May 30, 2019 / by Siddhant Mishra / In siem /

Combat Cyberthreats With Next Gen SIEM

“Next gen SIEM” remains a buzzword in the cybersecurity market, with many organizations and vendors realizing that the traditional approach to detecting threats is no longer enough. The multitude of high-profile breaches over the last few years, combined with how long it took for the affected organizations to understand just what hit them, clearly indicate that the mere use of a threat hunting tool doesn’t guarantee anything. As we often say at DNIF, SIEM is not a set-and-forget tool. For it to perform optimally, it needs constant optimization and oversight in terms of managing rules, incident and threat hunting models.

Such data breaches have forced security executives around the globe to put on their thinking hats and analyze what kinds of functionality they need in their SIEM. Meanwhile, SIEM remains an integral part of security operations, driving core security objectives and security analytics for organizations.

The evolving nature of cyberthreats

As the volume and sophistication of malware strains distributed on the internet continue to increase on a daily basis, organizations are exposed to an ever-increasing number of risks.

Every day, the AV-TEST Institute registers over 350,000 new malicious programs (malware) and potentially unwanted applications (PUA). - AV-TEST Institute

Remember the Marriott data breach?

[Image: Brian Krebs of Krebs on Security on the Marriott data breach]

Around November 2018, Marriott International announced that hackers had stolen the data of approximately 500 million customers. The breach actually occurred on systems supporting Starwood-branded hotels starting in 2014. The attackers remained in the system after Marriott acquired Starwood in 2016 and were not discovered until September 2018.

As security teams continue to learn from history and adapt their defenses to the latest threats, are traditional SIEM platforms enough to detect these kinds of data breaches and vulnerabilities? Does the problem lie with the people who are managing SIEM platforms?

The current state of SIEM

SIEM continues to be an integral part of many organizations’ security strategies. SIEM platforms excel at ingesting and indexing modest volumes of data, and performing basic correlations with known indicators of compromise (IOCs). However, they are unable to understand and adapt to user behavior.

For zero-day threats or unknown attacks, SIEM is not able to flag suspicious activity or anomalies that don’t align with normal patterns of use. Traditional SIEM platforms were not built to solve these challenges.

Let’s look at a list of other challenges facing traditional SIEM solutions.

Challenges with traditional SIEM

  • Schema limitations make handling disparate data sources and large volumes of data difficult.
  • Signature-based detection and static correlation rules generate a lot of false positives, as baselines and usage patterns change over time.
  • Use cases need to be constantly updated or fine-tuned for improved accuracy.
  • Inflexible architectures make scaling difficult.
  • New features, threat hunting capabilities and detection updates are poorly integrated into the architecture. Some traditional SIEM vendors try to overcome this limitation with “plug and play” module-based integration. For example, additional modules might be required to ingest and process network flow-based data, perform user and network behavior analysis, create and manage automation playbooks, and so on. As the number of add-ons grows, they become difficult to manage. Fundamentally, these SIEM platforms are still unable to address the problem of ingesting huge volumes of data in varied formats.

What’s different about next-gen SIEM

  • Instead of relational database technologies like MySQL, whose schema limitations are inconvenient when adding new data sources, next-gen SIEM platforms use technologies like Hadoop and ElasticSearch for the same tasks. These modern data ingestion and processing technologies are better suited to the volumes of data and varied data formats present in security operations.
  • When it comes to SIEM, horizontal scaling is better than vertical scaling. The volume of logs collected by a SIEM platform can vary over time, and horizontal scaling makes it easy to leverage distributed computing features present in next-gen solutions. The “rip-and-replace” strategy that characterizes vertical scaling is expensive and hard for organizations to manage: replacing an entire machine is very costly (and leads to significant downtime, too) compared to simply adding an additional node to a clustered setup.
  • Core threat hunting capabilities are built into the platform, rather than being made available as “add-ons.” This approach facilitates smooth and robust integration.
  • Many next-gen platforms include built-in machine learning capabilities as part of their architectures.
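To make the contrast between the static correlation rules criticized above (false positives as usage patterns drift) and the per-entity behavioral baselines that next-gen platforms build in concrete, here is an added example that is not DNIF's code or part of the original post. It runs both styles of rule over a constructed two-week series of daily failed-login counts: a fixed threshold of 20 and a rolling 7-day mean plus 3 standard deviations; the user names, counts and parameters are all assumptions.

```python
from statistics import mean, pstdev

# Constructed sample (not real data): failed-login counts per day for two accounts.
# "svc_backup" legitimately ramps up as a batch job is rescheduled across the fortnight;
# "alice" is steady and then spikes on the final day.
DAILY_FAILED_LOGINS = {
    "alice":      [2, 3, 1, 2, 4, 2, 3, 2, 1, 3, 2, 2, 3, 40],
    "svc_backup": [5, 6, 8, 10, 12, 15, 18, 20, 22, 25, 28, 30, 33, 35],
}

STATIC_THRESHOLD = 20  # assumed fixed correlation-rule threshold: alert when count > 20


def static_rule(counts, threshold=STATIC_THRESHOLD):
    """Static correlation rule: flag every day whose count exceeds a fixed threshold.
    Returns 0-based day indexes."""
    return [day for day, c in enumerate(counts) if c > threshold]


def baseline_rule(counts, window=7, k=3.0, min_std=1.0):
    """Behavioral baseline: compare each day with the mean and standard deviation of
    the previous `window` days for the same entity. A steady upward trend keeps
    raising its own baseline, so it is learned rather than alerted on; only a sudden
    departure from the entity's recent history is flagged. `min_std` stops a nearly
    flat history from producing a zero-width band."""
    flagged = []
    for day in range(window, len(counts)):
        history = counts[day - window:day]
        mu = mean(history)
        sigma = max(pstdev(history), min_std)
        if counts[day] > mu + k * sigma:
            flagged.append(day)
    return flagged


def compare(data=DAILY_FAILED_LOGINS):
    """Run both rules over every entity and return the days each one would alert on."""
    return {
        user: {"static": static_rule(counts), "baseline": baseline_rule(counts)}
        for user, counts in data.items()
    }


if __name__ == "__main__":
    for user, verdict in compare().items():
        print(f"{user:12} static={verdict['static']}  baseline={verdict['baseline']}")
```

On this sample the static rule raises six alerts on the service account's legitimate ramp-up while still catching alice's spike, whereas the baseline rule alerts only on alice's final day; the trade-off is that the baseline needs a window of history before it can judge anything, which is why both kinds of rule still need ongoing tuning.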

Ready to get started?

DNIF is an all-in-one SIEM platform that combines traditional threat hunting features with advanced technologies like security analytics, SOAR and UEBA to bring power and efficiency to security operations centers of all sizes. Here are just a few of the things that make DNIF unique:

  • Distributed architecture and computation: Data retrieval and processing are fast and hassle-free.
  • High availability and load balancing: Easily spin up clusters to facilitate high throughputs during data ingestion and storage.
  • Horizontal scaling: Add or remove storage and compute automatically as needed.
  • Ingest any data, in any format: A schema-less architecture ensures no device is left out when it comes to monitoring your IT infrastructure.
  • Blazing fast query response: Data is stored in indexes, rather than traditional databases — so you can retrieve data in 1/30 of the time it used to take.
  • Back up and restore data in a matter of minutes.

Want to see DNIF in action? Request your demo now.