Executive summary and joint guidance on security information and event management and security orchestration, automation and response

The Canadian Centre for Cyber Security Cyber securityThe protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability. (Cyber Centre) has joined the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) and the following international partners in releasing updated cyber security guidance on security information and event management (SIEM) and security orchestration, automation and response (SOAR):

• Czech Republic’s National Cyber and Information Security Agency (NÚKIB)
• Japan’s National Center of Incident Readiness and Strategy for Cyber Security (NISC) and Computer Emergency Response Team Coordination Center (JPCERT/CC)
• New Zealand’s National Cyber Security Centre (NCSC-NZ)
• Republic of Korea’s National Intelligence Service (NIS)
• Singapore’s Cyber Security Agency (CSA)
• United Kingdom’s National Cyber Security Centre (NCSC-UK)
• United States’ Federal Bureau of Investigation (FBI)
• United States’ Cybersecurity and Infrastructure Security Agency (CISA)
• United States’ National Security Agency (NSA)

SIEM and SOAR platforms offer many benefits to organizations. Both platforms can enhance an organization’s ability to detect and respond to cyber security risks by collating, analyzing and automating some aspects of an organization’s work. To function effectively, SIEM and SOAR platforms rely on proper deployment and maintenance over time.

This series of guidance includes 3 publications.

Executive guidance: Implementing security information and event management and security orchestration, automation and response platforms

This executive summary provides considerations for organizations that are looking to procure SIEM and SOAR platforms. The executive summary:

• defines SIEM and SOAR platforms
• outlines the benefits and challenges associated with using SIEM and SOAR platforms
• identifies best practices for implementing and maintaining SIEM and SOAR platforms

Read Executive guidance: Implementing security information and event management and security orchestration, automation and response platforms.

Guidance for practitioners: Implementing security information and event management and security orchestration, automation and response platforms and their implementation

This joint guidance provides high-level direction for cyber security practitioners on SIEM and SOAR platforms. Cyber security practitioners in government and other organizations can leverage this guidance to implement SIEM and SOAR platforms.

Read Guidance for practitioners: Implementing security information and event management and security orchestration, automation and response platforms and their implementation.

Guidance for practitioners: Priority logs for security information and event management ingestion

This joint guidance is intended for cyber security practitioners. It provides recommendations for logs that should be prioritized for ingestion by a SIEM platform, as well as tips on querying the platform.

Read Guidance for practitioners: Priority logs for security information and event management ingestion.