
The Reanimation of SIEM

With cloud awareness, AI, and Automation

Chas Clawson – Security Field CTO
Seth Williams – Security Solutions Architect


(This is part one of a three-part series)


Introduction

We were going to start this article with a good SIEM joke, but we're still tuning it. Ba dum ching! Unfortunately, that quip resonates too well with many security professionals: too many SIEM deployments have failed to deliver on their promise. If you've been in the industry long enough you may have heard SIEM referred to as "Stupidly Irrelevant Electronic Messaging," or heard flatly that "SIEM is dead." Part of that is other vendors trying to break into the security analytics market, but part of it is our own failings as an industry. The truth is, SIEM is not dying or dead; it is having a serious reawakening in today's cloud age.

So instead of a eulogy, we'll start this discussion with the biggest technology transaction of the year to date: Cisco Systems agreed to acquire cyber security firm Splunk in a $28bn deal (we know you've seen the meme). That should tell everyone that SIEM is not dead. There is clearly value, $28bn of it in Cisco's case, in having a single security platform for correlation and incident response.

Cisco buys Splunk for $28bn
What has your SIEM done for you lately?

The real question is, what has your SIEM done for you lately? No doubt, Splunk and ArcSight were the SIEM racehorses of their day. But you can't put an old thoroughbred back into service, and the same goes for legacy tools. Security in our modern digital world requires fundamental re-architecture with best-of-breed technologies. Splunk was originally designed for on-premises deployment, so its cloud offering is essentially a lift-and-shift of the original with a SaaS management overlay. The architecture is fundamentally the same, and just understanding the Splunk architecture can be head-splitting. The difficulty is evident in the fact that security professionals have built lucrative careers purely as Splunk engineers.

So how does it work? Data sources send their logs to a Splunk universal or heavy forwarder. For the out-of-the-box detections to fire, that data has to be parsed and normalized into the Splunk Common Information Model (CIM). This is done through Technology Add-ons (TAs) that the customer has to install for each source type and keep updated; data that is not CIM-normalized simply will not match the stock detection content. The forwarder (a heavy forwarder in particular) can pre-filter and parse the data before sending it on to the Splunk indexers, each of which can only handle on the order of a few hundred GB of data a day. They can be scaled horizontally, at a cost of course. Search heads then distribute searches across one or more indexers, and the results are finally presented to the customer. All of this has to work not only under normal load, but has to be built (and billed) for peak ingest, which may rarely occur: the "build the church for Sunday" approach, with the capacity sitting dormant most of the time. Does this sound like a modern cloud approach? Should customers really have to understand those complexities? In today's SaaS delivery market, the complexities should be abstracted away from users so they can focus on the value the tool brings.
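To make the normalization point concrete, here is an added Python example written for this article; it is not Splunk's own TA code and is not tied to any vendor product. It takes two constructed raw sources, an sshd syslog line and an AWS-style ConsoleLogin JSON record, maps them onto the field names of the CIM Authentication data model (action, user, src, dest, app), and then runs a stock-style "repeated failures followed by a success" detection written only against those normalized fields. A third source type, for which no normalizer exists, is dropped on the floor, which is exactly what happens to detection coverage when a TA is missing or out of date. The regexes, sample events, host names and the failure threshold are all assumptions made for the illustration.

```python
"""Illustrative CIM-style normalization of two raw log formats, followed by a
detection that works only on normalized events. Sample data is constructed;
this is not Splunk's TA mechanism, just the idea behind it."""
import json
import re
from collections import defaultdict

# Constructed sample events (sourcetype, raw text). RFC 5737 addresses,
# made-up host names. The last event has no normalizer at all.
RAW_EVENTS = [
    ("syslog", "Jan 10 10:00:01 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2"),
    ("syslog", "Jan 10 10:00:03 bastion sshd[2212]: Failed password for root from 203.0.113.7 port 51023 ssh2"),
    ("syslog", "Jan 10 10:00:05 bastion sshd[2213]: Failed password for root from 203.0.113.7 port 51024 ssh2"),
    ("syslog", "Jan 10 10:00:09 bastion sshd[2214]: Accepted password for root from 203.0.113.7 port 51025 ssh2"),
    ("cloud_json", json.dumps({"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.4",
                               "userIdentity": {"userName": "alice"},
                               "responseElements": {"ConsoleLogin": "Failure"}})),
    ("cloud_json", json.dumps({"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.4",
                               "userIdentity": {"userName": "alice"},
                               "responseElements": {"ConsoleLogin": "Success"}})),
    ("unknown", "appliance log nobody wrote a TA for: login ok user=bob ip=192.0.2.9"),
]

# Assumed sshd message shape; real TAs carry many more patterns than this.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def normalize_syslog(raw):
    """sshd syslog line -> CIM Authentication fields, or None if not an auth event."""
    m = SSHD_RE.search(raw)
    if not m:
        return None
    return {"action": "failure" if m["outcome"] == "Failed" else "success",
            "user": m["user"], "src": m["src"],
            "dest": raw.split()[3],  # syslog host field in this constructed format
            "app": "sshd"}


def normalize_cloud_json(raw):
    """AWS-style ConsoleLogin record -> CIM Authentication fields."""
    ev = json.loads(raw)
    if ev.get("eventName") != "ConsoleLogin":
        return None
    outcome = ev.get("responseElements", {}).get("ConsoleLogin", "")
    return {"action": "success" if outcome == "Success" else "failure",
            "user": ev.get("userIdentity", {}).get("userName", "unknown"),
            "src": ev.get("sourceIPAddress", "unknown"),
            "dest": "aws-console", "app": "aws"}


# The "TA" table: one normalizer per sourcetype the customer has installed.
NORMALIZERS = {"syslog": normalize_syslog, "cloud_json": normalize_cloud_json}


def normalize(events):
    """Return (normalized events, number of events no normalizer covered)."""
    out, skipped = [], 0
    for sourcetype, raw in events:
        fn = NORMALIZERS.get(sourcetype)
        rec = fn(raw) if fn else None
        if rec is None:
            skipped += 1      # invisible to every CIM-based detection
        else:
            out.append(rec)
    return out, skipped


def detect_bruteforce_then_success(events, min_failures=3):
    """Stock-style detection written purely against CIM fields: at least
    min_failures failures for one (src, user), then a success for the same pair."""
    failures = defaultdict(int)
    hits = []
    for e in events:
        key = (e["src"], e["user"])
        if e["action"] == "failure":
            failures[key] += 1
        elif e["action"] == "success" and failures[key] >= min_failures:
            hits.append({"src": e["src"], "user": e["user"],
                         "app": e["app"], "failures": failures[key]})
    return hits


if __name__ == "__main__":
    normalized, skipped = normalize(RAW_EVENTS)
    print(f"normalized {len(normalized)} events, {skipped} skipped (no TA)")
    for hit in detect_bruteforce_then_success(normalized):
        print("ALERT:", hit)
```

Note that the detection never touches a raw line: it only knows `action`, `user` and `src`. Add a new source type and the same detection covers it for free, as long as someone writes and maintains the normalizer; let a TA fall out of date so that the fields stop extracting, and the detection goes quiet without any error.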

Modern SIEM solutions have evolved profoundly to address the multifaceted challenges of contemporary multi-cloud and hybrid ecosystems:
  • Essential Characteristics:
    • Cloud-Native, Not Cloud-Washed: Originated and built in the cloud on a microservices architecture, rather than an on-premises product re-hosted as a service.
    • Actionable Multi-Tenant Intelligence: Providing across-the-board, actionable insights to customers, even in multi-cloud contexts.
    • Robust Scalability: True elasticity without hidden costs, scaling without a sales conversation or a new invoice.
    • Data Pricing Flexibility: Pricing aligned with specific use cases and data volumes.
    • Potent Correlation Capabilities: Entity-centric and chained detections, with options for UEBA and adaptable tuning expressions.
    • Transparent Operation: No concealed or "black box" detection models.
  • Integration & Automation:
    • Threat Intelligence Synergy: Including MITRE ATT&CK mapping and customizable tagging of entities and signals.
    • Machine Learning Assistance: Encompassing ML confidence scoring and tuning aid.
    • Inclusive Automation: Provided at no extra cost, with extensible third-party integrations.
  • Addressing Alert Fatigue:
    • Providing a thorough attack timeline with an entity-centric approach.
  • Unwavering Support:
    • A responsive vendor, always ready to assist when called upon.

