Modern SIEM system
It’s time to get acquainted with a smart SIEM system
In today's reality, where the cyber threat landscape keeps growing, there is a need for a SIEM system that can study threats in a smart and automatic way.
Rapid7's InsightIDR is a breach detection and response system with smart user and endpoint analytics; it provides user-level visibility and identifies the attacker's patterns of action.
In addition, the system uses deception techniques, together with a simple visual investigation that follows the stages of the attack chronologically, and thus shortens response time 20 times.
SIEM systems – the importance of the known and the unknown
Most SIEM tools are capable of detecting static, known threats based on general threat intelligence: previously seen attacks are compared against the logs in the system in order to detect the signature of that threat.
To implement this concept successfully, the SIEM system must include high-quality threat intelligence with signature recognition, from which rules can be built.
However, as organizations better secure their critical infrastructure (servers) – attackers look for other network entry points, and turn to endpoints and the people who use them, as the initial hacking point for the enterprise network.
Almost all information security breaches involve an endpoint as a step in the attack. This type of exposure cannot be detected by signature- or rule-based detection.
Today, malware allows attackers to gain access to internal networks, seize computing resources for profit (for example, cryptocurrency mining), or use admin permissions to move across the corporate network (Lateral Movement) and scan workstations and servers for more sensitive information.
A modern and powerful SIEM threat detection system should incorporate:
- Security event threat detection technology, which aggregates information from network events
- Endpoint threat detection technology, capable of providing detailed information on malicious activity
- Clear alerts with relevant contextual information, so that IT professionals can quickly analyze the event and act accordingly
Outdated SIEM systems have no ROI in the modern threat landscape
Security is much more than regulatory compliance and log management. Nevertheless, many information security teams still rely on traditional, heavyweight SIEM systems.
These traditional SIEM systems consume considerable resources to deploy and operate, and require substantial effort to manage logs, rules and data templates; in effect, they run a kind of Big Data platform for security events and analytics.
Most often, security teams find themselves chasing alerts between different tools, while potential attackers infiltrate the network ever more easily. Worse, previous-generation SIEM systems focus on perimeter activity to prevent intrusion, and thus miss important information that may sit in modern network sources such as endpoints and users, SaaS applications, cloud servers and more.
The inability of traditional systems to gain a broad view and see the whole picture leads to quite a few false positives. Teams are left drowning in data and missing the real threats lurking elsewhere on their network.
Modern threat detection requires a two-pronged approach
Rule-based threat detection, which matches known and expected patterns, is still an important component of the SOC toolset. Brute-force attacks or phishing, for example, can usually be identified easily, and must be stopped early in the attack chain before they become critical.
However, the modern network has evolved, and so has the threat landscape.
Fewer and fewer attacks are predictable from rules alone. For example, a combination of an insider threat and malware is more complex to detect and may evade traditional SIEM systems.
Recognizing these threats requires combining behavioral anomaly detection capabilities with human analysis, in order to detect an event and take action.
No single tactic can protect against all threats; the best defense is a combination of rule-based detection, anomaly detection with investigation support, and rapid response processes.
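The two prongs described above, as an added example that is not from the page or from InsightIDR: a rule that fires on a burst of failed logins from one source, and a per-user baseline check that flags a successful login from a source the user has never used before. The log lines, field layout, thresholds and baseline are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample authentication log: "<timestamp> <user> <source-ip> <result>"
SAMPLE_LINES = [
    "2024-03-01T09:00:00 alice 10.0.0.5 OK",
    "2024-03-01T09:01:00 bob 203.0.113.7 FAIL",
    "2024-03-01T09:01:05 bob 203.0.113.7 FAIL",
    "2024-03-01T09:01:10 bob 203.0.113.7 FAIL",
    "2024-03-01T09:01:15 bob 203.0.113.7 FAIL",
    "2024-03-01T09:01:20 bob 203.0.113.7 FAIL",
    "2024-03-01T09:01:30 bob 203.0.113.7 OK",
    "2024-03-01T09:05:00 alice 10.0.0.5 FAIL",
]
# Constructed baseline: sources each user has been seen logging in from before
BASELINE = {"alice": ["10.0.0.5"], "bob": ["10.0.0.8"]}

def parse(line):
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result

def rule_bruteforce(events, threshold=5, window_s=60):
    """Rule prong: >= threshold failures from one source inside a sliding window."""
    alerts, recent = [], defaultdict(deque)
    for ts, user, src, result in events:
        if result != "FAIL":
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append(("brute_force", src, ts))
            q.clear()                                     # one alert per burst
    return alerts

def anomaly_new_source(events, baseline):
    """Behavioral prong: a successful login from a source never seen for that user."""
    seen = {user: set(srcs) for user, srcs in baseline.items()}
    alerts = []
    for ts, user, src, result in events:
        if result == "OK" and src not in seen.setdefault(user, set()):
            alerts.append(("new_source_login", user, src, ts))
            seen[user].add(src)                           # learn it so it fires once
    return alerts

def detect(lines, baseline):
    """Run both prongs over the log; rule alerts first, then anomaly alerts."""
    events = [parse(line) for line in lines]
    return rule_bruteforce(events) + anomaly_new_source(events, baseline)
```

In the sample, the failure burst against bob triggers the rule, and the success that follows it from the same unfamiliar source is caught only by the baseline check, which is the case the page says rules alone miss.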