3 reasons why you should integrate breach detection into a SIEM solution

Author: Martin Tolboom, Sales Solution Architect / Security Consultant

Many companies rely on a Security Information and Event Management (SIEM) solution to monitor and analyse security information and to detect security incidents and data breaches within their infrastructure.

And yes, a SIEM solution is a very useful and powerful tool to implement a good security monitoring environment. Combining a SIEM solution with a good Breach Detection solution like RedSocks Malicious Threat Detection can strongly improve the security monitoring of a SIEM by adding valuable threat intelligence, improve the detection rate, help prioritize and with that lower the TCO.

According to research by the Enterprise Strategy Group (ESG), almost a third of the organisations using a SIEM solution feel that it lacks “context” around security information, that queries are difficult to perform, and that it generates too many false positives.

Source: ESG Solution Showcase- An Analytics-based Approach to Cybersecurity, May 2015.

An effective, proactive breach detection solution takes a layered approach. SIEM systems can be invaluable for anomaly detection, but the challenge lies in that the SIEM/Threat Intelligence correlation process is too manual, management is time-consuming and leaves room for too many false positives.

Breach detection solutions enable organisations to improve security monitoring efforts by streamlining the discovery of at-risk and compromised systems to detect breaches before data is lost, damaged or stolen.


Enhance Security Analytics

With a SIEM solution, logging from the different security components can be correlated and analysed over time. This requires normalising the log data of those components; the normalisation process enables the SIEM solution to correlate the logs and to identify incidents to be investigated in more detail.

To enhance the security analytics capabilities of the SIEM solutions additional Threat Intelligence (commercial) feeds can be added and imported in the SIEM solution. But, what threat intelligence feeds are you going to use? How much additional effort is required to combine these threat intelligence feeds with the security correlation rules in the SIEM solution? What are the additional costs for these feeds?

The RedSocks Malicious Threat Detection (MTD) solution uses very rich threat intelligence to analyse flow data. The RedSocks Threat Intelligence is based on 15 commercial feeds and over thirty security analytics labs (and growing) run by the RedSocks Malware Intelligence Team. The RedSocks Threat Intelligence feed is updated 24 to 48 times per day, minimising the number of false positives and updating tens of millions of bad IP addresses.

RedSocks uses focussed threat intelligence and heuristics to alert on Indicators of Compromise (IOCs). These IOC alerts can be sent to the SIEM solution to further correlate and analyse the threat within your infrastructure. The RedSocks MTD solution provides early, near real-time alerting of a breach. In combination with the SIEM solution you can analyse the root cause of the problem by combining the IOC data from the breach detection solution with security logging from other preventive countermeasures.
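The two steps described above, normalising flow logs into one schema and matching them against a threat-intelligence table to raise IOC alerts with a threat level, can be shown in a few dozen lines. The block below is an added example written for this page; it is not RedSocks code and does not use the RedSocks feed. The two log formats, the feed entries (documentation-range addresses) and the threat levels are all constructed for illustration, and the syslog year is an assumption supplied by the caller.

```python
"""Added example (not RedSocks or any vendor code): normalise flow records from
two constructed log formats, match destination addresses against a small
constructed threat-intelligence table, and emit prioritised IOC alerts in a
shape a SIEM could ingest. All feed entries, addresses and log lines are
constructed for illustration."""
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed threat-intelligence table: network -> (threat level, label).
# A real feed carries millions of entries; the lookup logic is the same.
THREAT_INTEL = {
    ipaddress.ip_network("198.51.100.0/24"): ("high", "C2 range (constructed)"),
    ipaddress.ip_network("203.0.113.7/32"): ("medium", "scanner (constructed)"),
}

# Format 1: CSV-style flow export (constructed): ts,src,dst,dport,bytes
FLOW_CSV = """2024-05-01T10:00:01Z,10.0.0.5,198.51.100.42,443,5120
2024-05-01T10:00:02Z,10.0.0.9,192.0.2.10,443,820
"""

# Format 2: syslog-style firewall line (constructed)
FW_SYSLOG = """May  1 10:00:03 fw01 kernel: ACCEPT SRC=10.0.0.7 DST=203.0.113.7 DPT=22 LEN=60
"""

_FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dport>\d+) LEN=(?P<bytes>\d+)")


def normalise_csv(text):
    """CSV flow rows -> common event schema."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        events.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                       "bytes": int(nbytes), "source": "flow"})
    return events


def normalise_fw_syslog(text, year=2024):
    """Firewall syslog lines -> common event schema, timestamp re-expressed as ISO 8601.
    Syslog omits the year, so the caller supplies it (an assumption of this example)."""
    events = []
    for line in text.splitlines():
        m = _FW_RE.search(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        stamp = stamp.replace(tzinfo=timezone.utc)
        events.append({"ts": stamp.strftime("%Y-%m-%dT%H:%M:%SZ"), "src": m["src"],
                       "dst": m["dst"], "dport": int(m["dport"]),
                       "bytes": int(m["bytes"]), "source": "firewall"})
    return events


def lookup(ip):
    """Return (level, label) if the address falls in a listed network, else None."""
    addr = ipaddress.ip_address(ip)
    for net, hit in THREAT_INTEL.items():
        if addr in net:
            return hit
    return None


LEVEL_RANK = {"high": 3, "medium": 2, "low": 1}


def ioc_alerts(events):
    """Match each event's destination against the feed; highest threat level first."""
    alerts = []
    for ev in events:
        hit = lookup(ev["dst"])
        if hit:
            level, label = hit
            alerts.append({**ev, "threat_level": level, "ioc": label})
    alerts.sort(key=lambda a: LEVEL_RANK[a["threat_level"]], reverse=True)
    return alerts


def run():
    """Normalise both constructed log sources and return the prioritised IOC alerts."""
    events = normalise_csv(FLOW_CSV) + normalise_fw_syslog(FW_SYSLOG)
    return ioc_alerts(events)


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))  # one JSON alert per line, ready for SIEM ingestion
```

The sort on threat level is what gives the incident response team its starting order; a SIEM would typically receive each alert as a separate event and apply its own correlation on top.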


Helps to Prioritize

As stated in the ESG Solution showcase, many organizations mostly use SIEM for regulatory compliance and monitoring, rather than security analysis and investigation. This makes it difficult to leverage these legacy systems to address the requirements for defending and responding to targeted multidimensional attacks.

SIEM solutions provide a dizzying array of charts, graphs and dashboards based on sophisticated event correlation analysis, but keeping them useful is a separate job from analysing the alarms: it takes truly dedicated resources to ensure the data from your network is relevant, accurate and properly categorised within the SIEM. Adding breach detection to the SIEM makes response more efficient and accessible, enabling the team to respond rapidly to real threats and data breaches.

The RedSocks Malicious Threat Detection solution helps to correctly prioritise which incidents to respond to first. Using multiple threat levels and real-time analysis, the incident response team can focus on the real threats and possible data leakages.

This will dramatically minimize the time malware can be active on the network and with that the potential damage that can be caused by the security incident.


Lower TCO

Maintenance of a SIEM solution is an intensive and time-consuming task. The normalisation of log data from the different security components has to be kept up to date and specifically built for the particular solutions within the organisation.

The next step is to define correlation rules: seeing and combining multiple events, simultaneously or over time, that when combined are an indication of an issue. This task requires skilled and knowledgeable security professionals. Cyber criminals develop new types of attacks every day. These have to be analysed and converted into new correlation rules in the SIEM solution.
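What a correlation rule of the kind just described looks like in practice, and why writing and maintaining them takes effort, is easier to see with a concrete one. The block below is an added example for this page, not the code of any SIEM or of RedSocks: a minimal time-window rule engine that fires when every event type a rule requires is seen for the same host within the rule's window. The events (an IOC alert from breach detection alongside endpoint and proxy events), the rule definitions and the host names are all constructed.

```python
"""Added example (not vendor code): a minimal time-window correlation rule engine
of the kind a SIEM evaluates, run over constructed, already-normalised events.
A rule fires for a host when all of its required event types occur within
the rule's window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed normalised events from three sources (breach detection, AV, proxy).
EVENTS = [
    {"ts": "2024-05-01T10:00:01Z", "host": "ws-017", "type": "ioc_alert", "detail": "dst in C2 range"},
    {"ts": "2024-05-01T10:03:40Z", "host": "ws-017", "type": "av_detection", "detail": "Trojan.Generic"},
    {"ts": "2024-05-01T10:04:15Z", "host": "ws-017", "type": "proxy_deny", "detail": "category: malware"},
    {"ts": "2024-05-01T09:10:00Z", "host": "ws-042", "type": "av_detection", "detail": "PUA"},
    {"ts": "2024-05-01T11:30:00Z", "host": "ws-042", "type": "ioc_alert", "detail": "dst in scanner list"},
]

# Constructed rules: name, required event types, window, severity when fired.
RULES = [
    {"name": "ioc_confirmed_by_endpoint", "requires": {"ioc_alert", "av_detection"},
     "window": timedelta(minutes=10), "severity": "critical"},
    {"name": "ioc_with_proxy_block", "requires": {"ioc_alert", "proxy_deny"},
     "window": timedelta(minutes=30), "severity": "high"},
]


def parse_ts(s):
    """ISO 8601 'Z' timestamps as used in the normalised schema above."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, rules):
    """Evaluate each rule per host with a sliding window anchored at each event.
    Fires at most once per (rule, host), on the earliest window that satisfies it."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO strings sort chronologically
        by_host[ev["host"]].append(ev)

    incidents = []
    for rule in rules:
        for host, evs in by_host.items():
            for i, anchor in enumerate(evs):
                start = parse_ts(anchor["ts"])
                seen, evidence = set(), []
                for ev in evs[i:]:
                    if parse_ts(ev["ts"]) - start > rule["window"]:
                        break  # events are sorted, so nothing later can fit this window
                    if ev["type"] in rule["requires"]:
                        seen.add(ev["type"])
                        evidence.append(ev)
                if seen == rule["requires"]:
                    incidents.append({"rule": rule["name"], "severity": rule["severity"],
                                      "host": host, "first_ts": anchor["ts"],
                                      "evidence": evidence})
                    break
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS, RULES):
        print(inc["severity"], inc["rule"], inc["host"], inc["first_ts"],
              [e["type"] for e in inc["evidence"]])
```

Host ws-042 has both an AV detection and an IOC alert, but more than two hours apart, so neither rule fires for it; every new attack pattern means another rule like these, with its own window and required sources, which is the maintenance cost the text refers to.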

The use of a breach detection solution like the RedSocks MTD can take over the detection of malicious activities and with that minimize the activities needed to build and maintain the security correlation rules in the SIEM solution; saving valuable time.

When combining the SIEM solution with the RedSocks MTD solution you automatically make use of high quality Threat Intelligence of RedSocks. This eliminates the need to buy separate threat intelligence feeds to import in the SIEM solution.



By having a unified view of security-related activity on network devices, firewalls, servers, desktops, antivirus and breach detection, an automated SIEM provides security operations teams with a much richer and more accurate knowledge base from which to observe, interpret and react to possible threats to the organisation.

If you are looking to improve your capabilities to detect and analyse Advanced Persistent Threats, with Breach Detection and Threat Intelligence integrated with SIEM, you can easily do this with the RedSocks platform.
