Critical Security Data from SIEM

The Challenges of Extracting Critical Security Data from SIEMs

Retrieving the invaluable context from SIEM security data and correlating it with a wider array of big data is a challenge. Is a holistic approach driven by machine learning the answer?

Although numerous industry experts declared security information and event management (SIEM) obsolete more than a decade ago, these solutions remain widely deployed in many security programs. The reasoning behind that verdict was that these monolithic platforms, originally considered the be-all and end-all of security solutions for providing holistic protection, were progressively overwhelmed by emerging security challenges. Today, forward-looking security leaders see a SIEM as one arrow in the CISO's quiver, one critical tool in the security tool chest. But it is not necessarily that simple. Machine learning is becoming more relevant, yet SIEMs do not support it out of the box. So, how do we tackle this evolving environment?

Extracting SIEM security data and correlating it with a wider array of security information is no easy feat.

In addition, as the volume and variety of security data continue to expand relentlessly, security incident response demands have become far more complex, with requirements redefined continually, daily in many cases. As a result, security leaders find themselves asking which matters more for information security: increasing their capability to detect and respond, or simplifying their tool portfolio?

Meanwhile, all that critical SIEM data must be readily available in its raw state as well as in its structured, parsed form. An investigator needs access to every event, log and case artifact tied to a single incident to support a holistic incident response investigation and rapid remediation.

Further, SIEM vendors typically charge based on the volume of data ingested. The more data you want to analyze, the more it costs. This is a serious limitation for security practitioners, who need to see the full picture of what is going on in their environment in order to take corrective action.

That’s the beauty of machine learning and advanced analytics.

It enables extracting big data from data lakes, which come with cost-effective storage. With SIEMs, it is not that easy or straightforward; in too many cases it is downright difficult to extract that data. Retrieving the invaluable context from SIEM security data and correlating it with the volume of big data is a serious challenge.

We have seen managed services organizations supporting SIEM platforms come up with an array of custom solutions for extracting this critical data. They involve scripting and other manually intensive bespoke services to achieve that end. This circumstance is something of a "canary in a coal mine": how much more scripting and custom work will it take to keep the SIEM up to date for data extraction and correlation? What is offered here are manual, one-off point solutions, whereas fast and comprehensive security automation, orchestration and response are the need and the goal. The speed at which data can be retrieved from a SIEM is generally governed by how its underlying columnar or parallel data stores are accessed. Those stores are partitioned, which does not align with the requirement of comprehensive, enterprise-wide security data correlation.

Furthermore, look at it from the perspective that forward-looking CISOs must adopt, which is wider than that of the SIEM alone. SIEM, IAM (identity and access management) and CASB (cloud access security broker) solutions represent vertical silos, and these silos pigeonhole critical security data. Each of these solutions is a critical data source for analytics, yet a risk score computed inside one silo is isolated from the identity context held in another. A customer's choice of a solution silo should not restrict the machine learning analytics available to it, nor should it hold data hostage within closed solutions. So, what is the solution?

A holistic, risk-based approach driven by machine learning extracts context from big data and supports comprehensive monitoring across all horizontal planes of an environment.

Using machine learning as a force multiplier, analyzing a user's access and activity across their accounts and entitlements is ground zero for predictive risk scoring. Activity alone fails to provide enough context and visibility; closing the identity gap, by knowing what access a user actually holds, is what makes the risk evaluable. Chief risk officers understand this issue and now demand risk scoring down to the entitlement level. They also understand the benefit of uncovering hidden privileged access through identity analytics, and therefore of knowing which activities to analyze for access abuse.
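The identity-aware scoring described in this and the preceding paragraph can be illustrated end to end. The following is an added example, not Gurucul's platform code: it joins a constructed IAM export (direct groups, nested groups, entitlements) with constructed SIEM activity events, resolves effective entitlements through group nesting to surface hidden privileged access, and compares an activity-only score with an entitlement-aware one. All users, groups, events and scoring weights are assumptions made for illustration.

```python
"""Entitlement-aware risk scoring over constructed IAM and SIEM samples.
Added example, not Gurucul code; every identifier below is constructed."""

# Constructed IAM export: direct group assignments, group nesting
# (child group -> parent groups it is a member of), and the entitlements
# each group carries.
USER_GROUPS = {
    "alice": {"finance"},
    "bob": {"app-support"},
    "carol": {"db-admins"},
}
GROUP_PARENTS = {
    "app-support": {"db-admins"},  # app-support is nested inside db-admins
}
GROUP_ENTITLEMENTS = {
    "finance": {"erp:read"},
    "app-support": {"ticket:write"},
    "db-admins": {"db:admin", "erp:read"},
}
PRIVILEGED = {"db:admin"}

# Constructed SIEM activity events: (user, hour of day, entitlement exercised).
# "dave" has no IAM record at all, yet shows up exercising db:admin.
EVENTS = [
    ("alice", 10, "erp:read"),
    ("alice", 22, "erp:read"),
    ("bob", 2, "db:admin"),
    ("bob", 3, "db:admin"),
    ("carol", 11, "db:admin"),
    ("carol", 23, "db:admin"),
    ("dave", 14, "db:admin"),
]


def off_hours(hour):
    return not 6 <= hour <= 20


def effective_groups(user):
    """Direct groups plus every group reachable through nesting (cycle-safe)."""
    seen, todo = set(), list(USER_GROUPS.get(user, ()))
    while todo:
        group = todo.pop()
        if group in seen:
            continue
        seen.add(group)
        todo.extend(GROUP_PARENTS.get(group, ()))
    return seen


def entitlements_of(groups):
    ents = set()
    for group in groups:
        ents |= GROUP_ENTITLEMENTS.get(group, set())
    return ents


def effective_entitlements(user):
    return entitlements_of(effective_groups(user))


def hidden_privileged_access(user):
    """Privileged entitlements held only through nested groups, i.e. rights a
    review of direct assignments alone would never show."""
    direct = entitlements_of(USER_GROUPS.get(user, ()))
    return (effective_entitlements(user) & PRIVILEGED) - direct


def activity_only_score(user, events=EVENTS):
    """Naive SIEM-style score: one point per off-hours event, no identity context."""
    return sum(1 for u, hour, _ in events if u == user and off_hours(hour))


def entitlement_aware_score(user, events=EVENTS):
    """Off-hours events weighted by the privilege exercised (3 for privileged
    rights, 1 otherwise), plus 5 per hidden privileged entitlement and 10 per
    use of a right the user does not hold at all (compromise or stale IAM)."""
    held = effective_entitlements(user)
    score, flags = 0, []
    for ent in sorted(hidden_privileged_access(user)):
        score += 5
        flags.append(f"hidden privileged access: {ent}")
    for u, hour, ent in events:
        if u != user:
            continue
        if ent not in held:
            score += 10
            flags.append(f"unentitled use of {ent}")
        elif off_hours(hour):
            score += 3 if ent in PRIVILEGED else 1
    return {"score": score, "flags": flags}


def rank_users(events=EVENTS):
    """Users ordered by entitlement-aware score, highest first."""
    users = set(USER_GROUPS) | {u for u, _, _ in events}
    scored = [(u, entitlement_aware_score(u, events)["score"]) for u in users]
    return sorted(scored, key=lambda item: (-item[1], item[0]))
```

On this sample the activity-only view ranks bob (two off-hours events) only slightly above alice and carol and gives dave nothing at all. Once entitlements are joined in, bob surfaces as the top risk because his db:admin right is inherited through a nested group and is exercised out of hours, and dave jumps to second because he exercises a privilege the IAM export never granted him; alice's off-hours activity, which only touches a low-value right, stays near the bottom.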

With its award-winning Gurucul Risk Analytics platform, Gurucul is at the forefront of providing solutions for a broad range of industry verticals as it continually strives to define and develop the next generation of behavior-based security analytics. Stop paying for SIEM data that doesn't give you the complete picture. Big data and data analytics are the future of security. Put all the data you can get your hands on into a data lake, and build all your foundational security controls on that data. We can help!
