The Challenges of Extracting Critical Security Data from SIEMs

Being able to get the invaluable context from SIEM security data and correlating it with the wider array of security data is a serious challenge.

While numerous industry experts declared security information and event management (SIEM) obsolete more than a decade ago, these solutions remain widely deployed in many security programs. The rationale behind that verdict was that these monolithic platforms, originally considered the be-all and end-all of security solutions for providing holistic protection, were progressively overwhelmed by emerging security challenges. Today, forward-looking security leaders see a SIEM solution as one arrow in the CISO’s quiver, one critical tool in the security tool chest. But it’s not necessarily that simple. SIEMs are not ready to go out of the box; they always need customization to work effectively in a given environment.


In addition, as the landscape of security data continues to expand relentlessly, security incident response demands have become far more complex. Requirements are continually being redefined, daily in many cases. As a result, security leaders find themselves wondering which is more important for information security: to increase their capability to detect and respond or to simplify their tool portfolio.

Meanwhile, all that critical SIEM data must be readily available in its raw state as well as in its structured, parsed format. This highlights the need to provide access to every event, log and case artifact associated with a single incident, so that a holistic incident response investigation and rapid remediation are possible.
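The requirement above (keep the raw record next to its parsed form, and be able to pull every event for one incident) is easy to illustrate. The following is an added example, not code from the original post or from Gurucul; the log formats, field names and sample lines are constructed for illustration, and the normalized schema is a hypothetical one chosen here.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample input: syslog-style sshd lines and one JSON audit event.
# Formats and values are invented for the example.
RAW_EVENTS = [
    "2024-03-01T10:00:05Z host1 sshd[1234]: Failed password for alice from 203.0.113.5 port 50111 ssh2",
    "2024-03-01T10:00:09Z host1 sshd[1234]: Accepted password for alice from 203.0.113.5 port 50112 ssh2",
    '{"ts":"2024-03-01T10:01:30Z","host":"host1","user":"alice","action":"sudo","cmd":"/bin/cat /etc/shadow"}',
    "2024-03-01T10:02:00Z host2 sshd[99]: Accepted publickey for bob from 198.51.100.7 port 4000 ssh2",
]

SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_event(raw: str) -> dict:
    """Normalize one log line into a common schema while retaining the raw line verbatim.

    The raw text and its SHA-256 travel with the parsed fields, so an analyst can
    always fall back to the original record (and verify it was not altered).
    """
    rec = {"raw": raw, "raw_sha256": hashlib.sha256(raw.encode()).hexdigest()}
    if raw.startswith("{"):
        d = json.loads(raw)
        rec.update(ts=d["ts"], host=d["host"], user=d["user"],
                   action=d["action"], detail=d.get("cmd"), src=None)
    else:
        m = SSH_RE.match(raw)
        if not m:
            # Unparsed lines are kept rather than dropped; they are still searchable by raw text.
            rec.update(ts=None, host=None, user=None, action="unparsed", detail=None, src=None)
            return rec
        rec.update(ts=m["ts"], host=m["host"], user=m["user"],
                   action="ssh_" + m["result"].lower(), detail=m["method"], src=m["src"])
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def incident_events(records: list, users=(), hosts=(), start=None, end=None) -> list:
    """Return every parsed event touching any of the given users or hosts inside the window, sorted by time."""
    out = []
    for r in records:
        if r["ts"] is None:
            continue
        if r["user"] not in users and r["host"] not in hosts:
            continue
        if start is not None and r["ts"] < start:
            continue
        if end is not None and r["ts"] > end:
            continue
        out.append(r)
    return sorted(out, key=lambda r: r["ts"])


if __name__ == "__main__":
    records = [parse_event(line) for line in RAW_EVENTS]
    for ev in incident_events(records, users=("alice",)):
        # Parsed view for correlation, raw view for evidence: both come from the same record.
        print(ev["ts"].isoformat(), ev["host"], ev["action"], "|", ev["raw"])
```

The point of the `raw` and `raw_sha256` fields is that the parsed columns are derived data: a parser bug or a schema change can silently drop context, and the investigation still needs the original record. Keeping both per event is what makes a single-incident bundle complete.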

Further, SIEM vendors charge based on the volume of data ingested. The more data you want to analyze, the more it will cost you. This is a serious limitation for security practitioners who need to see the full picture of what is going on in their environment in order to take corrective action.

That’s the beauty of machine learning and advanced analytics: they extract big-data context from data lakes, which also offer cost-effective storage. With SIEMs, it’s not that easy or straightforward. In too many cases, it’s downright difficult to extract that data at all.

We’ve seen managed services organizations supporting SIEM platforms come up with an array of custom solutions for extracting this critical data. They involve scripting and other manually intensive bespoke services to achieve that end. This circumstance is something of a “canary in a coal mine”, where the question is: how much more scripting and custom work is required to keep the SIEM up to date for data extraction and correlation? Here manual one-off point solutions are offered, when fast and comprehensive security automation, orchestration, and response are the need and the goal. The speed of SIEM data retrieval is generally bounded by access to partitioned columnar or parallel data stores, which are not aligned with the requirement of comprehensive, enterprise-wide security data correlation.

Look at it from the perspective that forward-looking CISOs must adopt, which is wider than that of the SIEM alone. SIEM, IAM (identity and access management) and CASB (cloud access security broker) solutions represent vertical silos which too often pigeonhole critical security data. Each of these solutions is a critical data source for analytics, producing risk scores that are used across the horizontal plane of the environment, yet each remains isolated and separate from identity. A customer’s choice of a solution silo should not restrict the machine learning analytics available to them, nor should data be held hostage within closed solutions. So, what’s the solution?

A holistic risk-based approach driven by machine learning extracts context from big data, guaranteeing comprehensive monitoring across all horizontal planes of an environment.

Using machine learning as a force multiplier, analyzing the access and activity of a user for their accounts and entitlements is ground zero for predictive risk scoring. Activity alone fails to provide enough context and visibility. The identity gap with access must be closed to effectively evaluate risk. Chief risk officers understand this issue and now demand risk scoring down to the entitlement level, while also understanding the benefit of uncovering hidden privileged access through identity analytics and thus which activities to analyze for access abuse.

With our award-winning Gurucul Risk Analytics platform, Gurucul is at the forefront of providing solutions for a broad range of industry verticals, as it continually strives to define and develop the next generation of behavior-based security analytics. Stop paying for SIEM data that doesn’t give you the complete picture. Big data and data analytics are the future of security. Put all the data you can get your hands on into a data lake and then build all your foundational security controls on that data. We can help!