SIEM was yesterday, now comes TDIR?! A new four-letter acronym is circulating in the SOC (Security Operations Center) world: Threat Detection Investigation Response (TDIR). In this blog post, we explain what it’s all about and how it relates to SIEM, SOAR and other SOC systems.
Traditional vs. Modern SIEM systems
A traditional security information and event management (SIEM) system typically consists of the following components:
Data collectors are agents or software installed on network devices, servers and other enterprise systems to collect log data. After collection, the log data is normalized, meaning it is converted into a standard format to facilitate analysis and correlation. The normalized log data is then usually stored in a relational database such as MySQL or Oracle.
The next step is to identify the security events and anomalies by analyzing and correlating the data. However, this is usually a simple rule-based correlation, which can lead to a high number of false positives and false negatives.
In case of a positive result, notification and reporting follows. Often, traditional SIEM systems have limited alerting and reporting capabilities, which can hinder security teams’ ability to quickly identify and respond to incidents.
The user interface is the interface through which security teams interact with the SIEM system. Older SIEM systems often have simple and limited user interfaces and integration capabilities with other security tools. This can make sharing data and automating security incident response much more difficult.
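The collect, normalize, correlate and alert stages described above, as an added example that is not part of the original post or of any SIEM product: it normalizes two constructed log formats (an sshd line and a hypothetical CSV export of Windows logon failures) into one schema and runs a single rule-based correlation over them. All log lines, hosts, addresses and the rule threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data): Linux sshd auth lines and a
# hypothetical comma-separated Windows export, to show why normalization is needed.
RAW_LOGS = [
    "2024-03-01T10:00:01Z host1 sshd[123]: Failed password for root from 10.0.0.5 port 4001 ssh2",
    "2024-03-01T10:00:05Z host1 sshd[124]: Failed password for admin from 10.0.0.5 port 4002 ssh2",
    "2024-03-01T10:00:09Z host1 sshd[125]: Failed password for root from 10.0.0.5 port 4003 ssh2",
    "2024-03-01T10:00:12Z,WIN-DC1,4625,10.0.0.5,root,failure",
    "2024-03-01T10:00:20Z,WIN-DC1,4625,10.0.0.5,backup,failure",
    "2024-03-01T10:00:30Z host1 sshd[126]: Accepted password for alice from 10.0.0.7 port 4004 ssh2",
    "2024-03-01T10:05:00Z,WIN-DC1,4625,10.0.0.9,bob,failure",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def _parse_ts(value):
    # Timestamps in the constructed data are UTC ISO 8601 with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize(line):
    """Map one raw log line onto a common event schema, or return None if unrecognised."""
    m = SSHD_RE.match(line)
    if m:
        return {
            "ts": _parse_ts(m["ts"]),
            "host": m["host"],
            "action": "auth_failure" if m["result"] == "Failed" else "auth_success",
            "user": m["user"],
            "src_ip": m["src"],
        }
    parts = line.split(",")
    if len(parts) == 6 and parts[2] == "4625":  # 4625 = Windows logon failure event id
        return {
            "ts": _parse_ts(parts[0]),
            "host": parts[1],
            "action": "auth_failure",
            "user": parts[4],
            "src_ip": parts[3],
        }
    return None  # unknown format: a traditional SIEM silently drops what it cannot parse


def correlate(events, threshold=5, window_seconds=60):
    """Rule: at least `threshold` auth failures from one source inside the window -> one alert."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] == "auth_failure":
            by_src[ev["src_ip"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):  # sliding window over the sorted failures
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "rule": "auth_bruteforce",
                    "src_ip": src,
                    "count": end - start + 1,
                    "users": sorted({e["user"] for e in evs[start:end + 1]}),
                })
                break  # one alert per source is enough for this rule
    return alerts


def run_pipeline(lines):
    """Collect -> normalize -> correlate; returns (normalized events, alerts)."""
    events = [e for e in (normalize(line) for line in lines) if e is not None]
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = run_pipeline(RAW_LOGS)
    print(f"{len(events)} normalized events, {len(alerts)} alert(s)")
    for alert in alerts:
        print(alert)
```

The example also shows the weakness the text mentions: the same five failures spread across ten source addresses would never reach the threshold (a false negative), while a misconfigured service account retrying a stale password every few seconds would trip it (a false positive). A static threshold has no notion of what is normal for that account or host.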
As the shortcomings of traditional SIEMs become more apparent, modern SIEM systems are coming to the forefront for attack detection.
Modern SIEM systems: more intelligence, more flexibility, more data
Unlike traditional SIEM systems, modern SIEMs can detect threats in real time because they use machine learning and artificial intelligence to analyze event and log data. They can also be extended with threat intelligence and security orchestration, automation and response (SOAR) capabilities, or integrated with other security tools such as firewalls, intrusion detection systems and threat intelligence platforms, making it easier to build a comprehensive security solution. Last but not least, modern SIEMs often come in a cloud-based variant that removes the data storage capacity and system availability limits of on-premises deployments.
What does SIEM stand for in security?
The rapid growth in threat types and techniques forces companies to keep their security measures continuously up to date. To act effectively and efficiently, it pays to integrate Threat Intelligence and SOAR into SIEM solutions:
Threat Intelligence provides information about threat actor groups, attack techniques, as well as the tools used in cyberattacks. A modern SIEM system can use the threat intelligence feeds to enhance its correlation and analysis capabilities with detection rules. As a result, the SIEM system detects and combats threats earlier and more effectively. On the other hand, the threat intelligence solution can also use log data and security alerts provided by the SIEM to detect new threats and improve the threat intelligence feeds.
SOAR systems are solutions that help automate SOC tasks and processes. They integrate with various security tools and systems to automate repetitive, time-consuming and manual security tasks. The SOAR platform can leverage SIEM’s correlation and analytics capabilities to perform automated incident triage, find threats and respond to incidents.
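The two-way exchange described in the previous two paragraphs, as an added example that is not part of the original post or of any vendor's product: a threat intelligence feed enriches SIEM alerts, a SOAR-style triage step turns enriched alerts into playbook actions, and sources that keep triggering alerts without a feed match are fed back as candidate indicators. The feed, alerts, addresses, confidence values and playbook names are all constructed for illustration.

```python
from collections import Counter

# Constructed threat-intelligence feed (hypothetical): indicator -> context
TI_FEED = {
    "10.0.0.5": {"actor": "constructed-group-1", "confidence": 90},
    "198.51.100.7": {"actor": "constructed-group-2", "confidence": 40},
}

# Constructed alerts, in the shape a SIEM correlation stage might emit
ALERTS = [
    {"id": 1, "rule": "auth_bruteforce", "src_ip": "10.0.0.5", "count": 5},
    {"id": 2, "rule": "auth_bruteforce", "src_ip": "203.0.113.20", "count": 6},
    {"id": 3, "rule": "auth_bruteforce", "src_ip": "203.0.113.20", "count": 7},
    {"id": 4, "rule": "auth_bruteforce", "src_ip": "203.0.113.20", "count": 5},
    {"id": 5, "rule": "new_admin_login", "src_ip": "198.51.100.7", "count": 1},
]


def enrich(alert, feed):
    """Threat intel -> SIEM: attach feed context when the alert's source IP is a known indicator."""
    enriched = dict(alert)
    enriched["ti"] = feed.get(alert["src_ip"])  # None when the feed has nothing on it
    return enriched


def triage(alert):
    """SOAR-style triage: severity plus a playbook action, automated only where confidence allows."""
    ti = alert.get("ti")
    if ti and ti["confidence"] >= 80:
        # High-confidence indicator: containment can run without waiting for an analyst
        return {"severity": "high", "action": "block_ip", "auto": True}
    if ti:
        # Low-confidence indicator: record it, but do not contain automatically
        return {"severity": "medium", "action": "open_ticket", "auto": True}
    if alert["rule"] == "auth_bruteforce" and alert["count"] >= 5:
        return {"severity": "medium", "action": "open_ticket", "auto": True}
    return {"severity": "low", "action": "analyst_review", "auto": False}


def propose_indicators(alerts, min_alerts=3):
    """SIEM -> threat intel: unknown sources that keep triggering alerts become candidate indicators."""
    counts = Counter(a["src_ip"] for a in alerts if not a.get("ti"))
    return sorted(ip for ip, n in counts.items() if n >= min_alerts)


def run(alerts, feed):
    """Returns (triage decision per alert id, candidate indicators for the feed)."""
    enriched = [enrich(a, feed) for a in alerts]
    decisions = {a["id"]: triage(a) for a in enriched}
    return decisions, propose_indicators(enriched)


if __name__ == "__main__":
    decisions, candidates = run(ALERTS, TI_FEED)
    for alert_id, decision in decisions.items():
        print(alert_id, decision)
    print("candidate indicators for the feed:", candidates)
```

The confidence gate in triage is the design point worth keeping: automating a blocking action on a low-confidence indicator turns a noisy feed into a self-inflicted denial of service, so only high-confidence matches are contained without review, while everything else still gets a ticket so it is not lost.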
Towards Unified Security Operations - TDIR
So what innovations does the “new kid on the block” – Threat Detection Investigation Response (TDIR) – deliver for SOCs? In principle, TDIR is the logical next evolutionary step of modern SIEM on the way to a unified SOC core system: it integrates SIEM, SOAR and Threat Intelligence in one solution. The vision is a Unified Security Operations System that consolidates existing security tools and solutions into one consistent view: One Source of Truth and One Central Point of Control. This not only improves the information presented to SOC analysts, but also makes their work more efficient.
Our Security Services
The security product suite from our partner Splunk already contains the key building blocks for TDIR: a market-leading SIEM, which includes threat intelligence, and a powerful SOAR solution. This setup will soon be complemented by a unified user interface, Splunk Mission Control, which extends an existing implementation of Splunk Enterprise Security and SOAR into a Unified Security Operations solution.