In 1860, Belgian inventor Jean Joseph Etienne Lenoir created a gas-fired internal combustion engine; it was the first internal combustion engine to be mass-produced in large numbers. The design wasn't perfect by any means, but it was a large step forward, and countless engineers have continued to iterate on the concept even to this present day. One such engineer was Alfred Büchi, who focused his efforts on improving the power and efficiency of the engine. In 1905, this Swiss engineer and inventor was granted patent #204630 by the German patent office. The patent was granted for a "highly supercharged compound engine" or what would later be known as a turbocharger. The idea was simple enough –compress more air into the cylinder, thereby increasing the efficiency and output of an engine. Interestingly enough, it was another twenty years before the technology was available for him to put this idea into action.
Much like that first internal combustion engine, SIEM is in need of a turbo boost. While the first log-based SIEMs came to market roughly about twenty years ago in the mid-90s, this focus on logs continues to be a fundamental constant even today. Logs are important – no doubt – but, unfortunately, this log-centric approach tends to ignore other technologies and data sources that can act as force multipliers to add powerful business context, provide important data correlation, and help reduce inefficiencies.
So, how can we take a page out of Büchi's book and turbocharge our SIEMs? One way is by leveraging endpoint telemetry. Endpoints are both the first and most vulnerable line of defense for an organization as well as the proverbial "last mile" of an incident investigation. Thus, it's vitally important for security teams to understand how a threat attacked an endpoint, what was running on that endpoint at the moment of attack, and what happened after the attack.
In an attempt to tackle this problem, many organizations implement different types of endpoint security – from NGAV and vulnerability management to endpoint detection and response. While sounding just fine on paper, the outcome is less than optimal. There are inherent challenges for modern security operations with this approach. First, organizations are unable to get the right data and depth of visibility from their endpoint security to help them effectively detect, understand, and respond to endpoint threats. Secondly, when they do actually get some endpoint visibility, the data is housed in a disparate platform that isn't fully integrated into their SIEM for proper data correlation.
Like Büchi, many security professionals are recognizing these challenges and are looking at ways to build ONTO (i.e., integrated with) their SIEM "engine". They have recognized that they need expanded visibility to see threats wherever they reside in a modern IT infrastructure – especially on endpoints. But equally important is having the capabilities to seamlessly correlate all data points that comprise an incident (from logs to NetFlow to endpoint data) in order to more accurately identify the real threats to an organization and respond more rapidly. Additionally, security and risk professionals are looking to vendors who can provide real, meaningful integrations between endpoint security and SIEM, whether it is through tightknit 3rd party partnerships or 1st party, complementary products. The desired end state reduces human processes and elevates the highest risk incidents to the forefront from an ocean of alerts. As an example, ideally, a security analyst could pinpoint exactly when an endpoint was compromised, reconstruct the phishing email that delivered the payload, understand the effect that the attack had on the endpoint, determine where the threat spread to in an organization…and then contain the compromised endpoints and take action to quarantine the entire threat. How's that for turbocharged output?
Security teams have an extremely difficult job in protecting their organizations. Ultimately, if, together, we can find ways to interweave business context and risk with advanced cybersecurity capabilities (i.e., SIEM, endpoint, cloud) into one finely tuned engine, that job will be easier and less taxing. Additionally, this turbocharged security engine will better enable the entire organization – from the CEO to the SOC – to make stronger decisions to protect themselves from threats, minimize attacker dwell time and mitigate negative business consequences.
If your organization's security operations are in need of a turbo boost, I encourage you to learn more about how our RSA NetWitness® Platform can SEE more and DO more.
Author: David D'Aprile
Category: RSA Fundamentals, Blog Post
Keywords: SIEM, Endpoint, Endpoint Detection and Response, Endpoint Security