Hey SIEM: What Have You Done for Me Lately?
By Michael Adler, Vice President, Product, NetWitness Suite
For years, SIEM solutions have dutifully delivered just what security teams need to detect and investigate cyber threats. But with threats constantly taking new forms and coming from new places, in far greater volume than ever before, a SIEM solution has to do a lot more to help security teams keep up. Here are three questions to ask of your SIEM system as you work to address today's security issues.
Is visibility limited to logs?
Logs record that something happened (a login, a service start, a connection allowed through a firewall), but little more than a trail of bread crumbs showing where an attacker has been. If you want to see what that attacker was actually doing, what was sent and what came back, you need visibility into network packet data, too. And if you want to close the last mile of an investigation and identify which process on a particular endpoint is at the root of an attack, you need a way to inspect what is happening on the endpoints where threats dwell. Moreover, you need a single platform that presents the data from logs, packets and endpoints together, so that analysts are not switching tools and manually correlating everything by hand.
Is there support for prioritization?
When alerts arrive faster than you can work them, you must be able to discern quickly which are the most urgent and set your priorities accordingly. Has an attacker found a way into the server where all the source code is stored, or just the one with the weekly cafeteria menu? How can you tell? Every minute spent hunting for the context needed to prioritize your response is another minute the attack continues. You need a solution that is integrated with business risk information, so that it knows which users and systems are critical and can rank incidents for you, instead of presenting every alert with the same weight.
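As an added example (not NetWitness code or any product's logic) of what the two points above look like in practice, the script below groups constructed log, network and endpoint events by host within a time window and then ranks the resulting incidents by a hypothetical asset-criticality table and critical-user list. The hostnames, addresses, indicator weights, thresholds and the `ASSET_CRITICALITY` and `CRITICAL_USERS` tables are all assumptions made for the example; in a real deployment the criticality data would come from a CMDB or asset inventory.

```python
"""Correlate constructed log/network/endpoint events by host and rank incidents
by asset criticality. Added example; all data and weights below are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hostnames, users and addresses are fictitious).
LOG_EVENTS = [
    {"ts": "2017-07-25T10:00:05", "host": "src-repo-01", "user": "bob",
     "event": "auth_success", "src_ip": "203.0.113.9"},
    {"ts": "2017-07-25T10:00:40", "host": "src-repo-01", "user": "bob",
     "event": "new_service", "detail": "svc-updater"},
    {"ts": "2017-07-25T10:02:10", "host": "cafeteria-web", "user": "www",
     "event": "auth_fail", "src_ip": "198.51.100.7"},
]
NET_EVENTS = [
    {"ts": "2017-07-25T10:01:00", "host": "src-repo-01",
     "dst_ip": "203.0.113.9", "dst_port": 443, "bytes_out": 52_000_000},
    {"ts": "2017-07-25T10:02:30", "host": "cafeteria-web",
     "dst_ip": "198.51.100.7", "dst_port": 80, "bytes_out": 4_000},
]
ENDPOINT_EVENTS = [
    {"ts": "2017-07-25T10:00:45", "host": "src-repo-01",
     "process": "svc-updater.exe", "parent": "cmd.exe", "signed": False},
]

# Hypothetical business-context tables (assumed for the example).
ASSET_CRITICALITY = {"src-repo-01": 5, "cafeteria-web": 1}  # 1 (low) .. 5 (crown jewels)
CRITICAL_USERS = {"alice"}                                   # e.g. domain admins

# Indicator weights and thresholds are assumptions, not a published scoring scheme.
INDICATOR_WEIGHT = {"auth_fail": 1, "new_service": 2,
                    "large_egress": 3, "unsigned_child": 3}
LARGE_EGRESS_BYTES = 10_000_000
WINDOW = timedelta(minutes=5)


def correlate(log_events, net_events, endpoint_events, window=WINDOW):
    """Group events from the three sources by host, keeping those that fall
    within `window` of the first event seen for that host."""
    incidents = defaultdict(lambda: {"first": None, "indicators": [], "users": set()})
    tagged = ([("log", e) for e in log_events]
              + [("net", e) for e in net_events]
              + [("endpoint", e) for e in endpoint_events])
    for source, ev in sorted(tagged, key=lambda t: t[1]["ts"]):  # ISO timestamps sort as strings
        inc = incidents[ev["host"]]
        ts = datetime.fromisoformat(ev["ts"])
        if inc["first"] is None:
            inc["first"] = ts
        elif ts - inc["first"] > window:
            continue  # outside the window; a full system would open a new incident here
        if source == "log":
            inc["users"].add(ev["user"])
            if ev["event"] in INDICATOR_WEIGHT:
                inc["indicators"].append(ev["event"])
        elif source == "net" and ev["bytes_out"] >= LARGE_EGRESS_BYTES:
            inc["indicators"].append("large_egress")   # packet-side evidence of exfiltration
        elif source == "endpoint" and not ev["signed"]:
            inc["indicators"].append("unsigned_child")  # endpoint-side root-cause process
    return incidents


def score(host, inc):
    """Risk score = summed indicator weight, scaled by asset criticality,
    plus a bonus if a critical user is involved."""
    base = sum(INDICATOR_WEIGHT[i] for i in inc["indicators"])
    criticality = ASSET_CRITICALITY.get(host, 2)  # unknown assets get a middling default
    user_bonus = 2 if inc["users"] & CRITICAL_USERS else 0
    return base * criticality + user_bonus


def prioritize(log_events, net_events, endpoint_events):
    """Return (host, score, indicators) tuples, most urgent first."""
    incidents = correlate(log_events, net_events, endpoint_events)
    ranked = [(host, score(host, inc), inc["indicators"]) for host, inc in incidents.items()]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for host, risk, indicators in prioritize(LOG_EVENTS, NET_EVENTS, ENDPOINT_EVENTS):
        print(f"{risk:4d}  {host:15s}  {', '.join(indicators)}")
```

With the constructed data, the source-code server scores 40 (new service, unsigned child process and a large outbound transfer, all multiplied by its criticality of 5) while the cafeteria server scores 1 for a single failed login, which is the ordering an analyst would want to see without having to look the hosts up first.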
Is it easy to scale?
If your organization is like most, you're doing business in more places and more ways than ever before. That makes scalability non-negotiable in systems you rely on for threat detection and response. Does your SIEM architecture make it easy and affordable to scale across multiple sites and to different IT environments (physical, virtual, cloud)? Or will it force you to re-architect your entire approach every time you make a major change?
Here's the big question: Does your SIEM solution provide the visibility, insights and scalability you need to respond effectively to cyber threats? If not, find one that does. Look for a solution that:
- Collects data all the way to endpoints, or the "last mile" of cyber investigations
- Correlates security data across logs, network packets and endpoints
- Provides multiple technologies including behavioral analytics to detect anomalies
- Knows which users and systems are critical so you can prioritize alerts
Let's face it: when it comes to threat detection and response, your SIEM solution isn't all you need it to be anymore. To see what your SIEM could be doing for you, check out RSA NetWitness Suite in action in the Black Hat USA 2017 NOC and in booth 907.