Brian Robertson, Senior Product Marketing Manager
The big data dilemma
Effective threat detection, investigation, and response (TDIR) is fueled by data. As threats become more complex, security organizations must rely on more data from their environment, and they need to store that data for longer periods of time. To address this big data dilemma and its associated costs, many SIEMs store data across multiple tiers, distributing it across “hot, warm and cold” data stores. Each tier delivers a different level of performance and length of retention: “hot” storage keeps data readily available and easily searchable, while cold storage retains data for extended periods at a lower cost. When originally designed, this tiered approach was sufficient, but the way data is consumed has changed, and so must the SIEM. Recent years have shown that this multi-tier model can limit security operations efficiency and affect how effectively teams can detect, investigate, and resolve cybersecurity events.
Securonix Unified Defense SIEM, which leverages the embedded Snowflake Data Cloud, can help address the big data dilemma for TDIR. By integrating the industry-leading analytics and threat hunting capabilities from Securonix with the virtually limitless scale of Snowflake’s secure and reliable data cloud, your organization gains a SIEM that is better suited to the threat detection, investigation, and response processes of today.
Employing a data cloud at the core of the SIEM delivers a single tier approach for searchable data.
In this post, I will examine how Securonix Unified Defense SIEM leverages a single tier of searchable data to advance the full potential of a modern SIEM, including:
- Extending searchable data
- Accelerating performance
- Amplifying threat hunting
- Supercharging analytics
Extending searchable data
ThoughtLab’s “Cybersecurity Solutions for a Riskier World” reports that on average it takes 128 days to detect a breach. For threats that dwell in your environment, or that use low and slow tactics to avoid detection, it is critical that the data from when the threat first presented itself, which could have been several months ago, can be investigated easily. A multi-tier approach requires analysts to search multiple data storage clusters to get visibility into historical events. In a traditional architecture, “hot” storage may contain only a week or two of searchable data, and “warm” storage may contain data for up to 90 days. To have visibility from several months back, however, you need the data from “cold” storage. Data stored in “cold” is compressed, is not readily available, and requires rehydration before it can be used. This rehydration process takes time and resources to decompress the data and make it searchable, and it creates inefficiency.
With a single-tiered model, the data store is more scalable. With virtually unlimited storage capacity, searchable data can be available for longer periods of time. This aligns with the many organizations that require a year’s worth of readily searchable data as a security best practice. Being able to search across a year’s worth of data is an effective way to gain visibility into the events leading up to, during, and after a breach.
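As an added illustration (not code from this post or from Securonix), the following Python sketch splits an investigation lookback window across hot, warm and cold tiers, using retention day counts assumed from the ranges above, and shows how many stores a search must touch and how many days of data would need rehydration:

```python
from datetime import date

# Retention policies, constructed for this example from the ranges the post
# describes: about two weeks hot, 90 days warm, cold beyond that, versus a
# single tier holding 365 days of hot data. Values are (tier, max_age_days).
MULTI_TIER = [("hot", 14), ("warm", 90), ("cold", 365 * 3)]
SINGLE_TIER = [("hot", 365)]


def tier_for_age(age_days, policy):
    """Return the tier holding an event that is age_days old, or None if expired."""
    for name, max_age in policy:
        if age_days <= max_age:
            return name
    return None


def plan_search(lookback_days, policy):
    """Split a lookback window into the number of days held by each tier.

    Days older than the last tier's retention are reported under "expired".
    """
    plan, lower = {}, 0
    for name, max_age in policy:
        if lower >= lookback_days:
            break
        upper = min(max_age, lookback_days)
        if upper > lower:
            plan[name] = upper - lower
        lower = upper
    if lower < lookback_days:
        plan["expired"] = lookback_days - lower
    return plan


def stores_to_query(plan):
    """Number of separate data stores an analyst must search for this window."""
    return len([t for t in plan if t != "expired"])


def rehydration_days(plan):
    """Days of the window that sit in compressed cold storage."""
    return plan.get("cold", 0)


def bucket_events(events, policy, today):
    """Group (date, description) events by the tier holding them on `today`."""
    buckets = {}
    for ts, msg in events:
        tier = tier_for_age((today - ts).days, policy) or "expired"
        buckets.setdefault(tier, []).append(msg)
    return buckets


if __name__ == "__main__":
    # A 128-day lookback, the average breach detection time quoted above.
    for label, policy in (("multi-tier", MULTI_TIER), ("single-tier", SINGLE_TIER)):
        plan = plan_search(128, policy)
        print(label, plan, "stores:", stores_to_query(plan),
              "rehydrate days:", rehydration_days(plan))
```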
Accelerating performance
The faster a security analyst or threat hunter gets the results of a search during an investigation, the more effective they can be in finding and mitigating threats. Many traditional SIEMs use a multi-tiered storage approach, which does perform well for small, simple searches across narrow, recent time frames, because the data needed for these simple searches is usually housed in the readily available “hot” storage. Searches that look at multiple entities, across multiple data sets, and over longer time segments cause traditional SIEMs to struggle to produce results in a timely manner. Either the compute and processing resources the SIEM needs for its day-to-day functions are impacted, or security analysts must wait hours, if not days, for the data they need.
Many organizations have turned to using third-party tools to process these complex searches outside of the SIEM to improve performance or run several searches across smaller time segments. These additional manual steps elongate the threat hunting and investigation process.
Both internal testing and real-world testing with some of our largest customers show that the single-tier data approach can greatly improve search performance and investigation times. Securonix tested thousands of different types of query use cases, and 95% of them showed faster performance than the traditional multi-tiered model*. The other 5% of searches were simple ones whose time was roughly the same as in the traditional model. Testing revealed that the more complex the query, the greater the performance improvement with Unified Defense SIEM. Some of the most complex queries showed an 8X performance improvement.
Powering threat hunting
A multi-tiered approach for SIEM affects the efficiency of threat hunting, whether it is done through manual workflows or with a retroactive autonomous hunting solution like Securonix Autonomous Threat Sweeper. As expected, having multiple locations where data resides requires threat hunting activities to be performed multiple times. Searching across multiple locations is time consuming and results in threat hunters or security analysts missing important details about threats potentially already within their environment.
A single-tiered approach simplifies this process and shows how effective threat hunters and threat hunting tools can be. With a single data store, threat hunters can be confident that the information they need is easy to find and complete.
Supercharging analytics
Having data stored using different technologies inhibits innovation. New capabilities, new analytics, and doing more with security data are in constant demand. However, the ability to innovate can be restricted if the architecture carries a lot of technical debt or is built in a way that prevents all of the data from being leveraged effectively. Many traditional SIEMs find themselves locked into their architecture and can fall behind when addressing today’s modern threats or adapting to the new ways organizations want to operate. A single-tier data approach for SIEM is built to simplify how and where data is stored. This supercharges today’s advanced analytics by making more data readily available over longer periods of time, and it enables future innovation.
Securonix Unified Defense SIEM is a single-tier data architecture designed for innovation. It delivers higher performance and retains searchable data longer. This new approach ushers in our next wave of capabilities and lays the groundwork for us to build new threat hunting, investigation, and analytics capabilities. The virtually unlimited scale of Snowflake Data Cloud means that we can ingest more data, process that data faster, and retain it for longer periods of time.
And we are seeing the results:
- Up to 365 days of “hot” searchable data lets customers access a year’s worth of data without having to rehydrate compressed data, minimizing the cost and inefficiency associated with it.
- Increased efficiency of large-scale searches by eliminating the varying performance and hydration needs of multi-tiered searches.
- Improved threat hunting and investigation by having a single set of data to quickly find the inclusive information you need.
- Increased ability to innovate by leveraging an architecture designed to eliminate the technical barriers caused by a multi-tiered model.
* Performance improvements observed during Securonix internal testing of a multi-tier versus a single-tier data store.