For more than a decade, in response to much higher volumes of alerts, security information and event management (SIEM) has been an integral component of enterprise security programs. However, the increasing complexity and sophistication of attacks are driving the requirement for advanced analytics beyond the log aggregation of older SIEM solutions. Security analytics, which builds on Big Data technologies, has emerged to fill that gap.
In its recent report, Security Analytics Team of Competitive Rivals, the consulting firm Securosis contends that security analytics solutions provide the most value when integrated with an advanced SIEM solution, and vice versa. One is not a replacement for the other, nor should they be viewed as competing solutions.
Most enterprises have had a SIEM in place for a number of years. Its main strengths include data aggregation, correlation, forensics, incident response, and reporting. The data sets a SIEM usually handles best are endpoint, server and network activity and logs, identity data, application logs, change control activity, and threat intelligence feeds.
One thing that some SIEMs struggle with is finding patterns in large volumes of data. Security analytics solutions, on the other hand, are intentionally designed to crunch through SIEM’s huge data sets, looking for indicators of malicious activity, such as anomalous patterns of activity, misconfiguration, or privilege escalation. The integrated solutions are particularly good at advanced threat detection and tracing insider attacks.
How do you benefit from integrating analytics solutions with your SIEM? For one thing, today’s security analytics solutions don’t let you pivot from an alert into an incident response process; SIEMs handle that job, and they lend themselves well to comprehensive threat activity visualization and reporting. There are two key integration points where you’ll find the combination invaluable:
- Automated Data Analysis: SIEMs have long been proficient at collecting and aggregating data. To extract that data for further analysis, make sure the integration between your SIEM and security analytics has sufficiently robust automated processes; this can save an enormous amount of time.
- Alert Prioritization: Both your SIEM and your security analytics tools will create and send out alerts. Bi-directional information sharing between the SIEM and security analytics solutions is essential so that your team can prioritize investigative actions and maintain context.
Let’s look at a scenario where SIEM and security analytics complement one another to detect what appears to be an advanced insider attack. In this use case, the security team of a fast-growing retail operation receives an alert from its SIEM. It appears that an insider is probing the internal network, which is highly unusual activity for an employee. For a more complete picture, the team turns to its integrated SIEM and security analytics solution for additional insight into what the adversary is up to. The integrated investigation reveals several types of unusual activity, such as privilege escalations and configuration changes on multiple devices. The SIEM reports the attacker’s trajectory, which ends in the compromise of the device that triggered the alert in the first place, and this enables smarter and faster remediation.
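The pattern-finding role of analytics, the two integration points (automated analysis and bi-directional alert prioritization), and the insider scenario above can all be shown in a single small pipeline. The code below is an added illustration written for this post, not code from the post, from Securosis, or from any SIEM product. It runs over a constructed set of log records (user, source host, destination host, event type) and a constructed per-user baseline of "how many distinct internal hosts does this person normally talk to"; the SIEM-style rule raises the probing alert, the analytics-style pass collects privilege escalations and configuration changes, and the prioritization step corroborates the alert with those findings and reconstructs the trajectory from the triggering workstation onward. Thresholds, field names, and hostnames are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample log records (not from any real environment). Each record is
# (timestamp, user, source host, destination host, event type).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "ws-01", "fileserver", "net_conn"),
    ("2024-05-01T09:05:00", "alice", "ws-01", "mail", "net_conn"),
    ("2024-05-01T09:10:00", "bob", "ws-07", "fileserver", "net_conn"),
    # bob's workstation starts sweeping an internal range: one new host per minute
    *[("2024-05-01T10:%02d:00" % m, "bob", "ws-07", "10.0.2.%d" % (10 + m), "net_conn")
      for m in range(12)],
    ("2024-05-01T10:20:00", "bob", "ws-07", "db-02", "privilege_escalation"),
    ("2024-05-01T10:25:00", "bob", "db-02", "db-02", "config_change"),
    ("2024-05-01T10:30:00", "bob", "db-02", "db-03", "privilege_escalation"),
    ("2024-05-01T10:35:00", "bob", "db-03", "db-03", "config_change"),
    # an ordinary, authorised change by another user, so not every finding is malicious
    ("2024-05-01T11:00:00", "alice", "ws-01", "build-01", "config_change"),
]

# Constructed per-user baseline: typical number of distinct internal hosts each
# user contacts per day, as an analytics engine would learn it over time.
BASELINE_DISTINCT_HOSTS = {"alice": 4, "bob": 3}


def siem_probing_alerts(events, baseline, factor=3):
    """SIEM-style rule: alert when a user contacts far more distinct hosts than usual.

    `factor` (assumed value 3) is how many times the baseline must be exceeded.
    Returns one alert per user, tagged with the host that first produced the activity.
    """
    seen = defaultdict(set)
    first_host = {}
    for ts, user, src, dst, kind in events:
        if kind == "net_conn":
            seen[user].add(dst)
            first_host.setdefault(user, src)
    alerts = []
    for user, hosts in seen.items():
        if len(hosts) > factor * baseline.get(user, 1):
            alerts.append({"user": user, "host": first_host[user],
                           "distinct_hosts": len(hosts)})
    return alerts


def analytics_findings(events):
    """Analytics-style pass over the same data: privilege escalations and
    configuration changes, grouped per user, with the host they occurred on."""
    findings = defaultdict(list)
    for ts, user, src, dst, kind in events:
        if kind in ("privilege_escalation", "config_change"):
            findings[user].append({"time": ts, "host": dst, "type": kind})
    return findings


def prioritize(alerts, findings):
    """Bi-directional context: rank each SIEM alert by how many independent
    indicator types the analytics side corroborates for the same user, and
    attach the ordered list of hosts touched (the attacker's trajectory)."""
    ranked = []
    for alert in alerts:
        user_findings = sorted(findings.get(alert["user"], []), key=lambda f: f["time"])
        indicator_types = {f["type"] for f in user_findings}
        hosts = []
        for f in user_findings:
            if f["host"] not in hosts:
                hosts.append(f["host"])
        ranked.append({
            **alert,
            "priority": 1 + len(indicator_types),   # 1 = SIEM alone; higher = corroborated
            "trajectory": [alert["host"]] + hosts,  # starts at the device that triggered the alert
            "affected_hosts": len(hosts),
        })
    ranked.sort(key=lambda r: r["priority"], reverse=True)
    return ranked


def investigate(events=SAMPLE_EVENTS, baseline=BASELINE_DISTINCT_HOSTS):
    """Run the SIEM rule, then enrich and rank its alerts with analytics findings."""
    return prioritize(siem_probing_alerts(events, baseline), analytics_findings(events))


if __name__ == "__main__":
    for record in investigate():
        print(record)
```

On the constructed data only bob trips the probing rule (13 distinct hosts against a baseline of 3), and because both indicator types are corroborated his alert ranks at priority 3 with the trajectory ws-07, db-02, db-03. Alice's configuration change is recorded as a finding but never becomes an alert, which is the point of the bi-directional design: findings give context to alerts rather than generating noise on their own.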
John Woods is a self-professed security expert who has been making people aware of security threats. His passion is to write about cyber security, malware, social engineering, games, the internet and new media. He writes for McAfee products at www.mcafee.com/activate or mcafee.com/activate.