Bi-Directional Data: Connecting the SIEM to Your Environment Is No Longer a One-Way Street


By Brian Robertson, Senior Product Marketing Manager

Introduction

You already know that today’s threats are far more advanced and aggressive than ever before. Our world is highly digitized and interconnected, creating pathways to critical data and systems. On top of the digital nature of data, the faster rate of innovation, growing technological complexity, and widespread data sharing expand the attack surface further. Threat actors are also increasingly organized and use more sophisticated techniques to circumvent cybersecurity systems and solutions. Combined, these factors create a virtual playground for cybercriminals to take advantage of vulnerabilities and gaps in security to infiltrate your environment.

Since the creation of security information and event management (SIEM) solutions, visibility has been mission critical when it comes to keeping pace with sophisticated threats. Connecting data to the SIEM has required physical or virtual ingestion devices. Whether you call them ingestion nodes, connectors, collectors, or any other name, bringing data to the SIEM is step one in gaining visibility. Visibility is of ultimate importance because it drives detecting or hunting threats, analyzing the conditions around the event, and establishing an effective action plan to remediate them.

However, as threats have evolved, the demands on these ingestion devices have also evolved. Today, data ingestion must support on-premises locations, multiple cloud locations, and even SaaS applications. As the attack surface grows, the ingestion device must be able to scale quickly and efficiently to handle new capacity demands or adapt to bursts in demand.

The primary function of the ingestion device has also changed. With the introduction of SOAR capabilities embedded in the SIEM, the ingestion device must not only collect data but also serve as the conduit for forwarding the response action messages created by SOAR playbooks.

With all that depends on the ingestion device, it is critical to be able to readily view the status and health of the ingestion device to ensure the ingestion function is up and performing properly.

Evolution of the remote ingestion node

Securonix has long relied on our Remote Ingestion Node (RIN) to deliver data to the Securonix Next-Gen SIEM. With the introduction of our SOAR capabilities, the RIN also took on the responsibility of delivering response action data to the environment. The function of the RIN is no longer one direction; it is bi-directional, collecting data but also forwarding response action messages to systems and devices within the environment to mitigate a threat.

Figure 1: Over time the Securonix RIN has evolved from simply ingesting and forwarding data to the Securonix SIEM to now also forwarding response data from the Securonix SIEM to devices within the environment.

As our customers deploy more and more RINs to support their growing environments, we had to rethink how the ingestion function was deployed and managed. With the recent announcement of the Securonix Unified Defense SIEM, Securonix also introduced Securonix Hub, our new cloud-based/virtual ingestion device, which takes the data ingestion and response function to the next level. Securonix Hub is built on modern orchestration and deployment technologies that enable functionality aligned to the ingestion demands of today and tomorrow. You can now gain advanced capabilities not available in previous Securonix ingestion nodes in the following areas:

  • Vertical and horizontal scaling
  • Orchestration
  • Observability

Figure 2: Securonix Hub is an evolution of the Securonix Remote Ingestion Node (RIN) and is focused on delivering more scalability, modern orchestration and observability.

Meet higher capacity demands with vertical and horizontal scale 

To gain visibility into the growing attack surface, organizations need to be able to collect data from more locations across the globe, both on-premises and in multiple cloud environments. However, predicting the amount of data that will need to be collected at a given time is difficult, and the answer is constantly changing. Organizations are finding it harder and harder to predict the amount of CPU, RAM, and storage needed to handle their data requirements, or to determine how many ingestion devices are needed to handle the number of events they will have to support. Often these organizations find themselves in a situation where they:

  1. Do not have enough capacity, or their requirements exceed capacity over time, and they need to go through a manual process of adding capacity that takes time and resources they may not have.
  2. Deploy too much capacity, which causes overspending.

Securonix Hub alleviates this situation by providing the ability to automatically scale vertically when resources are added, reaching 80,000 events per second per data source. Organizations can also easily add more ingestion capacity as needed to support over 2 million events per second in total.

Ease deployment and management with modern orchestration

Ingestion tools of the past are limited by the fact that they were created years ago and do not take advantage of the modern tools available today. This often results in a complex, manual deployment and upgrade process.

Securonix Hub allows for easy cloud and on-premises deployments and automated upgrades, making upgrades of Securonix Hub virtually unnoticeable. Securonix Hub takes advantage of modern orchestration and deployment tools such as containers, virtualization, and infrastructure-as-code technology to streamline its deployment and management. This minimizes complexity and manual activity and allows ingestion to be deployed faster and managed without impact to the collection of data or the forwarding of response actions.

Understand the health of your ingestion device with observability

Without visibility into the health and status of the ingestion device, organizations cannot be confident that the device is performing its job. Lacking visibility into ingestion device health can result in critical data not being collected and made available for threat detection and investigations, which allows threats to infiltrate your environment unnoticed. It is inefficient for an organization to go through the process of opening a support ticket and having the vendor verify the ingestion functionality. The organization should be able to see the health and status of its ingestion devices without vendor intervention.

Securonix Hub brings new observability capabilities to the forefront so that customers and partners can view the status, cumulative events per second, and system metrics (CPU, memory, disk space) of each Securonix Hub. If a problem with a Securonix Hub does arise, this visibility allows for faster triage.
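The kind of check this visibility enables can be sketched in a few lines. The following is an added example and not Securonix code: it derives events per second from a cumulative counter and flags a hub whose ingestion has silently stalled or whose CPU, memory or disk is running hot. The snapshot data and the 90% resource thresholds are constructed assumptions; only the 80,000 EPS ceiling comes from the post.

```python
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real Securonix Hub data): per hub, snapshots
# taken INTERVAL_S seconds apart as (cumulative_event_count, cpu_pct, mem_pct, disk_pct).
INTERVAL_S = 60
SNAPSHOTS: Dict[str, List[Tuple[int, int, int, int]]] = {
    "hub-us-east-1": [(1_000_000, 35, 50, 40), (1_060_000, 36, 51, 40), (1_120_000, 38, 52, 41)],
    "hub-eu-west-1": [(500_000, 30, 45, 88), (560_000, 31, 46, 91), (560_000, 5, 46, 93)],
    "hub-apac-1":    [(200_000, 90, 85, 60), (248_000, 95, 88, 61), (296_000, 97, 92, 61)],
}

EPS_CEILING = 80_000        # per-data-source vertical-scale ceiling quoted in the post
RESOURCE_HIGH_PCT = 90      # assumed alerting threshold for CPU / memory / disk
EPS_DROP_RATIO = 0.5        # assumed: flag when EPS falls below half the previous interval


def eps_series(snaps: List[Tuple[int, int, int, int]], interval_s: int = INTERVAL_S) -> List[float]:
    """Events per second between consecutive snapshots of a cumulative counter.
    A negative delta means the counter reset (e.g. the hub restarted); it is
    reported as 0.0 rather than as a negative rate."""
    rates = []
    for (prev, _, _, _), (cur, _, _, _) in zip(snaps, snaps[1:]):
        rates.append(max(cur - prev, 0) / interval_s)
    return rates


def assess(snapshots: Dict[str, List[Tuple[int, int, int, int]]],
           interval_s: int = INTERVAL_S) -> Dict[str, List[str]]:
    """Return findings per hub; an empty list means the hub looks healthy."""
    report: Dict[str, List[str]] = {}
    for hub, snaps in snapshots.items():
        findings: List[str] = []
        rates = eps_series(snaps, interval_s)
        if len(rates) >= 2:
            prev_eps, cur_eps = rates[-2], rates[-1]
            if cur_eps == 0 and prev_eps > 0:
                findings.append("INGESTION_STALLED")   # counter stopped moving: data loss risk
            elif prev_eps > 0 and cur_eps < prev_eps * EPS_DROP_RATIO:
                findings.append("EPS_DROP")
        if rates and rates[-1] >= 0.9 * EPS_CEILING:
            findings.append("NEAR_EPS_CEILING")        # time to add capacity
        _, cpu, mem, disk = snaps[-1]
        for name, value in (("CPU", cpu), ("MEM", mem), ("DISK", disk)):
            if value >= RESOURCE_HIGH_PCT:
                findings.append(f"{name}_HIGH")
        report[hub] = findings
    return report


if __name__ == "__main__":
    for hub, findings in assess(SNAPSHOTS).items():
        print(f"{hub}: {'healthy' if not findings else ', '.join(findings)}")
```

In the constructed data, hub-eu-west-1 keeps reporting a live status while its counter stops advancing, which is exactly the failure that goes unnoticed without per-hub EPS visibility.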

Better visibility equals better threat detection, investigation, and response. 

Securonix Hub is designed to deliver the visibility needed to keep pace with today’s advanced and sophisticated threats, which look to capitalize on any vulnerability within your environment. Securonix Hub leverages modern technology to deliver extensive scalability, streamlined orchestration, and effective observability. This modern approach ensures that data is properly collected for effective threat detection and investigation workflows, and that response actions are delivered to the targeted systems to effectively remediate threats.

To learn more about how Securonix Hub works with the Securonix Unified Defense SIEM, visit our platform page here.