Saryu Nayyar | Forbes.com
Keeping attackers out of networks and protecting data is the most basic and critical job of a security team. Detecting threats early is key to categorizing and neutralizing them and to diminishing the effects of a breach after it has happened.
There is a wide range of “perimeter” tools that do some or all of the following early-detection tasks: network traffic analysis, endpoint detection and analysis, antivirus and anti-malware control, email filtering and access control. Individually and together, these tools deliver good network and data protection. The problem is they often operate in isolation from each other and keep their data in silos.
A SIEM is a blend of security information management (SIM) and security event management (SEM). The average SIEM is adept at analyzing and displaying known security threats but incapable of predicting the unknown ones as it lacks the intelligence to do so.
However, an intelligent SIEM — powered by AI-based data analytics and machine learning — provides security analysts a host of benefits: a unified view of data, deep insights based on context, coherent risk scores, behavior analysis over time, visualization, proactive threat hunting and more. If your company is looking to improve how it detects threats, make sure to look for these capabilities in an intelligent SIEM:
When researching intelligent SIEM platforms, the first thing you want to make sure is that it pulls data from all components of the security stack, including firewalls, VPN concentrators, switches and routers, active directory, endpoint defenses, enterprise antivirus and anti-malware apps.
A quality SIEM should be able to extract data from various silos into a single repository where the data is analyzed, contextualized and distilled into unified risk scores for all entities in the environment. This holistic approach facilitates the analysis of massive volumes of data, provides reports in near real time and makes threat identification and response highly effective.
A Unified View Of Data
An intelligent SIEM should also be able to pull everything into a single data lake in order to give security personnel a unified view of information. While it is possible for an analyst to manually look at what’s happening on the firewall, the VPN concentrator, and to see who’s logging into the network through an active directory, having a unified view of activity is better.
Deep Insights Based On Context
As you look at different technologies, keep in mind that data analytics enhances threat detection capabilities by correlating events, and revealing patterns that represent a threat when taken in context. This is impossible to do when information is siloed. Look for an intelligent SIEM that provides a central element of contextual analysis, which is especially useful when trying to detect an advanced persistent threat (APT) that may be moving low and slow through a network.
Unified Risk Scores
Before investing in a SIEM, it’s important to understand how it prioritizes risks. By ranking risks, a SIEM enables the enterprise to apply different controls to different users and entities, thereby improving overall security. The major advantage of risk scoring is that it greatly eliminates the amount of false positives.
Another element to consider is behavior analysis. This helps analysts detect subtle threats that occur over days, weeks or even months. A SIEM equipped with behavior analysis can store, find and analyze historical data as well as short-term data, thereby enabling analysts to identify trends that may have been developing over time. This visibility sharpens an organization’s ability to tailor access controls and detect threats more efficiently.
While most SIEM platforms come with some form of visualization, not all SIEMs feature analytics. Look for a SIEM that delivers analytics. The inclusion of analytics adds risk scoring and context to the visualization process, combining all the pieces necessary for advanced threat detection. It enables analysts to drill down into the event or series of events that generated a specific risk level for a user or entity. It also gives analysts a way to understand how events transpired over time and how they related to one another.
Proactive Threat Hunting
Finally, it’s crucial to look for an intelligent SIEM that will equip security analysts with the tools to do proactive threat hunting. By leveraging the contextual information and unified risk scores, analysts can hunt for threats hidden in the environment. They can open an attacker’s once-hidden back doors, shining a light on everything an attacker touched in the network.
Traditional SIEM technology solved a difficult problem when it was first invented — namely, unifying and normalizing security events from various tools for threat investigation. Since then, attacks and attack techniques have massively increased in sophistication. Detecting advanced threats must go beyond chasing down individual events and requires more complete context provided by correlating multiple data sources. Adding intelligence in the form of analytics to a SIEM provides the visibility organizations need to identify attacks that cannot be detected using individual threat crumbs.
External Link: Achieving Advanced Threat Detection With Intelligent SIEM