Published on June 24, 2017
Like it or not, your SIEM deployment is actually preventing you from succeeding in your daily cyber security battle. Your adversaries are using techniques your SIEM can’t detect, across device types that SIEMs weren’t built to handle, and, most importantly, the greatest threat actor already has access to organizational IT resources. The insider threat, posed by malicious and negligent insiders or by compromised accounts, is in fact the fastest growing threat vector faced by enterprises today.
Detecting sophisticated threats that often leverage the insider threat vector is very hard for legacy SIEM tools. In fact, a leading analyst firm recently called SIEM correlation “overrated.” However, big data security analytics platforms (such as Securonix SNYPR) that use a full-stack big data architecture coupled with detection rooted in machine learning and data science are providing considerable benefits to security teams.
Here are the top seven reasons why SIEM solutions fall short of next-gen SIEM security analytics frameworks.
#1 High cost structures:
Legacy SIEM solutions are typically priced by the amount of log or event data they ingest or store. With the rapid adoption of mobile devices, automation technologies, digital processes, and assets for business operations, the data generated by enterprises has grown exponentially over the last decade, making it cost-prohibitive to collect or store this data. SIEM solutions, therefore, don’t have the critical information needed to detect sophisticated attacks simply because organizations find it too expensive to gather and retain this information, causing missed attacks and data breaches.
Contrast: Securonix offers a predictable and low-cost pricing model based on identities. The model is independent of the amount of data generated, captured, or stored by the solution. This alone can reduce the ongoing cost of data management by up to 80% while simultaneously improving your security.
#2 Lack of scalable and flexible architecture:
Legacy SIEM solutions were built on RDBMS, or in many cases proprietary flat file databases. The data structures and formats are closed systems that do not allow the flexibility to manipulate event data for the effective analysis needed today. In addition, these RDBMS or file-based architectures do not scale to the “3 V’s” (volume, velocity, and variety) of information they need to handle for effective analysis.
Contrast: The SNYPR security analytics solution is infinitely scalable because it is built on big data infrastructure that is capable of handling the vast amount of data for storage and analysis. The SNYPR open data model permits data sharing with other external applications allowing organizations to use the data to run their own analytics without having to duplicate the data.
#3 Lack of pre-packaged security use cases:
Legacy SIEM solutions are focused on an IP-centric enterprise, and hence lack coverage of the sophisticated work and attack patterns in today’s environments. The security use cases that do come with most SIEM tools are implemented using rigid rule-based logic and are focused on threat scenarios like worm outbreaks, simple malware detection, and compliance reporting. While SIEM tools have tried to augment their capabilities with external threat intel feeds and collaborative use case development, they are still woefully inadequate in the face of a motivated and well-equipped threat actor.
Contrast: In the SNYPR security analytics platform, content is packaged in the form of applications for modern threat detection across insider, cyber, and fraud use cases. The platform is fundamentally designed to adapt and detect the “unknown unknowns”. The packaged content enables plug-and-play deployment, freeing the security analyst from the burden of creating and managing complex correlation rules. Instead, the analyst can now focus on investigating and remediating a potential threat that could be damaging to the organization.
#4 Limited enrichment of event data with additional context:
Event enrichment is an afterthought in legacy SIEMs. These solutions do not add the relevant context necessary for threat detection and incident response today. Some SIEM collectors will perform normalization of the data so that it is easier for the rules engine to process, but the data is limited to the IT technology that generated it, e.g. an OS log event will only have OS fields, with no additional context.
Contrast: The SNYPR security analytics platform enriches the event data in real time at ingestion. Information such as user context, asset metadata, IP context, geo-location, threat intelligence, and application information is added at ingest time, allowing this data to be used in real-time threat analytics and for rapid threat investigation and response.
#5 Inability to analyze complex data:
Legacy SIEM solutions are largely focused on IT infrastructure information. The focus of monitoring is mainly compliance monitoring and reporting, and what we would categorize as basic security monitoring. They are unable to incorporate business, open, and in some cases personal non-IT information into their threat detection frameworks.
Contrast: SNYPR security analytics is able to incorporate a very large and diverse set of information into its detection algorithms. This includes business applications, cloud resources, IDM/IAM data, and non-IT contextual data, and it is therefore able to sniff out and prioritize the advanced threats that fly under the legacy SIEM radar.
#6 Detection logic is not adaptable:
Legacy SIEMs rely on basic correlation rules that are prone to false positives and false negatives. This is because rules-based correlation is designed to find known threats and patterns that have already been observed in the environment. Rules-based detection is unable to adapt to modern data types, sophisticated hackers, and advanced insider threats, leading both to too many irrelevant security alerts and to missed alerts that lead to major incidents.
Contrast: SNYPR security analytics uses patented machine learning algorithms based on supervised, unsupervised, and hybrid learning, designed to detect the highly sophisticated cyber attacks targeting organizations today. The anomaly detection logic has a built-in adaptive learning mechanism that constantly tunes the models based on what it learns from the environment.
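The false-positive/false-negative argument above is easiest to see side by side. The following added example (my own illustration, not Securonix code and not SNYPR's actual models) runs a static threshold rule and a simple per-user baseline detector over constructed daily download counts for three accounts. The user names, counts, threshold and z-score limit are all constructed; the baseline method (mean and standard deviation over a rolling window, with the window updated only from non-anomalous days) is one generic way to make detection adapt to each entity's own normal.

```python
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed 14-day history of files downloaded per day, per account.
HISTORY: Dict[str, List[int]] = {
    "analyst":   [20, 22, 19, 21, 23, 20, 22, 21, 20, 22, 19, 21, 22, 20],
    "clerk":     [2, 3, 2, 2, 3, 2, 2, 3, 2, 2, 3, 2, 2, 3],
    "batch-svc": [200, 205, 198, 210, 202, 199, 207, 203, 201, 204, 200, 206, 198, 202],
}
# Constructed counts for the day being evaluated.
TODAY: Dict[str, int] = {"analyst": 24, "clerk": 15, "batch-svc": 210}

STATIC_THRESHOLD = 50   # one number for everyone, as a fixed correlation rule would use
Z_LIMIT = 3.0           # how many standard deviations above the entity's own baseline
MIN_STD = 1.0           # floor so a near-constant history does not make every change "infinite"
WINDOW = 14


def static_rule(today: Dict[str, int], threshold: int = STATIC_THRESHOLD) -> List[str]:
    """Legacy-style rule: alert on any account over a fixed count."""
    return sorted(user for user, n in today.items() if n > threshold)


def adaptive_detector(history: Dict[str, List[int]], today: Dict[str, int],
                      z_limit: float = Z_LIMIT) -> List[Tuple[str, float]]:
    """Per-entity baseline: alert when today's value is far above that account's own norm."""
    alerts = []
    for user, n in today.items():
        base = history[user]
        mu = mean(base)
        sigma = max(pstdev(base), MIN_STD)
        z = (n - mu) / sigma
        if z > z_limit:
            alerts.append((user, round(z, 2)))
    return sorted(alerts)


def update_baseline(history: Dict[str, List[int]], today: Dict[str, int],
                    alerts: List[Tuple[str, float]], window: int = WINDOW) -> Dict[str, List[int]]:
    """Adaptive step: fold today's value into the rolling window for accounts that
    were not flagged, so the model tracks drift without learning from anomalies."""
    flagged = {user for user, _ in alerts}
    updated = {}
    for user, base in history.items():
        new_base = list(base)
        if user in today and user not in flagged:
            new_base.append(today[user])
        updated[user] = new_base[-window:]
    return updated


def run_day(history: Dict[str, List[int]], today: Dict[str, int]):
    """Evaluate one day with both detectors and return (static, adaptive, new_history)."""
    static = static_rule(today)
    adaptive = adaptive_detector(history, today)
    return static, adaptive, update_baseline(history, today, adaptive)


if __name__ == "__main__":
    static, adaptive, _ = run_day(HISTORY, TODAY)
    print("static rule alerts:     ", static)    # fires on the busy service account
    print("adaptive baseline alerts:", adaptive)  # fires on the clerk's 5x jump
```

With these numbers the fixed rule fires only on batch-svc, whose 210 downloads are ordinary for that account (a false positive), and says nothing about clerk, whose 15 downloads are many standard deviations above a baseline of two or three per day (a false negative). The baseline detector inverts both outcomes, and because flagged days are kept out of the window, a slow ramp-up by one account does not quietly raise its own threshold.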
#7 Extremely limited search and threat hunting capabilities:
Legacy SIEMs do not support threat hunting because they do not store, and are unable to scale to, the amount of data needed for effective hunting and investigation. The event data stored in SIEM databases is not structured for the search and pivoting that allows threat analysts to hunt for threats inside and beyond the organizational domains.
Contrast: The SNYPR security analytics platform provides robust search and visualization capabilities that arm SOC and threat analysts to actively hunt cyber threats to their organization. The SNYPR platform uses open HDFS and Solr, which permit the ingestion and retention of vast amounts of easily accessible and searchable enriched event data.
You can learn more about the Securonix SNYPR Next-Gen SIEM platform here.