The Era of SIEMs is Over

SIEMs have done well to evolve beyond log retention, but their time is up.

By: Hans Rattink
Not a day goes by without news of another data breach. Each time, security organizations and thought leaders warn the public about the nature of modern threats and offer advice. But among the noise around news events, the advice and warnings often go unheeded. Sadly, the warnings are true – adversaries are becoming more advanced and tougher to stop. To make matters worse, a history of poorly designed data privacy regulations has encouraged habits that sometimes sacrifice security.
Not long ago, we lived in a world where script kiddies and gold-digging criminals obtained simple scripts from the Dark Web to launch opportunistic attacks at will. Those days are mostly behind us. Threat actors today are increasingly bold and sophisticated, and government-sponsored threats make up an increasing proportion of the incidents we see. Attacks are indiscriminate – if a threat actor is looking for intellectual property, they'll often exfiltrate personal data on the way through too. The result for breached organizations can mean huge fines.
Existing security controls and SIEM solutions need to up their game to counteract the adversary's ability to exfiltrate all kinds of data. Are they able to take it to the next level? Many are stuck, still reactively counteracting the known Tactics, Tools and Procedures of our adversaries. That isn't enough: most of these solutions can't keep pace as adversaries improve their attack methods.
Many organizations still prefer on-premises solutions despite the slow startup process and limited capabilities to protect data. That's not even mentioning the huge cost. Safeguarding personal data against breaches requires something better. SIEM evolved from a log retention platform to add improved alerts and dashboards to try and fill this gap in the market.
But SIEMs have never fully lived up to their promises. Getting security content and threat intelligence to work in harmony with many SIEMs proves time-consuming, and the visibility these solutions offer is siloed. Many weren't built with the cloud in mind and can't capitalize on the strengths that come with cloud computing. Solution management and admin tasks eat into the time teams have left for detecting and responding to threats. SIEM was never able to put us ahead of the threat, and the increasing number of breaches demonstrates this.
Where SIEM has failed, security analytics applications are proving successful. Most security analytics software involves a combination of threat intelligence and data science techniques to speed up detection and response. But even though security analytics can be invaluable to security teams, results vary wildly depending on the provider. This is mainly due to overzealous or poorly chosen applications of data science techniques.
Data science has incredible applications in cybersecurity, but it's not yet a cure-all technology. In certain cases, the use of machine learning can lead to more noise and alerts than security professionals desire. The key is knowing when and where to apply it.
Secureworks® takes a deliberate and highly targeted approach to machine learning and other data science techniques. By pairing incident response experience and threat research with supervised and unsupervised machine and deep learning algorithms, the Red Cloak™ TDR analytics software can detect unknown threats by identifying behavioral clues. The algorithms are trained on data from our entire customer base, which further increases the accuracy of the software.
Security analytics can also support efforts to meet data privacy laws. In Europe, the risk-based approach of GDPR has been a huge improvement for protecting personal data. Despite this progress, many organizations are still clinging to old habits. Corporate policies and sentiments, often inspired by the previous regulations, focus on keeping data in-country, disregarding the larger picture and the overall goal. Securing personal data with a risk-based approach means selecting the best controls to do so. The trend in security is that within a few years, advanced security solutions will be delivered predominantly from the cloud. It's no longer about where the data is, but how the data is secured. That's why TDR is cloud native: it allows us to innovate quickly while scaling continuously to outpace the adversary.
SIEMs may be proving less useful than the industry needs, but security analytics software offers hope. Red Cloak TDR analyzes all security-relevant data against our threat knowledge, drawn from extensive research and IR experience. Security content is already built in, which enables more effective threat detection and response. It's time for a new approach.