This blog post was written by Karl Klaessig.
For more than a decade, in response to higher volumes of alerts, security information and event monitoring (SIEM) became an integral component of enterprise security programs. However, the increasing sophistication and complexity of attacks are driving the need for advanced analytics—beyond the log aggregation of older SIEM solutions. Security analytics, which uses Big Data technologies, has emerged to fill in the gaps.
In its recent report, “Security Analytics Team of Rivals,” consulting firm Securosis contends that security analytics solutions provide maximum value when integrated with advanced SIEM solutions and vice versa. One is not a replacement for the other, nor should they be viewed as competing solutions.
Most enterprises have had a SIEM in place for a number of years. Its main strengths include: data aggregation, correlation, forensics and incident response, and reporting. The data sets that are generally handled best by a SIEM are network data, endpoint activity, server and data logs and change control activity, identity data, application logs, and threat intelligence feeds.
One thing that some SIEMs struggle with is finding patterns in large volumes of data. Security analytics solutions, on the other hand, are intentionally designed to crunch through SIEM’s huge data sets, looking for indicators of malicious activity, such as anomalous patterns of activity, misconfiguration, or privilege escalation. The integrated solutions are particularly good at advanced threat detection and tracing insider attacks.
How do you benefit from integrating analytics solutions with your SIEM? For one thing, today’s security analytics solutions don’t allow you to search for an alert and then set in motion an incident response process—SIEMs handle that job and lend themselves well to easy and comprehensive threat activity visualizations and reporting. There are two key integration points where you’ll find the combination invaluable:
- Automated Data Analysis: SIEMs have been proficient at collecting and aggregating data for a long time. In order to extract this data for further analysis, ensure that your integration of SIEM and security analytics has sufficiently robust automated processes. This can save an enormous amount of time.
- Alert Prioritization: Both your SIEM and your security analytics tools will create and send out alerts. Bi-directional information sharing between the SIEM and security analytics solutions is essential so that your team can prioritize investigative actions and maintain context.
Let’s look at a scenario where SIEM and security analytics can complement one another to detect what appears to be an advanced insider attack. In this use case, the security team of a fast-growing retail operation receives an alert from its SIEM solution. It appears that an insider is probing the internal network, which is highly unusual activity for an employee. For a more complete picture of the situation, the team accesses its integrated SIEM and security analytics solution for additional insights on what the adversary is up to. The integrated investigation reveals several types of unusual activity—like privilege escalations and configuration changes on multiple devices. The SIEM reports the trajectory of the attacker, which results in compromise of the device that triggered the alert in the first place, and this enables smarter and faster remediation.
To learn more about how your SIEM and security analytics tool can coordinate and complement each other, read the Securosis report, “Security Analytics Team of Rivals.”