How do SIEM and SOC contribute to digital resilience? DORA in focus

Banks and insurance companies are directly affected by DORA (Digital Operational Resilience Act). To ensure digital resilience, companies must respond quickly and in a well-structured manner to critical incidents.

Yassmine El Khaoudi focuses on how SIEM (Security Information and Event Management) and SOC (Security Operations Center) help companies meet DORA requirements.

A few words about DORA (Digital Operational Resilience Act)

The DORA regulation sets standards for the cybersecurity and operational resilience of insurance and financial services companies in the EU. It requires:

  • Companies must effectively manage cyber risks.
  • Companies must ensure that their systems remain stable even in the event of incidents.


DORA aims to ensure that the requirements are monitored and enforced consistently across the EU. The package of laws seeks to strengthen cooperation in the management of cyber risks and to increase confidence in digital infrastructure.

What SIEM and SOC achieve

These comprehensive requirements for monitoring, response and resilience create the basis for the use of solutions such as SIEM and SOC. These play a central role in Chapter II on ICT risk management. Article 10 requires real-time incident detection through monitoring and analysis tools.

Organizational units such as the Security Operations Center are particularly important here, as they ensure the continuous monitoring and analysis of security incidents. Articles 11 and 12 emphasize the need to respond quickly to incidents and to recover systems and data efficiently – through regular backups and recovery plans.

How do the Regulatory Technical Standards (RTS) complement the DORA regulation?

RTS define specific technical minimum requirements for ICT risk management.

They specify how security incidents are to be monitored, logged and handled. In this way, they create a basis for operational resilience.

SIEM systems support the implementation of the RTS. While SIEM systems correlate event data and generate alerts, SOC teams analyze this data and take appropriate action.

SIEM (Security Information and Event Management)

SIEM is a security solution that enables companies to identify and eliminate potential security threats and vulnerabilities. SIEM systems are considered central security platforms that combine and analyze data from various sources (e.g., Syslog, Windows Event Logs).

They provide real-time monitoring, event correlation and analysis, making it possible to quickly detect and defend against complex attack patterns, anomalies and malicious actions (i.e., security threats caused by deliberate or negligent human behavior).

An alert (notification) generated by the SIEM solution flags suspicious activity and prompts a deeper investigation.

In addition, they support companies in complying with legal requirements such as DORA via compliance and audit reports.


A SIEM system can only remain effective if it is continuously developed. This includes, for example, efficiently sorting out false positives (alerts that turn out not to be real incidents) and integrating new threats in the form of updated rules and correlations.

A comprehensive ecosystem is provided, for example, by Microsoft with its Defender tools such as MDE (Microsoft Defender for Endpoint) and Sentinel.

These practical tools complement SIEM systems by providing integrated threat detection and response capabilities. The tools are important building blocks for enabling digital resilience.

SOC teams monitor security incidents

They detect threats and handle incidents 24/7.

But what exactly does a SOC team do?

Qualified security analysts investigate and process the incoming alerts. False positives can be identified and actual threats quickly isolated.

The SOC is responsible for quickly containing and eliminating security incidents. The aim is to keep damage to a minimum. Thanks to threat intelligence, the SOC can analyze current threat data and take targeted protective measures.

In addition, the team ensures that compliance requirements are implemented in the area of security operations – the SOC thus contributes to compliance with regulations and support for data protection provisions. It is essential to constantly optimize the security strategy – this way, the SOC is prepared for new threats.

In the “three lines of defense” model, i.e., in a multi-level security model, the SOC takes on the first line of defense by monitoring security incidents, detecting threats and implementing operational measures. The second line is formed by the CISO, who defines compliance requirements and checks that they are implemented. The third line is formed by the audit.

Work in the SOC is divided into three levels (tiers):

  • L1 analysts evaluate alerts and sort out false positives.
  • L2 analysts perform deeper root cause analysis and initiate countermeasures.
  • L3 analysts go on a threat hunt and investigate complex incidents.

From risk to security rule: how SIEM manages security

Companies start by identifying and assessing risks (such as malicious acts). They determine suitable scenarios (use cases) to investigate.

Tools such as the MITRE ATT&CK framework (a publicly available knowledge base of cyber-attack tactics and techniques) serve as a reference for possible threat scenarios. To begin implementation, relevant log data from the source systems is identified, converted to a uniform format and integrated into the SIEM system.

The ability to normalize security events and integrate them into data lakes (structured and unstructured data sets) is a prerequisite for conducting more in-depth analyses and detecting threats that traditional firewalls and IDS/IPS (intrusion detection / prevention systems) cannot identify. Newer technologies such as Microsoft Defender EDR already perform rule-based analysis at the endpoint before the data is processed further.

The SIEM system maps the defined use cases to specific rules that are designed to recognize the corresponding threat scenarios.

Good examples of possible threats are unusual login attempts from other countries or suspicious data transfers.

The rules generate events that are aggregated and analyzed in the SIEM or in a security orchestration, automation and response (SOAR) solution. Technologies like SOAR support automated playbooks for handling security incidents. These playbooks draw on threat intelligence feeds and reference frameworks such as the MITRE ATT&CK tactics to recognize known attack techniques and respond accordingly.

Combined event patterns trigger alerts. The SOC team checks these to rule out false positives and detect actual security incidents. Finally, the team ensures that the incidents are addressed and resolved – thus minimizing risks.


SIEM in use: data leakage or not?

Scenario 1: Ruling out a false alarm

Maria*, an analyst, regularly prepares reports. On a Friday afternoon, she copies large amounts of data from the customer database to her encrypted company USB stick. She wants to finish these reports during a planned business trip. The SIEM system detects unusual data transfer activity and raises an alert, because the volume of data combined with the use of a USB device matches its pattern for data theft.

Now the investigation begins. It turns out that the data transfer was authorized and in line with security guidelines.

The security team lifts the restrictions and Maria* can continue her work.

*fictitious person

Scenario 2: No false alarm – detecting an attempted data theft

Maria* decides to copy sensitive customer data and pass it on to a competitor. She tries to transfer huge amounts of data to a private USB stick. The SIEM system registers the unusual activity and immediately triggers an alarm chain. The security team responds immediately, blocks access to the affected systems and disables the USB port on Maria’s PC.

This time, the investigation shows that it was indeed an attempted data theft. Legal action is taken against Maria*, and the sensitive data remains protected.

*fictitious person
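The pipeline described above (normalize source logs into one schema, map a use case to a rule with a threshold, correlate events, raise an alert, then triage it) and the two USB scenarios, as an added Python illustration that is not part of the original article; the log formats, device inventory, rule name and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample telemetry (not real data): a syslog-style line from a removable-media agent and a Windows-event-style record.
SYSLOG_LINES = [
    "2024-05-17T15:02:11Z host=WS-1042 user=maria action=file_copy dest=usb:SN-COMPANY-77 bytes=320000000",
    "2024-05-17T15:04:40Z host=WS-1042 user=maria action=file_copy dest=usb:SN-COMPANY-77 bytes=260000000",
]
WINDOWS_EVENTS = [{"TimeCreated": "2024-05-17T15:20:05Z", "Computer": "WS-1042", "SubjectUserName": "maria",
                   "Operation": "file_copy", "TargetDevice": "SN-PRIVATE-01", "Size": 900000000}]
# Constructed device inventory used for triage enrichment (hypothetical).
MANAGED_DEVICES = {"SN-COMPANY-77": {"encrypted": True, "owner": "maria"}}
# Use case "bulk copy to removable media": 500 MB per user+device in 10 min; the ATT&CK id T1052.001 (exfiltration over USB) is illustrative.
RULE = {"id": "UC-EXFIL-USB", "attack": "T1052.001", "threshold_bytes": 500_000_000, "window_s": 600}
SYSLOG_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                       r"action=(?P<action>\S+) dest=usb:(?P<device>\S+) bytes=(?P<bytes>\d+)")

def normalize(syslog_lines, windows_events):
    """Map both source formats onto one schema so a single rule can run over them."""
    events = []
    for line in syslog_lines:
        m = SYSLOG_RE.match(line)
        if m:  # lines that do not match the agent format are skipped, not guessed
            events.append({"ts": m["ts"], "host": m["host"], "user": m["user"], "action": m["action"],
                           "device": m["device"], "bytes": int(m["bytes"])})
    for ev in windows_events:
        events.append({"ts": ev["TimeCreated"], "host": ev["Computer"], "user": ev["SubjectUserName"],
                       "action": ev["Operation"], "device": ev["TargetDevice"], "bytes": int(ev["Size"])})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, rule=RULE):
    """Sum copy volume per (user, device) over a sliding window; raise one alert per key when the threshold is crossed."""
    alerts, window = [], defaultdict(list)
    for ev in (e for e in events if e["action"] == "file_copy"):
        key = (ev["user"], ev["device"])
        t = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        window[key] = [x for x in window[key] if (t - x[0]).total_seconds() <= rule["window_s"]]
        window[key].append((t, ev["bytes"]))
        total = sum(b for _, b in window[key])
        if total >= rule["threshold_bytes"] and all(a["key"] != key for a in alerts):
            alerts.append({"rule": rule["id"], "attack": rule["attack"], "key": key, "host": ev["host"], "bytes": total})
    return alerts

def triage(alert, devices=MANAGED_DEVICES):
    """L1 enrichment: a managed, encrypted stick owned by the user suggests an authorized transfer (still confirmed with the business, scenario 1); anything else goes to L2 (scenario 2)."""
    user, device = alert["key"]
    info = devices.get(device)
    if info and info["encrypted"] and info["owner"] == user:
        return "false_positive_candidate"
    return "escalate_L2"
```

The two copies to the company stick only cross the threshold together, which is the correlation step; a single copy below 500 MB produces no alert at all.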

DORA Chapter II – ICT risk management and the role of SIEM/SOC

Article 8 – Identification

Article 8 of DORA requires companies to thoroughly identify critical ICT resources, possible cyber threats and ICT vulnerabilities. This forms a comprehensive risk management basis, which is necessary for targeted security measures.

Modern SIEM systems support this risk identification required by Article 8.

But how? SIEM systems collect data – and they do so continuously. This data (e.g., log data, login activities and network traffic) is compared with threshold values or known attack patterns.

SOC teams use the information to monitor critical systems and detect specific threats.

The clever combination of SIEM and SOC enables continuous risk analysis and a solid cyber protection concept for the company.

Integrated threat intelligence feeds provide real-time information on new vulnerabilities and attack techniques. These feeds make it possible to assess risks in context. They prioritize threats based on the level of danger they pose.

Article 9 – Protection and Prevention

Organizations must implement preventive measures to protect their critical ICT resources to an appropriate extent. These include security policies and standards, as well as technologies that prevent potential attacks.

To do this, companies rely on technologies such as intrusion detection / prevention systems (IDS/IPS) and zero-trust architectures.

SIEM helps to prevent attacks by examining security events in real time, correlating them, and triggering alerts when potential threats arise.

While SIEM systems can detect vulnerabilities, they primarily deliver events that serve as a basis for further analysis.

SOC teams use this data to develop and implement preventive protective measures. These include skills such as threat intelligence and active monitoring.

Combining SIEM analysis and SOC strategies makes it possible to detect threats at an early stage and take preventive action. This significantly reduces the likelihood of attacks succeeding.

Article 10 – Detecting threats

Companies must have mechanisms in place to quickly and reliably identify security incidents and threats and respond to them in a timely manner. To do this, they must provide sufficient resources and capacities.

SIEM systems are indispensable when it comes to detecting threats, because they examine security-related events, identify suspicious patterns and create immediate alerts.

SOC teams monitor these alerts 24/7, assess their criticality and prioritize incident responses. This way, measures can be taken before the threats actually cause damage.

Article 11 – Response and recovery

Article 11 is about how to respond to security incidents and how to restore affected systems. These ICT business continuity guidelines represent a clear strategy for managing security incidents and the response to them. For example, organizations must have a disaster recovery plan in place to get back up and running quickly after an incident. The prerequisite for this is that SIEM and SOC work together efficiently.

Article 12 – Backup policies and procedures: how restoration and recovery can work

Article 12 requires companies to establish robust backup and recovery plans. Backups are designed to enable the recovery of critical data in an emergency – without jeopardizing the protection objectives of information (availability, integrity, confidentiality).

It must not be possible to tamper with these ICT systems, and unauthorized persons must not be able to access them. Logically and physically separated systems with effective access controls, for example, can help.

The SIEM monitors backup integrity and can detect suspicious activities in the backup processes that indicate manipulation or other risks.

SOC teams regularly review and test the recovery processes. They ensure that backups are quickly and securely deployed in an emergency.

Specialized CSIRT (Computer Security Incident Response Team) and DFIR (Digital Forensics and Incident Response) service providers are also crucial here. These teams provide support for forensic analysis. They also take responsibility for ensuring that recovery is carried out effectively and comprehensively, especially in the case of prolonged incidents.

The process begins with the analysis of security incidents by CSIRT teams, who coordinate containment and recovery measures.

DFIR service providers complement this approach with forensic investigations. Here, they evaluate data such as log files and network analyses to determine the causes of the incident and secure evidence. Specialized tools are used, such as disk imaging software and frameworks to manage incidents. Threat hunting tools are also popular for detecting targeted attacks.

The skillful interplay of SIEM, SOC, CSIRT and DFIR ensures that backup and recovery processes are tamper-proof and ready for use at any time.

SIEM and SOC are at the heart of any good cyber defense

The digital resilience of companies in the financial sector is extremely important.

If SIEM and SOC are closely integrated and RTS guidelines are consistently applied, companies in the financial sector can strengthen their digital resilience – and also implement the requirements of DORA in a legally compliant manner.

Feel free to contact us.