Published on July 15, 2021
As the world’s IT ecosystem becomes increasingly complex there are additional attack vectors for threat actors to exploit. More and more security vendors have entered the market to address new threats which in turn begets more complexity...and around and around we go.
According to the IBM Cyber Resilient Organization Report 2020, enterprises deploy on average 45 cybersecurity-related tools in their networks. This can counterintuitively weaken their ability to respond to threats because they are creating operational complexities and alert fatigue for their analysts. The truth is that no single technology tool can solve all cybersecurity challenges on its own. The best advantage we have is collective intelligence that requires us to all work together.
Stopping the world’s cyberthreats is a team sport, and community efforts and knowledge sharing is a critical component to thwarting would-be threats. Interoperability is vital, and for that we must agree on common standards that help rather than hinder security analysts.
Organizations need all their security tools to work together seamlessly to be effective, so despite competing in business, we are all allies when it comes to securing our customers. This is where Sigma comes into play.
Better Together With the Sigma Project
At Securonix we are committed to a community-driven collective defense. We support open data formats in our products and share information with the entire security community. Our team of expert threat hunters from Securonix Threat Labs is so passionate about stopping the world’s cyber threats that they publish their research on Github for everyone to use as part of the Sigma community project.
Sigma was designed with a team sport model in mind - allowing researchers and analysts to describe, develop, and share detections in a shared language. Sigma allows analysts and organizations to define rules in a single format and consume them across multiple SIEM technologies, essentially acting as both a translator across solutions and a repository for emerging threat research.
The Securonix Threat Labs community helps standardize detection in Sigma across platforms in the following ways:
- Queries can be written once and then run across multiple different technologies, for example, Securonix SIEM and Elasticsearch.
- Queries can be translated between technologies, for example from SIEM to EDR, or from an on-premises SIEM to a cloud SIEM.
Sigma also enables detection-as-code, making it easier to develop and reuse code and perform version control.
Securonix on Sigma
Along with publishing threat research, Securonix also allows our customers to import Sigma rules into the Securonix platform to speed up detection and response. Customers can run YARA and Sigma rules against live, raw data, allowing them to use emerging threat intelligence from the community as soon as it becomes available. This Sigma content also provides customers with multiple methods to validate new potential policy violations and threats for any given query.
The hope is that, by working together and speaking the same language, we can improve our collective defenses. Staying ahead of emerging threats and publishing findings in an actionable way will continue to be a focus area for Securonix, and we hope you’ll join our community.