security notes (miscellaneous, unsorted)

1 SIEM & SOAR

SIEM is an acronym for Security Information and Event Management.

SOAR is an acronym for Security Orchestration, Automation and Response.

1.1 SIEM

SIEM is about using automation to make monitoring security events easier and more streamlined. No human operator could hope to monitor an entire network manually, especially at a large and complicated enterprise. SIEM, therefore, is a kind of automation technology that takes over network monitoring by recording and collecting information, logs and packets. It monitors the flow of traffic through the network, paying particular attention to patterns that could indicate a cyber attack. Then, using a database of information and artificial intelligence software, it attempts to learn specific or unusual patterns that could suggest that a particular network is under attack, and alerts IT managers and security professionals.

SIEM is similar to an advanced virus detection system but with a much broader scope. It helps to identify a large number of threats to an organization and can train itself (to some extent) without the need for continual tuning by software analysts and engineers. It’s a time-saving method for cybersecurity personnel that helps them process the constant influx of new data on the network and leverage it to their advantage.

1.2 SOAR

SOAR is about orchestrating the response to these security events.

SOAR performs a similar function to SIEM but at a much higher level. The primary focus of SOAR is to gather and organize information in a way that cybersecurity professionals can easily manage and process.

SOAR, unlike SIEM, takes information from a wide range of platforms and delivers it to a single, central hub that engineers can then evaluate. The idea is to standardize case management and help investigators naturally incorporate incident investigations into their workflow.

SOAR also automates the process of incident response by analyzing and categorizing each specific incident and then deciding whether there is a need for a human operative to do more work. SOAR helps to eliminate the need for people to respond to constant alerts manually and enables engineers to categorize different threats for evaluation.

The system, therefore, offers a suite of additional services that not only identify threats on the network but also gives SecOps more tools to carry out their work. SOAR integrates into existing workflows, helping to make network management more efficient and automated.

SIEM is intelligent software, just like SOAR. But SIEM is prone to generating more alerts than a team can respond to. SOAR helps to reduce the number of alerts and also make workflows more manageable.
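To make the SOAR description concrete (added example for these notes, not code from any SOAR platform), the block below takes alerts from two hypothetical upstream sources, normalises them into one case record, scores each case with simple enrichment, and then decides whether the case is closed automatically, escalated to an analyst, or contained and escalated. The source formats, score weights, asset list and action names are all assumptions made for the example.

```python
"""Toy SOAR-style triage playbook (added example, not from the notes).

Normalise -> enrich -> decide. All formats and thresholds are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Case:
    source: str
    kind: str
    asset: str
    score: int = 0
    actions: list = field(default_factory=list)
    decision: str = "undecided"


# One normaliser per upstream platform; the raw field names are assumptions.
def from_siem(raw):
    return Case(source="siem", kind=raw["rule"], asset=raw["src"])


def from_edr(raw):
    return Case(source="edr", kind=raw["detection"], asset=raw["hostname"])


NORMALISERS = {"siem": from_siem, "edr": from_edr}

# Constructed context used for enrichment.
CRITICAL_ASSETS = {"db-prod-01"}
BASE_SCORE = {"ssh_bruteforce": 40, "malware_execution": 80, "port_scan": 10}


def enrich(case, known_bad):
    """Score the case: base by alert kind, plus context bonuses."""
    case.score = BASE_SCORE.get(case.kind, 20)
    if case.asset in CRITICAL_ASSETS:
        case.score += 30
    if case.asset in known_bad:
        case.score += 30
    return case


def decide(case):
    """Pick a decision and the actions the playbook would run."""
    if case.score < 30:
        case.decision = "auto_close"
        case.actions.append("log_only")
    elif case.score < 70:
        case.decision = "escalate_analyst"
        case.actions.append("open_ticket")
    else:
        case.decision = "auto_contain_and_escalate"
        case.actions += ["contain_asset", "open_ticket", "page_oncall"]
    return case


def run_playbook(raw_alerts, known_bad=frozenset()):
    """raw_alerts is a list of (source_name, raw_alert_dict) pairs."""
    cases = []
    for source, raw in raw_alerts:
        case = NORMALISERS[source](raw)
        cases.append(decide(enrich(case, known_bad)))
    return cases


# Constructed sample input from two different platforms.
SAMPLE_ALERTS = [
    ("siem", {"rule": "port_scan", "src": "198.51.100.7"}),
    ("siem", {"rule": "ssh_bruteforce", "src": "203.0.113.5"}),
    ("edr", {"detection": "malware_execution", "hostname": "db-prod-01"}),
]

if __name__ == "__main__":
    for case in run_playbook(SAMPLE_ALERTS, known_bad={"203.0.113.5"}):
        print(case.source, case.kind, case.score, case.decision, case.actions)
```

The middle band (escalate to an analyst) is where the note's "deciding whether there is a need for a human operative" lives; the same brute-force alert lands in that band on its own but is contained automatically once enrichment ties the source to known-bad intelligence.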

1.3 MDR

Managed Detection and Response (MDR) is another type of threat detection system, but with important differences from SIEM and SOAR.

Organizations typically use MDR when they want to be able to speed up the detection of threats on their network. The average time to detect an issue in a company is about 200 days without MDR technology. However, with it, companies can identify and deal with problems as quickly as a few hours.

The main focus of MDR is on detection, not compliance. Organizations themselves don’t usually implement MDR. More often than not, it is provided by a third-party who takes over the operation and running of the system and does it on the company’s behalf. MDR, therefore, is ideal for companies that don’t have the internal resources to manage their own threat detection systems.

MDR comes with a host of monitoring tools, security tools, and perimeter detection tools that attempt to detect when an intrusion occurs and then prevents it from damaging the rest of the network.

The good thing about MDR services is that the providers do all of the testing and sandboxing for you. Suppose, for example, that your company falls prey to a nasty piece of malware. Instead of having to live with the problem or hire a bunch of security experts to remove it from your system, the provider will do all of the hard work on your behalf to get rid of it for you. Usually, you don’t have to lift a finger.

2 Cisco Blog on SIEM & SOAR

The Cisco blog post is entitled 5-questions-to-ask-your-security-platform-vendor. The main point it makes is that even with SIEM and SOAR, integration and lifecycle management of these tools is labour intensive. You want a system that makes end-to-end integration and lifecycle management easy, or at least easier.