SIEM Is A Great Tool But Its Administrative Challenges Are A Barrier

Infosecurity | February 20, 2020

  • A Sumo Logic Twitter poll found that 38.5% of SIEM users consider administration the biggest struggle with SIEM complexity, whilst 32% cited deployment.

  • SIEM engineering and management require a dedicated team that is accustomed to the platform and its internal infrastructure and operations.

  • Many bad actors have learned how to get past static SIEM rules, whether by evasion techniques or otherwise.

SIEM solutions help IT teams to be more proactive in the fight against security threats by providing a holistic view of what is happening on a network in real-time. The software has been in use in various guises for over a decade and has evolved significantly during that time. And while the platforms can be remarkably powerful defensive tools, their power is tempered by a long list of challenges that, as often as not, make them as much of a hindrance as a benefit.

A Twitter poll hosted by Sumo Logic revealed that 40.3% of SIEM users valued it primarily as a “security control”, while less than a quarter saw it used mainly for threat detection (23.3% of responses) or data collection (24.3%).

Speaking about risk management, Michael Thoma of the Crypsis Group said a SIEM can itself act as a security control: some SIEMs can detect when a user is added to a domain admin group without a corresponding change ticket and use APIs to disable that user automatically.

There are many tools that can supplement threat detection in lieu of a SIEM. In fact, a SIEM is typically centralization of the technology platforms that alert and log in the first place. For instance, you may have an Intrusion Prevention System (IPS) that is sending events and alerts to your SIEM based on malicious network activity. The SIEM can allow for additional correlation and retention of system logs, but the IPS by itself can still provide alerts on what is happening within your environment.

- Michael Thoma, Principal Consultant, Crypsis Group
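The control Thoma describes above, as an added example that is not code from the article, Sumo Logic or the Crypsis Group: a privileged-group membership event is matched against the change-ticket system, and an addition that no ticket covers triggers an automatic disable of the account. The event and ticket field names, the privileged-group list, the sample data and the `disable_fn` callback (standing in for the directory API call a real SIEM would make) are all assumptions for this example.

```python
"""Added example (not Sumo Logic's, Crypsis Group's or any vendor's code):
a SIEM acting as a control by correlating privileged-group membership
changes with approved change tickets and disabling the account otherwise."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional

# Constructed sample events, loosely modelled on Windows Security event 4728
# ("A member was added to a security-enabled global group"). The field names
# are an assumption for this example, not any SIEM's real schema.
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2020-02-20T09:15:00", "event_id": 4728, "group": "Domain Admins",
     "member": "CORP\\jdoe", "actor": "CORP\\helpdesk1"},
    {"time": "2020-02-20T09:40:00", "event_id": 4728, "group": "Domain Admins",
     "member": "CORP\\svc-backup", "actor": "CORP\\wkstn17$"},
    {"time": "2020-02-20T10:05:00", "event_id": 4728, "group": "Finance Users",
     "member": "CORP\\asmith", "actor": "CORP\\helpdesk1"},
    {"time": "2020-02-20T23:30:00", "event_id": 4728, "group": "Domain Admins",
     "member": "CORP\\jdoe", "actor": "CORP\\helpdesk1"},
]

# Constructed change tickets: who may be added to which group, and when.
SAMPLE_TICKETS: List[Dict] = [
    {"id": "CHG-1041", "member": "CORP\\jdoe", "group": "Domain Admins",
     "start": "2020-02-20T09:00:00", "end": "2020-02-20T12:00:00"},
]

# Groups whose membership changes must always be covered by a ticket (assumed list).
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins"}


@dataclass
class Verdict:
    member: str
    group: str
    time: str
    ticket: Optional[str]   # covering ticket id, or None
    action: str             # "allow" or "disable"


def find_ticket(event: Dict, tickets: List[Dict]) -> Optional[str]:
    """Return the id of a ticket that approves this exact member/group change
    inside its change window, or None. Names compare case-insensitively; the
    window check is what catches re-use of a valid ticket outside its hours."""
    when = datetime.fromisoformat(event["time"])
    for tk in tickets:
        if (tk["member"].lower() == event["member"].lower()
                and tk["group"].lower() == event["group"].lower()
                and datetime.fromisoformat(tk["start"]) <= when <= datetime.fromisoformat(tk["end"])):
            return tk["id"]
    return None


def evaluate(events: List[Dict], tickets: List[Dict],
             disable_fn: Callable[[str], None]) -> List[Verdict]:
    """Walk group-add events; for privileged groups with no covering ticket,
    call disable_fn (placeholder for the directory API call a SIEM would make)."""
    verdicts = []
    for ev in events:
        if ev.get("event_id") != 4728 or ev["group"].lower() not in PRIVILEGED_GROUPS:
            continue  # not a privileged-group addition; outside this control's scope
        ticket = find_ticket(ev, tickets)
        if ticket is None:
            disable_fn(ev["member"])
        verdicts.append(Verdict(ev["member"], ev["group"], ev["time"], ticket,
                                "allow" if ticket else "disable"))
    return verdicts


def run_sample():
    """Run the control over the constructed data; returns (verdicts, disabled accounts)."""
    disabled: List[str] = []
    verdicts = evaluate(SAMPLE_EVENTS, SAMPLE_TICKETS, disabled.append)
    return verdicts, disabled


if __name__ == "__main__":
    for v in run_sample()[0]:
        print(f"{v.time} {v.group:14} {v.member:18} ticket={v.ticket} -> {v.action}")
```

The change window is the part worth copying: the ticket that approves jdoe for the morning does not cover the same change at 23:30, so the late addition is disabled even though a ticket for that user exists, and the addition to a non-privileged group is ignored rather than generating noise.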

In another Twitter vote, of 621 respondents, 38.5% said that administration was the biggest struggle of SIEM complexity, whilst 32% cited deployment and 29.5% opted for operations. Thoma said that SIEM is “absolutely one of the most valued security controls for security operations and IT teams; however, it's only as useful as its implementation.”


Thoma said SIEM engineering and management require a dedicated team that is accustomed to the platform and its internal infrastructure and operations. He explained, “A SIEM is not an off-the-shelf product, and too many teams implement a SIEM for a fraction of the capabilities offered. There are likely just as many teams using it for the full effectiveness as there are those hoping to use it as a silver bullet.”

He further said a better SIEM solution was not likely soon, explaining that “SIEMs are inherently complex as they must be able to integrate with a multitude of technology stacks across many business verticals and allow for the creation of custom metrics and alerts specific to an organization's environment.”

Sumo Logic is set to announce the availability of its new Cloud SIEM Enterprise offering, which it says will ease the burden on security operations center personnel. According to the company, the offering's new capabilities help identify and prioritize high-fidelity threats and automate the analyst workflow, allowing SOC personnel to better manage real security events and effectively enforce security and compliance policies.

About Sumo Logic's new offering, Greg Martin, general manager, security business unit, Sumo Logic, said, “With the industry’s fast-moving transformation to the public cloud, we wanted to give security teams a cloud-native solution with robust features they can use to navigate today’s cloud-centric world.”

Despite the central role SIEM plays, the research indicates that SOC teams use additional tools beyond SIEM for threat detection and response, investigations and query, threat intelligence analysis and process automation and orchestration. Sumo Logic’s Cloud SIEM Enterprise can help bridge this gap with a broader set of automation capabilities targeted directly at the modern SOC.

- Jon Oltsik, Senior Principal Analyst, ESG

SIEM’s ability to bring security tools together and give a comprehensive, real-time view of threats as they happen depends on static rules, and many bad actors have learned how to get past those rules, whether by evasion techniques or otherwise.
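To make the static-rule problem concrete, an added example that is not from the article or any vendor: a literal command-line rule for the net.exe invocation that adds a domain admin, the command-line variants that slip past it, and a normalizing rule that closes several of them. The sample command lines are constructed; the rules and the normalization steps are this example's own, not a product's.

```python
"""Added example (not from the article or any vendor): why a literal
command-line rule is brittle, and how normalization closes some of the gaps."""
import re

# Static rule as it is often written: the exact net.exe invocation that adds
# a member to Domain Admins, with the literal casing, quoting and spacing.
STATIC_RULE = re.compile(r'\bnet group "Domain Admins" \S+ /add\b')

# Constructed command lines as they might appear in a process-creation log
# (Sysmon event 1 or Windows 4688 CommandLine). Only the first is the form
# the rule author had in mind; the rest do the same thing.
SAMPLE_CMDLINES = [
    'net group "Domain Admins" jdoe /add /domain',                      # textbook form
    'NET GROUP "domain admins" jdoe /ADD',                              # case change
    'net1 group "Domain Admins" jdoe /add',                             # net1.exe, the worker net.exe hands off to
    'net  group  "Domain Admins"   jdoe  /add',                         # extra whitespace
    'C:\\Windows\\System32\\net.exe group "Domain Admins" jdoe /add',   # full image path
    "powershell -c \"Add-ADGroupMember -Identity 'Domain Admins' -Members jdoe\"",  # different tool
]


def normalize(cmdline: str) -> str:
    """Canonical form: lower-case, quotes stripped, whitespace collapsed,
    image path and .exe suffix removed, net1 folded into net."""
    s = re.sub(r"\s+", " ", cmdline.lower().replace('"', "").replace("'", "")).strip()
    image, _, rest = s.partition(" ")
    image = image.replace("/", "\\").rsplit("\\", 1)[-1]
    if image.endswith(".exe"):
        image = image[:-4]
    if image == "net1":
        image = "net"
    return f"{image} {rest}".strip()


# Same intent as STATIC_RULE, but written against the normalized form.
NORMALIZED_RULE = re.compile(r"^net group domain admins \S+ /add\b")


def compare(cmdlines):
    """Return (static_hit, normalized_hit) for each command line."""
    return [(bool(STATIC_RULE.search(c)), bool(NORMALIZED_RULE.search(normalize(c))))
            for c in cmdlines]


if __name__ == "__main__":
    for c, (s, n) in zip(SAMPLE_CMDLINES, compare(SAMPLE_CMDLINES)):
        print(f"static={s!s:5} normalized={n!s:5}  {c}")
```

The static rule fires on one of the six lines; the normalized rule fires on five. The sixth, which uses a different tool entirely, carries no net.exe signature for any command-line rule to match, which is why a change to a privileged group is better anchored on the directory's own group-membership event than on how the change was typed.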


Spotlight

In this age of rapidly expanding data, highly-skilled threat actors and technological advancements present great opportunity and great risks. Your data, a key asset that differentiates your organization, is under constant attack. It's impractical to completely "lock it down" and yet its open use threatens your organization's very existence.

This threat report provides advice, actionable intelligence and guidance in dealing with existing and emerging threats, taking into account the need for companies to grow and innovate.


Other News
DATA SECURITY

Security Tops Retailers’ Wish Lists this Holiday Season

Futurex | November 17, 2021

Record sales expected in 2021, along with hackers; Futurex recommends point-to-point encryption for retailers to protect cardholder data

BULVERDE, Texas, November 17, 2021 — As we enter the biggest retail season of the year, transactions are increasing, as are the numbers of hackers and skimmers targeting shoppers’ cardholder data. The last thing retailers need to worry about is cyber threats that lead to ransomware or data breaches, as they welcome shoppers and juggle supply chain disruptions.

Futurex, a leader in hardened, enterprise-class data security solutions, recommends retailers implement point-to-point encryption (P2PE) to encrypt cardholder data at the point of sale to keep it safe from malware that might be spying on network traffic and capturing credit card numbers. Futurex secures transactions for several of the nation’s largest retailers, protecting shoppers’ sensitive cardholder data and payment information.

U.S. retail sales now through December are expected to grow 10.5% to a record $859 billion, compared to 2020, according to the National Retail Federation. Meanwhile, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have warned about the increase of cyber threats, including ransomware, around the holidays.

“Behind every gift, every purchase, and every payment, retailers and consumers depend on secure transactions to protect payment information,” said Ryan Smith, vice president, global business development, at Futurex. “As the critical security backbone of the global financial ecosystem, we work with the world’s largest retailers and financial institutions to safeguard data in transit and at rest.”

The use of hardware security modules (HSMs) in transaction processing is critical, as payment HSMs provide the cryptographic functions needed to support end-to-end data security, including encryption and cryptographic key management. In a compliant P2PE environment, sensitive data is encrypted from the point of interaction and decrypted only within the secure boundary of a FIPS 140-2 Level 3 or PCI HSM-validated HSM.

About Futurex

For more than 40 years, Futurex has been a trusted provider of hardened, enterprise-class data security solutions. More than 15,000 organizations worldwide, including financial services providers and corporate enterprises, have used Futurex’s innovative hardware security modules, key management servers, and enterprise-class cloud solutions to address their mission-critical systems, data security, and cryptographic needs. This includes the secure encryption, storage, transmission, and certification of sensitive data. For more information, please visit futurex.com.

INFOSEC PROJECT MANAGEMENT

TestArmy Partners with HUB Security for Advanced Cyber Security Solutions

HUB Security | April 28, 2022

Today, HUB Security, a secure computing solutions provider, announced it has signed a strategic partnership with testing and cyber security leader TestArmy to offer HUB Security's Advanced DDoS Simulation Platform, D.Storm. HUB Security will be TestArmy's cyber security partner to enhance current offerings and work together to reach ransomware resilience in the Polish and Central European market.

TestArmy Group is one of the fastest growing testing companies in Central Europe, specializing in cyber security and quality assurance of digital products.

"With organizations challenged with increasing and new cyber incidents, we see great value in partnering with TestArmy and developing together future cyber solutions for the European market."

- Eyal Moshe, CEO and co-founder of HUB Security

"With the growing list of customers we help protect and require the most advanced security solutions to maintain their operations," said Wojciech Humiński, CEO at TestArmy. "HUB Security's solutions will allow our customers a higher level of cyber readiness facing current and new cyber threats."

About HUB Security

HUB Security was established in 2017 by veterans of the 8200 and 81 elite intelligence units of the Israeli Defense Forces. The company specializes in unique cyber security solutions protecting sensitive commercial and government information. The company debuted an advanced encrypted computing solution aimed at preventing hostile intrusions at the hardware level while introducing a novel set of data theft prevention solutions. HUB operates in over 30 countries and provides innovative cybersecurity computing appliances as well as a wide range of cybersecurity professional services worldwide.

About TestArmy

TestArmy Group is one of the fastest growing testing companies in Central Europe according to the Deloitte ranking (2019). It is a security, UX and quality assurance testing company with 80+ professional IT software testers/pentesters who possess ISTQB or other world-renowned certificates.

DATA SECURITY

Wipro to Acquire Edgile to Strengthen its Leadership in Strategic Cybersecurity Services

Edgile | December 24, 2021

Wipro Limited, a leading global information technology, consulting and business process services company, today announced it has signed an agreement to acquire Austin, Texas-headquartered Edgile, a transformational cybersecurity consulting provider that focuses on risk and compliance, information and cloud security, and digital identity.

Edgile is recognized by security and risk leaders for its unique business-aligned cybersecurity capability, deep understanding of the changing regulatory environment and enabling cloud transformations that help secure the modern enterprise. In addition, the company’s “strategy-first” approach and “Quick Start” solutions will allow the combined entity to deliver enhanced value in strategic cybersecurity services.

Together, Wipro and Edgile will develop Wipro CyberTransform™, an integrated suite that will help enterprises enhance boardroom governance of cybersecurity risk, invest in robust cyber strategies, and reap the value of practical security in action. In collaboration with an extensive roster of alliance partners from Wipro and Edgile, Wipro CyberTransform™ will enable organizations to accelerate their digital transformation and operate in virtual, digital supply chains all in a highly secure manner.

“Adding Edgile’s strategic consulting capabilities and launching Wipro CyberTransform™ are significant milestones on our journey to becoming the trusted partner to security leaders and boardroom stakeholders. I see the team blending very well with Wipro’s CyberSecurists to deliver transformational cybersecurity on a global scale.”

- Tony Buffomante, Senior Vice President & Global Head – Cybersecurity & Risk Services, Wipro

Don Elledge, Chief Executive Officer, Edgile, said, “We are immensely thrilled to join Wipro, a company we admire for its values and deep technology capabilities. Our collective full spectrum of cybersecurity risk consulting and security management capabilities will help our global customers to continue to securely embrace their digital transformation journey and sustain their ongoing risk management priorities.”

Earlier this year, Wipro strengthened its cybersecurity business by acquiring Ampion, a leading provider of cybersecurity services in Australia, and the cybersecurity practice at Capco, a leading consultancy in the BFSI sector in Europe and the US. Additionally, through its Wipro Ventures arm, the company continues to invest in innovative cybersecurity start-ups, demonstrating the firm’s strong commitment towards providing industry leading cybersecurity solutions across sectors and regions.

Abry Partners, a minority private equity investor in Edgile, will fully exit its investment in Edgile as a result of this transaction. Piper Sandler acted as financial advisor to Edgile and Stone Key Partners LLC acted as financial advisor to Wipro for the transaction.

About Wipro Limited

Wipro Limited (NYSE: WIT, BSE: 507685, NSE: WIPRO) is a leading global information technology, consulting and business process services company. We harness the power of cognitive computing, hyper-automation, robotics, cloud, analytics and emerging technologies to help our clients adapt to the digital world and make them successful. A company recognized globally for its comprehensive portfolio of services, strong commitment to sustainability and good corporate citizenship, we have over 220,000 dedicated employees serving clients across six continents. Together, we discover ideas and connect the dots to build a better and a bold new future.

About Edgile

Edgile is the trusted leader in cybersecurity transformation and risk services partnering with the world’s leading organizations, including 31% of the Fortune 100 and 20% of the Fortune 500. Our strategy-first model optimizes today’s enterprise journey to the cloud and modernizes identity and security programs through a risk lens and expert compliance knowledge. We secure the modern enterprise by transforming risk into opportunity with solutions that increase business agility and create a competitive advantage for our clients.

SOFTWARE SECURITY

Thrive Integrates SOAR Technology into their Security Operations to Enhance Real-Time Cyber Threat Detection

Thrive | May 20, 2022

Thrive, one of the leading Managed Security Services Providers (MSSPs) in the world, has made a significant investment to upgrade its 24x7x365 eyes-on-glass Security Operation Center (SOC) by integrating a Security Orchestration, Automation, and Response (SOAR) engine. The SOAR capabilities will enable the Thrive global security team to better navigate today's complex, risk-laden environment for clients via tool aggregation and coordinated response, unified operations, reduced alert fatigue, and Artificial Intelligence (AI). This will result in a significant reduction of incident response times for client threats and provide higher quality information for the Thrive SOC to combat intricate cyber risks in real time.

By 2025, the amount lost to cyber theft is expected to reach $10.5 trillion annually, which is the single greatest transfer of wealth in history, according to a report from AT&T. These glaring statistics indicate why cybersecurity has become imperative in the world of commerce.

"Cybersecurity threats and vulnerabilities are constantly multiplying, due to not only more sophisticated social engineering but also a rise in micro-ransomware incidents. That means vigilance against attacks of all kinds must also evolve. Incorporating a SOAR into our robust global security operations unit will allow Thrive clients to have a stronger defense system in place against cybersecurity attacks and enable our team to respond more expeditiously to any issues should they arise."

- Mike Gray, CTO of Thrive

Thrive's integrated managed cybersecurity solutions provide a proactive and expert approach to security management for identifying and remediating security issues. Powered by next-gen technology, proven frameworks and service-driven experts, Thrive's unified cybersecurity platform enables Thrive's 24x7x365 SOC to automatically address critical security issues without client intervention. By creating a stress-free experience that solves for the technical complexity and talent shortage mid-market enterprises face, Thrive's cybersecurity solutions fortify the digital transformation initiatives that propel business growth.

About Thrive

Thrive is a leading provider of NextGen managed services designed to drive business outcomes through application enablement and optimization. The company's Thrive5 Methodology utilizes a unique combination of its Application Performance Platform and strategic services to ensure each business application achieves peak performance, scale, uptime, and the highest level of security.
