






How to move beyond the SIEM

Defending against and detecting cyber threats depends on understanding the full threat
landscape

by Mark Bevilacqua, VP, Customer Success at IKANOW



Like a patrolman walking his beat, your SIEM software keeps an eye on what's happening in
your network and reports any unusual activities. But just as you wouldn't rely on a security
guard as the sole means of protecting your physical property, you shouldn't rely on SIEM as the
sole means of providing cyber security. While SIEM provides a great deal of information, SIEM
alone isn't enough to make your systems secure.


SIEMs are good at aggregating events from perimeter systems and presenting that information in a dashboard, but to be effective in combating threats, organizations must go beyond a perimeter overview. They must detect and predict threats from outside data and from internal behavior across all of their systems, which SIEMs currently cannot do; a more complex data analytics platform, such as IKANOW, is required to accomplish this.

Make sure you understand the capabilities and limitations of SIEM and know where you need to
utilize other threat intelligence feeds and threat analytics methodologies to ensure you protect
your network fully.


SIEMs focus on local & noisy data


A SIEM can capture a large amount of internal, mostly structured, data from multiple sources, including your network, databases, services, and applications. Years ago, this provided a fairly complete picture of your cyber posture. Against today's dynamic, ever-changing threats, it isn't nearly enough.

It takes time to analyze the data, and it's difficult to separate the important information from the
background noise. Few firms can keep resources focused on the analysis task; there aren't
enough experts to hire, even if funds were unlimited.

Automated triggers can be established, but they generate false alerts, one of the biggest complaints about SIEMs, and those false alerts divert resources from important but subtle events that do require a response. Tuning the SIEM so that it stops generating too many false alerts often requires vendor-specific knowledge that in-house teams lack. How, then, can you make the most of this raw data?

A SIEM tells you what is going on in your own network, but a great deal of security comes from shared information. Knowing the threats other businesses have already experienced lets you secure your network against them before attackers turn their attention to you.
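As an added example (it is not code from the article or from IKANOW), the following Python sketch runs the two points above over a constructed authentication log: a stock "N failed logins from one source" trigger of the kind a SIEM ships with, which fires on a misconfigured backup service account as readily as on a password spray; the same trigger tuned to require spread across several accounts, which drops the service-account noise; and a match of the same events against a small constructed list of indicators that other organisations have shared, which catches a single successful login the volume-based rules never see. The log format, IP addresses, user names and feed contents are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): "timestamp result user src_ip dst_host".
# First burst: a backup service account failing repeatedly against one host (misconfiguration).
# Second burst: one external source trying many different accounts against the VPN (spray).
# Last line: a quiet, successful login from a source other organisations have reported.
SAMPLE_LOG = """\
2015-05-04T09:00:01 FAIL svc_backup 10.0.5.12 fileserver01
2015-05-04T09:00:31 FAIL svc_backup 10.0.5.12 fileserver01
2015-05-04T09:01:01 FAIL svc_backup 10.0.5.12 fileserver01
2015-05-04T09:01:31 FAIL svc_backup 10.0.5.12 fileserver01
2015-05-04T09:02:01 FAIL svc_backup 10.0.5.12 fileserver01
2015-05-04T09:02:31 FAIL svc_backup 10.0.5.12 fileserver01
2015-05-04T09:05:10 FAIL alice 203.0.113.7 vpn01
2015-05-04T09:05:12 FAIL bob 203.0.113.7 vpn01
2015-05-04T09:05:14 FAIL carol 203.0.113.7 vpn01
2015-05-04T09:05:16 FAIL dave 203.0.113.7 vpn01
2015-05-04T09:05:18 FAIL erin 203.0.113.7 vpn01
2015-05-04T09:05:20 FAIL frank 203.0.113.7 vpn01
2015-05-04T09:10:00 SUCCESS alice 10.0.8.4 mail01
2015-05-04T09:12:45 SUCCESS bob 198.51.100.23 vpn01
"""

# Constructed "shared" indicator feed: source IPs reported by other organisations.
THREAT_FEED = {
    "198.51.100.23": "credential-theft infrastructure, reported by a peer on 2015-05-03",
}


def parse_events(text):
    """Turn the raw log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src, dst = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "result": result,
                       "user": user, "src": src, "dst": dst})
    return events


def _busiest_failure_window(events, window):
    """For each source IP, return the FAIL events in its busiest `window`-long interval."""
    per_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            per_src[e["src"]].append(e)
    busiest = {}
    for src, fails in per_src.items():
        fails.sort(key=lambda e: e["ts"])
        best = []
        for i, start in enumerate(fails):
            in_window = [f for f in fails[i:] if f["ts"] - start["ts"] <= window]
            if len(in_window) > len(best):
                best = in_window
        busiest[src] = best
    return busiest


def naive_rule(events, threshold=5, window=timedelta(minutes=10)):
    """Stock trigger: alert on any source with `threshold` failed logins in `window`.
    Fires on the broken service account and on the spray alike."""
    return sorted(src for src, fails in _busiest_failure_window(events, window).items()
                  if len(fails) >= threshold)


def tuned_rule(events, threshold=5, window=timedelta(minutes=10), min_distinct_users=3):
    """Same trigger, tuned: a burst against a single account from one internal source is
    far more often a misconfigured service than an attack, so require the failures to be
    spread across several accounts before raising a high-severity alert."""
    alerts = []
    for src, fails in _busiest_failure_window(events, window).items():
        distinct_users = {f["user"] for f in fails}
        if len(fails) >= threshold and len(distinct_users) >= min_distinct_users:
            alerts.append(src)
    return sorted(alerts)


def feed_matches(events, feed):
    """Outside data: flag any event whose source appears in the shared feed, regardless
    of volume. One successful login from a reported IP is the interesting hit here."""
    return [(e["src"], e["user"], e["result"], feed[e["src"]])
            for e in events if e["src"] in feed]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("naive rule:", naive_rule(evts))
    print("tuned rule:", tuned_rule(evts))
    print("feed hits: ", feed_matches(evts, THREAT_FEED))
```

The tuned rule still leaves the service-account burst visible in the data; in practice it would go to a low-severity queue rather than being discarded. The feed match is deliberately independent of any threshold, which is the point of shared intelligence: the source is suspicious because of what others have already seen, not because of how loud it is on your network.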




60 Cyber Warnings E-Magazine – May 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
