The Importance of Network Data in Your Security Information Event Management (SIEM)

But with this process of ingesting log data comes challenges, including:

• It provides limited context, making incident response and threat hunting a slow process
• It requires a high quantity of ingest sources, which are costly to maintain and store

With these challenges in mind, why add network data into the mix? Network data is delivered by a Network Detection and Response (NDR) technology analyzing copied traffic.  A NDR solution provides visibility (context) along with live traffic alerts that do not require predefined use cases or logic. This rich data integrated with a SIEM allows a SOC to:

• Reduce false positives minimizing distractions
• Respond to incidents and conduct threat hunting faster reducing the impact of real threats
• Reduce the quantity of SIEM integrations saving time and money

The Drawbacks of SIEMs

SIEMs commonly make grand promises about how they will revolutionize a SOC by eliminating false positives and providing analysts with much-needed context and access to data when investigating and responding to potential threats. However, these promises rarely come with a detailed description of how an organization will achieve and maintain this ideal state.

Complex Configuration

SIEMs collect security alerts and log data from the various solutions in an organization’s security architecture, log files from endpoints, and other information from across the enterprise.  Unfortunately, SIEMS don’t come with these connections out of the box. Security personnel need to choose which data sources to collect and set up the links needed to collect that data.

This is a complex process and requires significant knowledge of an organization’s network and cyber threats. Failing to collect data from a particular source can leave an organization blind to attacks; however, collecting data from the wrong sources can result in data overload and a lack of visibility when it comes to real threats.

Limited Analytics

SIEM tools are designed to work based on use cases. If an organization wants to identify a specific attack, then it can write a rule identifying that attack. For example, a SIEM may be designed to identify ransomware attacks by looking for behavioral features such as frequent modifications to files, use of cryptographic libraries, or the techniques used by ransomware to spread to additional computers and drives or to delete shadow copies.

SIEMs’ focus on rules and use cases means that they perform limited analytics on their own. While the SIEM may be configured to collect data from certain sources, it has little or no built-in knowledge of what to do with that data.

Alert Overload

Alert overload is one of the most common reasons that organizations invest in a SIEM. The average organization has deployed 76 security solutions, and each of these solutions produces alerts sent to the SOC. Since these solutions only have visibility into a portion of an organization’s attack surface, these alerts commonly contain false positives that waste analysts’ time.

Due to the complexity of corporate security infrastructure, the average SOC receives tens of thousands of security alerts per day. A SIEM is intended to address this issue by collecting, aggregating, and analyzing alerts to provide SOC analysts with a lower number of higher-quality alerts.

A SIEM can easily make the alert overload and false-positive problems worse. If a SIEM is not properly configured and managed, it will just exacerbate the problem by escalating false positives while ignoring true threats.

Looking to a NDR to Overcome SIEM Challenges

Many of the limitations of a SIEM arise from the fact that they are designed to augment capabilities rather than provide value themselves. A SOC analyst could perform all of the data collection, aggregation, and analysis that a SIEM does – the SIEM is just intended to make it faster and more efficient. But the SIEM can only do what it is told how to do, dramatically limiting its capabilities and the value that it provides to the organization.

For organizations looking to realize the benefits of a SIEM, modern solutions providing network data are available. BluVector’s NDR platform is built on top of Zeek and Suricata providing data sources to easily enable the benefits of a SIEM, including:

• Broad Network Visibility:BluVector provides real-time visibility into all of an organization’s network event traffic.  With most cyberattacks occurring over the network, this provides the potential to identify and respond to threats rapidly, minimizing the risk and impact to the organization.
• MITRE ATT&CK Coverage: MITRE ATT&CK details the various methods by which cyber threat actors achieve their objectives at the various stages of an attack campaign. BluVector solutions offer broad coverage of MITRE ATT&CK, allowing organizations to detect common attack techniques without writing rules and use cases themselves.
• AI/ML-based Threat Detection:Signature-based detection misses zero-day threats, and false positives are common with a SIEM. BluVector uses signatureless threat detection based on artificial intelligence/machine learning (AI/ML) to identify threats with a 99% threat detection rate with minimal false positives.

A single technology that provides context, along with alerts that do not require definition, allow a SIEM to achieve its goals. A successful SIEM can drive down costs while increasing operational efficiency.

Going Beyond a SIEM for Optimal Network Security

Organizations that invest in and purchase a SIEM rarely get to take full advantage of the benefits that it promises.  SIEMs are time-consuming, labor-intensive, and require significant security expertise and knowledge of an organization’s infrastructure to provide actual value. For organizations with limited resources and overstretched security teams, the care and feeding required by a SIEM are often more than they can afford.

BluVector A.I. and Machine Learning-based solutions take a different approach, building deep security knowledge and subject matter expertise into industry-leading solutions like Zeek and Suricata. With BluVector, organizations can enable the results that a SIEM promises, while increasing the speed and efficacy of their SOC team by reducing false positives, minimizing distractions, and helping cyber experts respond to threats faster.