Popular SIEM vs aisiem

You cannot flip a page in any cybersecurity magazine, or scroll through security blogging sites, without a mention of Next-Gen SIEM. You can understand why traditional SIEM vendors are pushing this concept, given all the high-profile security breaches in the last few years and how long it took organizations to detect those breaches in spite of having a multitude of security solutions, many with SIEM solutions deployed in their environment.

Why haven't popular SIEMs lived up to expectations?

As we know, today's SIEMs collect and aggregate logs from different sources and alert security teams by running correlation rules. Therein lies the problem. The information in the logs is useful but limited in context. It is similar to a phone bill: it lets you know when a phone call was made, to which number and for how long, but doesn't tell you about the conversation. Similarly, proxy server or firewall logs can tell you which PC (end device) accessed which website or URL, but not who was on the PC at that time or which application was riding on top of the URL, again forcing security teams to pull the relevant logs and correlate the information manually. The conversation and the additional contextual details hold the most important information: whether there is an incident of compromise worth spending time on, and what your short-staffed security team should focus on.

Today's SIEMs are good at collecting and indexing modest amounts of data, and security teams can write basic rules to correlate known indicators. They are not good at detecting unknown attacks, analyzing massive amounts of data in real time, ingesting network session and packet information, understanding network and user behaviour, monitoring and protecting hybrid-cloud infrastructure, and, most importantly, taking immediate action to contain and eliminate threats automatically before the damage is done.

SIEM vendors' answer to these limitations is add-on modules: a module for ingesting and processing network traffic; a module for deep packet inspection (DPI); a UEBA (User and Entity Behavior Analytics) module; a module for IaaS, PaaS and SaaS monitoring; a playbooks module for threat remediation. This loose collection of modules is marketed as Next-Gen or Modern SIEM. In reality, these SIEMs are not architected to handle large-volume, high-velocity data in real time; they still rely on rules to correlate and raise alerts; and they still use age-old data indexing, storage and compute technologies that are inflexible and do not support modern hybrid-cloud IT infrastructure, containerization and orchestration principles.
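The correlation gap described above (the proxy log says which PC hit which URL, but not who was at the keyboard) is normally closed by joining the proxy log against an identity source such as DHCP lease grants or directory logon events, on client IP and time. The following Python is an added example written for this page, not Seceon's code or the product's logic; its log lines are constructed, and the Squid-style field layout and the 24-hour `max_age` window are assumptions. It also shows why the time dimension matters: when an IP changes hands (DHCP churn), a join that ignores time attributes the earlier requests to the wrong user.

```python
"""Join proxy-log lines to an identity source on (client IP, time).

Added example for this page, not Seceon's code. All log lines are constructed;
the Squid-style native log layout and the 24-hour max lease age are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed Squid native-format proxy lines:
# unix_ts elapsed_ms client result/status bytes method url ident hierarchy type
PROXY_LOG = """\
1700000000.123    210 10.0.0.15 TCP_MISS/200 5120 GET https://updates.example.com/patch.bin - HIER_DIRECT/203.0.113.5 application/octet-stream
1700000300.456     95 10.0.0.15 TCP_MISS/200 812 GET https://paste.example.org/raw/abc - HIER_DIRECT/203.0.113.9 text/plain
1700007200.789    130 10.0.0.15 TCP_MISS/200 2048 POST https://files.example.net/upload - HIER_DIRECT/203.0.113.7 text/html
1700000500.000     40 10.0.0.99 TCP_MISS/200 300 GET https://www.example.com/ - HIER_DIRECT/203.0.113.1 text/html
"""

# Constructed identity events, e.g. DHCP lease grants or directory logon events
# already collected by the SIEM: "<iso8601 ts> <user> <ip>".  10.0.0.15 changes
# hands from alice to bob at 23:30 UTC; 1700000000 is 2023-11-14T22:13:20Z.
IDENTITY_LOG = """\
2023-11-14T21:50:00Z alice 10.0.0.15
2023-11-14T23:30:00Z bob 10.0.0.15
"""

SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


@dataclass(frozen=True)
class Assignment:
    start: datetime  # when `user` was first seen holding `ip`
    user: str
    ip: str


def parse_identity(text: str) -> list[Assignment]:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = line.split()
        rows.append(Assignment(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip))
    return sorted(rows, key=lambda a: a.start)


def user_for(ip: str, at: datetime, assignments: list[Assignment],
             max_age: timedelta = timedelta(hours=24)) -> str | None:
    """Time-aware join: the latest assignment of `ip` that started at or before
    `at`, ignored if it is older than `max_age` (assumed lease lifetime)."""
    candidates = [a for a in assignments if a.ip == ip and a.start <= at]
    if not candidates:
        return None
    best = max(candidates, key=lambda a: a.start)
    return best.user if at - best.start <= max_age else None


def naive_user_for(ip: str, at: datetime, assignments: list[Assignment]) -> str | None:
    """Time-blind join (the common mistake): whoever held `ip` most recently,
    regardless of when the request happened."""
    holders = [a for a in assignments if a.ip == ip]
    return max(holders, key=lambda a: a.start).user if holders else None


def enrich(proxy_text: str, identity_text: str, resolver=user_for) -> list[dict]:
    """Attach a user to every proxy line; 'unknown' when no identity event matches."""
    assignments = parse_identity(identity_text)
    out = []
    for line in proxy_text.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue  # skip blank or unparseable lines rather than crash the pipeline
        at = datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)
        out.append({
            "time": at.isoformat(timespec="seconds"),
            "client": m["client"],
            "user": resolver(m["client"], at, assignments) or "unknown",
            "method": m["method"],
            "url": m["url"],
            "bytes": int(m["bytes"]),
        })
    return out


def bytes_by_user(rows: list[dict]) -> dict[str, int]:
    """Per-user rollup: the question the raw proxy log cannot answer on its own."""
    totals: dict[str, int] = {}
    for r in rows:
        totals[r["user"]] = totals.get(r["user"], 0) + r["bytes"]
    return totals


if __name__ == "__main__":
    for r in enrich(PROXY_LOG, IDENTITY_LOG):
        print(f'{r["time"]} {r["client"]:<10} {r["user"]:<8} {r["method"]} {r["url"]}')
    print(bytes_by_user(enrich(PROXY_LOG, IDENTITY_LOG)))
```

With the time-aware resolver the two early requests from 10.0.0.15 go to alice and the post-midnight upload to bob; with `naive_user_for` all three are blamed on bob, because he is simply the latest holder of the address. Identity events that never arrive (the 10.0.0.99 client) stay "unknown" rather than being guessed, which is the honest answer an analyst needs to see.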
Moreover, by the time you are done adding all the modules, you end up with a system of increased complexity that is hard to deploy, operationalize, monitor and manage. The result is a solution with a high cost of ownership that makes it inaccessible and unusable for many organizations.

aisiem: Modern, Adaptive and Intelligent

At Seceon, we believe a modern SIEM cannot be built on antiquated technology and architectures. SOC teams deserve a solution that is fundamentally different in its approach. A good solution shouldn't become a burden but should improve SOC teams' efficiency and effectiveness in defending against new-age cyber threats. Machine learning and AI cannot be an afterthought; they must be a core foundation of the SIEM that builds the path toward an AI-assisted SOC. Network flow forensics shouldn't be an add-on but an integral part of holistic threat analysis and detection. Automatic threat containment and remediation shouldn't require building playbooks that take months or years to implement, but should be available out of the box from the get-go. Moreover, it should be accessible to both Fortune 5-million and Fortune 100 enterprises.
Driven by this single-minded focus and a strong desire to help organizations of all sizes, we embarked on building a cybersecurity solution for the digital era that encompasses:

- A most advanced, efficient and extremely flexible data-source collection, processing and parsing engine.
- A highly scalable data ingestion bus capable of handling 50B events per day, yet small enough to be deployed on a single VM or cloud instance.
- A real-time, in-memory stream-processing compute engine benchmarked to handle 150M events per second.
- A machine learning engine built to adapt quickly to any new environment with its unsupervised, supervised and deep learning AI.
- A correlation engine with dynamic threat detection models that becomes more intelligent over time in detecting both known and unknown threats.
- A big-data database benchmarked to handle 400K ops per second that can store and archive years' worth of data.
- A search and in-memory database to execute dynamic threat models in real time and find the needle in the haystack by eliminating the noise.
- Built-in integration with most IT and network infrastructure components (identity systems, firewalls, routers/switches, etc.) for automatic threat containment and elimination.
- A container and micro-services architecture, offering the flexibility to deploy the solution across a myriad of modern and legacy IT infrastructures.
- A built-in multi-tenancy architecture.
The result is Seceon aisiem, which is:

- The most advanced SIEM, with actionable intelligence and automatic threat containment and elimination.
- An integrated MDR and MSS technology stack.
- A solution that is easy to install, implement and operationalize, with minimal configuration and management.
- A highly scalable, cloud-, virtualization- and bare-metal-native solution with built-in horizontal clustering and orchestration.
- A solution that can monitor and secure hybrid-cloud infrastructures.

Figure 1: aisiem in Action
Benefits of aisiem

According to Gartner's strategic approach, Continuous Adaptive Risk and Trust Assessment (CARTA) (refer to "Use a CARTA Strategic Approach to Embrace Digital Business Opportunities in an Era of Advanced Threats"), continuous data analytics is an absolute must to constantly assess an organization's security posture, provide adaptive access, predict and anticipate threats in real time, and respond to the threats that matter in real time.

aisiem aligns with Gartner's CARTA approach to provide these five major benefits to enterprises:

- Reduced MTTI (Mean Time To Identify): detecting threats in near real time, not days, weeks or months later.
- Reduced MTTR (Mean Time To Resolve): containing threats as soon as they are detected, with out-of-the-box automatic remediation.
- More efficient and effective SOC teams focusing on the threats that matter, not iterating through thousands of alerts per day.
- Continuous compliance and risk monitoring.
- Comprehensive visibility of the enterprise security posture.

And to Managed Security Service Providers (MSSPs) in the following two ways:

- An integrated solution to offer MDR and MSS with minimal investment.
- Single-pane-of-glass security posture visibility and monitoring across tenants.
How aisiem differs from traditional SIEMs:

Conclusion

aisiem is a truly modern SIEM with ML and AI as the core foundations for threat detection, with no rules to define; it is adaptive and intelligent toward the changing threat landscape, and it contains and eliminates threats without user intervention. It is designed for modern hybrid-cloud IT infrastructures and helps organizations with continuous compliance and risk assessment.

Find out more at www.seceon.com