6

What is the difference between a SIEM (Security Information and Event Management) and a SOC (Security Operations Centre)?

Do they work together? And if they are independent, when should you use which?

allo
whatever489

4 Answers

16

At a high-level, just remember that:

  • A SIEM (Security Information and Event Management) is a specific kind of technology, providing network visibility in a security context (by indicating suspicious/illegitimate activity through set-up rules and correlation intelligence), and enabling security analysts to act on suspected threats.
  • A SOC (Security Operations Centre) encompasses the People, Processes, as well as Technology involved in protectively-monitoring a network, responding to incidents, and researching/actively searching for known/unknown threats.
7

A Security Information and Event Management (SIEM) is a tool that collects and normalises logs, which are tested against a set of correlation rules that, when triggered, create events for human analysts to analyse.

A Security Operations Centre (SOC) is a centralised unit of security analysts (and related job roles) that deal with security issues, using a variety of tools. One of the main tools used by security analysts is a SIEM, as it is the SIEM that will ‘surface’ security incidents to the human analyst.

Typically you will not have a SOC without a SIEM. But you may find that IT teams with a mature security element have a SIEM (or something similar). Although it is often the case (in my experience) that the SIEM capability will be outsourced to a 3rd party or will be rolled up into a dedicated SOC.

You may also find that SIEMs are used in Cyber Incident Response Teams (CIRTs), which are similar to SOCs but may have expanded capability into other areas such as information sharing, intelligence and deeper incident response.

If the SOC was a shop, the Security Analyst would be the retail assistant working the tills and the SIEM would be the till.

TheJulyPlot
1

An NMS is the management tool of a NOC, just as a SIEM solution is the management tool of a SOC. A SIEM provides an additional layer of security to a SOC, which helps organizations enable advanced threat detection and incident response capabilities.

A SOC, meanwhile, comprises all the entities used for security monitoring within a corporate IT environment, such as people, procedures, security software, and security devices like firewalls, IDS/IPS, proxy servers, etc.

schroeder
0

A SOC is a McDonald's franchise (service) and a SIEM is its oven (tool).

SOC:

A Security Operation Center (SOC) is a centralized function within an organization employing people, processes, and technology to continuously monitor and improve an organization's security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents.

Source: https://www.mcafee.com/enterprise/es-es/security-awareness/operations/what-is-soc.html

SIEM:

A SIEM is a tool that collects, aggregates and normalizes the data, analyses it according to pre-set rules, and presents the data in a human-readable format.

Bilal Ahmad
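The collect, normalise, correlate and surface-to-an-analyst pipeline that two of the answers above attribute to a SIEM, as an added example that is not part of any answer on this page. The log lines, the two source formats, the field names and the threshold/window of the correlation rule are all constructed for illustration; a real SIEM's parsers and rule language will differ.

```python
# Added toy SIEM pipeline (example code, not from any answer on this page).
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from two sources: syslog-style sshd and a JSON web app.
RAW_LOGS = [
    "2024-05-01T10:00:01 sshd: Failed password for alice from 203.0.113.7",
    "2024-05-01T10:00:09 sshd: Failed password for alice from 203.0.113.7",
    "2024-05-01T10:00:20 sshd: Failed password for alice from 203.0.113.7",
    "2024-05-01T10:00:31 sshd: Accepted password for alice from 203.0.113.7",
    '{"ts": "2024-05-01T10:05:00", "user": "bob", "ip": "198.51.100.2", "login": "fail"}',
    '{"ts": "2024-05-01T10:06:00", "user": "bob", "ip": "198.51.100.2", "login": "ok"}',
]
SSHD_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def normalise(line):
    """Map a raw line from either source onto one schema; None if the line is not understood."""
    m = SSHD_RE.match(line)
    if m:
        ts, result, user, ip = m.groups()
        outcome = "success" if result == "Accepted" else "failure"
    elif line.startswith("{"):
        rec = json.loads(line)
        ts, user, ip = rec["ts"], rec["user"], rec["ip"]
        outcome = "success" if rec["login"] == "ok" else "failure"
    else:
        return None
    return {"ts": datetime.fromisoformat(ts), "user": user, "src_ip": ip, "outcome": outcome}

def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Rule: >= threshold failures from one source IP within `window`, followed by a success."""
    failures = defaultdict(list)   # src_ip -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = [t for t in failures[ev["src_ip"]] if ev["ts"] - t <= window]
        failures[ev["src_ip"]] = recent
        if ev["outcome"] == "failure":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "src_ip": ev["src_ip"],
                           "user": ev["user"], "failures": len(recent), "ts": ev["ts"].isoformat()})
    return alerts

def run_siem(raw_lines):
    """Collect -> normalise -> correlate: returns the events an analyst would triage."""
    return correlate([n for n in map(normalise, raw_lines) if n is not None])
```

Only alice's source IP trips the rule; bob's single failure before a success stays below the threshold and never reaches an analyst, which is the filtering a SOC relies on the SIEM to do.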