
Tangent about Onboarding

Onboarding data & ingest autoscaling

Chas Clawson – Security Field CTO
Seth Williams – Security Solutions Architect


(This is part three of a three-part series.)


Introduction

Onboarding log sources into a Security Information and Event Management (SIEM) platform is one of the harder problems IT security teams face. Each source emits its own event formats, protocols and field structures, and every one of them has to be mapped and then maintained. Beyond getting each source to deliver its data to the SIEM at all, the incoming events have to be contextualized, classified and normalized into a common schema before they are useful for analysis and threat detection; a source that is collected but never parsed adds cost while contributing little to detection coverage. As the number of sources keeps growing, an onboarding process that is both streamlined and adaptable is a prerequisite for a defensible security posture in an evolving threat environment.

A recent RSA survey found that security teams feel overwhelmed by legacy SIEM systems and want better automation. Among respondents, 30.9% said they did not know how to add a new data source to their SIEM and 21.89% rely on the data source provider to do it; a full 42.5% said it takes weeks, months or longer to add a new data source. Only 19.74% of teams were very confident their SIEM could detect unknown threats, and 37.34% were somewhat confident.

Azure Sentinel (now Microsoft Sentinel), another leading SIEM, does a terrible job of abstracting away the complexity of onboarding and normalizing data. Look at its recommended data flow for getting data parsed and normalized. This is why SIEM has a bad rap.

[Figure: Sentinel data flow diagram; labels recovered from the image: customer data, security data lake]

Compare that to the Sumo Logic approach, where all incoming data is fully indexed in its raw form and, in tandem, automatically parsed and normalized, with the normalized copy stored alongside the original. Analysts can query normalized fields across sources without knowing each source's native format, while the raw event remains searchable for anything a parser did not understand.
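To make the raw-plus-normalized design concrete, here is an added example (not Sumo Logic's or Intersect's code) of a minimal ingest step that never drops an event: every event is stored raw, and a normalized copy under a hypothetical common schema (timestamp, src_ip, user, action, outcome) is attached when a parser recognises the format. The sample events, the JSON field names, the key=value layout and the CEF extension keys used are constructed for illustration; a parse failure or an unknown format leaves the normalized layer empty but keeps the raw text searchable.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample events (not real telemetry): three recognised formats
# and one line no parser understands.
SAMPLE_EVENTS = [
    '{"time": "2024-03-01T10:15:30Z", "src_ip": "10.0.0.5", "user": "alice", '
    '"event": "login", "result": "success"}',
    "ts=2024-03-01T10:16:02Z src=10.0.0.7 user=bob action=login outcome=failure",
    "CEF:0|ExampleVendor|Firewall|1.0|100|Connection blocked|5|"
    "src=203.0.113.9 suser=carol act=deny rt=1709288210000",
    "Mar  1 10:17:44 host1 weirdapp[123]: something unstructured happened",
]

# Hypothetical common schema that every parser maps into.
SCHEMA = ("timestamp", "src_ip", "user", "action", "outcome")

KV_RE = re.compile(r"(\w+)=(\S+)")


def _iso(ts_str):
    """Parse an ISO-8601 timestamp ('Z' suffix allowed) into a UTC ISO string."""
    dt = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return dt.astimezone(timezone.utc).isoformat()


def parse_json(raw):
    obj = json.loads(raw)
    return {"timestamp": _iso(obj["time"]), "src_ip": obj.get("src_ip"),
            "user": obj.get("user"), "action": obj.get("event"),
            "outcome": obj.get("result")}


def parse_kv(raw):
    kv = dict(KV_RE.findall(raw))
    return {"timestamp": _iso(kv["ts"]), "src_ip": kv.get("src"),
            "user": kv.get("user"), "action": kv.get("action"),
            "outcome": kv.get("outcome")}


def parse_cef(raw):
    # CEF header has 7 pipe-separated fields; everything after is the extension.
    parts = raw.split("|", 7)
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    ext = dict(KV_RE.findall(parts[7]))  # simplified: values with spaces unsupported
    rt = datetime.fromtimestamp(int(ext["rt"]) / 1000, tz=timezone.utc)
    return {"timestamp": rt.isoformat(), "src_ip": ext.get("src"),
            "user": ext.get("suser"), "action": ext.get("act"),
            "outcome": None}  # sample carries no outcome; leave unset, do not guess


def detect_format(raw):
    if raw.startswith("{"):
        return "json"
    if raw.startswith("CEF:"):
        return "cef"
    if KV_RE.match(raw):
        return "kv"
    return "unknown"


PARSERS = {"json": parse_json, "kv": parse_kv, "cef": parse_cef}


def ingest(raw_event):
    """Index the raw event unconditionally; attach a normalized copy when possible."""
    record = {"_raw": raw_event, "_format": detect_format(raw_event),
              "normalized": None, "_parse_error": None}
    parser = PARSERS.get(record["_format"])
    if parser is None:
        return record
    try:
        record["normalized"] = parser(raw_event)
    except (KeyError, ValueError) as exc:  # JSONDecodeError is a ValueError
        # A parsing failure never drops the event; the raw text stays searchable.
        record["_parse_error"] = f"{type(exc).__name__}: {exc}"
    return record


def ingest_all(raw_events):
    return [ingest(e) for e in raw_events]


def failed_logins(records):
    """Query the normalized layer: one question across formats."""
    return [r["normalized"]["user"] for r in records
            if r["normalized"] and r["normalized"]["action"] == "login"
            and r["normalized"]["outcome"] == "failure"]


def search_raw(records, needle):
    """Query the raw layer: still finds events no parser understood."""
    return [r["_raw"] for r in records if needle in r["_raw"]]


if __name__ == "__main__":
    recs = ingest_all(SAMPLE_EVENTS)
    for r in recs:
        print(r["_format"], r["normalized"], r["_parse_error"])
    print("failed logins:", failed_logins(recs))
    print("raw hits for 'weirdapp':", search_raw(recs, "weirdapp"))
```

The two query functions show the payoff of storing both layers: `failed_logins` asks one question of the normalized fields regardless of whether the source spoke JSON or key=value, and `search_raw` still reaches the syslog line that no parser handled. In a real pipeline the parser table would be keyed by source, not guessed from the first bytes, but the invariant is the same: the raw event is indexed before any parser runs, so onboarding a new source can never lose data while its parser is still being written.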
