By Mike Adler, VP Product, NetWitness Platform
If you're like a lot of IT security professionals, you've always been able to rely on your SIEM to provide log data for threat detection. But that's just not enough to keep up with all the new threats from new sources that are bombarding organizations today. Can your SIEM do everything required to detect and respond to these growing threats? What do you need to do to ensure that the solution you rely on for threat detection is up to the challenge?
Look beyond logs: Sure, logs can tell you where an attacker has been. That's useful to know, but it's not enough. What was the attacker doing? You need visibility into network packet data to answer that question. Where did the attack start? To close the last mile of your investigation and see what process on a particular endpoint is at the root of the attack, you have to be able to look at what's happening at the endpoints where threats dwell. If you don't have clear views into logs, packets and endpoints, you're missing what you need to defend against threats. "But I've got other tools to look at packets and endpoints," you say. That's good, but unless you have a single integrated platform to deliver views into more than one source of data, you'll find yourself wasting a lot of time manually switching between tools and correlating everything that comes in. And who knows what threats are going to get past you in the meantime?
Get support for prioritization: More threats mean more alerts - but not necessarily more qualified people on your team to detect and respond to them. That's why it's critical to have the ability to instantly assess which threats are the most urgent and set priorities accordingly. If you can't tell an attack on the server where all your source code is stored from an attack on the server with the cafeteria menu on it, and action is urgent, your team has no choice but to take their best guess. As a result, they may end up responding to the less critical threat while the other one continues to wreak havoc. This is why integration with business risk information is important, so that the solution has some understanding of which users and systems are critical. Otherwise, how can your team confidently respond to the most critical threats first?
Scale as you grow: With operations and people in more places (and in more kinds of IT environments) than ever, scalability is non-negotiable in systems you rely on for threat detection and response. Does your SIEM architecture make it easy and affordable to scale across multiple sites and to physical, virtual and cloud environments? Or will you be forced to re-architect your entire approach every time you make a major change?
You need a comprehensive, practical solution that provides the visibility, insights and scalability to respond effectively to cyber threats. Look for one that:
- Collects data all the way to endpoints, or the "last mile" of cyber investigations
- Correlates security data across logs, network packets and endpoints
- Provides multiple technologies including behavioral analytics to detect anomalies
- Knows which users and systems are critical so you can prioritize alerts
If your SIEM solution is no longer all you need it to be, it's time to demand more. Learn more about what you need today to improve visibility into threats, respond faster and increase your team's impact-and see what RSA NetWitness® Platform can do for you.
Author: RSA Research
Category: Research and Innovation, Blog Post