security information and event management (SIEM)
A SIEM solution examines log data for patterns that could indicate a cyberattack, then correlates event information between devices to identify potentially anomalous activity, and finally issues alerts accordingly.
Like SIEM, SOAR is designed to help security teams manage and respond to endless alarms at machine speeds.
SIEM is the abbreviation of security information and event management (in Chinese, 安全資訊與事件管理). That sounds abstract, so I looked up a simple description of it, quoted above.
Put simply, it is a pipeline: it starts with log analysis to find attack behaviour that may be hidden in the logs, then correlates the event information from the devices and hosts involved to identify anomalous network behaviour, and if that behaviour is confirmed to be abnormal, it raises an appropriate security alert.
That is where SOAR comes in: SOAR is designed to help security teams manage and respond to endless alarms at machine speeds. Think of SOAR as the automation layer on top of SIEM; its purpose is to help the security team work through the never-ending stream of security alerts at machine speed.
Let's look at a more concrete description of SOAR: Security orchestration, automation and response (SOAR) offers a solution. Eighty to ninety percent of most security operations' tasks can be automated to some extent, and the data that disparate tools create can be distilled into a single pane of information. The resulting efficiency gains allow security teams to handle vastly more tasks while significantly decreasing mean times to resolution (MTTR).
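As an added example (not from the original page, and not the code of any SIEM or SOAR product), the Python below wires the three SIEM steps described above together over a few constructed log lines: parse the logs, correlate events from several devices by source address, and raise an alert. A small SOAR-style playbook then decides the automated response for each alert without an analyst in the loop. The log format, the rule thresholds (three failures on two or more hosts within five minutes) and the playbook actions are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from three hosts (not real data). One source
# address fails on several devices in a few seconds and then succeeds;
# another fails twice, half an hour apart, which should not alert.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z host=web01 event=auth_failure user=admin src=203.0.113.7
2024-05-01T10:00:03Z host=web01 event=auth_failure user=admin src=203.0.113.7
2024-05-01T10:00:05Z host=db01 event=auth_failure user=root src=203.0.113.7
2024-05-01T10:00:09Z host=vpn01 event=auth_failure user=alice src=203.0.113.7
2024-05-01T10:00:12Z host=vpn01 event=auth_success user=alice src=203.0.113.7
2024-05-01T10:30:00Z host=web01 event=auth_failure user=bob src=198.51.100.9
2024-05-01T11:00:00Z host=web01 event=auth_failure user=bob src=198.51.100.9
"""

# Assumed key=value log layout; a real SIEM would have one parser per source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_logs(text):
    """Step 1: normalise raw log lines into event dicts; skip lines that do not parse."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def correlate(events, window=timedelta(minutes=5), min_failures=3, min_hosts=2):
    """Step 2 and 3: correlate failures across devices per source and emit alerts.

    A burst of auth failures from one source that touches several hosts inside
    the window is anomalous; a success from the same source right after the
    burst escalates the alert, because the spray may have worked.
    """
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["event"] == "auth_failure"]
        start = 0
        for end in range(len(fails)):
            # Sliding window over failures ordered by time.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            win = fails[start:end + 1]
            if len(win) < min_failures or len({e["host"] for e in win}) < min_hosts:
                continue
            # Report the whole burst that starts at the window's first failure.
            burst = [e for e in fails[start:] if e["ts"] - fails[start]["ts"] <= window]
            last_fail = burst[-1]["ts"]
            success_after = any(
                e["event"] == "auth_success" and last_fail <= e["ts"] <= last_fail + window
                for e in evs
            )
            alerts.append({
                "rule": "multi_host_auth_failure_burst",
                "src": src,
                "first_seen": burst[0]["ts"],
                "last_seen": last_fail,
                "hosts": sorted({e["host"] for e in burst}),
                "failures": len(burst),
                "severity": "high" if success_after else "medium",
            })
            break  # one alert per source; a real SIEM would also suppress repeats
    return alerts


def run_playbook(alert, blocklist=None):
    """SOAR-style automated response: every alert gets a ticket; high-severity
    alerts are contained and escalated automatically, the rest are queued for
    an analyst. The action names are placeholders for real tool integrations."""
    blocklist = set() if blocklist is None else blocklist
    actions = ["open_ticket"]
    if alert["severity"] == "high":
        blocklist.add(alert["src"])
        actions += [f"block_src:{alert['src']}", "notify_oncall"]
    else:
        actions.append("queue_for_analyst")
    return {"src": alert["src"], "actions": actions, "blocklist": blocklist}


if __name__ == "__main__":
    for a in correlate(parse_logs(SAMPLE_LOGS)):
        print(a["severity"], a["src"], a["hosts"], run_playbook(a)["actions"])
```

Run as a script it prints one alert for 203.0.113.7 (four failures across db01, vpn01 and web01, escalated to high because of the later success) and nothing for 198.51.100.9, whose two failures are outside the window. The split between `correlate` and `run_playbook` mirrors the SIEM/SOAR boundary in the text: the first produces the alert, the second removes the manual steps that would otherwise dominate MTTR.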