Why does the customer need this?
SIEM, SOAR and SGRC become important when information security can no longer be maintained manually: there are too many events, the infrastructure is distributed, there are clouds, branches, external services, business-critical applications, personal data, CII, GIS, financial transactions or internal audit requirements. In such a situation, management needs not simply to “install a system”, but to gain control over what is happening, what is critical, who is responding, which risks are open and what has already been fixed.
For the customer, the value is that information security ceases to be a set of unrelated tools. SIEM helps you see and connect events, SOAR helps you respond faster, SGRC helps you manage processes, controls, risks and reporting. Together they provide the basis for a SOC, a mature information security function and demonstrable manageability to business, audit and regulators.
Decoding abbreviations
| Abbreviation | What it means | What task it addresses |
|---|---|---|
| SIEM | Security Information and Event Management - management of information and security events. | Collects logs and events from systems, normalizes them, links them together, identifies suspicious chains and helps analysts see the incident. |
| SOAR | Security Orchestration, Automation and Response - orchestration, automation and response to information security events. | Automates typical actions: create an incident, enrich with data, check an indicator, block an account, launch a playbook, notify those responsible. |
| SGRC | Security Governance, Risk and Compliance - management of information security, risks and compliance. | Helps maintain policies, controls, risks, requirements, reviews, tasks, exceptions, audits and management reporting in one process. |
| SOC | Security Operations Center - a center for monitoring and responding to information security incidents. | An organizational model in which people, processes and SIEM/SOAR/SGRC tools work together: monitoring, triage, investigation, response and reporting. |
| MSSP | Managed Security Service Provider - an external or internal provider of managed information security services. | A model in which monitoring, response or part of the SOC processes is transferred to a dedicated team or service contractor under an SLA. |
When is a SIEM needed?
SIEM is needed when a company wants to see security events not per individual server, network device or application, but as a single picture of risk. This is especially important for banks, telecoms, industry, the public sector, retail, and companies with personal data, CII, many branches, external services and critical business applications.
Event Sources
Servers, workstations, network devices, NGFW, WAF, VPN, EDR/XDR, AD/LDAP, databases, applications, Kubernetes, clouds and business systems.
Correlation
SIEM connects events with each other: suspicious login, change of rights, network activity, protection activation, anomaly in the application and user actions.
Prioritization
Not every log entry matters; what matters is the risk. Rules, severity, asset criticality, exceptions and routing of events to those responsible are configured.
Audit and investigation
Events are stored for investigations, audits, incident retrospectives, reporting and demonstrating what the IT and information security teams actually did.
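The correlation and prioritization points above, worked through as an added example (not the page's or any vendor's rule engine): a chain of failed logins, a successful login and a privilege change by the same user within a window becomes one alert, severity comes from the criticality of the affected asset, approved exceptions are suppressed, and the alert is routed to a responsible queue. Events, asset criticalities, the exception list and the routing table are constructed assumptions.

```python
# Added illustration of SIEM-style correlation and prioritization; not any
# vendor's rule engine. Asset criticality, exceptions and routing are assumed.
from datetime import datetime, timedelta

# Constructed, already-normalized sample events (common schema after parsing).
EVENTS = [
    {"ts": "2024-05-01T08:00:05", "type": "auth_fail", "user": "j.smith", "host": "vpn-gw1", "src": "203.0.113.7"},
    {"ts": "2024-05-01T08:00:09", "type": "auth_fail", "user": "j.smith", "host": "vpn-gw1", "src": "203.0.113.7"},
    {"ts": "2024-05-01T08:00:14", "type": "auth_fail", "user": "j.smith", "host": "vpn-gw1", "src": "203.0.113.7"},
    {"ts": "2024-05-01T08:00:20", "type": "auth_ok", "user": "j.smith", "host": "vpn-gw1", "src": "203.0.113.7"},
    {"ts": "2024-05-01T08:03:40", "type": "priv_change", "user": "j.smith", "host": "dc-01", "src": "10.0.0.5"},
    {"ts": "2024-05-01T09:15:00", "type": "priv_change", "user": "svc-backup", "host": "file-02", "src": "10.0.0.9"},
]

# Assumed configuration: criticality per asset, approved exceptions, and who
# receives alerts of each severity.
ASSET_CRITICALITY = {"dc-01": 3, "vpn-gw1": 2, "file-02": 1}
SEVERITY = {3: "high", 2: "medium", 1: "low"}
EXCEPTIONS = {("svc-backup", "priv_change")}  # documented service-account behaviour
ROUTING = {"high": "soc-l2@example.internal", "medium": "soc-l1@example.internal", "low": "it-ops@example.internal"}
WINDOW = timedelta(minutes=10)

def _t(e):
    return datetime.fromisoformat(e["ts"])

def correlate(events, fail_threshold=3):
    """Rule: >= fail_threshold failed logins, then a successful login, then a
    privilege change by the same user within WINDOW -> one alert. Severity is
    taken from the criticality of the asset where rights changed, not from
    the raw number of events; excepted pairs never alert."""
    by_user = {}
    for e in sorted(events, key=_t):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for p in (e for e in evs if e["type"] == "priv_change"):
            if (user, p["type"]) in EXCEPTIONS:
                continue
            recent = [e for e in evs if timedelta(0) <= _t(p) - _t(e) <= WINDOW]
            fails = [e for e in recent if e["type"] == "auth_fail"]
            oks = [e for e in recent if e["type"] == "auth_ok"]
            if len(fails) >= fail_threshold and oks:
                sev = SEVERITY[ASSET_CRITICALITY.get(p["host"], 1)]
                alerts.append({"rule": "bruteforce_then_priv_change", "user": user,
                               "asset": p["host"], "severity": sev,
                               "route_to": ROUTING[sev], "evidence": fails + oks + [p]})
    return alerts
```

The `evidence` list is what an analyst opens during triage and what is retained for the investigation and audit trail.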
When is SOAR needed?
SOAR is needed when there are already a lot of events and incidents, and manual processing slows down the response. Its task is not to replace analysts, but to relieve a repeatable load: enrich the incident, check indicators, create a task, run a blocking script, notify the system owner and record the result.
| Situation | What does SOAR provide? |
|---|---|
| Many similar triggers | A playbook automatically collects context, cuts out noise, and hands an already prepared incident to the analyst. |
| The response depends on several systems | SOAR connects SIEM, EDR/XDR, NGFW, IAM/PAM, ITSM, mail, instant messengers, threat intelligence and internal directories. |
| It is necessary to comply with the response SLA | Every step is recorded: who received the incident, what was done, where the delay was, what decision was made and when it was closed. |
| We need to reduce the human factor | Typical actions are performed according to an agreed scenario, and dangerous operations require confirmation from a responsible specialist. |
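The SLA and human-factor rows above, as an added example that is not the page's or any product's code: a playbook runner that records who performed each step and when, refuses to execute a dangerous step (account blocking) without an explicit analyst confirmation, and checks the first-response SLA against the recorded trail. The threat-intelligence feed, incident fields and the 30-minute SLA are constructed assumptions; the integrations are in-memory stand-ins.

```python
# Added illustration of a SOAR playbook with an audit trail, a confirmation
# gate for dangerous actions and an SLA check. Integrations are in-memory
# stand-ins, not real product APIs.
from datetime import datetime, timedelta

SLA_FIRST_RESPONSE = timedelta(minutes=30)  # assumed contractual value
TI_BAD_IPS = {"203.0.113.7"}  # constructed threat-intelligence feed

def enrich(incident):
    incident["indicator_hit"] = incident["src"] in TI_BAD_IPS
    return "ti_match" if incident["indicator_hit"] else "ti_clean"

def notify_owner(incident):
    return f"notified {incident['owner']}"

def block_account(incident):  # dangerous: touches IAM, never runs unconfirmed
    return f"blocked {incident['user']}"

# Step table: (name, action, dangerous). Order is the agreed scenario.
PLAYBOOK = [("enrich", enrich, False),
            ("notify_owner", notify_owner, False),
            ("block_account", block_account, True)]

def run_playbook(incident, analyst, now_iso, confirmations=frozenset()):
    """Execute steps in order, recording who did what and when. A dangerous
    step without a confirmation from the analyst stops the run in
    'pending_approval' instead of being executed."""
    incident.setdefault("trail", [])
    clock = datetime.fromisoformat(now_iso)
    for name, action, dangerous in PLAYBOOK:
        clock += timedelta(seconds=5)  # constructed step duration
        if dangerous and name not in confirmations:
            incident["trail"].append({"ts": clock.isoformat(), "actor": "soar",
                                      "step": name, "result": "awaiting_confirmation"})
            incident["status"] = "pending_approval"
            return incident
        incident["trail"].append({"ts": clock.isoformat(),
                                  "actor": analyst if dangerous else "soar",
                                  "step": name, "result": action(incident)})
    incident["status"] = "closed"
    return incident

def first_response_within_sla(incident):
    """SLA is checked against the recorded trail, not against memory."""
    created = datetime.fromisoformat(incident["created"])
    first = datetime.fromisoformat(incident["trail"][0]["ts"])
    return first - created <= SLA_FIRST_RESPONSE
```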
When is SGRC needed?
SGRC is needed when it is important for the information security team to manage not only incidents, but also the entire control system: requirements, policies, risks, owners, deadlines, exceptions, audits, reviews, security measures and reporting to management. This is especially true for regulated industries, groups of companies, distributed infrastructure and organizations where information security must be understandable to the business.
Governance
Who owns the process, what policies are in place, who is responsible for each control, how exceptions are approved and how decisions are recorded.
Risk
What risks are open, what assets are critical, what measures reduce the risk, where tasks are overdue and what requires management attention.
Compliance
How the requirements of Federal Law No. 152-FZ, Federal Law No. 187-FZ, FSTEC, FSB, industry standards, internal policies and audit procedures are met.
Reporting
Reports on incidents, risks, controls, remediation statuses, exceptions, SLAs, audits and the maturity of the information security function.
How do they work together
SIEM, SOAR and SGRC are best thought of as a single operational chain. SIEM sees the event and helps understand what happened. SOAR orchestrates the response and automates repeatable actions. SGRC links incidents and vulnerabilities to risks, controls, responsibilities, timelines and management reporting.
Sources
Systems, applications, networks, security tools, clouds, databases, AD, DevOps, endpoints and business-critical services send events.
SIEM
Events are normalized, enriched, correlated, given severity and turned into alerts or incidents.
Triage
The alert is checked: asset criticality, user, context, repeatability, and whether it is a false positive or a real attack.
SOAR
Playbooks are launched: enrichment, blocking, notification, task creation, confirmation request or escalation.
ITSM and teams
The incident goes to the owners of the systems, IT, information security, DevOps or contractor with an SLA, status and responsibility.
SGRC
An incident is associated with a risk, control, policy, exception, audit or risk mitigation activity.
Reporting
Management sees not a stream of logs, but the dynamics of risks, incidents, SLAs, remediations, recurrence and process maturity.
Improvement
Correlation rules, playbooks, controls, roles, training and security architecture are regularly adjusted.
What does RESTART undertake?
| Customer's task | What we do |
|---|---|
| Understand where to start | We conduct a survey: sources of events, assets, information security, current incidents, roles, regulations, reporting requirements, restrictions and the SOC/SOC-ready target model. |
| Select architecture and platforms | We design HLD/LLD, define the roles of SIEM, SOAR and SGRC, compare vendors, check integrations, cost of ownership, data and operational requirements. |
| Collect sources and rules | We connect critical sources, set up normalization, correlation rules, use cases, dashboards, routing and basic investigation scenarios. |
| Automate response | We design and implement SOAR playbooks and integrations with ITSM, EDR/XDR, NGFW, IAM/PAM, threat intelligence, mail and notification channels. |
| Make risks and controls manageable | We set up SGRC processes: policies, controls, risks, owners, exceptions, tasks, deadlines, statuses, audit and management reporting. |
| Put the environment into operation | We prepare regulations, role matrix, analyst instructions, use case development plan, metrics, SLA and post-launch support. |
SOC readiness and the MSSP perspective
It makes sense to view SIEM/SOAR/SGRC not only as a product implementation, but also as preparation for a mature monitoring model. Even if your own SOC is not needed yet, it is useful for a company to build a SOC-ready foundation: clear sources of events, basic scenarios, roles, SLA, escalation rules, playbooks, reports and the ability to connect an internal team or an MSSP partner.
This approach reduces the risk of “you bought a platform, but it doesn’t work”: even before implementation, people, processes, sources, use cases, analyst workload, event storage requirements, support model and performance criteria are recorded.
Partner platforms: SOC, GRC and response
For SIEM, SOAR and SGRC environments, RESTART selects platforms not according to the “biggest product” principle, but according to the maturity of the customer: what sources of events already exist, who will deal with incidents, what regulations are needed, what reports are needed by management and regulators, whether it is possible to automate the response and how the environment will be supported after launch.
- Positive Technologies: VM, SIEM, AppSec, NDR, WAF, cyber resilience
- R-Vision: SOAR, SGRC, VM, TIP, UEBA, SIEM
- Security Vision: SOAR, NG SOAR, SGRC, SIEM, VM, TIP, UEBA
- UserGate: NGFW, SUMMA, SIEM, LogAn, Client, SecaaS
- F6: threat intelligence, DRP, anti-fraud, XDR, ASM
- Kaspersky: endpoint, EDR/XDR, KATA, threat intelligence
Partners are listed as the technology backbone of the solution class. The specific composition of products, versions, licenses, certificates and delivery conditions is confirmed before the project.
Connection with AI, vulnerabilities and compliance
SIEM, SOAR and SGRC are strengthened when connected to other areas of information security. Vulnerability management shows which assets require attention. DevSecOps supplies events from secure development and the pipeline. CII, Federal Law No. 152-FZ and GIS set requirements for controls and reporting. Security & Compliance AI can help experts quickly understand policies, incidents, checklists and reports, but the final decisions remain with the responsible experts.
What does the client get?
- map of event sources, critical assets, protection systems, roles and current information security processes;
- target SIEM/SOAR/SGRC architecture and implementation plan without overloading the team;
- a prioritized set of use cases, correlation rules, playbooks and reports;
- integration with information security, ITSM, EDR/XDR, NGFW, IAM/PAM, DevOps, threat intelligence and internal directories;
- SGRC model for risks, controls, policies, exceptions, audits and management reporting;
- analyst work regulations, SLA, escalation routes, SOC-ready metrics and maturity development plan.
First practical step
It’s better to start not with choosing a vendor, but with diagnostics: what events need to be collected, what assets are critical, what incidents are already occurring, who will respond, what reports are needed, what regulatory requirements are applicable and what processes are already in place. After this, you can consciously choose whether you need only SIEM, whether you need SOAR, which SGRC processes to launch first, and which MVP will give a quick effect.
RESTART usually offers the first stage in the format of a survey and design session: architecture, sources, use cases, roles, roadmap, pilot environment and requirements for industrial operation.
Frequently asked questions
Is it possible to start with just SIEM?
Yes. If the company does not yet have a unified picture of events, it is reasonable to start with SIEM, critical sources and basic use cases, and connect SOAR and SGRC as the processes mature.
Does everyone need SOAR?
No. SOAR is especially useful where there are repeatable response scenarios, multiple tools, SLA requirements, and a team that is willing to work from a playbook.
Is SGRC only for regulators?
No. SGRC is useful even without external review: it helps management see risks, owners, control statuses, exceptions, objectives and information security maturity in a clear management form.
Let's discuss your environment
Describe the task, current systems, constraints, and expected results. We will offer a practical first step: diagnostics, pilot, audit, roadmap or project team.
