Copyright Goodheart-Willcox Co., Inc. 87 Chapter 3 Security Evaluation

A dashboard is helpful for highlighting trends in activity, such as an uptick in web traffic or an unusual traffic pattern. Trends can be evaluated against current business practices or investigated as potential threats. SIEM is a comprehensive solution that incorporates log management, analysis, alerting, and reporting, but a company may want a log management system that is less comprehensive and full-featured than a SIEM. This need can be met by using a syslog mechanism for centralized log collection.

SOAR

SOAR, which stands for Security Orchestration, Automation, and Response, is a security solution that uses an array of software tools to collect data from multiple sources and generate an automatic response. Using SOAR, routine security operations are executed automatically, drawing on data from the broadest range of sources without requiring a human to act on each event. SOAR is similar to SIEM in that it collects and centralizes information from multiple sources. The difference is what happens next: a SIEM mainly correlates and alerts, whereas SOAR connects to the organization's other tools and carries out predefined response steps, called playbooks, against what it finds. SOAR enables an organization to simplify security operations in three key areas: threat and vulnerability management, incident response, and security operations automation.

In a business not using SOAR, security analysts must make decisions based on whatever information is at hand and may not be able to respond as quickly as needed. In addition, companies often use a multitude of products to collect information and must then manually aggregate the data to get a comprehensive overview of the situation. The amount of data can be quite large, and relevant information may be overlooked.

Orchestration

Orchestration is the integration of different technologies, including security and non-security tools, so that they work together.
SOAR functionality makes efficient use of existing security tools and equipment to investigate and respond to vulnerabilities and suspicious activity. For example, if a suspicious IP address is identified during a scan of a log, a response could include a change to a network firewall rule.

Automation

Security automation is the automatic handling and processing of security-related tasks, such as identifying vulnerabilities, without a human performing each step. Security teams first define the steps and actions using SOAR tools. Automation then performs those tasks, such as querying logs, scanning e-mail, or managing user privileges. Automation removes the need for human intervention in routine work; analysts still define the playbooks, review the results, and handle the cases that fall outside them. A practical safeguard is to require analyst approval for high-impact actions, such as blocking an address or disabling an account, because an automated response driven by a false positive can lock out legitimate users or cut off business traffic.

Incident Management

The final piece of SOAR is improved incident response. The response is based on predefined decision logic and automated processing, which increases the security of hosts and the network. This allows an alert to be triaged immediately, before a potential problem becomes an actual incident. Consider a scenario in which a user account exceeds the maximum number of failed logon attempts. SOAR can contact the user and confirm whether the user made the attempts. If so, a password reset can be initiated. If the user did not make the attempts, SOAR can quickly disable the account and begin an investigative response, such as identifying the IP addresses of the attempts and, where the attempts came from the local network, the MAC addresses as well.
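The two scenarios described above (a suspicious IP address found in a log scan leading to a firewall change, and a failed-logon threshold leading to a user confirmation, then a password reset or an account disable with source-address collection) can be written as small playbooks. The following Python is an added example and is not code from the textbook or from any SOAR product. The log lines, the threat-intelligence list, and the tool names (firewall, identity, case) are all constructed for illustration; real integrations would call the vendor APIs of those tools. It also adds an approval queue for high-impact actions, which the text recommends but does not show.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines in a syslog-like format (not real data).
SAMPLE_LOGS = [
    "Mar 10 08:01:02 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51022 ssh2",
    "Mar 10 08:01:05 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51023 ssh2",
    "Mar 10 08:01:09 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51024 ssh2",
    "Mar 10 08:01:14 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51025 ssh2",
    "Mar 10 08:01:20 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51026 ssh2",
    "Mar 10 08:02:31 web01 sshd[2230]: Failed password for bob from 192.0.2.44 port 40112 ssh2",
    "Mar 10 08:02:40 web01 sshd[2230]: Accepted password for bob from 192.0.2.44 port 40113 ssh2",
    "Mar 10 08:03:00 web01 sshd[2240]: Failed password for carol from 198.51.100.9 port 39001 ssh2",
]

# Constructed threat-intelligence list (hypothetical): addresses a log scan should flag.
KNOWN_BAD_IPS = {"198.51.100.9"}

FAILED_RE = re.compile(r"Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)")
ANY_IP_RE = re.compile(r"from (\d+\.\d+\.\d+\.\d+)")


@dataclass
class Action:
    tool: str            # integrated tool that would act: firewall, identity, case (hypothetical names)
    verb: str            # what the tool is asked to do
    target: str          # address, account, or case note
    needs_approval: bool = False  # high-impact actions wait for an analyst unless auto-approved


@dataclass
class Playbook:
    """Records the actions a playbook run produced; high-impact ones are queued for approval."""
    executed: list = field(default_factory=list)
    pending: list = field(default_factory=list)

    def run(self, action: Action, auto_approve: bool = False) -> None:
        if action.needs_approval and not auto_approve:
            self.pending.append(action)
        else:
            self.executed.append(action)


def suspicious_ip_playbook(logs, bad_ips, auto_approve=False) -> Playbook:
    """Orchestration: scan logs for source IPs, match them against a threat list,
    and request a firewall block for each hit."""
    pb = Playbook()
    seen = {m.group(1) for line in logs for m in ANY_IP_RE.finditer(line)}
    for ip in sorted(seen & set(bad_ips)):
        pb.run(Action("firewall", "block", ip, needs_approval=True), auto_approve)
    return pb


def failed_logon_playbook(logs, threshold, user_confirms, auto_approve=False) -> Playbook:
    """Incident management: when an account reaches the failed-logon threshold, ask the
    user (user_confirms is a callable standing in for the notification step). If the user
    confirms, reset the password; otherwise disable the account and record the source IPs.
    MAC addresses are not in these logs; they would come from a local DHCP/ARP source."""
    pb = Playbook()
    failures = defaultdict(list)  # account -> source IPs of failed attempts
    for line in logs:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(1)].append(m.group(2))
    for user, ips in failures.items():
        if len(ips) < threshold:
            continue
        if user_confirms(user):
            pb.run(Action("identity", "reset_password", user), auto_approve)
        else:
            pb.run(Action("identity", "disable_account", user, needs_approval=True), auto_approve)
            for ip in sorted(set(ips)):
                pb.run(Action("case", "record_source_ip", f"{user}:{ip}"), auto_approve)
    return pb


if __name__ == "__main__":
    for pb in (suspicious_ip_playbook(SAMPLE_LOGS, KNOWN_BAD_IPS),
               failed_logon_playbook(SAMPLE_LOGS, 5, lambda user: False)):
        print("executed:", [(a.tool, a.verb, a.target) for a in pb.executed])
        print("pending approval:", [(a.tool, a.verb, a.target) for a in pb.pending])
```

Run stand-alone, the firewall block and the account disable land in the pending list while the evidence-gathering note is executed immediately; passing auto_approve=True lets the whole playbook run unattended, which is the trade-off between speed and the risk of acting on a false positive.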