CISA Releases Guidance on SIEM and SOAR Implementation
Newly released guidance from the US and Australian governments aims to provide organizations with advice on how to improve their security posture through implementing SIEM and SOAR platforms.
The US cybersecurity agency CISA, in collaboration with the Australian Cyber Security Centre (ACSC), this week released fresh recommendations for organizations looking to procure SIEM and SOAR platforms, which collect and analyze log data from across the network, identify anomalous behavior, and automate response.
SIEM and SOAR platforms provide increased visibility over an organization’s information and communication technology (ICT) environment and help with the detection of cybersecurity incidents, enabling defenders to respond to them early.
When properly implemented, SIEM appliances automate the collection of log data from sources scattered across the network, making it easier for security teams to navigate.
SOAR solutions, on the other hand, apply predefined playbooks that “combine incident response and business continuity plans to determine automatic actions” and aid incident responders.
SIEM and SOAR platforms are designed to integrate with one another, as the latter leverages data collected, centralized, and analyzed by the former. SOAR solutions may also be integrated with other security tools, CISA and ACSC say.
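The division of labor described above, as an added illustration that is not part of the CISA/ACSC guidance or of any vendor product: a SIEM-style stage collects log records from two sources (sshd-style syslog lines and Windows-style logon events, both constructed here), normalizes them into one schema, and runs a detection rule for repeated failed logins followed by a success from the same source; a SOAR-style stage then applies a playbook to each alert. The playbook returns the actions it would take instead of executing them, so the sample runs offline; in a deployment those tuples would be wired to the firewall, identity, and ticketing integrations the guidance refers to.

```python
"""Toy SIEM-to-SOAR pipeline: normalize logs from two sources, detect a
brute-force-then-success pattern, and hand each alert to a playbook.
All log data below is constructed for illustration, not from a real system."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style syslog lines, as a SIEM collector would receive them.
SSHD_LOGS = [
    "2025-05-27T10:00:01 host1 sshd[100]: Failed password for admin from 203.0.113.5 port 5001 ssh2",
    "2025-05-27T10:00:05 host1 sshd[101]: Failed password for admin from 203.0.113.5 port 5002 ssh2",
    "2025-05-27T10:00:09 host1 sshd[102]: Failed password for admin from 203.0.113.5 port 5003 ssh2",
    "2025-05-27T10:00:14 host1 sshd[103]: Accepted password for admin from 203.0.113.5 port 5004 ssh2",
    "2025-05-27T10:05:00 host1 sshd[104]: Failed password for bob from 198.51.100.9 port 6001 ssh2",
]
# Constructed records loosely modelled on Windows logon events (4625 = failure, 4624 = success).
WIN_LOGS = [
    {"ts": "2025-05-27T10:02:00", "host": "dc1", "EventID": 4625, "TargetUserName": "svc", "IpAddress": "203.0.113.5"},
    {"ts": "2025-05-27T10:02:03", "host": "dc1", "EventID": 4625, "TargetUserName": "svc", "IpAddress": "203.0.113.5"},
    {"ts": "2025-05-27T10:02:06", "host": "dc1", "EventID": 4624, "TargetUserName": "svc", "IpAddress": "203.0.113.5"},
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"password for (?P<user>\S+) from (?P<src>\S+)"
)

def normalize_sshd(line):
    """Map one sshd line onto the common schema; unknown lines are dropped."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "user": m["user"],
            "src": m["src"], "outcome": "fail" if m["outcome"] == "Failed" else "success"}

def normalize_windows(ev):
    """Map one Windows-style logon record onto the same schema."""
    outcome = {4625: "fail", 4624: "success"}.get(ev["EventID"])
    if outcome is None:
        return None
    return {"ts": datetime.fromisoformat(ev["ts"]), "host": ev["host"], "user": ev["TargetUserName"],
            "src": ev["IpAddress"], "outcome": outcome}

def detect_bruteforce_success(events, min_failures=3, window=timedelta(minutes=5)):
    """SIEM correlation rule: a source that fails at least `min_failures` logins to a
    host inside `window` and then succeeds on that host raises one alert."""
    alerts = []
    failures = defaultdict(list)  # (host, src) -> timestamps of failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["src"])
        if ev["outcome"] == "fail":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= min_failures:
            alerts.append({"host": ev["host"], "src": ev["src"], "user": ev["user"],
                           "failures": len(recent), "ts": ev["ts"]})
        failures[key].clear()  # a success closes the current failure run either way
    return alerts

def run_playbook(alert, allowlist=frozenset()):
    """SOAR-style playbook. Returns the actions it would take as tuples; a real
    deployment would dispatch them to firewall, identity and ticketing integrations
    (integration names are assumptions for this example)."""
    if alert["src"] in allowlist:
        return [("notify", "analyst", f"lockout pattern from allowlisted source {alert['src']}")]
    severity = "P1" if alert["user"] in ("admin", "root") else "P2"
    return [
        ("block_ip", alert["src"]),
        ("force_password_reset", alert["user"]),
        ("open_ticket", severity, f"brute-force success on {alert['host']} from {alert['src']}"),
    ]

def run_pipeline(sshd_lines=SSHD_LOGS, win_events=WIN_LOGS):
    """Collect from both sources, correlate, then apply the playbook to each alert."""
    events = [e for e in map(normalize_sshd, sshd_lines) if e]
    events += [e for e in map(normalize_windows, win_events) if e]
    alerts = detect_bruteforce_success(events)
    return alerts, [run_playbook(a) for a in alerts]

if __name__ == "__main__":
    for alert, actions in zip(*run_pipeline()):
        print(alert)
        for action in actions:
            print("  ->", action)
```

With the constructed data only `host1` trips the rule: three failures from 203.0.113.5 precede the success, whereas `dc1` sees only two failures before its success and stays below the threshold, and the later failure for `bob` comes from a different source and never correlates. The threshold and window are the kind of tuning knobs the practitioner guidance expects teams to set per log source rather than accept as defaults.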
To aid organizations in understanding the importance of SIEM and SOAR platforms and in implementing them, the two agencies published three new guidance documents: one aimed at executive decision-makers and two meant for cybersecurity practitioners.
The guidance for executives defines SIEM and SOAR platforms, outlines their benefits and challenges, and shares implementation recommendations considered relevant.
The guidance for practitioners covers SIEM/SOAR implementation and priority logs, providing recommendations on best practices for implementing these platforms, as well as on which logs should be prioritized for SIEM ingestion.
The documents, the agencies say, are mainly intended for use within government entities, but the recommended actions apply to any organization looking to implement and leverage SIEM and SOAR.