
Next-Generation SIEMs

Intelligence, Speed, Simplicity, Automation

Overview

Major network and security trends, including exponentially increasing network traffic, cloud architectures, complex attack surfaces, and advanced adversaries, have created new challenges for security operations in adapting to this changing threat landscape.


Increased Traffic, Hybrid Cloud Architectures, and Sophisticated Adversaries Are Overwhelming SOCs

The Security Operations Center is faced with alert overload, often paralyzed by too much information to filter, prioritize, and act upon. The end result is an inability to find the true risk amongst thousands of alerts every day, with the largest organizations easily facing millions of alerts per day.

Incident responders are challenged to find relevant information or to see the relationships amongst disparate indicators of compromise that are buried within logs, causing delays in assessing, understanding, and mitigating incidents.

Threat hunting teams struggle with where to start, where to look, and how to analyze a massive amount of data. Log search tools and SIEMs do little to assist in finding new and unknown risk and require the user to have a strong understanding of low-level log data in order to know what to search for.

Traditional measures such as log management, event management, and SIEMs have failed to adapt to the changing threat landscape. These dated technologies are drastically less effective with the huge volumes of data collected from the network, servers, and applications, leading to false positives, false negatives, and difficulty in tuning. Most customers continue to struggle to find a way to reduce the noise down to a small number of relevant alerts.

When advanced adversaries attack thinly stretched security teams using sophisticated methods, it becomes difficult, if not impossible, for security professionals to protect their organizations in a proactive manner.

A new breed of tools and approaches is needed, with cloud enablement, new security intelligence, faster detection and response, scalability in performance and cost, and simplicity in deployment and use.

Challenges

Today's IT and Security Operations teams are faced with numerous challenges: exponentially increasing network traffic, complex cloud architectures, growing attack surfaces, sophisticated adversaries, and costly and complicated security solutions that require a great deal of expertise and time to maintain and use. Further, security teams don't know what they don't know, making the discovery of new threats a haphazard exercise. With a scarcity of skilled security professionals, existing teams are overtaxed, making it near-impossible to be proactive in planning security measures.

Each year has brought exponentially increasing volumes of web content, messaging (email, chat, IM, VoIP), network traffic (TCP/IP), and application traffic (web services, web applications), not only to on-premises infrastructure but also to growing cloud infrastructures. The volume of traffic and events at the network level has made it difficult or impossible to assess, comprehend, analyze, and react to cyber adversaries, let alone take proactive defensive measures.

This has resulted in several adverse impacts:

  • Higher number of false positives leading to wild goose chases
  • Higher chance for false negatives passing by undetected
  • Difficulty in focusing on true risk amidst an overwhelming number of alerts

Production infrastructures now include a hybrid of on-premises and cloud deployments, and the cloud portion cannot be treated the same as on-premises architectures. Their technology stacks include sophisticated JavaScript UIs, backend messaging, multi-layered identity/authorization systems, distributed data stores, and elastic application servers and load balancers. These opaque cloud architectures and complicated web applications have increased the attack surface, made it more complex to understand, and made it much harder to secure. Security teams have less control over and visibility into these highly dynamic environments of elastic application and networking instances, and understanding what is going on in an organization's cloud architecture can be extremely difficult. The result is missed alerts for availability and performance problems, and undiscovered or misunderstood security incidents.

Adversaries continue to grow more sophisticated, not only in their use of exploits that include polymorphic malware, ransomware, and Zeus bot strains, but also in their organizational capabilities around executing espionage and fraud. The authorities' hunt for the Zeus bot author is just one example of both the technical and organizational sophistication of today's cyber criminals; in the case of Zeus, this has resulted in financial fraud against banks of conservatively 70 to 80 million dollars. (1) The Bangladesh bank heist of $81M via the SWIFT network, with possible insider assistance, is another example of the evolving sophistication of cyber criminals. (2) Not only is the financial impact larger than ever before, the technical sophistication has also increased.

These attacks showed technical sophistication: redundant command-and-control bot networks, and the use of DoS traffic (knowing that high volumes of data overwhelm today's networks, tools, and SOCs) to obscure the true attacks. Additionally, there is even business-model sophistication in the renting of the Zeus botnets to other criminal groups for other purposes.

And although there are many high-profile breaches publicized almost on a weekly basis, many more go undetected. As of 2016, the time to detect breaches remains anywhere from 5 months to over a year. (3)

Today's security approaches continue to fall short in adapting to these challenges. Existing tools and approaches lack the intelligence and analytics to identify and respond to true risk amidst the rising flood of expected network traffic, not to mention the distributed denial-of-service attacks that can be easily created in today's botnets-for-rent world.

SIEMs and log search tools have not adapted to evolving cloud architectures. Given their dynamic, API-driven behavior and highly elastic runtime environments, a log-based, event-based view of cloud architectures can produce so much confusing noise that it completely obscures any real problems around availability, performance, or compromise.

The rigid framework of applying signatures and rules to voluminous data, whether packet captures or terabytes of log data, is not working for either prevention or detection. Storms of red, priority-one alerts continue to plague the SOC. Decreasing false positives often increases false negatives, and vice versa. And one can only create rules for known bad, so new attacks slip through.

Rules-based correlation approaches are also ineffective and unscalable: the rules have obscure and arcane syntax and many ordering dependencies, and they require exorbitant amounts of staff time to define, tune, and maintain the logic. This results in security policies that are unclear and unmanageable by the very security professionals who are trying to secure the organization.


Rules-Based Correlation obfuscates, confuses, misses the unknown bad, and requires heavy maintenance.

Read more: https://siftsecurity.com/papers/Sift-Security-Next-Generation-SIEMs.html


References

(1) "Inside the Hunt for Russia's Most Notorious Hacker," Graff, Wired, 3/21/17.
https://www.wired.com/2017/03/russian-hacker-spy-botnet/

(2) "Hackers' $81 Million Sneak Attack on World Banking," Corkery, New York Times, 4/30/16.
https://www.nytimes.com/2016/05/01/business/dealbook/hackers-81-million-sneak-attack-on-world-banking.html?_r=0

(3) "Breach Detection Time Improves, Destructive Attacks Rise: FireEye," Lennon, Security Week, 2/25/16.
http://www.securityweek.com/breach-detection-time-improves-destructive-attacks-rise-fireeye
