First, what is a Security Incident and Event Management (SIEM) tool? Gartner describes SIEM tools as a technology that supports threat detection, compliance, and security incident management through the collection and analysis (both near real-time and historical) of security events and a wide variety of other event and contextual data sources.

Second, what is security Orchestration Automation and Response (SOAR)? Gartner describes SOAR tools as tools that allow an organization to define incident analysis and response procedures in a digital workflow format.

What does this mean? A SIEM tool allows you to collect security and compliance events from various sources, aggregate them, and view them in one place, often called a single pane of glass. Once you have all your security and compliance events in one place, you can check for patterns.

A SOAR tool automates the response to raised security or compliance alerts. Often tools combine SIEM and SOAR functionality providing a single solution that ingests logs from different products and then automates a reaction.

Here are some examples.

• If you ingest events from your user authentication service showing that your accounts are subject to password spray attacks from a specific country, you can protect the accounts being targeted and block access to the country from which the attacks originate.

• If you ingest events from your endpoint protection or anti-virus tools, you can isolate devices that do not have required patches installed or devices that are infected with a virus.

• If you ingest events from your firewall, you can detect if your firewall is subject to a port scanning attack, so you can block the firewall ports being attacked and also block connections from the source IP addresses.

• If you ingest logs from your on-premises servers, such as your Active Directory domain controllers, you can detect potential privileged account compromise.

• If you ingest threat indicators, you can compare your security events against threat intelligence from external cybersecurity providers, which means you can discover indicators of compromise (IOC) to help protect yourself against emerging cyberattacks and cyber threats.

A SIEM tool will allow you to correlate events from different sources and detect if you are being attacked on multiple fronts from the same source. Your SOAR tool can then block connections to your email, extranet, and web servers from the same source before they are attacked.

Now, you are probably thinking, ‘Wow, that sounds expensive!’ And yes, it can be, but the good news is that it must not be expensive. Such complex solutions are often costly because you need to find a data center and hardware to host the solution, buy licenses or a subscription and pay for support to keep the system running. However, some alternatives make some SIEM and SOAR solutions accessible to even the smallest business because the cost is based only on the number of logs that are ingested.

Note: As a security consultant, I have a complete solution running for demonstration purposes that costs me a maximum of a few USD per month. The quantity of logs that are typically ingested each month is low, but I can use many available features.

The SIEM and SOAR solution I am referring to is Microsoft Sentinel, which is shown as a leader on the Gartner Magic Quadrant and G2 Grid for SIEM.  Sentinel is a cloud-based SIEM and SOAR solution that can ingest logs from a multitude of sources, both Microsoft (cloud and on-premises) and non-Microsoft.  Integration with Microsoft solutions is very easy but the most complex integrations for non-Microsoft solutions are usually nothing more than routing syslog traffic to a Linux log collector, from which Sentinel ingests the logs.  In many cases, there is already a Sentinel data collector to ingest logs from third-party solutions.

Every new deployment of Microsoft Sentinel starts with a free trial which allows you to ingest up to 10GB/day of log data for the first 31 days at no cost for up to 20 Sentinel workspaces.  This is enough for a very comprehensive proof of concept.

If you are a Microsoft 365 customer, then you can ingest Azure Activity logs, Office 365 Audit Logs, and alerts from Microsoft Defender for Cloud, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps all for free, plus there are additional benefits for customers who have Microsoft 365 licenses to ingest Microsoft Information Protection logs and Microsoft 365 advanced hunting data.

If you have data sovereignty requirements or your company is made up of several entities, you can aggregate multiple Sentinel workspaces based in a different location to provide a single pane of glass from which to view the alerts generated from all of your Sentinel workspaces.

As Sentinel is cloud-based and there are no upfront infrastructure costs, and once you have deleted the Sentinel workspace hosted in Azure, there are no further costs.