
Posts

Next-Generation SIEMs

Intelligence, Speed, Simplicity, Automation

Overview

Major network and security trends, including exponentially increasing network traffic, cloud architectures, complex attack surfaces, and advanced adversaries, have created new challenges for security operations in adapting to this changing threat landscape.
Increased Traffic, Hybrid Cloud Architectures, and Sophisticated Adversaries Are Overwhelming SOCs
The Security Operations Center is faced with alert overload, often paralyzed with too much information to filter, prioritize, and act upon. The end result is an inability to find the true risk amongst thousands of alerts every day, with the largest organizations easily facing millions of alerts per day. Incident responders are challenged to find relevant information or to see the relationships amongst disparate indicators of compromise buried within logs, causing delays in assessing, understanding, and mitigating incidents. T…
Recent posts

Sift Security vs. Elastic Graph

We are often asked, “What is the difference between Sift Security and Elastic Graph?” This is a great question that typically comes from folks who are already familiar with Elasticsearch [0] and Elastic Graph [1]. The answer boils down to the following: Elastic Graph is a tool for visualizing arbitrary aggregate search results. Sift Security uses a graph database to simplify and accelerate specific security use cases. In this blog post, we describe the advantages of each of these approaches, and conclude with a discussion of when to use each.
Advantages of Sift Security

Query speed

Sift Security builds a property graph to represent security log events at ingestion time. We do this work at ingestion time for one reason: to speed up common investigative queries. When investigating alerts and incidents, analysts ask questions like:
- Did this user/host/IP address generate any other alerts?
- Was there any lateral movement from this host?
- What users were logged in to this host when this ale…

Cloud Hunter Release

I just wanted to take some time to post some details on our recent release of Cloud Hunter, which allows customers to visually explore and investigate their AWS cloud infrastructure. At Sift, we felt this integration would be important for 2 main reasons:
- Investigating events happening in AWS directly from Amazon is painful, unless you know exactly what event you're looking for.
- There are not many solutions that allow customers to follow chains of events spanning across the on-premises network and AWS on a single screen.

At Netflix, we spent a lot of time creating custom tools to address security concerns in our AWS infrastructure because we needed to supplement the AWS logs, and created visualizations based on that data. The amazing suite of open source tools from Netflix is the set of solutions they used to resolve their own pain points. Hosting microservices in the cloud with continuous integration and continuous deployment can be extremely efficient and robust. However, tracking ev…

Applying Machine Learning to Cybersecurity

In a recent article on the OPM hack, the author describes a pretty typical security situation for a large enterprise:

The Office of Personnel Management repels 10 million attempted digital intrusions per month—mostly the kinds of port scans and phishing attacks that plague every large-scale Internet presence—so it wasn’t too abnormal to discover that something had gotten lucky and slipped through the agency’s defenses.

Enormous pressure at scale from criminals makes automated systems essential for security. While humans can inspect packages coming into the building, only a computer can work quickly enough to inspect packets. Firewalls are the prototypical example: you allow certain traffic through according to a set of rules based on the source and destination IPs and the ports and protocols being used.

In recent years, there's been a lot of buzz about machine learning in cybersecurity--wouldn't it be great if your automated system could learn and adapt, stop threats you don’t ev…

Anomaly Detection White Paper

We are pleased to release a new Data Science White Paper, focused on our approach to Anomaly Detection. This paper, which is available upon request, picks up where our October 2015 Data Science White Paper left off, describing in detail our approach and the use cases we support.

The paper starts with a motivating example, describing the traces a sophisticated attacker leaves behind and how the traces can be detected. We then describe our algorithms within the context of the example and provide other use cases covered by our approach. We finish with a summary of the strategic advantages of the platform.

Read this paper to learn more about:
- Our unsupervised anomaly detection approach, including detection of rare events, spikes, and out-of-context events.
- Entity-level alert roll-ups, which help users prioritize investigations.
- The specific security use cases we address, which we map to the Lockheed cyber kill chain.
- The key advantages of our approach and algorithms.

To learn more, get your own…