Responding to advanced threats with a SIEM is like playing ‘Where’s Waldo’ with your Network

When alerts get escalated, what’s your go-to solution to validate and track the threat? When monitoring a recognized breach to see what happens next, what do you rely on to make sure you see the attacker’s every move throughout your network?

If you’re like most enterprises, you were sold a bill of goods with Security Information and Event Management (SIEM) – and it failed miserably to help with your critical security operations and incident response.

Let’s not ignore SIEM’s value for compliance reports and accumulating logs to support those regulatory requirements. But those logs provide little value when security operations or incident response teams are under pressure to quickly understand a threat, track it in real time and make critical decisions about mitigating risk.

It’s not that a SIEM doesn’t have useful data to help with this, but it lacks the ability to empower users with this data in real time. Much of the data you need is there, but good luck getting to it in time to make intelligent decisions and take action to eliminate the threat.

Without speedy results to custom queries of the SIEM logs, security teams are left playing Where’s Waldo – trying to extract intelligence from raw data in a sea of logs, events and irrelevant data points.

Analysis at the Speed of Thought

Security operations teams are drowning with alerts and SIEMs are failing to help them make fast decisions about these potential attacks. When an alert jumps to the top of the queue, analysts need immediate intelligence to define who’s involved in the alert, identify what systems and data are at risk, and spot unusual activity pre- or post-alert.

While SIEMs can provide useful intelligence if you pre-configure them to run complex correlations, today’s advanced attacks constantly evolve and consistently find new means of breaching successfully. There’s no way for an enterprise to keep its SIEM constantly updated with the complex correlations and rules BEFORE the attacker triggers the rule.

Security operations teams need analysis at the speed of thought to follow the artifacts and clues surrounding an alert and make fast decisions to escalate, dismiss, or put on the back burner.

Real-time Attack Time Lines

Once an alert has been escalated, real-time insight into and tracking of the threat become critical. This is where SIEM especially fails. SIEMs aggregate logs; they can’t watch the threat in real time as it spreads across the network.

Incident response teams need real-time visibility into a suspected host’s or user’s every action on the network. Instead of squashing the threat immediately, which only causes the attacker to go dormant, enterprises must sit quietly observing the extent of the attack and the affected systems. And of course, they must make critical decisions about when to act – once they know enough about the threat, or in time to prevent successful data extraction.

In the end, having data isn’t the same as making intelligent decisions based on data. Today’s enterprise security teams need more than just stored logs. Stop playing Where’s Waldo with your SIEM.
