Don’t Replace Your SIEM: Embrace It with Security Analytics

Combining your SIEM with security analytics creates a better security posture for your company.


Threat Detection


Every year when the Gartner Magic Quadrant comes out, a number of vendors claim dominance or leadership in that Quadrant. The 2017 Security Information and Event Management (SIEM) Magic Quadrant showed user and entity behavior analytics (UEBA) vendors entering the quadrant. Gartner’s inclusion of them reflects the changing needs of the SOC and of cybersecurity generally. Gartner predicts that by 2020 a quarter of all SIEM vendors will have incorporated advanced analytics and UEBA into their products.¹ What it does not say, however, is that you should replace your SIEM.

Some UEBA vendors are now claiming that SIEM is dead, that UEBA will replace it and deliver better results than SIEM can today. It is true that SIEM is not a natural fit for analytics, but it does many things that UEBA does not do today.

SIEMs are the best tools for centralizing, normalizing, and managing the copious log feeds that today’s cybersecurity systems generate. They satisfy compliance checklists, and many also serve as the system of record from a legal standpoint. SIEM products have more than a decade of experience ingesting logs and preparing them for investigative purposes; some enterprise customers I know of have hundreds of log formats flowing into their SIEM.

Unfortunately, as the complexity of cyber attacks has increased, we have asked SIEM to deliver functionality for which it was never designed. To address this complexity, SIEMs added rules engines that let analysts write straightforward correlation rules. These work well for some threats, but a rule written for a known pattern will not detect an emerging threat once the attackers’ tools, tactics or techniques evolve. This static nature makes rules fragile and requires frequent updates. Secondly, to make a rule fire at all, a threshold is usually involved, and a single fixed threshold applied to every user and host either generates too many false positives or misses the attack altogether.

This is why those UEBA vendors recommend replacing your SIEM. A better alternative is to free the SIEM from the burden of detecting ongoing cyber attacks and let it do what it was designed to do.

Leveraging security analytics with the SIEM as a data source provides the best of both worlds. The SIEM investment is protected, and additional value is unlocked from the rich log data already stored there. Security analytics can then watch for the changes in behavior that may indicate an attack. These behavior changes become a set of leads for your threat hunters to follow up on, and the entities associated with each behavioral change can be examined in the SIEM to see what underlying activity caused the change.
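To make the contrast concrete, here is an added example that is not part of the original post and is not Interset’s or McAfee’s code. It runs a classic fixed-threshold SIEM rule and a per-user behavioral baseline over the same constructed failed-logon log lines. The log format, the two users, their daily counts and the thresholds are all invented for illustration: a service account that fails noisily every day trips the static rule on every day (a chronic false positive), while a normally quiet user whose failures jump from about zero to nine stays under the static threshold and is only surfaced by the baseline, together with the context a hunter needs to pivot back into the SIEM.

```python
"""Static threshold rule vs. per-entity baseline over constructed auth-failure logs."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed data set (hand-built for this example, not real telemetry):
# failed-logon counts per user per day. Days 1-7 form the baseline; day 8 is under review.
_FAILURES_PER_DAY = {
    "svc_backup": [28, 31, 30, 29, 33, 30, 27, 32],  # service account that fails noisily every day
    "jdoe":       [0, 1, 0, 0, 1, 0, 0, 9],          # quiet human user with a sudden spike
}
BASELINE_DAYS = [f"2017-06-{d:02d}" for d in range(1, 8)]
REVIEW_DAY = "2017-06-08"
STATIC_THRESHOLD = 20  # a typical "more than N failures per day" correlation rule


def build_sample_logs():
    """Expand the counts above into normalized log lines (invented format, not any vendor's)."""
    lines = []
    for user, counts in _FAILURES_PER_DAY.items():
        for day, n in enumerate(counts, start=1):
            for i in range(n):
                lines.append(
                    f"2017-06-{day:02d}T02:{i % 60:02d}:00Z auth_failure "
                    f"user={user} src=10.0.0.{(i % 5) + 1}"
                )
    return lines


_LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ auth_failure user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def count_failures(lines):
    """Return {user: {day: failure_count}}; lines that are not auth_failure events are skipped."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = _LINE_RE.match(line)
        if m:
            counts[m["user"]][m["day"]] += 1
    return counts


def static_rule(counts, review_day):
    """Classic SIEM rule: alert on any user with more than STATIC_THRESHOLD failures that day."""
    return sorted(u for u, per_day in counts.items()
                  if per_day.get(review_day, 0) > STATIC_THRESHOLD)


def baseline_rule(counts, baseline_days, review_day, sigmas=3.0, min_delta=3):
    """Behavioral rule: alert when a user's count for review_day sits more than `sigmas`
    standard deviations above that user's own history. `min_delta` is a floor so that a
    user whose baseline is almost always zero is not flagged for a single extra failure."""
    leads = []
    for user, per_day in counts.items():
        history = [per_day.get(d, 0) for d in baseline_days]  # days with no events count as zero
        today = per_day.get(review_day, 0)
        mu, sd = mean(history), pstdev(history)
        if today - mu > max(sigmas * sd, min_delta):
            # The lead carries the entity and the numbers behind the deviation so a hunter
            # can pivot straight into the SIEM for that user and day.
            leads.append({"user": user, "today": today,
                          "baseline_mean": round(mu, 2), "baseline_stdev": round(sd, 2)})
    return sorted(leads, key=lambda lead: lead["user"])


if __name__ == "__main__":
    counts = count_failures(build_sample_logs())
    print("static rule alerts on review day:", static_rule(counts, REVIEW_DAY))
    print("static rule alerts on a baseline day:", static_rule(counts, BASELINE_DAYS[0]))
    for lead in baseline_rule(counts, BASELINE_DAYS, REVIEW_DAY):
        print("behavioral lead:", lead)
```

Run stand-alone, the static rule names only svc_backup (and does so on the baseline days too), while the baseline rule names only jdoe. In a real deployment the baseline would be computed from the SIEM’s stored history rather than an embedded table, and the `min_delta` floor is the kind of tuning knob that keeps near-zero baselines from producing their own flood of alerts.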

Ultimately, security analytics augments your existing security tools: not just your SIEM, but also data loss prevention, identity and access management and other solutions. Our integration with McAfee Enterprise Security Manager (ESM) is a good example of how combining these technologies leads to an overall better security posture for your company.

To learn more about Interset and McAfee’s joint solution, check out our solution brief and website.  

Interested in seeing a demo? Send us an email at sales@interset.com.

¹ Gartner Event Presentation, To the Point: “Understanding the UEBA Landscape,” Toby Bussa, Avivah Litan, Gartner Security & Risk Management Summit, 12–15 June 2017, National Harbor, MD.


Paul Reid is a technology strategist at Interset.