Skip to main content

Next-Generation SIEMs

Next-Generation SIEMs

Intelligence, Speed, Simplicity, Automation


Major network and security trends, including exponentially increasing network traffic, cloud architectures, complex attack surfaces, and advanced adversaries, have created new challenges for security operations in adapting to this changing threat landscape.

Next-Generation SIEMs
Increased Traffic, Hybrid Cloud Architectures, and Sophisticated Adversaries Are Overwhelming SOCs

The Security Operations Center is faced with alert overload, often paralyzed with too much information to filter, prioritize, and act upon. The end result is an inability to find the true risk amongst thousands of alerts every day with the largest of organizations easily facing millions of alerts per day.

Incident responders are challenged at finding relevant information or seeing the relationships amongst disparate indicators of compromise that are buried within logs, causing delays in assessing, understanding, and mitigating incidents.

Threat hunting teams struggle with where to start, where to look, and how to analyze a massive amount of data. Log search tools and SIEMs do little to assist in finding new and unknown risk and require the user to have a strong understanding of low-level log data in order to know what to search for.

Traditional measures such as log management, event management, and SIEMs have failed to adapt to the changing threat landscape. These dated technologies are drastically less effective with the huge volumes of data collected from the network, servers, and applications, leading to false positives, false negatives and difficulty in tuning. Most customers continue to struggle to find a way to reduce the noise down to a small number of relevant alerts.

When advanced adversaries attack thinly-stretched security teams using sophisticated methods, it makes it difficult if not impossible for security professionals to protect their organizations in a proactive manner.

A new breed of tools and approaches are needed that have: cloud-enablement, new security intelligence, faster detection and response, scalability in performance and cost, and simplicity in deployment and use.


Today's IT and Security Operations teams are faced with numerous challenges: exponentially increasing network traffic, complex cloud architectures, growing attack surfaces, sophisticated adversaries, and costly and complicated security solutions that require a lot of expertise and time to maintain and use. Further, security teams don't know what they don't know, making the finding of new threats too much of a haphazard exercise. With a scarcity of skilled security professionals, existing teams are overtaxed, making it near-impossible to be proactive in planning security measures.

Each year has brought exponentially increasing volumes of network traffic, web content, messaging (email, chat, IM, VoIP), network traffic (TCP/IP), and application traffic (web services, web applications) to not only on-premise infrastructure, but also growing cloud infrastructures. The amount of traffic or events at the network level has made it difficult or impossible to assess, comprehend, analyze, and react to cyber adversaries, let alone take proactive defensive measures.

This has resulted in several adverse impacts:

  • Higher number of false positives leading to wild goose chases
  • Higher chance for false negatives passing by undetected
  • Difficulty in focusing on true risk amidst an overwhelming number of alerts

Production infrastructures now include a hybrid of on-premise and cloud deployments, but cannot be treated the same as on-premise architectures. Their technology stacks include sophisticated javascript UIs, backend messaging, multi-layered identity/authorization systems, distributed data stores, and elastic application servers and load-balancers. These opaque cloud architectures and complicated web applications have increased the attack surface, made it more complex to understand, and much harder to secure. Security teams have less control and visibility into these highly dynamic environments with elastic application and networking instances, and understanding what is going on in an organization's cloud architecture can be extremely difficult, resulting in missed alerts for availability and performance problems, and undiscovered or misunderstood security incidents.

Adversaries continue to grow more sophisticated, not only in their use of exploits that include polymorphic malware, ransomware, and Zeus bot strains, but also in their organizational capabilities around executing espionage and fraud. The authorities' hunt for the Zeus bot author is just one example of both the technical and organizational sophistication of today's cyber criminals, which in the case of Zeus, has resulted in financial fraud of banks of conservatively 70 to 80 million dollars. (1) The Bangladesh bank heist of $81M via the SWIFT network and possible insider assistance is another example of the evolving sophistication of cyber criminals.(2) Not only is the financial impact larger than ever before, the technical sophistication has also increased.

These attacks showed technical sophistication with redundant command-and-control bot networks, use of DoS traffic (knowing that high volumes of data overwhelm today's networks, tools and SoCs) to obfuscate the true attacks. Additionally, there is even business model sophistication in the renting of the Zeus botnets to other criminal groups for other purposes.

And although there are many high-profile breaches publicized almost on a weekly basis, there are many more that go undetected. As of 2016, the time to detect breaches remains anywhere from 5 months to over a year.(3)

Today's security approaches continue to fall short in adapting to these challenges. Existing tools and approaches lack the intelligence and analytics to identify and respond to true risk amidst the rising flood of expected network traffic, not to mention the distributed denial of service attacks that can be easily created in today's botnets-for-rent world.

SIEMs and log search tools have not adapted to evolving cloud architectures. With their dynamic, API-driven behavior and highly elastic runtime environments, a log-based, event-based view of cloud architectures can result in so much confusing noise, that it can completely obscure any real problems around availability, performance, or compromise.

The rigid frameworks of applying signatures and rules to voluminous data, whether it be packet captures or terabytes of log data is not working for either prevention or detection. Storms of red, priority one alerts continue to plague the SOC. Decreasing false positives often increases false negatives and vice-versa. And one can only create rules for known bad, so new attacks slip through.

Rules-based correlation approaches are also ineffective and unscalable as the rules have obtuse and arcane syntax, many ordering dependencies, and require exorbitant amounts of people time to define, tune, and maintain the logic. This results in security policies that are unclear and unmanageable by the very security professionals who are trying to secure the organization.

Next-Generation SIEMs
Rules-Based Correlation obfuscates, confuses, misses the unknown bad, and requires heavy maintenance.

Read more:

(1) "Inside the Hunt for Russia's Most Notorious Hacker," Graff, Wired, 3/21/17.

(2) "Hackers' $81 Million Sneak Attack on World Banking," Corkery, New York Times, 4/30/16. 

(3) "Breach Detection Time Improves, Destructive Attacks Rise: FireEye," Lennon, Security Week, 2/25/16. 

Popular posts from this blog

Sift Security Tools Release for AWS Monitoring - CloudHunter

We are excited to release CloudHunter, a web service similar to AWS CloudTrail that allows customers to visually explore and investigate their AWS cloud infrastructure.  At Sift, we felt this integration would be important for 2 main reasons:
Investigating events happening in AWS directly from Amazon is painful, unless you know exactly what event you're looking for.There are not many solutions that allow customers to follow chains of events spanning across the on-premises network and AWS on a single screen. At Netflix, we spent a lot of time creating custom tools to address security concerns in our AWS infrastructure because we needed to supplement the AWS logs, and created visualizations based on that data.  The amazing suite of open source tools from Netflix are the solutions they used to resolve their own pain points.  Hosting microservices in the cloud with continuous integration and continuous deployment can be extremely efficient and robust.  However, tracking events, espec…

Sift Security and WannaCry

😢 The WannaCry ransomware attack has left security teams around the world scrambling to make sure they are protected and to assess whether they have been victimized. To protect themselves, organizations need to have visibility into which systems are vulnerable and be able to rapidly roll out patches.  To understand whether they have been targeted, they need visibility into the channels over which the ransomware is distributed.  To understand whether they have been infected, they need visibility into the endpoints.
Over the past weekend, I was bombarded with questions from current customers, potential customers, former colleagues, friends, and family.  Am I vulnerable? How do I protect myself? How do I know if I’ve been hit? What do I do if I’ve been hit? What can you do to help me?
This post focuses primarily on the last question. What can we at Sift Security do to help an organization respond to a massive ransomware attack? I break this down into four categories, visibility, analyt…