International Journal of Computer Networks & Communications (IJCNC)

AIRCC PUBLISHING CORPORATION

EXPLORING CRITICAL VULNERABILITIES IN SIEM IMPLEMENTATION AND SOC SERVICE PROCUREMENT: AN IN-DEPTH ANALYSIS OF HIGH-RISK SCENARIOS

Ertuğrul AKBAŞ
Computer Engineering, Istanbul Esenyurt University, SureLog SIEM İstanbul, Turkey

ABSTRACT

This research paper examines the high risks encountered while using a Security Information and Event
Management (SIEM) product or acquiring Security Operations Center (SOC) services. The paper focuses
on key challenges such as insufficient logging, the importance of live log retentions, scalability concerns,
and the critical aspect of correlation within SIEM. It also emphasizes the significance of compliance with
various standards and regulations, as well as industry best practices for effective cybersecurity incident
detection, response, and management.

KEYWORDS

SIEM, Security, SOC, Cyber Security, Insufficient logging, Live Log, Hot Log, Log Loss, Correlation

1. INTRODUCTION

SIEM solutions and SOC services stand as foundational pillars in the ever-evolving landscape of
modern cybersecurity. These components play a pivotal role in protecting organizations from an
increasingly sophisticated array of cyber threats. However, the effectiveness of these vital tools
can be undermined by a range of challenges that span from the intricacies of log management to the
complexities of data correlation. This paper examines these challenges in depth, dissecting the
inherent risks they pose and showing how they can erode an organization's overall security
posture.

While there exists a wealth of research analyzing SIEM products and SOC services, this paper
takes a novel analytical approach. We depart from traditional methodologies and instead focus
on evaluating these security measures in alignment with legal requirements, governmental orders,
industry regulations, and best practices.

In this endeavor, we aim to shed light on the crucial intersection of cybersecurity and compliance.
By assessing SIEM and SOC effectiveness through the lens of applicable laws, orders,
regulations, and industry benchmarks, we seek to provide a comprehensive understanding of how
organizations can not only bolster their security posture but also ensure conformity with the
ever-evolving landscape of cybersecurity laws, governmental orders, regulations, standards, and
obligations.

Our analysis is based on White House orders, OWASP, MITRE, and SANS, which makes our
evaluation a novel methodology. Our analysis builds upon the foundation laid by these
authoritative sources, weaving together insights, methodologies, and best practices into a
coherent evaluation framework. By doing so, we aim to provide a holistic and rigorous approach
to assessing cybersecurity measures, whether within governmental institutions, corporations, or
individual systems.

2. CURRENT METHODOLOGIES IN EVALUATING SIEM SOLUTIONS

Many SIEM features are common across the market and are provided by a significant portion of
the available offerings.

Fundamentally, all SIEMs have the capacity to collect, store, and correlate events generated by a
managed infrastructure [1]. Beyond these core capabilities, the authors of [1] list the following features:

  • Correlation rules
  • Data sources
  • Real time processing
  • Data volume
  • Visualization
  • Data analytics
  • Performance
  • Forensics
  • Complexity
  • Scalability
  • Risk analysis
  • Storage
  • Price
  • Resilience
  • Reaction and reporting capabilities
  • UEBA
  • Security

They also present a comparison table, which is shown here as Table 1.


Figure 1. Example of a Petri Net


This entry was posted on December 15, 2023.