Monitoring

Monitoring is a key function of tools used in the SOC. The SOC is responsible for enterprise-wide monitoring of IT systems and user accounts, and also monitoring of the security tools themselves—for example, ensuring antivirus is installed and updated on all organizational systems. The main tool that orchestrates monitoring is the SIEM. Organizations use many dedicated monitoring tools, such as network monitoring and Application Performance Monitoring (APM). However, for security purposes only the SIEM, with its cross-organizational view of IT and security data, can provide a complete monitoring solution.

SOC Processes Facilitated by a SIEM: Key Examples

Malware investigation

The SIEM can help security staff combine data about malware detected across the organization, correlate it with threat intelligence and help understand the systems and data affected. Next-gen SIEMs provide security orchestration capabilities, a visualization of incident timelines, and can even automatically “detonate” malware in a threat intelligence sandbox.

Phishing prevention and detection

The SIEM can use correlations and behavioral analysis to determine that a user clicked a phishing link, distributed via email or other means. When an alert is raised, analysts can search for similar patterns across the organization and across timelines to identify the full scope of the attack.

HR investigation

When an employee is suspected of direct involvement in a security incident, a SIEM can help by drawing in all data about the employee’s interaction with IT systems, over long periods of time. A SIEM can uncover anomalies like logins into corporate systems at unusual hours, escalation of privileges, or moving large quantities of data.

Departed employees risk mitigation

According to an Intermedia study, 89% of employees who leave their jobs retain access to at least some corporate systems, and use those credentials to log in. A SIEM can map out the problem in a large organization, identifying which systems have unused credentials, which former employees are accessing systems, and which sensitive data is affected.
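The HR investigation and departed-employee use cases above both come down to joining authentication events with HR data. The following is an added example, not code from the Exabeam guide: a small SIEM-style correlation that flags logins by users after their last working day and logins outside business hours. The log format, the HR roster, the working-hours window and every sample value are constructed assumptions.

```python
"""Correlate authentication events with an HR offboarding roster.

Added example (not from the guide). Flags two situations the guide describes:
logins by departed employees whose credentials were never revoked, and logins
at unusual hours. All log lines, users and hosts below are constructed.
"""
from datetime import date, datetime, time
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: key=value authentication events, one per line.
SAMPLE_AUTH_LOG = """\
2019-09-02T09:14:05 host=vpn-gw1 user=jdoe result=success src=203.0.113.10
2019-09-02T23:41:17 host=fileshare1 user=asmith result=success src=10.0.5.22
2019-09-03T10:02:44 host=erp-app user=mlee result=success src=10.0.7.9
2019-09-04T02:10:31 host=fileshare1 user=jdoe result=success src=198.51.100.7
2019-09-04T08:55:00 host=mail user=bwong result=failure src=10.0.3.3
2019-09-05T12:00:12 host=hr-portal user=asmith result=success src=10.0.5.22
"""

# Constructed HR roster: username -> last working day (None = still employed).
HR_ROSTER: Dict[str, Optional[date]] = {
    "jdoe": date(2019, 8, 30),   # left before the log window starts
    "asmith": None,
    "mlee": date(2019, 9, 3),    # last day falls inside the window
    "bwong": None,
}

# Assumed working window; anything outside it is "unusual hours".
BUSINESS_HOURS = (time(7, 0), time(20, 0))


class AuthEvent(NamedTuple):
    ts: datetime
    host: str
    user: str
    result: str
    src: str


class Finding(NamedTuple):
    kind: str        # "departed_user_login" or "off_hours_login"
    user: str
    host: str
    ts: datetime


def parse_auth_log(text: str) -> List[AuthEvent]:
    """Parse key=value lines; malformed lines are skipped, not fatal."""
    events: List[AuthEvent] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            kv = dict(p.split("=", 1) for p in parts[1:])
            events.append(AuthEvent(ts, kv["host"], kv["user"], kv["result"], kv["src"]))
        except (ValueError, KeyError):
            continue
    return events


def correlate(events: List[AuthEvent], roster: Dict[str, Optional[date]],
              hours=BUSINESS_HOURS) -> List[Finding]:
    """Join successful logins against the HR roster and the working-hours window."""
    findings: List[Finding] = []
    for ev in events:
        if ev.result != "success":
            continue  # failed attempts are a separate (brute-force) detection
        last_day = roster.get(ev.user)
        # A login on the last working day itself is still legitimate.
        if last_day is not None and ev.ts.date() > last_day:
            findings.append(Finding("departed_user_login", ev.user, ev.host, ev.ts))
        if not (hours[0] <= ev.ts.time() <= hours[1]):
            findings.append(Finding("off_hours_login", ev.user, ev.host, ev.ts))
    return findings


def departed_users_still_active(findings: List[Finding]) -> Dict[str, List[str]]:
    """Map each departed user that still logs in to the systems they reached."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        if f.kind == "departed_user_login":
            hosts = out.setdefault(f.user, [])
            if f.host not in hosts:
                hosts.append(f.host)
    return out


if __name__ == "__main__":
    found = correlate(parse_auth_log(SAMPLE_AUTH_LOG), HR_ROSTER)
    for f in found:
        print(f"{f.kind:20} user={f.user:7} host={f.host:11} at {f.ts.isoformat()}")
    print("departed users with live access:", departed_users_still_active(found))
```

The same join, run against a real SIEM export and the identity system's leaver list, is what the guide means by mapping out which systems still hold credentials of former employees.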

Motivation for Using Next-Generation SOC Tooling

Next-generation SIEM—helps lower alert fatigue, lets analysts focus on the alerts that matter. New analytics capabilities, combined with a huge breadth of security data, allow next-gen SIEMs to discover incidents that no individual security tool can see.

NTA—easy to implement, great at detecting abnormal network behaviors. Useful when the SOC has access to the traffic under investigation and is interested in investigating lateral movement by attackers already inside the perimeter.

UEBA—uses machine learning and data science techniques to detect malicious insiders, or bypass of security controls. Makes it much easier to identify account compromise, whether by outside attackers or insiders.

EDR—provides a strong defense against compromise of workstations or servers, helps manage the mobile workforce. Provides the data needed to carry out historic investigations and track root causes.

Which Tools Should You Start With?

These stages of tools adoption were proposed by Anthony Chuvakin of Gartner.

Greenfield SOCs → SIEM only

Established SOC → Add automated threat intelligence sandboxing, NTA and EDR.

Forward Leaning → Add UEBA and a full in-house Threat Intelligence Platform—provided as a part of next-generation SIEMs

SOC Processes

How SecOps and DevSecOps are Transforming the SOC

Security Operations Center processes used to be completely isolated from other parts of the organization. Developers would build systems, IT operations would run them, and security was responsible for securing them. Today it is understood that joining these three functions into one organization—with joint responsibility over security—can improve security and create major operational efficiencies.

Here are a few ways in which a SOC can integrate its processes with dev and IT:

Creating a distributed SOC with DevOps members—DevOps teams can help with incident response due to their deep knowledge of IT systems, and can learn from security staff about threats and critical vulnerabilities.

Pairing threat hunters with DevOps team leaders—instead of discovering a threat and reporting it upwards, threat hunters can work directly with dev or ops teams to close the security gap at its source.

Opening the SOC for guidance and advice—anyone doing work that has a security impact should have an easy path to reach the SOC and consult with the organization’s top security experts.

Creating security centers of excellence—the SOC can work with selected dev and operations groups to implement security best practices, and then showcase these successes to the entire organization to promote SecOps practices.

A Basic Incident Response Model

While SOCs are undergoing transformation and assuming additional roles, their core activity remains incident response. The SOC is the organizational unit that is expected to detect, contain, and mitigate cyber attacks against the organization. The people responsible for incident response are Tier 1, Tier 2 and Tier 3 analysts, and the software they primarily rely on is the SOC’s Security Information and Event Management (SIEM) system.

1. Event Classification: Tier 1 Analysts monitor user activity, network events, and signals from security tools to identify events that merit attention.

2. Prioritization and Investigation: Tier 1 Analysts prioritize, select the most important alerts, and investigate them further. Real security incidents are passed to Tier 2 Analysts.

3. Containment and Recovery: Once a security incident has been identified, the race is on to gather more data, identify the source of the attack, contain it, recover data and restore system operations.

4. Remediation and Mitigation: SOC staff work to identify broad security gaps related to the attack and plan mitigation steps to prevent additional attacks.

5. Assessment and Audit: SOC staff assess the attack and mitigation steps, gather additional forensic data, draw final conclusions and recommendations, and finalize auditing and documentation.

A SIEM is a foundational technology in a SOC—here is how a SIEM can help with each incident response stage:

Alert generation and ticketing Searching and exploring data Context on incidents and security Reporting and dashboarding Compliance
orchestration reporting

A SIEM collects security data from A SIEM can help Tier 1 and Tier 2 Remediation and mitigation are an
organizational systems and analysts search, filter, slice and When a real security incident is ongoing activity, and they require One of the core functions of a SIEM
security tools, correlates it with other events or threat data, and generates alerts for suspicious or anomalous events.
Next Gen SIEM: Next-generation SIEMs apply machine learning and behavioral analytics to reduce false positives and alert fatigue, and to discover hard-to-detect, multi-step activity such as lateral movement, insider threats and data exfiltration.

dice, and visualize years of security data. Analysts can easily pull and compare relevant data to better understand an incident.
Next Gen SIEM: Next-generation SIEMs are built on data lake technology that lets organizations retain very large volumes of data at low cost. They also apply machine learning and User and Entity Behavior Analytics (UEBA) to identify high-risk events and surface them to analysts.

identified, a SIEM provides context around the incident, for example which other systems were accessed by the same IPs or user credentials.
Next Gen SIEM: Next-generation SIEMs provide Security Orchestration, Automation and Response (SOAR) capabilities. They integrate with other security systems and can perform containment actions automatically, for example quarantining an email that carries malware, then retrieving the attachment and detonating it in a sandbox.

visibility of the status and activity of critical security and IT systems. SIEMs have a cross-organization view which can provide this visibility.
Next Gen SIEM: Next-generation SIEMs use machine learning and data science to establish baselines for groups of users and devices, which allows faster and more accurate detection of insecure systems and suspicious activity.

is to produce reports and audits for regulatory requirements and standards like PCI DSS, HIPAA and SOX, both on an ongoing basis and following an incident or breach.
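The baselining described in the Next Gen SIEM rows above, as an added example that is not code from the page or from any vendor: it learns, per user and per department, which hosts each account normally logs on to and at which hours, then scores new logons against both the user's own history and that of the user's peer group. A static "outside business hours" correlation rule runs alongside it so the difference in false positives is visible. The log format, the departments, hosts and users, the score weights and the alert threshold are all assumptions made for this example, and the log lines are constructed.

```python
"""Peer-group behavioral baseline versus a static correlation rule (constructed example)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Logon:
    ts: datetime
    user: str
    dept: str
    host: str


def parse(line: str) -> Logon:
    """Parse one line of the assumed format: '<iso-timestamp> user=<u> dept=<d> host=<h>'."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Logon(datetime.fromisoformat(ts_str), kv["user"], kv["dept"], kv["host"])


class Baseline:
    """Per-user and per-department logon history learned from a training window."""

    ALERT_THRESHOLD = 40  # assumed score at which an analyst is paged

    def __init__(self) -> None:
        self.user_hosts: dict[str, set[str]] = defaultdict(set)
        self.user_hours: dict[str, set[int]] = defaultdict(set)
        self.dept_users: dict[str, set[str]] = defaultdict(set)
        # dept -> host -> set of people in that dept who have logged on to it
        self.dept_host_users: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))

    def learn(self, e: Logon) -> None:
        self.user_hosts[e.user].add(e.host)
        self.user_hours[e.user].add(e.ts.hour)
        self.dept_users[e.dept].add(e.user)
        self.dept_host_users[e.dept][e.host].add(e.user)

    def host_score(self, e: Logon) -> int:
        """How unusual this host is for the user, judged against the peer group."""
        if e.host in self.user_hosts[e.user]:
            return 0                      # the user's own normal
        peers = self.dept_users[e.dept] - {e.user}
        if not peers:
            return 30                     # nothing to compare against: moderate score
        share = len(self.dept_host_users[e.dept][e.host] & peers) / len(peers)
        if share >= 0.5:
            return 10                     # new for the user, routine for the team
        if share > 0:
            return 25                     # unusual for the team
        return 50                         # nobody in the department uses this host

    def hour_score(self, e: Logon) -> int:
        """How unusual the hour is for this user, relative to their own history only."""
        seen = self.user_hours[e.user]
        if e.ts.hour in seen:
            return 0
        if any(abs(e.ts.hour - h) <= 1 for h in seen):
            return 5                      # adjacent to a known working hour
        return 20

    def score(self, e: Logon) -> int:
        return self.host_score(e) + self.hour_score(e)

    def is_alert(self, e: Logon) -> bool:
        return self.score(e) >= self.ALERT_THRESHOLD


def static_rule_fires(e: Logon) -> bool:
    """A typical correlation rule: any logon outside 08:00-18:59 is an alert."""
    return e.ts.hour < 8 or e.ts.hour >= 19


# Constructed training window: a night-shift SOC analyst, two engineers, one finance user.
LEARNING_LOGS = [
    "2019-09-02T22:05:00 user=nwalker dept=soc host=siem01",
    "2019-09-03T22:40:00 user=nwalker dept=soc host=siem01",
    "2019-09-04T23:10:00 user=nwalker dept=soc host=siem01",
    "2019-09-02T09:15:00 user=jlee dept=eng host=build01",
    "2019-09-03T09:45:00 user=jlee dept=eng host=git01",
    "2019-09-02T10:05:00 user=mchen dept=eng host=build01",
    "2019-09-03T09:30:00 user=mchen dept=eng host=git01",
    "2019-09-04T10:20:00 user=mchen dept=eng host=ci01",
    "2019-09-02T09:00:00 user=rpatel dept=fin host=erp01",
]

# Constructed events to evaluate against that baseline.
NEW_LOGS = [
    "2019-09-10T22:30:00 user=nwalker dept=soc host=siem01",  # normal night shift
    "2019-09-10T09:30:00 user=jlee dept=eng host=erp01",      # engineer on the finance ERP host
    "2019-09-10T10:00:00 user=jlee dept=eng host=ci01",       # new to jlee, routine for eng
    "2019-09-10T03:00:00 user=jlee dept=eng host=build01",    # own host, odd hour
]


def build_baseline(lines=LEARNING_LOGS) -> Baseline:
    b = Baseline()
    for line in lines:
        b.learn(parse(line))
    return b


def evaluate(lines=NEW_LOGS, baseline=None) -> list[dict]:
    """Score each new logon with the behavioral baseline and the static rule side by side."""
    b = baseline or build_baseline()
    results = []
    for line in lines:
        e = parse(line)
        results.append({"user": e.user, "host": e.host, "score": b.score(e),
                        "behavioral_alert": b.is_alert(e), "static_rule_alert": static_rule_fires(e)})
    return results


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

The night-shift analyst's 22:30 logon trips the static rule but scores 0 against the baseline, while the engineer's first-ever logon to the finance ERP host scores 50 and pages, even though it happened at a normal hour that no time-based rule would flag. The 03:00 logon to the engineer's own build host scores only 20: a single weak signal accumulates risk but does not page on its own, which is the point of scoring rather than rule-matching.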


Measuring the SOC

Here are a few important metrics that help you understand the scale of activity in the SOC and how effectively analysts are handling the workload.

Mean Time to Detection (MTTD)
Definition: Average time from the start of an incident to its detection by the SOC.
What it measures: How effective the SOC is at processing important alerts and identifying real incidents.

Mean Time to Resolution (MTTR)
Definition: Average time from detection until the SOC has taken action and neutralized the threat.
What it measures: How effective the SOC is at gathering relevant data, coordinating a response and taking action.

Total cases per month
Definition: Number of security incidents detected and processed by the SOC.
What it measures: How busy the security environment is and the scale of action the SOC is managing.

Types of cases
Definition: Number of incidents by type: web attack, attrition (brute force and destruction), email, loss or theft of equipment, etc.
What it measures: The main types of activity managed by the SOC and where preventative security measures should be focused.

Analyst productivity
Definition: Number of units processed per analyst: alerts for Tier 1, incidents for Tier 2, threats discovered for Tier 3.
What it measures: How effective analysts are at covering the maximum possible alerts and threats.

Case escalation breakdown
Definition: Number of events that enter the SIEM, alerts reported, suspected incidents, confirmed incidents and escalated incidents.
What it measures: The effective capacity of the SOC at each level and the workload expected for different analyst groups.
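The metrics above computed from a case export, as an added example that is not code from the page: every record is a constructed case in the shape a SOC ticketing system might export, and the two SIEM counters are constructed monthly totals. Field names, outcomes and the numbers themselves are assumptions. MTTD is measured from the earliest attacker activity found in the logs to the moment the case was opened, and MTTR from detection to containment; both are computed over real incidents only, since a false positive has no incident to detect or resolve, and a median is reported beside each mean because one slow detection can dominate the average.

```python
"""SOC workload metrics from a constructed case export (added example)."""
from __future__ import annotations

from collections import Counter
from datetime import datetime
from statistics import mean, median

# Constructed monthly counters that only the SIEM itself can report.
SIEM_EVENTS_INGESTED = 4_200_000
SIEM_ALERTS_RAISED = 1_850

# Constructed case records. "first_activity" is the earliest relevant log timestamp
# found during investigation; "detected" is when the case was opened.
CASES = [
    {"id": "C-101", "type": "web attack", "tier": 1, "analyst": "amy", "outcome": "confirmed",
     "first_activity": "2019-08-02T01:10", "detected": "2019-08-02T01:25", "resolved": "2019-08-02T03:05"},
    {"id": "C-102", "type": "attrition", "tier": 1, "analyst": "bob", "outcome": "false_positive",
     "first_activity": "2019-08-05T09:00", "detected": "2019-08-05T11:00", "resolved": "2019-08-05T11:30"},
    {"id": "C-103", "type": "email", "tier": 1, "analyst": "amy", "outcome": "confirmed",
     "first_activity": "2019-08-12T08:20", "detected": "2019-08-12T08:50", "resolved": "2019-08-12T10:20"},
    {"id": "C-104", "type": "loss or theft of equipment", "tier": 2, "analyst": "cara", "outcome": "escalated",
     "first_activity": "2019-08-20T18:00", "detected": "2019-08-21T09:00", "resolved": "2019-08-21T10:00"},
    {"id": "C-105", "type": "web attack", "tier": 2, "analyst": "cara", "outcome": "escalated",
     "first_activity": "2019-09-03T14:00", "detected": "2019-09-03T14:45", "resolved": "2019-09-03T17:45"},
    {"id": "C-106", "type": "email", "tier": 1, "analyst": "bob", "outcome": "false_positive",
     "first_activity": "2019-09-09T07:30", "detected": "2019-09-09T07:40", "resolved": "2019-09-09T08:00"},
]

REAL_INCIDENT = {"confirmed", "escalated"}


def minutes_between(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def _real(cases: list[dict]) -> list[dict]:
    return [c for c in cases if c["outcome"] in REAL_INCIDENT]


def mttd(cases: list[dict] = CASES) -> dict[str, float]:
    """Minutes from first attacker activity to detection, real incidents only."""
    d = [minutes_between(c["first_activity"], c["detected"]) for c in _real(cases)]
    return {"mean": mean(d), "median": median(d)}


def mttr(cases: list[dict] = CASES) -> dict[str, float]:
    """Minutes from detection to containment, real incidents only."""
    d = [minutes_between(c["detected"], c["resolved"]) for c in _real(cases)]
    return {"mean": mean(d), "median": median(d)}


def cases_per_month(cases: list[dict] = CASES) -> dict[str, int]:
    return dict(Counter(c["detected"][:7] for c in cases))


def case_types(cases: list[dict] = CASES) -> dict[str, int]:
    """Incident counts by type, real incidents only: this is where prevention effort should go."""
    return dict(Counter(c["type"] for c in _real(cases)))


def analyst_productivity(cases: list[dict] = CASES) -> dict[str, int]:
    """Cases handled per analyst; for Tier 1 a SOC would count alerts triaged instead."""
    return dict(Counter(c["analyst"] for c in cases))


def escalation_funnel(cases: list[dict] = CASES) -> dict[str, int]:
    """Events -> alerts -> suspected -> confirmed -> escalated: the SOC's capacity at each level."""
    return {
        "events_into_siem": SIEM_EVENTS_INGESTED,
        "alerts_raised": SIEM_ALERTS_RAISED,
        "suspected_incidents": len(cases),
        "confirmed_incidents": len(_real(cases)),
        "escalated_incidents": sum(c["outcome"] == "escalated" for c in cases),
    }


def false_positive_rate(cases: list[dict] = CASES) -> float:
    """Share of opened cases closed as false positives; the direct alert-fatigue signal."""
    return sum(c["outcome"] == "false_positive" for c in cases) / len(cases)


if __name__ == "__main__":
    print("MTTD (min):", mttd())
    print("MTTR (min):", mttr())
    print("Cases per month:", cases_per_month())
    print("Real incidents by type:", case_types())
    print("Cases per analyst:", analyst_productivity())
    print("Escalation funnel:", escalation_funnel())
    print("False positive rate:", false_positive_rate())
```

On this data the mean MTTD is 247.5 minutes but the median is 37.5: the stolen laptop that went unreported overnight dominates the average, which is why the median belongs on the same dashboard. The funnel numbers are the ones to track month over month: if alerts raised grow while confirmed incidents do not, the SIEM is generating work rather than findings.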




The Future of the SOC


The Security Operations Center is undergoing a significant transformation. It is integrating with operations and development teams and adopting new technologies, while retaining its traditional command structure and roles, whose purpose remains the same: to identify and respond to critical security incidents.

We showed how SIEM is a foundational technology of the SOC, and how next-generation SIEMs, which add capabilities like behavioral analytics, machine learning and SOC automation, open up new possibilities for security analysts.

The impact of a next-gen SIEM on the SOC can be significant:

Reduce alert fatigue: User and Entity Behavior Analytics (UEBA) goes beyond correlation rules, reducing false positives and surfacing threats that static rules miss.

Improve MTTD: by helping analysts discover incidents faster and gather all relevant data.

Improve MTTR: by integrating with security systems and leveraging Security Orchestration, Automation and Response (SOAR) technology.

Enable threat hunting: by giving analysts fast, easy access to, and powerful exploration of, large volumes of security data.

Exabeam is an example of a next-generation SIEM which combines data lake technology, visibility into cloud infrastructure, behavioral analytics, an automated incident responder and a threat hunting module with powerful data querying and visualization.


© 2019 Exabeam