
SIEM Kung Fu

Security Event Management / Logging | 2016 August 05

Another SIEM research paper? Really? Why are we still talking about SIEM? Isn’t it old technology?
Hasn’t it been subsumed by new and shiny security analytics products and services? Be honest — those thoughts crossed your mind, especially because we have published a lot of SIEM research over the past few years.

We previously worked through the basics of the technology and how to choose the right SIEM for your needs. A bit over a year ago we looked into how to monitor hybrid cloud environments.
Security monitoring needs to be a core, fundamental aspect of every security program. SIEM — in various flavors, using different technologies and deployment architectures — is how you do security monitoring. So it’s not about getting rid of the technology — it’s a question of how to get the most out of existing investments, and ensure you can handle modern advanced threats.

We understand how SIEM got its bad name. Early versions of the technology were hard to use and required significant integration just to get up and running. You needed to know what attacks you were looking for, and unfortunately most adversaries don’t share their attack playbooks before they come knocking on your door. Operating an early SIEM required a ninja DBA, and even then queries could take hours to complete — even days for full reports. Adding a new use case with additional searches and correlations required an act of Congress and a truckload of consultants.

It’s no surprise organizations lost patience with SIEM. So the technology was relegated to generating compliance reports and some very simple alerts, while other tools were used to do ‘real’ security monitoring.
But as with most other areas of security technology, SIEM has evolved. Security monitoring platforms now support a bunch of additional data types, including integration with threat intelligence, reputation services, and network packet capture. The architectures have evolved to scale more efficiently, and they include both built-in ‘Big Data’ analytics engines and integration with third-party analytics, which improves detection accuracy even for attacks you haven’t seen before.

Threat intelligence is integrated into the SIEM directly, so you can watch for attacks that have already hit other organizations and be ready if/when they hit you.
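As an added illustration of what that integration looks like in practice (example code written for this page, not taken from the paper or from any SIEM product), the script below indexes a small indicator feed and joins it against a handful of normalised events. The feed layout, the key=value event format, the field-to-indicator-type mapping, the confidence threshold and the campaign tags are all constructed assumptions; the addresses are documentation ranges and the hash is a dummy value.

```python
"""Added example (not from the SIEM Kung Fu paper): joining SIEM events against an
integrated threat-intelligence indicator set. Feed format, field names and every
sample value are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed indicator feed, shaped like what a TI integration hands the SIEM.
# Values are reserved/documentation ranges and made-up names, not real IoCs.
THREAT_INTEL = [
    {"type": "ip", "value": "203.0.113.45", "source": "peer-sharing-group",
     "confidence": 85, "campaign": "constructed-campaign-A"},
    {"type": "domain", "value": "update-check.example", "source": "vendor-feed",
     "confidence": 60, "campaign": "constructed-campaign-A"},
    {"type": "sha256", "value": "0" * 63 + "1", "source": "vendor-feed",
     "confidence": 95, "campaign": "constructed-campaign-B"},
]

# Constructed events in the key=value style many SIEMs normalise raw logs into.
SAMPLE_EVENTS = [
    "ts=2016-08-05T10:01:12Z src=10.0.0.21 dst=203.0.113.45 dport=443 action=allow host=ws-17",
    "ts=2016-08-05T10:01:15Z src=10.0.0.21 dst=198.51.100.7 dport=80 action=allow host=ws-17",
    "ts=2016-08-05T10:02:03Z query=update-check.example src=10.0.0.21 host=ws-17",
    "ts=2016-08-05T10:03:40Z proc=svc.exe sha256=" + "0" * 63 + "1" + " host=ws-17",
    "ts=2016-08-05T10:04:00Z src=10.0.0.9 dst=192.0.2.10 dport=22 action=deny host=bastion",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumed mapping: which event fields may carry which indicator type. Keeping
# this explicit avoids matching an IP indicator against, say, a username field.
FIELD_TYPES = {"src": "ip", "dst": "ip", "query": "domain", "sha256": "sha256"}


@dataclass
class Alert:
    ts: str
    host: str
    indicator_type: str
    indicator: str
    confidence: int
    source: str
    campaign: str
    raw: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a dict; keys stay as logged."""
    return dict(KV_RE.findall(line))


def build_index(feed: Iterable[dict]) -> Dict[str, dict]:
    """Index indicators by value so each event field costs one dict lookup
    instead of a scan over the whole feed; this is what keeps the join cheap."""
    return {ind["value"].lower(): ind for ind in feed}


def match_events(lines: Iterable[str], feed: Iterable[dict],
                 min_confidence: int = 50) -> List[Alert]:
    """Return one Alert per (event, indicator) hit at or above min_confidence."""
    index = build_index(feed)
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        for field, ind_type in FIELD_TYPES.items():
            ind = index.get(ev.get(field, "").lower())
            # Require the indicator type to agree with the field it was found in.
            if ind is None or ind["type"] != ind_type:
                continue
            if ind["confidence"] < min_confidence:
                continue
            alerts.append(Alert(ev.get("ts", ""), ev.get("host", ""), ind_type,
                                ind["value"], ind["confidence"], ind["source"],
                                ind["campaign"], line))
    return alerts


def hosts_by_campaign(alerts: Iterable[Alert]) -> Dict[str, Set[str]]:
    """Group affected hosts by the campaign the feed attributed the indicator to,
    which is the context an analyst needs to scope the response."""
    out: Dict[str, Set[str]] = {}
    for a in alerts:
        out.setdefault(a.campaign, set()).add(a.host)
    return out


if __name__ == "__main__":
    for a in match_events(SAMPLE_EVENTS, THREAT_INTEL):
        print(f"{a.ts} {a.host} {a.indicator_type}={a.indicator} "
              f"conf={a.confidence} src={a.source} campaign={a.campaign}")
    print(hosts_by_campaign(match_events(SAMPLE_EVENTS, THREAT_INTEL)))
```

Two design points carry over to a real deployment: the feed is indexed once and each event costs a handful of lookups, so the join scales with event volume rather than feed size, and every alert carries the indicator's source, confidence and campaign so the analyst can decide how much to trust it and whether several hits belong to one intrusion. Raising `min_confidence` is the simplest knob for trading coverage against noise from low-quality feeds.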

This SIEM Kung Fu paper will provide what you need to know to get the most out of your SIEM, and solve the problems you face today by increasing your capabilities (the promised Kung Fu). But first let’s revisit SIEM’s key use cases and what is typically available out of the box with SIEM tools.
