The installation of a new EDR solution has led to a significant increase in alerts, causing alert fatigue and overwhelming the security team. To manage this, the organization needs to centralize the aggregation of these alerts and automate the response process.

A SIEM (Security Information and Event Management) system is the primary tool for centralizing security data. It aggregates logs and alerts from various sources, including the new EDR, into a single platform. This allows analysts to correlate events, reduce false positives, and prioritize threats from a unified viewpoint.

A SOAR (Security Orchestration, Automation, and Response) platform complements the SIEM by automating the remediation workload. It uses predefined "playbooks" to execute response actions automatically, such as isolating an endpoint or blocking an IP address, which directly reduces the manual effort required by analysts.

C. MSP: A Managed Service Provider is an external service that would outsource the workload, not provide a tool to help the internal team centralize it.

D. NGFW: A Next-Generation Firewall is a network security device that is a source of security alerts, not a tool for centralizing and managing alerts from other systems.

E. XDR: While Extended Detection and Response centralizes data, it is typically a more integrated, often single-vendor, evolution of EDR. A SIEM is the classic, vendor-agnostic solution for centralizing data from disparate sources, which is the immediate need.

F. DLP: Data Loss Prevention is a specific security control designed to prevent data exfiltration; it would add to the alert volume rather than help manage it.

1. NIST (National Institute of Standards and Technology). (2021). NISTIR 8334 (Draft) - A Response to the Challenge of Finding and Fixing Vulnerabilities. Section 2.2

"Security Orchestration

Automation

and Response (SOAR)

" describes SOAR as a solution to "reduce the burden on security practitioners" by automating "time-consuming

manual

and repetitive tasks." This directly addresses the increased workload.

2. NIST. (2006). SP 800-92 - Guide to Computer Security Log Management. Section 4.3

"Log Management Infrastructures

" discusses the centralization of logs for analysis. It states

"Centralized logging permits the correlation of events among several systems

" which is the core function of a SIEM in addressing a high volume of alerts from sources like an EDR.

3. Carnegie Mellon University. (2017). The 2017 SEI Cyber Intelligence Research Agenda. Section 3.2.2

"Security Orchestration

" discusses the need for tools that "integrate information from a variety of sources (e.g.

SIEMs

threat intelligence platforms...)" and "automate and assist with the response

" highlighting the synergistic roles of SIEM and SOAR. (Document CMU/SEI-2017-SR-001).

4. Suh

B.

& Lee

H. (2021). A Study on the Method of Building an Intelligent Security Control System Using SOAR. Journal of The Korea Institute of Information Security & Cryptology

31(1)

139-150. This academic paper explains that SOAR platforms are introduced to handle the "increasing security threats and alerts" by integrating with SIEMs to automate response procedures

which is the exact scenario described. (DOI: https://doi.org/10.13089/JKIISC.2021.31.1.139).