Page 77 - Cyber Defense eMagazine September 2022
especially when maxed out on events per second (EPS). This is certainly not ideal given that attackers
only need seconds to exploit a vulnerability. Visibility into threats - both emerging and existing - in as
close to real-time as possible is essential.
Additionally, SIEM pricing models can be problematic: price often inflates massively as data volumes
increase, while security budgets grow only incrementally. Here, it’s important to remember that
not all security log data is created equal. Certain logs are the most likely to contain meaningful
information, while other logs may contain information that is mainly useful for event correlation.
An example of this would be an intrusion detection system that records malicious commands issued to a
server from an external host; this would be a primary source of attack information. A firewall log could
then be reviewed to identify other connection attempts from the same source IP address, reinforcing that
the IP address in question is in fact likely to be a malicious actor.
Intelligent event correlation is one of the most powerful features of SIEM systems, and the richer and
more comprehensive the data, the better the results. Security operations teams therefore find themselves
facing a dilemma. They can include the majority (or all) of their log data - including a high volume of logs with
little to no value - which often leads to an overstuffed SIEM that eats through their budget. Or, they can
predict which logs they really need and neglect the others, which may keep the team within budget
but creates significant blind spots and vulnerabilities. Such an approach may be deemed too risky,
since threats can be lurking anywhere.
Finding A Balance
The “centralize and analyze” approach to SIEM evolved at a time when organizations prized one true
copy of logs in one highly secure location, often totally separated from production environments and
completely inaccessible to hackers, malicious insiders and other employees. Given the significant rise in
the number and variety of cybersecurity threats, combined with the volume of security logs being
generated, such an approach is no longer optimal from a speed or cost perspective.
A new approach is needed that entails analyzing all data at its source - separating where data is analyzed
from where it is stored. Some call this approach “Small Data”: processing smaller amounts of data in
parallel. Once logs are analyzed at their source, they can be classified as higher-value (and routed
to a higher-cost, lower-volume SIEM repository) or lower-value (and routed to a lower-cost storage option).
Additionally, when analytics are pushed upstream, security operations teams can sidestep indexing for
the moment and identify anomalies and areas of interest even faster than with a SIEM alone, which is
critical in the constant race with adversaries.
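The following is an added illustration, written for this page rather than taken from the article or from any SIEM product, of the two ideas above: the intrusion-detection-plus-firewall correlation described earlier, and the "analyze at the source, then route by value" model. The log lines, the source names (`ids`, `firewall`, `dhcp`, `app`), the key=value line format and the classification rules are all constructed assumptions for the demonstration; a real deployment would substitute its own parsers and tiering policy.

```python
"""Added example: source-side log triage with IDS/firewall correlation.

Illustrative code written for this article, not a vendor implementation.
All log lines, field names and tiering rules below are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample logs (not real events): (source, raw line).
SAMPLE_LOGS = [
    ("ids", '2022-09-01T10:00:01Z ALERT src=203.0.113.7 dst=10.0.0.5 msg="suspicious command execution"'),
    ("firewall", "2022-09-01T09:59:40Z DENY src=203.0.113.7 dst=10.0.0.5 dport=22"),
    ("firewall", "2022-09-01T09:59:45Z DENY src=203.0.113.7 dst=10.0.0.5 dport=3306"),
    ("firewall", "2022-09-01T10:00:00Z ALLOW src=203.0.113.7 dst=10.0.0.5 dport=443"),
    ("firewall", "2022-09-01T10:00:03Z ALLOW src=198.51.100.20 dst=10.0.0.5 dport=443"),
    ("dhcp", "2022-09-01T10:00:05Z DHCPACK on 10.0.0.77 to aa:bb:cc:dd:ee:ff"),
    ("app", "2022-09-01T10:00:06Z INFO health check ok"),
]

# Assumed source roles: IDS alerts stand on their own ("primary"); firewall
# records are mainly useful to corroborate a primary event ("correlation").
PRIMARY_SOURCES = {"ids"}
CORRELATION_SOURCES = {"firewall"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(source, line):
    """Parse one constructed log line into a dict.

    Assumed format: '<timestamp> <ACTION> key=value ...', values optionally
    double-quoted. Sources that do not follow it still get ts/action/raw.
    """
    parts = line.split(" ", 2)
    event = {"source": source, "ts": parts[0], "raw": line}
    if len(parts) < 2:
        return event
    event["action"] = parts[1]
    rest = parts[2] if len(parts) == 3 else ""
    for key, value in KV_RE.findall(rest):
        event[key] = value.strip('"')
    return event


def classify(event):
    """Assign a value tier to an event using the assumed source roles."""
    if event["source"] in PRIMARY_SOURCES and event.get("action") == "ALERT":
        return "primary"
    if event["source"] in CORRELATION_SOURCES:
        return "correlation"
    return "low"


def route_logs(records):
    """Analyze at the source, then route by value.

    Returns (routed, hits): routed maps 'siem' / 'cold' to event lists; hits
    counts how many correlation-source events share a source IP with a
    primary alert, which is the evidence that reinforces the IDS finding.
    """
    events = [parse_line(src, line) for src, line in records]
    for event in events:
        event["tier"] = classify(event)

    # Pivot: source IPs named by primary alerts.
    suspect_ips = {e["src"] for e in events if e["tier"] == "primary" and "src" in e}

    hits = defaultdict(int)
    routed = {"siem": [], "cold": []}
    for event in events:
        if event["tier"] == "primary":
            routed["siem"].append(event)            # always worth the expensive tier
        elif event["tier"] == "correlation" and event.get("src") in suspect_ips:
            hits[event["src"]] += 1                 # corroborates a primary alert
            routed["siem"].append(event)
        else:
            routed["cold"].append(event)            # low value: cheap storage only
    return routed, dict(hits)


if __name__ == "__main__":
    routed, hits = route_logs(SAMPLE_LOGS)
    print(f"to SIEM: {len(routed['siem'])}, to cold storage: {len(routed['cold'])}")
    for ip, count in hits.items():
        print(f"{ip}: {count} firewall events corroborate the IDS alert")
```

The batch form above is deliberately simple: it sees the whole sample before routing, so firewall records that preceded the IDS alert are still caught. A streaming collector at the source would need to hold a short window of correlation-source events, or re-fetch them from cold storage once a primary alert names the IP, before deciding which tier they belong in.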
Today, this can be achieved in a way that maintains maximum security, availability and confidentiality of
logs. Enterprises can therefore afford to have eyes on all their data while not compromising the security
benefits of an SIEM.
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.