3 min read
The evolution of Security Information and Event Management (SIEM) solutions has made a few key shifts over time. It started as simply collecting and storing logs, then morphed into correlating information with rules and alerting a team when something suspicious was happening. And now, SIEM solutions are providing advanced analytics and response automation.
Today’s advanced SIEM solutions:
- Incorporate purpose-built sensors to continually collect digital forensics data across an organization.
- Leverage artificial intelligence and machine learning to identify out-of-the-ordinary network behavior that may indicate possible malware or a data breach.
Advanced SIEM requires continual tuning to learn what is deemed abnormal behavior for a given organization.
At EventTracker, this all happens through our ISO 27001 certified Security Operations Center (SOC), where expert analysts work with this intricate data to learn the customer network and the various device types (OS, application, network devices etc.). Ideally, these experts work in tandem with the customers’ internal IT teams to understand their definition of normal network activity.
Next, based on this information and the available knowledge packs within EventTracker, we schedule suitable daily and weekly reports, along with configure alerts. The real magic happens when this data becomes “flex reports”. These reports focus on valuable information that is embedded within the description portion of the log messages. When these parameters are trended in a graph, all sorts of interesting, actionable information emerges.
User and Entity Behavior Analytics
In addition to noticing suspicious network behavior, SIEMs have evolved to include User Behavior Analytics (UBA), or User and Entity Behavior Analytics (UEBA). UBA/UEBA triggers an alert when unusual user or entity behavior occurs. This is an important feature now that compromised credentials make up 76% of all network intrusions.
When credentials are stolen, they tend to be used in unusual ways, places, and times. For instance, if a log in occurs that is outside the normal pattern, then this is immediately flagged for investigation. If user ‘‘Susan’’ usually logs in to “Workstation5” but suddenly logs in to “Server3”, then this is out of ordinary and may merit an investigation.
Security Orchestration Automation and Response (SOAR)
While alerts to suspicious behavior are necessary, the real goal is acting on the suspicious behavior as quickly and effectively as possible. That’s the next evolution of SIEM: Security Orchestration Automation and Response (SOAR).
While traditional SIEMs can “say” something, those that incorporate SOAR can “do” something.
SOARs consolidate data sources, use information provided by threat intelligence feeds, and automate responses to improve efficiency and effectiveness.
For example, with EventTracker, if an infected USB is plugged into a laptop, even if it’s off the network at the time, and malware begins to run, EventTracker will detect the insertion of the USB, as well as detect any suspicious communication to a low-reputation IP address. It will also catch any suspicious processes that begin to run. Once detected, EventTracker automatically stops the communication and the executable, preventing a potential data breach.
Get the Most Out of Your SIEM
As attacks continue to become more sophisticated and persistent, traditional security tools that just focus on protecting the perimeter will continue to be replaced by solutions that also have detection and response capabilities, in particular on the endpoint devices.