In the last installment of this blog series, my colleague Chris O’Brien discussed why enterprise log management (ELM) is here to stay. Now, I’ll tackle security, and explain why SIEM is here to stay.
Organizations are stretched thin managing increasingly complex environments and ever-expanding threat landscapes. At the same time, adversaries are becoming more organized and sophisticated, resulting in more complex and advanced threats. The current workflow in the Security Operations Center (SOC) – how data is analyzed and acted on – is simply not working. There are too many tools, not enough visibility, and burned-out analysts. Some of the problems are related to processes and procedures, but a key factor is the lack of effective technology. It’s time for a new vision for SIEM. The right SIEM, backed by context from other key security solutions, enables teams to comprehensively monitor, detect, and analyze threats to make more informed decisions.
Visibility into the threat landscape, with context-rich data supporting real-time alert workflows, is critical for a successful SIEM. Real-time and historical data helps establish the path or technique a threat uses to exploit a system, but it can be difficult to bring in all the data needed to find evidence of threats. For this reason, the SIEM requires a scalable data platform that can provide the speed, performance, and visibility the SOC needs. In addition to providing rapid access to critical data, the platform must also be able to bring together rich data, as well as context for machine learning applications, such as behavior analytics.
Because of platform limitations and storage costs, most SIEMs archive critical data, often providing only 30-90 days of data online for analysis and hunting. These budgetary considerations and technology limitations directly impact the security team’s ability to hunt, identify, and investigate threats. EDR and other platforms provide rich and useful data for security analytics, but face similar limitations. When investigating a threat, it is critical to have access to historical data to determine which systems, users, or data were compromised across time. By working with an incomplete dataset, you face the threat of missing critical indicators that could alert the security team to a threat before it becomes a costly data breach.
One of Devo’s customers, a large global bank, was directly impacted by these limitations. It used log data from its security devices to detect fraudulent and unauthorized activity, but it could only store a week’s worth of historical data and experienced long delays in accessing and querying cold data. Compounding the challenges, it faced regulatory pressure to retain data for longer time periods. By implementing the Devo Data Analytics Platform, the bank now ingests all security-relevant data and queries it in real time, while increasing its data retention from one week to five years, greatly improving its security posture and enabling it to easily meet regulations.
In today’s security world, all data has the potential to inform and improve cybersecurity. Enterprises must monitor increasing volumes and types of data to identify and analyze threats, and mitigate the possibility of breaches. Next-gen SIEM must provide a platform for capturing and retaining all security-relevant data and context, while supporting the hunting, triage and investigation, and response activities critical to the success of the security organization.