Modern SIEM system | DnA-IT
  • AI-based solution

  • Short response time

  • SaaS solution

  • One management interface

  • Real-time event detection

  • Safe response to attacks

It’s time to get acquainted with a smart SIEM system

As the cyber threat landscape keeps growing, organizations need a SIEM system that can analyze threats intelligently and automatically.

Rapid7’s InsightIDR is a breach detection and response system built on user and endpoint behavior analytics; it provides user-level visibility and identifies the attacker’s patterns of action.

In addition, the system uses deception techniques, together with a simple visual investigation that follows the stages of the attack chronologically, and thus shortens response time 20 times.

For the benefits of a smart SIEM system

SIEM systems – the importance of the known and the unknown

Most SIEM tools can detect static, known threats using general threat intelligence: previously seen attacks are compared against the logs in the system to check whether a signature for that threat is present.

For this approach to work, the SIEM system must include high-quality threat intelligence with signature recognition on which detection rules can be built.
However, as organizations secure their critical infrastructure (servers) better, attackers look for other entry points and turn to endpoints and the people who use them as the initial foothold into the enterprise network.

Almost all information security breaches involve an endpoint at some step of the attack. This type of exposure cannot be detected on a signature or rule basis.

Today, malware lets attackers gain access to internal networks, seize computing resources for profit (cryptocurrency mining, for example), or use administrator permissions to move across the corporate network (lateral movement) and scan workstations and servers for more sensitive information.

A modern and powerful SIEM threat detection system should incorporate:

  • Security event threat detection technology, which aggregates information from network events
  • Endpoint threat detection technology, capable of providing detailed information on malicious activity
  • Clear alerts with relevant context that let IT professionals analyze the event quickly and act accordingly

Outdated SIEM systems have no ROI in the modern threat landscape

Security is much more than regulatory compliance and log management. Nevertheless, many information security teams still rely on traditional, heavyweight SIEM systems.

These traditional SIEM systems consume considerable resources to deploy and operate, and demand substantial effort to manage logs, rules and data templates; in effect they run a kind of Big Data platform for security events and analytics.

Most often, security teams find themselves chasing alerts across different tools while attackers infiltrate the network all the more easily. Worse, previous-generation SIEM systems focus on perimeter activity to prevent intrusion, and so miss important information that lives in modern network sources such as endpoints and users, SaaS applications, cloud servers and more.

Because traditional systems cannot see the whole picture, they generate many false positives. Teams are left drowning in data and missing the real threats lurking elsewhere on their network.

Modern threat detection requires a two-pronged approach

Rule-based threat detection, which matches known and expected patterns, is still an important component of the SOC toolset. Brute-force or phishing attacks, for example, can usually be identified easily and must be stopped early in the attack chain, before they become critical.

However, the modern network has evolved, and so has the threat landscape.

Fewer and fewer attacks are predictable from rules. The link between insider threats and malware, for example, is more complex to detect and may evade traditional SIEM systems.

Recognizing these threats requires combining behavioral anomaly detection with human analysis in order to identify an event and take action.

No single tactic can protect against all threats; the best defense combines rule-based detection, anomaly detection with investigation support, and rapid response processes.
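The two prongs described above, as an added illustration that is not code from the page or from Rapid7: a rule-based brute-force detector and a per-user behavioral baseline, both run over a constructed authentication log. The rule catches the password-guessing burst against bob, while only the behavioral baseline flags alice’s successful logon from a source she has never used.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): timestamp|user|source_ip|result
SAMPLE_LOG = """\
2024-03-01T09:00:00|alice|10.0.0.5|success
2024-03-02T09:05:00|alice|10.0.0.5|success
2024-03-03T09:02:00|alice|10.0.0.5|success
2024-03-04T08:10:00|bob|10.0.0.9|success
2024-03-04T08:10:05|bob|10.0.0.9|success
2024-03-05T11:00:00|bob|203.0.113.7|failure
2024-03-05T11:00:10|bob|203.0.113.7|failure
2024-03-05T11:00:20|bob|203.0.113.7|failure
2024-03-05T11:00:30|bob|203.0.113.7|failure
2024-03-05T11:00:40|bob|203.0.113.7|failure
2024-03-06T09:00:00|alice|198.51.100.4|success
"""

def parse(log_text):
    """Turn the pipe-separated lines into dicts, ordered by time."""
    events = []
    for line in log_text.splitlines():
        ts, user, src, result = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "ok": result == "success"})
    return sorted(events, key=lambda e: e["ts"])

def rule_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Rule-based prong: >= threshold failures for one (source, user) inside a sliding window."""
    recent, alerts = defaultdict(deque), set()
    for e in events:
        if e["ok"]:
            continue
        q = recent[(e["src"], e["user"])]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.add((e["src"], e["user"]))
    return alerts

def anomaly_new_source(events, min_history=2):
    """Behavioral prong: a successful logon from a source this user has never used before.
    The baseline is the user's own earlier successes, so no signature is needed."""
    history, alerts = defaultdict(list), []
    for e in events:
        if not e["ok"]:
            continue
        hist = history[e["user"]]
        if len(hist) >= min_history and e["src"] not in hist:
            alerts.append((e["user"], e["src"], e["ts"].isoformat()))
        hist.append(e["src"])
    return alerts
```

Both detectors only raise candidates; as the text says, an analyst still has to investigate the anomaly before acting on it.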

    Want to try it out and see how it works?

    The requirements of a modern SIEM system

    Smart analytics for detecting unusual patterns of action

    A system for detecting and responding to security breaches, based on user and endpoint behavior analytics, user-level visibility and identification of the attacker’s patterns of action

    Use of advanced techniques to shorten response time

    Using deception techniques alongside a simple visual investigation that follows the stages of the attack chronologically shortens reaction time 20 times

    SaaS solution

    Advanced SIEM solution as a cloud service

    Consolidation of protected information

    One interface for managing all security incidents, in accordance with policy

    Detection of breaches and abnormal behavior in real time

    Detecting the use of stolen passwords, spyware and phishing activity in real time

    Safe response to attacks

    Quick response and stopping attacks based on a visual chronological view

    InsightIDR – SIEM system for modern threats

    Rapid7’s InsightIDR is the only cloud SIEM system that provides full visibility down to the endpoint level, including a rule set, network traffic detection and out-of-the-box user behavior analytics.

    The system is cloud-based and connects to the organization’s internal data sources, network activity and organizational information coming directly from users, while reducing the time and effort required for maintenance and operation.

    The IT team will be able to detect attacks days after purchase, not weeks or months. The advantage of InsightIDR over traditional SIEM systems lies in consolidating data from all information sources, including endpoints, network traffic and alert logs, in a true cloud service, all in order to identify any possible attack vector.

    This combination gives you real-time visibility and detection of malware, missing files and the use of stolen credentials.
    In fact, over 90% of all InsightIDR detections occur long before any significant impact.

    InsightIDR combines the full power of forensics, log search and sophisticated dashboards in a single solution.

    It is a software tool provided as a service (SaaS) that collects data from all the relevant network security systems in the organization, along with authentication logs and endpoint monitoring data.
    The system then correlates the collected data into an incident automatically, when the evidence justifies it.

    The system runs analytics on this data to correlate users, accounts, authentications, alerts and permissions. The analysis provides insight into user behavior while looking for known indicators of compromise.

    As a deployment model, Rapid7 also recommends that InsightIDR use dedicated on-premises collectors to gather event data, log data and endpoint data. To collect endpoint data in real time, the Insight Agent is installed on the relevant endpoints and servers.


    Why use Rapid7 InsightIDR?

    When you connect all the different information sources to InsightIDR, you get the following built-in capabilities:

    • Consolidation of events from logs and data into a single security view
    • Analysis of raw logs, endpoint data and network traffic
    • Alerts on suspicious activity
    • Event prioritization
    • Event investigation
    • Monitoring of security activities


    InsightIDR in action

    An enterprise information security (InfoSec) team can rely on InsightIDR daily, on an ongoing basis, to keep the network secure.

    To maintain network security, the InfoSec team can:

    • Review alerts and confirm or dismiss suspicious behavior
    • Examine the details and activity collected for the event, such as time, users, actions and assets involved
    • Gather evidence and keep watch over users and assets using the watch list or restricted assets
    • Put suspicious behavior in context (correlating events) by searching logs, browsing firewall activity, or looking up IP addresses


    Response to the event

    Although many incidents turn out to be false alarms, InsightIDR links related events into a picture of malicious activity so that the InfoSec team can respond appropriately: for example, by removing an asset from the network, reinstalling a clean operating system and restarting it.

    Shall we talk?
    Leave your details and one of our experts will contact you