Posted by Sunil K. Kotagiri
You cannot flip a page in any cybersecurity magazine, or scroll through a security blog, without seeing a mention of “Next Gen SIEM”. It is easy to understand why traditional SIEM vendors are pushing this concept, given the high-profile security breaches of the last few years and how long it took those organizations to realize they had been breached, despite having a multitude of security solutions, in many cases including a SIEM, deployed in their environments.
Why haven’t traditional SIEMs lived up to expectations?
As we know, today’s SIEMs collect and aggregate logs from different sources and alert security teams by running correlation rules. That is precisely the problem. The information in the logs is useful but limited. It is similar to a phone bill: it tells you when a call was made, to which number and for how long, but nothing about the conversation. Similarly, proxy server or firewall logs can tell you which PC (end device) accessed which website or URL, but not who was on the PC at that time or which application was riding on top of that URL. That again forces security teams to pull up the relevant logs, identity and firewall logs in this case, and correlate the information manually. The conversation and the additional contextual details carry the most important information: whether there is an incident of compromise worth spending time on, and where your short-staffed security teams should focus.

Today’s SIEMs are good at collecting and indexing modest amounts of data, and security teams can write basic rules to correlate known indicators. They are not good at detecting unknown attacks, analyzing massive amounts of data in real time, ingesting network session and packet information, understanding network and user behavior, monitoring and protecting hybrid-cloud infrastructures, and, most importantly, taking immediate action to contain or eliminate threats automatically before damage is done.
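To make that correlation gap concrete, here is an added example (not Seceon’s code and not part of the original post) that does by script what the paragraph says analysts end up doing by hand: it joins proxy log lines to identity events (ASSIGN/RELEASE of an IP address to a user, as a VPN gateway or DHCP server might log them) so that each web request is attributed to a person. Both log formats, and all IPs, user names and URLs, are constructed for the example. It also shows why a naive join on IP alone is wrong: the same address is handed to two users during the day, and one request falls in the gap between them.

```python
"""Attribute proxy requests to users by correlating with an identity log.

Added illustration only; not Seceon code. Both log formats below are
constructed for this example:
  identity: "<iso-time> ASSIGN|RELEASE <ip> <user>"
  proxy:    "<iso-time> <client-ip> <method> <url> <status>"
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample input (not from any real environment). Note that
# 10.1.2.50 is held by alice, released, and later handed to bob.
IDENTITY_LOG = """\
2024-03-01T08:00:00 ASSIGN 10.1.2.50 alice
2024-03-01T08:10:00 ASSIGN 10.1.2.51 carol
2024-03-01T09:30:00 RELEASE 10.1.2.50 alice
2024-03-01T09:45:00 ASSIGN 10.1.2.50 bob
"""

PROXY_LOG = """\
2024-03-01T08:15:00 10.1.2.50 GET https://mail.example.com/inbox 200
2024-03-01T09:40:00 10.1.2.50 GET https://paste.example/raw/abcd 200
2024-03-01T10:00:00 10.1.2.50 POST https://drop.example.net/upload 200
2024-03-01T08:20:00 10.1.2.52 GET https://updates.example.org/ 200
"""


@dataclass
class Lease:
    """Interval during which `ip` was held by `user` (end=None: still active)."""
    ip: str
    user: str
    start: datetime
    end: Optional[datetime] = None


def parse_identity(text: str) -> list:
    """Turn ASSIGN/RELEASE events into per-IP lease intervals."""
    # Sort by timestamp first; the identity source need not be in order.
    events = sorted(line.split() for line in text.splitlines() if line.strip())
    leases, active = [], {}  # active: ip -> Lease with no end yet
    for ts, action, ip, user in events:
        t = datetime.fromisoformat(ts)
        if action == "ASSIGN":
            # A new ASSIGN implicitly closes any lease that was never released.
            if ip in active:
                active[ip].end = t
            lease = Lease(ip, user, t)
            active[ip] = lease
            leases.append(lease)
        elif action == "RELEASE" and ip in active and active[ip].user == user:
            active.pop(ip).end = t
    return leases


def user_for(leases: list, ip: str, t: datetime) -> Optional[str]:
    """User holding `ip` at time `t`, or None if nobody did."""
    for lease in leases:
        if lease.ip == ip and lease.start <= t and (lease.end is None or t < lease.end):
            return lease.user
    return None


def attribute(proxy_text: str, identity_text: str) -> list:
    """Annotate each proxy request with the responsible user (or 'unknown')."""
    leases = parse_identity(identity_text)
    rows = []
    for line in proxy_text.splitlines():
        ts, ip, method, url, status = line.split()
        user = user_for(leases, ip, datetime.fromisoformat(ts))
        rows.append({"time": ts, "ip": ip, "method": method, "url": url,
                     "user": user or "unknown"})
    return rows


def naive_attribution(identity_text: str) -> dict:
    """The shortcut to avoid: map each IP to the last user ever assigned it."""
    last = {}
    for line in identity_text.splitlines():
        _, action, ip, user = line.split()
        if action == "ASSIGN":
            last[ip] = user
    return last


if __name__ == "__main__":
    for row in attribute(PROXY_LOG, IDENTITY_LOG):
        print(f"{row['time']} {row['ip']:<10} {row['user']:<8} {row['method']} {row['url']}")
    print("naive IP->user map:", naive_attribution(IDENTITY_LOG))
```

Run as a script, the 08:15 request is attributed to alice and the 10:00 upload to bob, while the 09:40 request lands in the window after alice released the address and before bob received it and is reported as unknown rather than pinned on either of them; the naive map would blame bob for all three. The 10.1.2.52 request has no identity record at all, which is exactly the missing context the paragraph describes. In a real pipeline the identity side would be fed continuously from VPN, DHCP, directory logon or endpoint agent events, and the same time-windowed join is what turns a device-level proxy line into something an analyst can act on.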
SIEM vendors’ answer to these limitations is add-on modules: a module for ingesting and processing network traffic; a module for deep packet inspection (DPI); a UEBA (User and Entity Behavior Analytics) module; a module for IaaS, PaaS and SaaS; a playbooks module for threat remediation. The solution patched together from these modules is then called a Next-Gen or modern SIEM. This approach appears convincing on paper because it fits the popular, if self-serving, narrative that more modules mean more flexibility, better scalability and agreeable price points. In reality the argument is inherently flawed. It does not solve the original issue: SIEMs are not architected to handle large-volume, high-velocity data in real time; they still rely on rules to correlate and raise alerts; and they still use age-old indexing, storage and compute technologies that are inflexible and do not support modern hybrid-cloud IT infrastructure, containerization and orchestration principles. Moreover, by the time you are done adding all the so-called Next-Gen SIEM modules, you end up with a system of increased complexity that is hard to deploy, operationalize, monitor and manage, with a tremendously high cost of ownership, making it inaccessible and unusable for many organizations.
aiSIEM: Modern, Adaptive and Intelligent
At Seceon, we believe a modern SIEM cannot be built on antiquated technology and architectures. We believe SOC teams deserve a solution that is fundamentally different in its approach: one that does not become a burden but enriches SOC teams and improves their efficiency and effectiveness in defending against new-age cyber threats. We believe machine learning and AI cannot be an afterthought but must be a core foundation of the SIEM, building the path toward an AI-assisted SOC; network flow forensics should not be an add-on but an integral part of holistic threat analysis and detection; and automatic threat containment and remediation should not require building playbooks that take months or years to implement, but should be available out of the box from day one. Moreover, all of this should be accessible to the Fortune 5 million, not just the Fortune 100.
Driven by this single-minded focus and a strong desire to help organizations of all sizes, we embarked on building a cybersecurity solution for the digital era that encompasses:
- A highly advanced, efficient and extremely flexible data source collection, processing and parsing engine.
- A highly scalable data ingestion bus capable of handling 50B events per day, yet small enough to be deployed on a single VM or cloud instance.
- A real-time, in-memory stream processing compute engine benchmarked at 150M events per second.
- A machine learning engine built to adapt quickly to any new environment, using unsupervised, supervised and deep learning.
- A correlation engine with dynamic threat detection models that becomes more intelligent over time at detecting both known and unknown threats.
- A big-data database benchmarked at 400K operations per second that can store and archive years’ worth of data.
- A search and in-memory database that helps execute dynamic threat models in real time and find the needle in the haystack by eliminating the noise.
- Built-in integration with most IT and network infrastructure components (identity systems, firewalls, routers/switches, etc.) for automatic threat containment and elimination.
- A container and microservices architecture, offering the flexibility to deploy the solution across a myriad of modern and legacy IT infrastructures.
- Built-in multi-tenancy.
The result is Seceon aiSIEM, which is:
- The most advanced SIEM, with actionable intelligence and automatic threat containment and elimination.
- An integrated MDR and MSS technology stack.
- A solution that is easy to install, implement and operationalize, with minimal configuration and management.
- A highly scalable solution, native to cloud, virtualization and bare metal, with built-in horizontal clustering and orchestration.
- A solution that can monitor and secure hybrid-cloud infrastructures.
Benefits of aiSIEM™
According to Gartner’s strategic approach Continuous Adaptive Risk and Trust Assessment (CARTA) (refer to Use a CARTA Strategic Approach to Embrace Digital Business Opportunities in an Era of Advanced Threats), continuous data analytics is a must to constantly assess an organization’s security posture, provide adaptive access, predict and anticipate threats in real time, and respond in real time to the threats that matter. aiSIEM aligns with Gartner’s CARTA approach to provide five major benefits to enterprises:
- Reduced MTTI (Mean Time to Identify): detecting threats in near real time, not days, weeks or months later.
- Reduced MTTR (Mean Time to Resolve): containing threats as soon as they are detected, with out-of-the-box automatic remediation.
- More efficient and effective SOC teams, focused on the threats that matter rather than iterating through thousands of alerts per day.
- Continuous compliance and risk monitoring.
- Comprehensive visibility of the enterprise’s security posture.
And to Managed Security Service Providers (MSSPs), in the following two ways:
- An integrated solution to offer MDR and MSS with minimal investment.
- Single-pane-of-glass security posture visibility and monitoring across tenants.
How aiSIEM differs from traditional SIEMs
Vendors may call their solutions Modern SIEM, Next-Gen SIEM, Next-Next-Gen SIEM and so on. At Seceon, we consider a SIEM truly modern only when ML and AI are the core foundation of threat detection, with no rules to define; when the solution adapts to its environment and becomes more intelligent over time; when it automatically contains and eliminates threats without user intervention; when it is designed for modern hybrid-cloud IT infrastructures; and when it helps organizations with continuous compliance and risk assessment. That is Seceon aiSIEM: modern, adaptive and intelligent.