This blog was originally published on LinkedIn.
To know SIEM is to love it. And hate it.
Security information and event management (SIEM) is a ubiquitous cybersecurity tool. It’s used by probably every security analyst who works in a security operations center (SOC).
That’s because SIEMs play a critical role. They collect all the logs from an enterprise’s infrastructure. They provide context. They attempt correlation among sources. They identify trends and out-of-the-ordinary patterns. They enable your security analysts to qualify and prioritize threats. The first SIEMs were a giant leap forward in the fight against cyber-threats.
Accent on the “were.” Today, if SIEM is your most sophisticated cybersecurity technology, it’s like bringing a knife to a gunfight.
Because SIEMs see everything. Everything – which is not always a good thing, because they report every event to your SOC, whether real or false positive. Gazillions of events arrive in a relentless torrent of data, in effect drowning the SOC in the deluge.
And yet, at the same time, SIEMs have massive blind spots. For instance, it is your analysts who have developed the rules that provide the context and the correlation – but are you willing to match the wits of your analysts against the universe of cyber-attackers? And are you really confident that your infrastructure is correctly configured to deliver the relevant log records?
Then, what happens if a cyber-intruder evades the watchful eyes of your SOC? This is where the “hate” part of the SIEM really comes into play: its eyes only go so far – unless the data gets better and the intelligence it can deliver gets WAY better.
Less complex, yet more comprehensive.
More efficient, yet more effective.
More inclusive, yet more accurate.
And faster, Faster, FASTER. Cyber-intruders that get inside your walls spend an average of several months there. They’re assessing value. They’re identifying avenues of further access. They’re biding their time until they can make the biggest strike with the greatest stealth.
How much time are you willing to give them?
So, how do you optimize your SIEM – for greater speed, for fewer errors, for reduced costs? Simple: you automate with artificial intelligence. However, I have great faith in what SIEMs can do – once Vectra has turbo-charged them. We have clients that used to take 4 to 10 hours to triage a discovered attack – now, it’s 5 to 10 minutes. We provide 3 times the coverage – at 10% of the personnel cost.
What’s not to love?