Laura

30/05/2023

4 SIEM Augmentation Tools and Why You Need Them

Security information and event management (SIEM) tools do a huge amount of security heavy lifting. As a central record of millions of events, a SIEM is what security operation centres (SOCs) rely on for everything from compliance to threat detection and response.

But as anyone who has ever worked in a SOC will testify, SIEMs have blind spots and problems—lots of them (read our Head of Technology Brad Freeman’s account of using a SIEM).

SIEMs can be extremely noisy. Legacy SIEM systems cannot handle the data thrown at them from a typical modern enterprise IT environment made up of on-prem, remote and hybrid teams. Plus, without augmentation, SIEMs cannot see much of the complex threat behaviour inside a network or give security teams holistic context. They also miss threats that don’t match their pre-configured rule books and need constant configuration.

Workflow is another problem. Over a third of SOCs that use SIEMs say that poor workflow makes their SIEMs ineffective. Few companies run SIEMs that give them everything they need in one place, and analysts have to jump from one solution to another. It’s even worse with low-cost SIEMs.

To make SIEMs more effective, security teams need to augment them. Here are four SIEM augmentation tools that SOCs rely on. 

UEBA for Spotting Insider Threats

User and entity behaviour analytics (UEBA) is a security technology that uses machine learning to spot threats based on deviations from “normal” behaviour. When a user or entity starts behaving in a way that is atypical (e.g., a user accessing files outside their workflow or a device connecting to an external IP), a UEBA system notices something is up.

UEBA doesn’t rely on set rules or triggers but instead gains an understanding of how the network works through machine learning.

Learn more: UEBA and other insider threat detection tools.

This is useful because a SIEM has no native understanding of what normal behaviour looks like. Instead, it must be configured to alert security teams to potential threats based on combinations of rules (for example, a change in permissions for a file or folder) that add up to a likely threat. SIEMs are great at keeping a record of system changes, but combined with UEBA they become a much smarter security tool.

UEBA technology can look at real-time behaviour, such as a series of failed login attempts or an employee downloading more data than normal, and act accordingly. This is a powerful capability for spotting insider threats – a type of security threat that doesn’t follow the rules.

NDR for Understanding Network Behaviour

SIEM tools help security teams correlate events on devices and system assets. But they cannot give SOCs any insight into network information and data flows. This is a weakness security teams cannot ignore.

Over 91% of malware arrives through encrypted HTTPS traffic, and attack chains featuring fileless aspects are becoming increasingly common. Lateral movement is a feature of at least 25% of all attacks. If your SOC cannot see what’s happening in your network, these risks are not properly addressed. 

Learn more: Why remote and hybrid teams need NDR.

Augmenting a SIEM with network detection and response (NDR) means that security teams can plug these gaps. By monitoring the east-west traffic that flows inside a network, NDR shows analysts how devices talk to each other and to external IPs.

NDR solutions give SOCs a way to superimpose network information on event data from endpoints and dramatically improve their mean time to detect (MTTD) and mean time to respond (MTTR).

SOAR for Automating SIEM Processes

SIEMs can be incredible security resources. But they can also destroy security efficiency. 

Unfortunately, the latter is increasingly the reality for companies that rely on SIEMs – over 70% of security professionals say they are overwhelmed by managing alerts. This issue is caused primarily by SIEMs sending analysts more false positive alerts than they can handle. To protect analysts and security teams, automation is critical. 

Learn more: SOAR and security automation.

Plugged into a SIEM, security orchestration, automation and response (SOAR) solutions can automate a lot of the investigation and response workload that SIEMs create. For example, with a SOAR tool, the attachments on a suspected phishing email could be automatically extracted and scanned with antivirus (AV); if anything suspicious were found, the sending IP address could be blocked and execution of the attachment stopped.
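The phishing playbook just described, as an added example that is not any SOAR vendor’s code: the AV scan is stood in for by a SHA-256 lookup against a constructed blocklist, the sending IP is read from the Received header of a constructed email, and the block and quarantine actions are returned as a list rather than sent to a firewall or endpoint agent.

```python
import email
import hashlib
import re
from email.message import EmailMessage
from email.policy import default

# Constructed blocklist standing in for the AV / threat-intel verdict.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"MZ-fake-malicious-payload").hexdigest()}


def build_sample_email():
    """Constructed suspected-phishing email: one benign and one malicious attachment.
    The Received header carries the sending IP (RFC 5737 documentation range)."""
    msg = EmailMessage()
    msg["Received"] = "from mail.example.net ([203.0.113.7]) by mx.example.com; Tue, 30 May 2023 09:00:00 +0000"
    msg["From"] = "invoices@example.net"
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 harmless", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ-fake-malicious-payload", maintype="application", subtype="octet-stream", filename="invoice.exe")
    return msg.as_string()


def sender_ip(msg):
    """Pull the connecting IP out of the Received header, if present."""
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(msg["Received"] or ""))
    return match.group(1) if match else None


def run_phishing_playbook(raw_email):
    """Extract every attachment, scan it, and return the response actions a SOAR
    would hand to the firewall and endpoint agent. Actions are returned rather
    than executed so the playbook can be exercised offline."""
    msg = email.message_from_string(raw_email, policy=default)
    actions = []
    for part in msg.iter_attachments():
        digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        if digest not in KNOWN_BAD_SHA256:
            continue  # clean attachment: no action, no analyst time spent
        actions.append(("quarantine_attachment", part.get_filename()))
        ip = sender_ip(msg)
        if ip and ("block_ip", ip) not in actions:
            actions.append(("block_ip", ip))
    return actions


if __name__ == "__main__":
    for action, target in run_phishing_playbook(build_sample_email()):
        print(f"{action}: {target}")
```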

SOAR solutions bridge gaps between security solutions, helping build the context SOCs need to investigate threats. 

SenseOn for Insight, Noise Reduction, and Lower Costs

The biggest SIEM challenge and opportunity can be summed up in one word – data. SOCs either have too much data (without context) or need more insight into what is happening around their environment.

After a software-only installation, SenseOn delivers three core out-of-the-box (OOTB) benefits – dramatic cost savings, reduced noise and accelerated MTTR.

Built to solve the data problem by putting all the information SIEMs create through a patented machine learning model, SenseOn is a proven SIEM augmentation solution. Security teams at companies including leading law firms and national food and beverage (F&B) manufacturers use SenseOn to reduce noise, automate responses, and combine alerts into useful threat analysis cases.

Learn more: How organisations like Yeo Valley use SenseOn.

With more than 600 OOTB detections inside a unified data model (that takes information from endpoints and networks), SenseOn boosts SIEM performance by detecting advanced threats without complex engineering or tuning, allowing SIEMs to use data far more effectively. 

Try a demo of SenseOn today.