Industry Perspectives

Good Insight from Gartner on How to Do SIEM Right: Part 1

Apr 14, 2016 | by RSA |

In a recently released report from Gartner titled, SIEM Technology, Market and Vendor Assessment, ( client access needed to get the full report), Gartner analysts Anton Chuvakin and Augusto Barros gave their latest take on the SIEM market, as well as provided eight specific recommendations for organizations that are looking to acquire a solution. While all eight are extremely valuable recommendations and highlight where the rest of the market needs to catch up, in this blog I am going to discuss the first four recommendations to help security teams make improvements in their security monitoring program; I will cover the second set of four recommendations in "Part II" of this two part blog.

  1. "In Addition to SIEM, Use Network Forensic Tools (NFT) and Endpoint Detection and Response (EDR) for Comprehensive Security Monitoring and Enterprise Visibility"*

    Our customers are going one step further in bringing together SIEM and NFT fused with EDR monitored from a single console. Doing this can speed understanding of the full scope of an attack and accelerate incident response. One console that helps prioritize what needs to investigated, ties together related events and provides drill down from high-level views to low-level details, matching the analyst's expertise and role, and fitting how organizations are looking to use these tools to ease the burden of threat detection and response. Why deploy multiple separate tools that are barely integrated (and certainly not best of breed), if you don't have to? Traditional SIEMs which rely on logs and related correlation rules are essentially blind to today's more sophisticated and targeted attacks. Only the combination of logs, network packets, Netflow, and endpoint data, complemented with external threat intelligence, can automate the detection of threats, giving the security monitoring teams the necessary visibility to investigate today's more advanced attacks. Many SIEM or packet capture tools are missing this combination or provide a weak add-on and pretend they have a full solution.

  2. "Evaluate SIEM Solutions Based on Both Threat and Compliance Use Cases, but Weigh Threat Use Cases Higher"*

    The market has evolved where enterprises understand that compliant organizations are not necessarily secure, but secure organizations are well-positioned to be compliant. Compliance regulations and standards provide a good framework for the right minimum checklist needed (to not get penalized), but this hardly guarantees your information is protected. SIEMs came of age for compliance purposes, and most are just learning how to be truly effective in security. However, if you are responsible for making sure that threats are unable to cause damage to your business versus being concerned about log retention and audit reports, you probably want to rely on a tool that has security as the core of its mission..

  3. "Review Your Use Cases in Depth Before Deciding on a SIEM Tool"*

    What are you trying to achieve? Log collection, or stopping the bad guys from disruption and theft? If you see a single alert for an unauthorized login attempt a few times on a single application is that a big deal? How about that same set of events, and another five from the same external IP address across different parts of the network over a few weeks aggregated into a single incident? Which would you rather have? How about tying together that single rolled up incident into a whole set of investigative steps and workflows to more easily manage and speed the response? It sure makes it a lot easier for the junior security analyst to do the job rather than have to sift through thousands of logs, and hundreds if not thousands of alerts every day. Advanced attacks are hard to find, especially those that take advantage of dwell time. Dwell time is when an attacker sits quietly for an extended period so analysts have a hard time tying together the malicious activity with the compromised systems. To see what I mean, check out this content on the detection of Webshells, Spear Phishing, and Gh0st RAT.

  4. "Review Sourcing Options for SIEM Tools"*

    Deploying and using SIEM systems these days are about much more than deploying a system and setting it to "ring" when something bad happens. A security monitoring system is an extension of the people and the processes that they follow. What customers really need is a tool that can be very effective in enhancing an organization's ability to detect and respond to threats, requiring the need for something more than a traditional SIEM. The need for advanced analytics and behavioral techniques beyond what traditional SIEM can offer is based on the need to focus on detecting and responding to complex threats exploiting dwell time to compromise enterprises.

Finding a security company that is experienced and focused on helping you build or optimize your security practice, without just pushing their "box", can accelerate the success of your security program and keep you ahead of the attacker..

At RSA we've been focused for many years on threat detection and response as the most important component of implementing a successful security strategy and program for our customers. RSA's Advanced Security Operations Center (ASOC) solution provides the platform and expertise to rapidly detect, investigate and respond to threats that target enterprises via their networks, endpoints and public cloud-based systems. RSA ASOC gives security teams the ability to detect early, investigate comprehensively, and respond effectively to commodity and advanced attacks by fusing together multiple internal and external security data streams, intelligence, and context, while applying behavioral analytics and data science techniques to help surface the threats. The solution, via both the platform and associated professional services, gives security teams the information to detect, investigate and respond quickly and understand the full scope of an attack to minimize the potential impact to the organization. RSA's trusted expertise enables organizations to build and mature their Security Operations Center (SOC) holistically from a people, process, and technology perspective.

Learn more about RSA's solutions that can provide the most comprehensive capabilities to detect and respond to threats.

*Gartner, SIEM Technology, Market and Vendor Assessment, Anton Chuvakin & Augusto Barros, February 10, 2016