Page 77 - Cyber Defense eMagazine September 2022

especially when maxed out on events per second (EPS). This is certainly not ideal given that attackers
            only need seconds to exploit a vulnerability. Visibility into threats - both emerging and existing - in as
            close to real-time as possible is essential.

Additionally, SIEM pricing models can be problematic, as price often inflates massively as data volumes
increase, while security budgets are only increasing incrementally. Here, it’s important to remember that
not all security log data is created equal. Certain logs are typically the most likely to contain meaningful
information, while other logs may contain information helpful for event correlation.

            An example of this would be an intrusion detection system that records malicious commands issued to a
            server from an external host; this would be a primary source of attack information. A firewall log could
            then be reviewed to identify other connection attempts from the same source IP address, reinforcing that
            the IP address in question is in fact likely to be a malicious actor.

Intelligent event correlation is one of the most powerful features of SIEM systems, and the richer and
more comprehensive the data, the better the results. Security operations teams therefore find themselves
facing a dilemma. They can include the majority (or all) log data - including a high volume of logs with
little to no value - which often leads to an overstuffed SIEM that eats through their budget. Or, they can
make predictions on what logs they really need while neglecting others, which may keep the team within
budget but creates significant blind spots and vulnerabilities. Such an approach may be deemed too risky
since threats can be lurking anywhere.



            Finding A Balance

The “centralize and analyze” approach to SIEM evolved at a time when organizations prized one true
copy of logs in one highly secure location, often totally separated from production environments and
completely inaccessible to hackers, malicious insiders and other employees. Given the significant rise in
the number and variety of cybersecurity threats, combined with the volume of security logs being
generated, such an approach is no longer optimal from a speed or cost perspective.

A new approach is needed that entails analyzing all data at its source - separating where data is analyzed
from where it is stored. Some call this approach “Small Data” - processing smaller amounts of data in
parallel. Once logs are analyzed at their source, they can then be classified as higher value (and routed
to a higher-cost, lower-volume SIEM repository) or lower value (and routed to a lower-cost storage option).
Additionally, when analytics are pushed upstream, security operations teams can sidestep indexing for
the moment and identify anomalies and areas of interest even faster than with an SIEM alone, which is
critical in the constant race with adversaries.
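As an added example (not code from the article or from any product it describes), the following Python script sketches the "analyze at the source" routing described above, using the IDS-plus-firewall correlation scenario from earlier on this page. It parses a handful of constructed key=value log lines (the addresses are RFC 5737 test ranges, not real hosts), treats IDS alerts as the primary attack evidence, promotes firewall records from the same source IP to "context" so they travel with the alert to the SIEM, and sends everything else to low-cost storage. The log format, sensor names and the two-tier routing policy are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the article). Source addresses use
# documentation-only ranges so nothing here refers to a real host.
IDS_LOGS = [
    'ts=2022-09-01T10:00:01Z src=198.51.100.23 dst=10.0.0.5 sensor=ids sig=web-cmd-injection action=alert',
    'ts=2022-09-01T10:00:02Z src=203.0.113.9 dst=10.0.0.5 sensor=ids sig=http-get action=allow',
]
FW_LOGS = [
    'ts=2022-09-01T09:59:58Z src=198.51.100.23 dst=10.0.0.5 sensor=fw dport=22 action=deny',
    'ts=2022-09-01T09:59:59Z src=198.51.100.23 dst=10.0.0.6 sensor=fw dport=3389 action=deny',
    'ts=2022-09-01T10:00:00Z src=198.51.100.23 dst=10.0.0.5 sensor=fw dport=80 action=allow',
    'ts=2022-09-01T10:00:03Z src=203.0.113.9 dst=10.0.0.5 sensor=fw dport=80 action=allow',
    'ts=2022-09-01T10:00:04Z src=192.0.2.77 dst=10.0.0.7 sensor=fw dport=443 action=allow',
]

# key=value tokens; quoted values are allowed so a message field may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_primary(event: dict) -> bool:
    """Primary attack evidence: an IDS record that actually raised an alert."""
    return event.get("sensor") == "ids" and event.get("action") == "alert"


def triage(lines: list) -> dict:
    """Classify every record at the source and route it to one of two tiers.

    'siem'    -> primary alerts plus context records sharing a source IP with an alert
    'archive' -> everything else (bulk, low-value data kept for later search)
    """
    events = [parse_line(line) for line in lines]
    # Source IPs that appear in at least one primary alert drive the promotion.
    suspicious = {e["src"] for e in events if is_primary(e) and "src" in e}
    routed = {"siem": [], "archive": []}
    for e in events:
        if is_primary(e):
            e["tier"] = "primary"
            routed["siem"].append(e)
        elif e.get("src") in suspicious:
            e["tier"] = "context"  # e.g. firewall hits from the alerting IP
            routed["siem"].append(e)
        else:
            e["tier"] = "bulk"
            routed["archive"].append(e)
    return routed


def correlate(routed: dict) -> dict:
    """Summarise, per alerting source IP, what the promoted firewall context shows."""
    summary = defaultdict(lambda: {"firewall_events": 0, "denied_ports": set(), "targets": set()})
    for e in routed["siem"]:
        if e.get("sensor") != "fw":
            continue
        entry = summary[e["src"]]
        entry["firewall_events"] += 1
        entry["targets"].add(e["dst"])
        if e.get("action") == "deny":
            entry["denied_ports"].add(e["dport"])
    # Sort the sets so the output is stable and easy to compare.
    return {
        ip: {
            "firewall_events": v["firewall_events"],
            "denied_ports": sorted(v["denied_ports"]),
            "targets": sorted(v["targets"]),
        }
        for ip, v in summary.items()
    }


def siem_share(routed: dict) -> float:
    """Fraction of all records that still reach the SIEM after source-side triage."""
    total = len(routed["siem"]) + len(routed["archive"])
    return len(routed["siem"]) / total if total else 0.0


if __name__ == "__main__":
    routed = triage(IDS_LOGS + FW_LOGS)
    for tier, events in routed.items():
        print(f"{tier}: {len(events)} record(s)")
    for ip, facts in correlate(routed).items():
        print(ip, facts)
    print(f"share sent to SIEM: {siem_share(routed):.2f}")
```

With the constructed input, four of the seven records reach the SIEM (the alert and three firewall records from the same source), while the firewall's routine allowed traffic from unrelated addresses goes to the archive tier. Tuning the promotion rule (for example a time window around the alert rather than a plain source-IP match) is where most of the real engineering effort sits.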

            Today, this can be achieved in a way that maintains maximum security, availability and confidentiality of
            logs. Enterprises can therefore afford to have eyes on all their data while not compromising the security
            benefits of an SIEM.

            Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.