Given all the vendor- and analyst-speak in the security space, it’s often difficult for organizations to know the difference between the marketing hype and reliable technology information. Case in point: some vendors in the Security Information and Event Management (SIEM) space claim that their products and services provide security analytics, when in fact their offerings only provide advanced rules-based searches on log data.
SIEM software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of known security threats generated by applications and network hardware. However, because they use static rules, SIEM offerings cannot accurately determine where unknown risk lies. Consequently, remediation activities based on SIEM are often manual and performed in an ad hoc manner.
On the other hand, true security analytics create profiles and behaviors of users and entities by using machine learning and model-driven technologies. Typically, these products continuously ingest data from disparate sources, including DLP, proxy, IT and business applications, and even SIEMs. They perform real-time analytics and risk scoring to automate security controls and determine where remediation action should be taken based on actual, rather than perceived, risk.
For example, user and entity behavior analytics (UEBA) solutions look at patterns of human and device behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns — anomalies that indicate potential threats.
Here are 6 ways to tell a SIEM from a security analytics product:
1) Security Analytics Can Detect Unknowns
SIEM uses a set of static tools to do real-time analysis of event data and, at a later stage, produce reports for auditing and compliance purposes.
“While SIEM is a core security technology it has not been successful at providing actionable security intelligence in time to avert loss or damage,” wrote Mike Small [note: link opens a PDF], a KuppingerCole analyst.
SIEM cannot do what security analytics products do: detect unknown threats. Leading security analytics products use behaviour-based security analytics and artificial intelligence to detect threats based on contextual information in real time for more efficient remediation.
2) Rich UEBA Wins Over Raw Data
“User and entity behavior analytics (UEBA) solutions use analytics to build the standard profiles and behaviors of users and entities (hosts, applications, network traffic and data repositories) across time and peer group horizons,” notes Gartner. “Activity that is anomalous to these standard baselines is presented as suspicious, and packaged analytics applied on these anomalies can help discover threats and potential incidents.”
In contrast, SIEMs rely heavily on raw data, as Gartner points out: “SIEM tools aggregate event data produced by security devices, network infrastructure, systems and applications. The primary data source is log data but SIEM tools can also process other forms of data.”
3) Manual vs Automated Threat Hunting
SIEMs do a good job of providing IT pros with the data they need to manually hunt for threats. Such data yields details about what happened and why it happened, but it does not help security analysts react faster to mitigate sophisticated cyberattacks. That’s where machine-based security analytics make the difference.
This technology provides the real-time analysis and speed needed to meet current security threats, while incorporating predictive capabilities that will help IT to determine what will happen.
4) Risk Ranking Outperforms Simple Alerts
SIEMs provide alerts on events that occur on the network and devices. The problem is that the alerts are always about known threats, never about unknown ones. In addition, SIEMs are not in the business of prioritizing or ranking risk, which is central to the smartest security analytics offerings.
By ranking risk for all users and entities in a network, a security analytics solution enables an organization to apply different controls to different users and entities, thereby improving overall security.
5) Short vs. Long-term Analysis
SIEMs excel at doing short-term analysis but do not perform well when it comes to storing and mining long-term data. Some SIEMs make it very difficult or even impossible to search online for historical data, even though one of their selling points is their ability to automate the gathering of compliance data.
In contrast, by using machine learning technology, advanced security analytics solutions give organizations real-time visibility into all their data, short-term and long-term. Such visibility sharpens an organization’s ability to tailor access controls and detect threats more efficiently.
6) Siloed Data Is No Match For Correlated Data
SIEM data lives in siloes, with no correlation between the various data on users and their activities, and no connections across applications used over time and users’ behavior patterns.
In contrast, state-of-the-art security analytics solutions consume massive volumes of data generated by user activity from disparate sources, including unstructured sets of data. Some of these solutions then apply machine learning simultaneously to hundreds of thousands of discrete events to identify relationships that span time, place, and actions.
Using artificial intelligence, security analytics products can link and analyze relationships to derive “meaning” that will aid in detecting, predicting, and preventing threats.
Understanding the differences between SIEM and security analytics boils down to use cases and automation. While SIEMs play a valuable role in aggregating logs and generating alerts, they lack the true analytics functionality required to derive meaning, context and risks from volumes of big data.
Without this capability, SIEM users must hunt threats manually, know what to look for and write rules to achieve even the most basic automation.
An article by Nilesh Dherange, CTO, Gurucul