Will your SIEM survive?

“The rise of data and the security data lake”

There is a long-standing problem in cybersecurity. There is the ever increasing need to log more sources to provide needed visibility to detect threat activity. The need to ingest raw logs has created an ingestion problem. The SIEM was supposed to be the ultimate solution to bring data from the numerous security tools that make up the typical enterprise cybersecurity arsenal. The original SIEM evolved out of log aggregation tools, and a so-called proverbial “log dumping ground” was transformed into the modern SIEM. This SIEM solution now serves two purposes: event management and log aggregation. Serving two masters has not worked very well for the vast majority of customers.

To make the problem worse, the pricing module was based upon log aggregation, not an alert management, correlation, and most of all threat analytics where the true security value is created. The current pricing module is typically based on gigabytes per day ingested. This pricing module does not discern between high-value logs and low-value non-alert raw data. To keep the pricing of the SIEM from going out of control, customers are forced to make the decision not to ingest data into the SIEM, thus limiting their visibility to events and logs they so desperately need when an investigation is necessary. The idea of using the SIEM as centralizing logging solution was a noble one at the time, but technology and needs have changed.

So, what should we do? Is a SIEM even needed anymore? Yes, we believe that we should leverage cloud and data analytics solutions to work in conjunction with the SIEM to form a highly efficient and cost-effective solution. This solution dramatically cuts SIEM ingestion costs and provides a means to logging more sources while making this expanded data/logs available to analyze by data analytics models and giving the security analyst data for quicker and more thorough investigations. In the next few blog posts, we will propose in detail a solution intertwined with the SIEM to solve these problems.

Today’s security analysts require comprehensive visibility and an analytics framework to enhance, identify, and defend against threat actors in the ever-expanding security landscape. To be effective, the SIEM needs a collaborative partner to enhance correlation, detection, and automation capabilities. Implementing an enterprise cloud-based data lake and Azure analytics solution enables better visibility into various log data sources without excessive costs while meeting compliance and long-term retention requirements.

Our Azure-based solution leverages cloud data storage, automation, and analytics, to provide the following improvements:

• It addresses the shared data needs of compliance, infrastructure, and security domains.
• It proactively prepares data to leverage advanced analytics such as artificial intelligence engines and models.
• It widens the analytics capabilities so you can analyze Indicators of Attack (IOA) and Indicators of Compromise (IOC) to enhance security detection and correlation.
• The solution focuses on collecting and analyzing Network, Endpoint, Communication, and Identity data in a central data lake for effective analytics and investigations.

We are very excited to share with you and also hear your feedback and suggestions. We realize this is a game changer for the way security operations teams look at and process data. We invite you to expand your knowledge of data ingestion and analytics for it will serve to expand your capabilities but also your career.