SIEM is a core technology in a SOC; however, it is not the only one. Other technologies work in conjunction with the SIEM, such as SOAR (Security Orchestration, Automation and Response), UBA (User Behavior Analysis), an IM (Incident Management) tool, a CMDB, and a performance and availability monitoring platform.
When choosing tools for a SOC, it is vital to pick the ones that best fit the environment. For an MSSP, for example, the tools must support a multi-tenant architecture. An effective and stable tool reduces the overall TCO. An organization can select the SIEM tool that is the best technical fit for its environment and also fits its budget.
Once the tool has been chosen, the next step is to size it properly. It should not be oversized, which increases overall cost and overhead, nor undersized, in which case it starts dropping events during peak traffic or an attack (such as a DDoS) and alerts are missed.
MSSP players can help with sizing, and vendors also provide sizing tools for their SIEM products. Some vendors size on an EPS (events per second) basis, others on a storage basis. Each vendor has its own logic for calculating EPS, so it is essential to use the vendor-specific tool.
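As an added illustration of the two sizing bases described above (this is not a vendor's sizing tool, and the inventory, burst factor, compression ratio and index overhead are constructed assumptions), the following back-of-envelope calculator derives sustained and peak EPS from a log-source inventory, converts the same inventory into daily and retention storage, and flags a license that covers the sustained rate but not the peak, which is exactly the undersizing case where events get dropped:

```python
from dataclasses import dataclass


@dataclass
class LogSource:
    name: str
    count: int             # number of devices of this type
    avg_eps_each: float    # sustained events per second per device
    avg_event_bytes: int   # average size of one normalised event


# Constructed sample inventory; replace with real counts from your own environment.
INVENTORY = [
    LogSource("firewall", 4, 150.0, 400),
    LogSource("windows_server", 120, 3.0, 900),
    LogSource("linux_server", 200, 1.5, 300),
    LogSource("web_proxy", 2, 400.0, 600),
]


def sustained_eps(inventory):
    """Steady-state EPS: sum of per-device rates over the whole estate."""
    return sum(s.count * s.avg_eps_each for s in inventory)


def peak_eps(inventory, burst_factor=3.0):
    """Peak EPS. The burst factor is an assumption standing in for the
    surge seen during an incident such as a DDoS; tune it from real data."""
    return sustained_eps(inventory) * burst_factor


def daily_storage_gb(inventory, compression=0.5, index_overhead=0.2):
    """Storage-basis sizing: bytes/s -> bytes/day, compressed, plus index space."""
    bytes_per_sec = sum(s.count * s.avg_eps_each * s.avg_event_bytes for s in inventory)
    raw_per_day = bytes_per_sec * 86_400
    return raw_per_day * compression * (1 + index_overhead) / 1e9


def retention_storage_gb(inventory, days, **kwargs):
    """Total storage for the given retention period in days."""
    return daily_storage_gb(inventory, **kwargs) * days


def license_check(inventory, licensed_eps, burst_factor=3.0):
    """Does an EPS-basis license cover both the sustained and the peak rate?"""
    sustained = sustained_eps(inventory)
    peak = peak_eps(inventory, burst_factor)
    return {
        "sustained_eps": sustained,
        "peak_eps": peak,
        "covers_sustained": licensed_eps >= sustained,
        "covers_peak": licensed_eps >= peak,          # False means drops under load
        "headroom_pct": (licensed_eps - sustained) / sustained * 100,
    }
```

With the constructed inventory, a 3000 EPS license covers the 2060 EPS steady state with about 45% headroom but not the 6180 EPS peak, so the 90-day storage figure (roughly 5.3 TB here) and the peak figure are the numbers to take into the vendor's own sizing tool.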
For network traffic, some vendors monitor flow data (NetFlow, J-Flow, sFlow), while others rely on packet traffic being passed through their SIEM. Sizing for network traffic therefore depends on the flow or packet volume. It is not mandatory for the SIEM to monitor network traffic, especially if the organization has dedicated network monitoring tools deployed; however, it is always good to have network traffic correlated with security events.
Sizing for other tools, such as UBA and SOAR, depends on how many users are to be monitored, how many use cases need to be built, how many actions need to be automated, and so on. These tools are advanced enough to detect anomalies by observing traffic patterns, and the detection process can be automated using machine learning. However, human intervention is still required to set up the workflow before any action is automated, and sometimes to validate the alert or the action.