For more than a decade, in response to much higher volumes of alerts, event monitoring and security information (SIEM) became an integral component of enterprise safety and security software programs. However, the increasing complexity and sophistication of attacks are driving the requirement for advanced analytics beyond the log aggregation of older solutions of SIEM. Security analytics, which uses technologies of Big Data, has emerged to fill in the respective gaps.
In its recent latest report, Security Analytics Team of Competitive Rivals, consulting firm Securosis contends that solutions of security analytics provide maximum value when integrated along with advanced SIEM solutions and vice versa. One is not quite a replacement for the other, nor should they be completely viewed as competing solutions.
Most enterprises have had a SIEM in its place for quite a number of years. Its main strengths include correlation, forensics, data aggregation, and incident response, and reporting. The data sets that are usually handled best by a SIEM are endpoint activity, server, network data, and data logs, and identity data, application logs, change control activity, and various threat intelligence feeds.
One particular thing that some of the SIEMs struggles with is finding multiple patterns in large volumes of data and information. Solutions of security analytics, on the other hand, are designed intentionally to crunch through SIEMís huge data sets, looking for several indicators of malicious harmful activity, such as anomalous patterns of misconfiguration, activity, or privilege escalation. The solutions that are integrated are particularly good at advanced threat detection and tracing various insider attacks.
How do you actually benefit from solutions for integrating analytics with your SIEM? For one particular thing, security analytics solutions of today do not allow you to search for an alert and then set in complete motion an incident response process, that job is handled by SIEM and lend themselves well to comprehensive and easy threat activity reporting and visualizations. There are two key integration points where you will find the combination quite invaluable:
- Automated Data Analysis: SIEMs have been quite proficient at aggregating and collecting data for a very long time. In order to extract this particular data for further analysis, make sure that your integration of SIEM and security analytics has quite sufficiently robust automated processes. This can basically save a large amount of time.
- Alert Prioritization: Both your SIEM and your tools of security analytics will create and send out various alerts. Bi-directional data or information sharing between the SIEM and solutions of security analytics is quite essential so that your entire team can prioritize investigative all the respective actions and maintain the context.
Let us look at a complete scenario where SIEM and security analytics solutions can complement one another to detect what actually appears to be an advanced attack of the insider. In this particular use case, the entire security team of generally a fast-growing retail operation receives an alert from its solution of SIEM. It appears that an insider is penetrating the internal network, that is a highly unusual activity for a particular employee. For a more perfect picture of the situation, the entire team accesses its integrated SIEM and solution of security analytics for additional insights on what the adversary is actually up to. The integrated investigation reveals various types of unusual activity like privilege escalations and configuration various changes on multiple devices. The SIEM reports the trajectory of the particular attacker, that results in the compromise of the device which triggered the alert in the very first place, and this enables faster and smarter remediation.
John Woods is a self-professed security expert; he has been making the people aware of the security threats. His passion is to write about Cyber security, malware, social engineering, Games,internet and new media. He writes for mcafee products at www.mcafee.com/activate or mcafee.com/activate.