
New Guidebooks Issued on Data and Network Security Platforms

Cybersecurity guidance on data and network security platforms

The U.S. National Security Agency, the Cybersecurity and Infrastructure Security Agency and the FBI have authored new guidebooks with their allied counterparts for cybersecurity executives and network defenders on implementing platforms for SIEM/SOAR, short for security information and event management/security orchestration, automation and response.

SIEM tools gather and correlate log data so that network defenders can monitor activity and identify advanced cyber threats. SOAR platforms draw on SIEM data to trigger appropriate responses to the malicious activity that has been detected.

Tailor-Fit Configuration

The first guidebook focuses on cybersecurity executives’ functions and identifies the technical challenges and best practices on SIEM/SOAR implementation. The six-page document recommends that SIEM/SOAR platform configuration be tailored to the user network and organization to ensure the platforms do not disrupt regular network services.
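The two preceding paragraphs describe what the guidebooks address only in outline: a SIEM correlating events from several log sources, a SOAR playbook acting on the result, and configuration tuned to the site so that automation does not disrupt legitimate services. The following is an added illustration of that chain, written for this article and not taken from the guidebooks or any vendor product. The log lines, the correlation window and threshold, the hypothetical `ALLOWLIST` of a scanner address, and the action names are all constructed for the example.

```python
"""Added illustration of SIEM-style correlation feeding a SOAR-style
decision. Not taken from the guidebooks; log lines, thresholds and the
allowlist below are constructed for the example."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events from two log sources (Linux sshd, Windows
# Security log). Hosts, users and addresses are made up.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z host=web01 src=sshd msg="Failed password for admin from 203.0.113.7 port 50112"
2024-05-01T10:00:04Z host=web01 src=sshd msg="Failed password for admin from 203.0.113.7 port 50113"
2024-05-01T10:00:09Z host=web01 src=sshd msg="Failed password for admin from 203.0.113.7 port 50114"
2024-05-01T10:00:12Z host=web01 src=sshd msg="Failed password for admin from 203.0.113.7 port 50115"
2024-05-01T10:00:15Z host=web01 src=sshd msg="Accepted password for admin from 203.0.113.7 port 50116"
2024-05-01T10:05:00Z host=dc01 src=windows event_id=4625 user=jsmith ip=198.51.100.9
2024-05-01T10:09:00Z host=dc01 src=windows event_id=4624 user=jsmith ip=198.51.100.9
2024-05-01T10:20:00Z host=web02 src=sshd msg="Failed password for svc-scan from 192.0.2.20 port 40001"
2024-05-01T10:20:02Z host=web02 src=sshd msg="Failed password for svc-scan from 192.0.2.20 port 40002"
2024-05-01T10:20:04Z host=web02 src=sshd msg="Failed password for svc-scan from 192.0.2.20 port 40003"
2024-05-01T10:20:06Z host=web02 src=sshd msg="Accepted password for svc-scan from 192.0.2.20 port 40004"
"""

SSHD_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) src=sshd msg="(?P<outcome>Failed|Accepted) '
    r'password for (?P<user>\S+) from (?P<ip>\S+) port \d+"$')
WIN_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) src=windows event_id=(?P<eid>\d+) '
    r'user=(?P<user>\S+) ip=(?P<ip>\S+)$')

WINDOW = timedelta(minutes=5)   # assumed correlation window
THRESHOLD = 3                   # assumed failures-before-success count
ALLOWLIST = {"192.0.2.20"}      # assumed: an internal scanner allowed to fail logins

@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    host: str
    user: str
    ip: str
    success: bool

def parse_line(line):
    """Normalise one raw line from either source into an AuthEvent."""
    m = SSHD_RE.match(line)
    if m:
        ok = m["outcome"] == "Accepted"
    else:
        m = WIN_RE.match(line)
        if not m:
            return None
        ok = m["eid"] == "4624"   # 4624 = logon success, 4625 = logon failure
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return AuthEvent(ts, m["host"], m["user"], m["ip"], ok)

def correlate(events):
    """Flag a successful logon preceded by >= THRESHOLD failures from the
    same (source IP, user) within WINDOW; events are processed in time order."""
    alerts = []
    failures = defaultdict(list)          # (ip, user) -> failure timestamps
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.ip, ev.user)
        if not ev.success:
            failures[key].append(ev.ts)
            continue
        recent = [t for t in failures[key] if ev.ts - t <= WINDOW]
        if len(recent) >= THRESHOLD:
            alerts.append({"ip": ev.ip, "user": ev.user, "host": ev.host,
                           "failures": len(recent), "at": ev.ts})
        failures[key].clear()             # a success resets the counter
    return alerts

def playbook(alert):
    """SOAR-style response for one alert. The allowlist stands in for the
    site-specific tuning that keeps automated blocking from disrupting
    legitimate services (assumed policy, not from the guidance)."""
    if alert["ip"] in ALLOWLIST:
        return [f"open_ticket {alert['user']}@{alert['ip']} (allowlisted source)"]
    return [f"block_ip {alert['ip']}", f"disable_account {alert['user']}"]

def run(raw_text):
    """Parse, correlate and decide; returns (alerts, actions per alert)."""
    events = [e for e in map(parse_line, raw_text.splitlines()) if e]
    alerts = correlate(events)
    return alerts, [playbook(a) for a in alerts]

if __name__ == "__main__":
    for alert, actions in zip(*run(SAMPLE_LOGS)):
        print(alert, "->", actions)
```

On the constructed input the admin logon from 203.0.113.7 (four failures, then success) and the svc-scan logon from 192.0.2.20 both trip the rule; the single jsmith failure on dc01 does not. The playbook blocks the first source and disables the account, but only opens a ticket for the second because the address is on the assumed allowlist. Thresholds, windows and allowlists of this kind are exactly the parameters that have to be tuned per network before the response side is allowed to act on its own.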

A second guidebook specifically addresses cybersecurity practitioners’ role in SIEM/SOAR implementation, including ways to use the platforms to strengthen organizations’ cyberthreat detection and response. Principles for the platforms’ procurement, adoption and maintenance are also outlined in the 28-page guidebook.

Detection and Response Tools

A third guidebook provides practitioners with detailed technical road maps for specific categories of log sources. The 38-page document covers endpoint detection and response tools, Windows/Linux operating systems, network devices and cloud deployments.

The SIEM/SOAR platform implementation manuals were co-created by the national security agencies of the United Kingdom, Canada, Australia, New Zealand, the Czech Republic, Japan, South Korea and Singapore.
