1.2 Compare security deployments
📘 Cisco Certified CyberOps Associate (200-201 CBROPS v1.2, 2025 Update)
1. Log Management
Definition:
Log management is the process of collecting, storing, and analyzing log data from devices, applications, and systems in an IT environment. Logs are records of events, like login attempts, system errors, or firewall alerts.
Key Points for Exam:
- Purpose:
  - Helps detect security incidents.
  - Supports troubleshooting and auditing.
  - Provides the audit trail that compliance regulations require.
- How it works in IT environments:
  - Devices such as servers, firewalls, routers, and endpoints generate logs.
  - Logs are forwarded to a central system for storage and analysis, so that events from many sources can be searched and compared in one place.
- Types of logs:
  - System logs (operating system events, e.g., logins, service start/stop)
  - Application logs (software behavior and errors)
  - Security logs (firewall, antivirus, intrusion detection alerts)
- Retention:
  - Logs must be kept for a period defined by company policy or compliance regulations (e.g., 90 days, 1 year); logs deleted too early cannot support a later investigation.
- Exam tip: Know that log management is the foundation for both SIEM and SOAR.
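The collection, log-type and retention points above, as an added example (not Cisco material or any product's code): a small Python collector that takes a system log, an application log and a security log in three different formats, maps them onto one common schema, and then applies a 90-day retention policy to the stored events. Normalization is listed under SIEM later on this page, but in practice it often happens at the collector, and doing it here keeps the example self-contained. The line formats, the schema field names, the retention window and the sample lines are constructed assumptions.

```python
"""Central log collection: normalize three log formats into one schema, then
apply a retention policy to the stored events.

Added example for these study notes; it is not Cisco material or any product's
code. The line formats, the schema field names, the retention window and the
sample lines are constructed assumptions.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines: Linux sshd entries (system log), a JSON application
# log, and a firewall verdict (security log). The last line is deliberately old
# so that the retention check has something to purge.
RAW_LOGS = [
    "2025-03-10T08:15:02Z srv01 sshd[1023]: Failed password for alice from 203.0.113.7 port 51234 ssh2",
    '{"ts": "2025-03-10T08:15:05Z", "service": "webapp", "level": "ERROR", "msg": "DB connection timeout", "user": "svc-web"}',
    "2025-03-10T08:15:09Z fw01 firewall: Deny tcp src 203.0.113.7:51235 dst 10.0.0.5:22",
    "2024-11-01T00:00:00Z srv01 sshd[877]: Accepted password for bob from 10.0.0.9 port 4000 ssh2",
]
NOW = datetime(2025, 3, 11, tzinfo=timezone.utc)   # constructed "current" time for the retention check

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
AUTH_RE = re.compile(r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
FW_RE = re.compile(r"(?P<action>Deny|Permit) (?P<proto>\w+) src (?P<src>[\d.]+):\d+ dst (?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def normalize(line: str) -> dict:
    """Map one raw line onto the common schema used by the central log store.

    Schema: ts, host, log_type (system|application|security), event, user,
    src_ip, detail. Unknown lines raise instead of being silently dropped,
    because a collector that loses records loses evidence.
    """
    line = line.strip()
    if line.startswith("{"):                                   # application log (JSON)
        rec = json.loads(line)
        return {"ts": parse_ts(rec["ts"]), "host": rec.get("service", "unknown"),
                "log_type": "application", "event": rec.get("level", "INFO").lower(),
                "user": rec.get("user"), "src_ip": None, "detail": rec.get("msg", "")}
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    rec = {"ts": parse_ts(m["ts"]), "host": m["host"], "user": None,
           "src_ip": None, "detail": m["msg"]}
    auth = AUTH_RE.search(m["msg"])
    if m["proc"] == "sshd" and auth:                           # system log: OS authentication event
        rec.update(log_type="system", user=auth["user"], src_ip=auth["src"],
                   event="login_failure" if auth["outcome"] == "Failed" else "login_success")
        return rec
    fw = FW_RE.search(m["msg"])
    if fw:                                                     # security log: firewall verdict
        rec.update(log_type="security", src_ip=fw["src"],
                   event="fw_deny" if fw["action"] == "Deny" else "fw_permit")
        return rec
    rec.update(log_type="system", event="other")               # anything else is stored as-is
    return rec


def purge_expired(events: list, now: datetime, retention_days: int) -> list:
    """Retention policy: keep only events no older than retention_days."""
    cutoff = now - timedelta(days=retention_days)
    return [ev for ev in events if ev["ts"] >= cutoff]


def collect(lines, now: datetime, retention_days: int = 90):
    """Normalize every line, store it, then apply retention. Returns (kept, purged_count)."""
    store = [normalize(line) for line in lines]
    kept = purge_expired(store, now, retention_days)
    return kept, len(store) - len(kept)


if __name__ == "__main__":
    kept, purged = collect(RAW_LOGS, NOW)
    for ev in kept:
        print(f"{ev['ts'].isoformat()} {ev['host']:6} {ev['log_type']:11} {ev['event']:14} "
              f"user={ev['user']} src={ev['src_ip']}")
    print(f"purged {purged} event(s) older than 90 days")
```

Two design choices worth noticing: the collector raises on a line it cannot parse rather than dropping it, because a silently lost record is lost evidence, and the retention check runs against the stored events with an explicit cutoff, so changing the policy from 90 days to a year is a one-argument change.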
2. SIEM (Security Information and Event Management)
Definition:
SIEM is a security platform that collects, aggregates, normalizes, and correlates log data from multiple sources to detect threats in real time (or near real time) and present them to analysts.
Key Points for Exam:
- Main Functions:
  - Log Collection & Aggregation – Gathers logs from multiple systems (servers, firewalls, endpoints).
  - Normalization & Correlation – Converts different log formats into a standard schema, then links related events (same user, same source IP, same time window) to identify threats that no single log line reveals on its own.
  - Alerting – Notifies security teams about suspicious activities.
  - Reporting – Generates compliance and security reports.
- Example in IT:
  - A SIEM collects login attempts from all servers. It detects that a single user account is failing to log in repeatedly across different servers within a short time window, something each server's own log would show only as a few isolated failures. The SIEM raises an alert for a possible brute-force attack.
- Exam Focus:
  - Know that SIEM's role is detection and analysis: it identifies threats as events arrive by correlating them (often described on the exam as proactive detection), rather than acting on them.
  - It works by aggregating logs and correlating events to identify anomalies.
  - SIEM is centralized and supports security teams in monitoring large networks.
3. SOAR (Security Orchestration, Automation, and Response)
Definition:
SOAR is a system that automates the response to security alerts and orchestrates actions across multiple security tools.
Key Points for Exam:
- Main Functions:
  - Orchestration – Connects different security tools (firewalls, antivirus, SIEM, endpoint protection) so they can act on the same incident.
  - Automation – Performs repetitive tasks automatically, like blocking an IP or isolating a compromised system.
  - Incident Response – Runs playbooks (predefined sequences of response steps) so the security team responds faster and consistently.
- Example in IT:
  - SIEM detects a phishing email attack.
  - SOAR can automatically quarantine the suspicious email, push a block rule to the firewall, and create an incident ticket for investigation.
- Exam Focus:
  - Know the difference between SIEM (detection and analysis) and SOAR (automated response and orchestration).
  - SOAR improves efficiency and reduces human error in handling incidents, although playbooks commonly still require analyst approval for high-impact actions.
4. How Log Management, SIEM, and SOAR Work Together
| Feature | Log Management | SIEM | SOAR |
|---|---|---|---|
| Purpose | Collect and store logs | Detect and analyze threats | Automate and orchestrate response |
| Data Source | All devices and apps | All logs from log management | Alerts from SIEM and other tools |
| Action | Store and review | Generate alerts | Take automated or guided actions |
| Human Interaction | Mostly manual analysis | Analysts review alerts | Minimal; analysts approve high-impact or escalated actions |
| Key Benefit | Foundation for security | Faster detection of threats | Faster mitigation and response |
Example Workflow in IT Environment:
- A firewall logs multiple failed login attempts and forwards them to the central log store. (Log Management)
- SIEM collects and correlates these logs, detects a potential brute-force attack, and sends an alert. (SIEM)
- SOAR automatically blocks the offending IP and notifies the security team. (SOAR)
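The brute-force workflow above, together with the SIEM correlation example in section 2 and the SOAR playbook in section 3, as one added example (not Cisco material and not the logic of any vendor's SIEM or SOAR): a correlation rule that turns already-normalized login events into an alert, and a playbook that decides what to do with that alert. The rule goes slightly beyond the text by raising the severity when a success follows the failures, and by escalating instead of auto-blocking when the source is on an allowlist. The event schema, thresholds, allowlist and action names are constructed assumptions.

```python
"""Logs -> SIEM -> SOAR for the brute-force workflow: a correlation rule over
normalized login events, and a playbook that acts on the resulting alert.

Added example for these study notes; it is not Cisco material and not the
logic of any vendor's SIEM or SOAR. The event schema, the thresholds, the
allowlist and the action names are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                   # failures that trigger the rule
WINDOW = timedelta(minutes=2)   # sliding window the failures must fall in
MIN_HOSTS = 2                   # "across different servers"
ALLOWLIST = {"198.51.100.10"}   # constructed: a corporate egress address that is never auto-blocked


def _t(hhmmss: str) -> datetime:
    """Constructed UTC timestamps, all on one day, to keep the sample short."""
    return datetime.fromisoformat(f"2025-03-10T{hhmmss}+00:00")


# Constructed, already-normalized events as a log management layer would hand
# them to the SIEM: alice is attacked from one address on three servers and the
# attacker finally gets in; bob's two failures are ordinary typos.
EVENTS = [
    {"ts": _t("08:15:02"), "host": "srv01", "user": "alice", "src_ip": "203.0.113.7", "event": "login_failure"},
    {"ts": _t("08:15:09"), "host": "srv02", "user": "alice", "src_ip": "203.0.113.7", "event": "login_failure"},
    {"ts": _t("08:15:15"), "host": "srv03", "user": "alice", "src_ip": "203.0.113.7", "event": "login_failure"},
    {"ts": _t("08:15:21"), "host": "srv01", "user": "alice", "src_ip": "203.0.113.7", "event": "login_failure"},
    {"ts": _t("08:15:27"), "host": "srv02", "user": "alice", "src_ip": "203.0.113.7", "event": "login_failure"},
    {"ts": _t("08:15:40"), "host": "srv02", "user": "alice", "src_ip": "203.0.113.7", "event": "login_success"},
    {"ts": _t("08:20:00"), "host": "srv01", "user": "bob",   "src_ip": "10.0.0.9",    "event": "login_failure"},
    {"ts": _t("08:40:00"), "host": "srv01", "user": "bob",   "src_ip": "10.0.0.9",    "event": "login_failure"},
]


def correlate(events: list) -> list:
    """SIEM rule: >= THRESHOLD failures for one (user, src_ip) inside WINDOW,
    spread over >= MIN_HOSTS hosts. A success after the failures raises the
    severity, because the account may now be compromised."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key[(ev["user"], ev["src_ip"])].append(ev)
    alerts = []
    for (user, src), evs in by_key.items():
        failures = [e for e in evs if e["event"] == "login_failure"]
        for i, first in enumerate(failures):
            window = [e for e in failures[i:] if e["ts"] - first["ts"] <= WINDOW]
            hosts = {e["host"] for e in window}
            if len(window) < THRESHOLD or len(hosts) < MIN_HOSTS:
                continue
            last_failure = window[-1]["ts"]
            compromised = any(e["event"] == "login_success" and e["ts"] > last_failure for e in evs)
            alerts.append({"rule": "brute_force_login", "user": user, "src_ip": src,
                           "hosts": sorted(hosts), "failures": len(window),
                           "severity": "critical" if compromised else "high"})
            break   # one alert per key; a real SIEM would also suppress repeats for a while
    return alerts


def run_playbook(alert: dict, allowlist=ALLOWLIST) -> list:
    """SOAR playbook: return the ordered actions for a brute-force alert.
    Blocking is automatic only for untrusted sources; an allowlisted source is
    escalated to an analyst instead (the guided rather than automated path)."""
    actions = []
    if alert["src_ip"] in allowlist:
        actions.append(("request_approval", f"block {alert['src_ip']} (allowlisted source)"))
    else:
        actions.append(("block_ip", alert["src_ip"]))          # e.g. push a firewall deny rule
    if alert["severity"] == "critical":
        actions.append(("disable_account", alert["user"]))     # success after failures: contain first
    actions.append(("create_ticket", f"{alert['rule']}: {alert['user']} from {alert['src_ip']} "
                                     f"on {', '.join(alert['hosts'])} ({alert['failures']} failures)"))
    actions.append(("notify", "soc-oncall"))
    return actions


def detect_and_respond(events: list, allowlist=ALLOWLIST) -> list:
    """The whole chain: correlate the logs, then run the playbook for each alert."""
    return [(alert, run_playbook(alert, allowlist)) for alert in correlate(events)]


if __name__ == "__main__":
    for alert, actions in detect_and_respond(EVENTS):
        print(f"ALERT {alert['severity'].upper()} {alert['rule']} user={alert['user']} src={alert['src_ip']}")
        for name, arg in actions:
            print(f"  -> {name}: {arg}")
```

Run as-is, it produces one critical alert for alice (five failures on three servers in 25 seconds, then a success) and a playbook of block, disable account, ticket, notify; bob's two failures twenty minutes apart never reach the threshold. The allowlist branch is the "guided action" column from the table: the playbook still prepares the block but asks an analyst before executing it.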
5. Exam Tips
- Remember: Logs → SIEM → SOAR is the typical workflow.
- SIEM = Detection & Analysis
- SOAR = Automated Response & Orchestration
- Log management is critical for both SIEM and SOAR, as without logs, these tools cannot function.
- Focus on understanding how these tools interact in an IT environment, not just definitions.
