The ability to detect events and determine their intent — benign versus malicious — is crucial to information security and network defense. Whether an event occurs due to employee error, accidental misconfiguration, intentional policy violation, or outright attack, security teams must be able to understand what is happening in their environment and determine how secure they are, or are not. Security has become a top priority for businesses as they consider buying new products or improving existing ones. While every enterprise has varying levels of system and network complexity, competing priorities, and unique customer expectations to meet, none can afford to be perceived as having neglected security, especially when confronted with a breach. Apart from reputational damage or theft of competitive intellectual property (IP), the sheer distraction of a breach can cause companies to miss quarters and project deadlines, fail to deliver products to valuable customers, and burn out their staff.
The need for security awareness led to the development of the first generation of Security Information and Event Management (SIEM) systems. Though helpful, these first SIEMs suffered from scalability issues and were often difficult to reconfigure as technology evolved. While a second generation, led by tools such as Splunk and the ELK Stack, offered greater flexibility, scalability, and telemetry collection, their analytics capabilities still fell short of what security teams needed.
In this report, we examine the latest generation of SIEMs — also known as Advanced Behavioral Analytics and Threat Detection (ABA/TD) solutions — and their use of threat intelligence, in combination with analytics and situational awareness, to drive earlier breach detection. We discuss how these solutions can shorten the mean time to detect a compromise by matching indicators of compromise (IoCs) from threat intelligence feeds against collected telemetry; by recognizing adversaries' tactics, techniques, and procedures (TTPs) as behavioral patterns rather than fixed indicators; and by relying on sound network and system instrumentation so that the relevant telemetry exists to be analyzed in the first place.
- Security teams have been overwhelmed with point solutions, which leads to tool sprawl and fatigue. ABA/TD vendors consolidate point solutions such as antivirus (AV) and Intrusion Prevention/Intrusion Detection Systems (IPS/IDS) into a platform capable of advanced analytics, with the intention of providing more accurate intelligence and fewer false positive alarms.
- Threats change, as do enterprise networks, systems, and priorities. The previous generation of SIEM was brittle and unable to keep up with the constant flux found in most enterprises. This group of companies is keenly aware of this and has built platforms to address these gaps.
- The balance of privacy and security, in conjunction with the resources cloud brings, is a key differentiator in this space. Many companies that were once unwilling to send their security analytics off-premises (since that data might reveal they had been breached) have reached the point where the value of quickly detecting a breach outweighs the risks.
- Burnout from excessive false positive alarms is as real a threat as an actual attack. If the same alarm fires repeatedly and each investigation finds a false positive with no actual breach, the next occurrence is easily dismissed as more noise, even when it is a real threat. The accuracy of alerts is therefore an important consideration that these new tools seek to address.