The following is a guest post by a 2016 Secure360 Twin Cities Gold Sponsor Rapid7.
If there is one thing we do well in security it’s the proliferation of acronyms. The current count on abbreviations.com for security terminology is 1,617 (makes you wonder whether Vegas would take a bet on that surpassing 2,000 by end of year). Perusing the acronyms feels like reading through the last few decades in the security industry. Some technologies took off, some didn’t, and a few are continuously evolving.
Another thing our industry loves to do is declare a technology ‘dead’, and then celebrate its demise by birthing a new acronym – think of it as a phoenix technology that rises from the ashes. The latest to undergo the death knell has been a longtime stalwart in the security acronym game, the SIEM. The debate is currently raging amongst vendors, customers, and industry analysts whether the era of SIEM is dead. Some say that User Behavior Analytics (UBA) is the final nail in the SIEM coffin, while others redefine the space by bolting on “next-gen”, or “2.0”, to make the acronym even longer.
What this nebulous noise misses is the fact that for those on the security front lines, they don’t care what the acronym is, they care about a solution that solves their problems. Instead of looking at what these acronyms “should cover”, the focus should be on solving the problems every security team faces daily.
Give us confidence in detection and remediation. That’s what we want!
Let’s consider the top problems companies face in their security programs today:
- Overwhelmed by too much information and alerts.
- Understaffed to cover all the needs of the organization.
- Unclear that the actions taken are accurate and helpful.
Sound familiar? Let’s flip the script and be more positive – what would you want your security program to look like today?
- Focused on the right information that generates prioritized alerts.
- Solutions that amplify the staff you have and shows progress across the company.
- Confidence that you are remediating threats quickly and completely.
That feels better. Of course, the true purpose of a SIEM was to achieve those aspirations, but the requirements were also conceived in a dreamy world. Heavy hardware deployments, professional services for initial deployment, and then full-time staff to watch, maintain, and run the system. And now; 62% of organizations receive more alerts daily from their SIEM than they can actually investigate. Many of us aren’t even confident in our ability to detect the number one attack vector behind breaches, compromised credentials. In order to achieve the above bullets, key functionalities must include analytics and search, familiar integrations from endpoint to cloud, and most importantly, a process that doesn’t require a mammoth of resources to keep the train moving.
Analytics is always a tricky term because it brings up the dated ‘rules’ terminology… that manifests in a ton of work for your team and the need for dedicated data specialists. Fortunately, in 2016, we now can choose analytics solutions that don’t require a data degree in order to siphon through the mountains of network data and only alert on what you really care about.
Using accessible analytics, yes, often referred to as UBA, your team can correlate data from your entire ecosystem to detect internal & external threat actors. Correlating the millions of events on your network back to the users slashes threat validation and scoping times, meaning faster incident investigations.
As we understand that data is more and more useful in our lives, and analytics help to filter it into intelligence, we still have the immediate need to search, but do it in a way that we are accustomed to in everyday life. When we want to find a recipe for tonight’s dinner, we hit Google, find a result, watch a video, and download the ingredients. The same has to go for your ability to search through machine data. It should be immediately apparent what you are looking for during an incident investigation, while allowing you the ability to hunt for new threats or relieve compliance headaches.
CYA from Cloud to Endpoint
When considering analytics of any sort for incident investigation, it is important to consider how you will analyze events from both the endpoint and managed cloud environments. In our world of BYOD and IoT (there we go again!) it has become paramount to correlate behavior taken on cloud services with happenings occurring on individual endpoints. When you have that complete lifecycle of information in an investigation you have a full dossier that allows you to confidently remediate problems, faster and more completely.
This is only the foundation to an incident detection and response program, but the above harken back to our original desires from SIEM. Rather than declare a technology dead, or simply tack on a ‘next-gen’ marketing gimmick, we should focus on building these elements in the form and function we always wanted.
So regardless of the name you choose, let’s hope it solves the problems you and your team have today!