Moving Beyond SIEM For Strong Security Analytics

Published: 22/11/2024   Category: security




SIEM is still a useful tool for infosec, but many argue it shouldn't be the main platform for an analytics program.



While security information and event management (SIEM) tools have certainly helped many an enterprise IT organization get a better handle on aggregating and analyzing logs across disparate security tools, these organizations are starting to butt up against the limitations of SIEM. And as enterprises seek more insight into the business trends and user activity that affect their security posture, they're finding that they shouldn't mistake the use of a SIEM for the existence of a security analytics practice.
"I think SIEM is a starting point for security analytics, but only a starting point," says Ed Bellis, CEO of Risk I/O.
SIEM gained steam as the tool of choice for teams seeking to sift through real-time event information to respond more quickly to security problems, says Geoff Webb, director of solution strategy for NetIQ, but he notes that over the past few years security teams have struggled to get more value out of their SIEM deployments and that the reputation of these platforms has started to creak.
[Are you using your human sensors? See "Using The Human Perimeter To Detect Outside Attacks".]
"Part of that is deserved -- vendors sold it as security nirvana, whereas the reality is very different: It's a good tool and, like all good tools, needs to be used appropriately and for the right job," he says.
Part of the difficulty with SIEM has been the growth in security noise and the complexity of the systems feeding into it.
"The problem is that as more and more security and monitoring tools have been brought online, the amount of raw noise that must be dealt with by the SIEM tool has grown, too," he says. "Worse, the infrastructure has become more and more complex, especially as virtualized devices become the norm, which contributes to an increasingly chaotic and noisy environment -- perfect for attackers, [but] terrible for the security team trying to piece together what's going on."
More detrimental to a fully featured analytics practice, though, is SIEM's limited range of analysis, Bellis says.
"SIEMs weren't originally designed to consume much more than syslog or NetFlow information, with a few exceptions around configuration or vulnerability assessment," he says. "Security analytics is more than just big data -- it's also diverse data. This causes serious technical architectural limitations that aren't easy to overcome with just SIEM."
For example, SIEM can't account for data sources such as financial data that could help with fraud detection, human resources information, metadata about the business, or sentiment data from sources like social media. These sources, external to security, can prove crucial in pinpointing business risks that require contextual clues to spot.
"Security analytics needs to include big-picture thinking -- integration of the meanings and interactions of signals, not just the raw reduction of streams of events," says Mike Lloyd, CTO of RedSeal Networks.
As a result, organizations must first recognize that security analytics requires more computational power and start budgeting accordingly. If acquiring additional funds is an issue, then the security organization can get started through creative collaboration with other departments, Bellis says.
"I think security analytics goes beyond SIEM and your SIEM budget," he says. "There are great ways to jump-start your security analytics program within a company by leveraging existing resources. Many organizations already have data analytics and business intelligence teams. These groups can be a CISO's friend when building out a security analytics capability by leveraging both talent and tools."
In addition, those teams may already have the underlying big data infrastructure needed for security analytics up and running, including data warehouses or NoSQL environments, which the organization may be able to leverage for information security purposes. The point, says Bellis, is that repurposing investments already made elsewhere can make it possible to kick analytics into gear without a large additional budget.
"In the past I've repurposed clickstream tools being used for Web analytics and customer service to identify security issues in near real-time," he says. "Making do with what you have can go a long way before expanding to a more complete security analytics platform."
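The kind of join Bellis is describing, enriching login events a SIEM already holds with business data it never ingests (here an HR roster), as an added example that is not from the article or from any vendor named in it; the sshd lines, the roster, and the assumed year are all constructed:

```python
import re
from datetime import date

# Constructed syslog-style sshd events (not from the article): the feed a
# SIEM already parses. Year is absent from syslog, so it is assumed below.
AUTH_LOG = """\
Nov 20 08:02:11 bastion sshd[4012]: Accepted publickey for jdoe from 10.0.4.17 port 51022 ssh2
Nov 20 08:05:43 bastion sshd[4020]: Accepted password for asmith from 10.0.4.22 port 51100 ssh2
Nov 20 23:41:09 bastion sshd[4101]: Accepted publickey for rlee from 203.0.113.9 port 40211 ssh2
Nov 21 02:15:30 bastion sshd[4130]: Failed password for root from 198.51.100.5 port 22222 ssh2
Nov 21 03:00:02 bastion sshd[4140]: Accepted publickey for tmpadmin from 10.0.4.30 port 52000 ssh2
"""

# Constructed HR roster: the business context a SIEM typically never sees.
HR_ROSTER = {
    "jdoe":   {"dept": "engineering", "status": "active",     "end_date": None},
    "asmith": {"dept": "finance",     "status": "active",     "end_date": None},
    "rlee":   {"dept": "sales",       "status": "terminated", "end_date": date(2024, 11, 15)},
}

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

# Only successful logins are parsed here; failures stay with the SIEM's own rules.
ACCEPTED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)

def parse_accepted_logins(log_text, year=2024):
    """Turn raw sshd lines into login events with a date, user and source."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            when = date(year, MONTHS[m["mon"]], int(m["day"]))
            events.append({"date": when, "user": m["user"], "src": m["src"]})
    return events

def flag_with_hr_context(events, roster):
    """Join each login to its HR record; return (user, reason) findings."""
    findings = []
    for ev in events:
        person = roster.get(ev["user"])
        if person is None:
            findings.append((ev["user"], "no HR record for account"))
        elif person["status"] == "terminated" and ev["date"] > person["end_date"]:
            findings.append((ev["user"], f"login after termination on {person['end_date']}"))
    return findings
```

Neither finding is visible from the log alone: the rlee and tmpadmin logins are syntactically ordinary, and only the join to the roster makes them stand out.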
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
