Cyber threats are many—and they are a universal problem that organisations will have to deal with. What’s worse, these threats are far more troublesome now than they were before, and those responsible, run the gamut from tech-savvy rascals looking to make mischief, cybercriminals trying to make money illicitly and nation-state hackers with more devious plans.
“We’ve seen these [cyber threats] evolve from kids who want you to know what they did to genuine criminals who are hacking for financial gain,” notes Neil Campbell, Vice President for Asia Pacific & Japan (APJ) at Securonix. “And we can see today with nation-states that they’ll get involved in hacking to gain intellectual property and for commercially sensitive information and to disrupt the networks of their [country-level] competitors.”
In short, organisations have a lot to worry about when it comes to security, with threats everywhere and from anyone. That is the bad news.
“The average IT team, the average company, is fighting all those things, from almost vandalism-level events right through nation-state hacking,” explains Campbell. “Organisations have to deal with these threats ranging from simple to complex and massively resourced and, therefore, the biggest challenge is prioritising within a limited budget.”
SIEM: One of the Modern Approaches to Security
The good news is that there are now modern security approaches that adopt zero-trust principles and leverage Artificial Intelligence (AI), along with evolving data solutions that use advanced analytics, AI and Machine Learning (ML). There are also tools, like security information and event management (SIEM) systems that can help security teams proactively look for indicators of compromise (IOC).
But given the rise of the cloud and the world’s increasing reliance on it, traditional data centre based SIEM might not necessarily be the best option anymore. The reason for this, according to Campbell, is twofold. First, running a SIEM infrastructure is resource-intensive, requiring in-house skills, real estate, and a data centre. The infrastructure requirements are high to begin with because SIEM collects voluminous amounts of security event data, like passwords, successful log on/log off and unsuccessful log in attempts, and get seven bigger as the system performs ML-based security analytics. This is not a setup that many businesses are cut out for, and it makes cloud solutions an appealing alternative in most cases.
Second, the combination of today’s highly distributed workforce and organisations’ increasing reliance on software-as-a-service has necessitated a new security paradigm—that of cloud-native SIEM, which Campbell explains is the “only effective way to collect all that telemetry.” Cloud-native SIEM, Campbell adds, had already been gathering steam pre-pandemic but began entering the mainstream mostly due to the changes in work practices precipitated by the pandemic that pushed organisations to turn to cloud-native SIEM.
Analytics-Driven SIEM Drives Security Forward
Coinciding with the rise of cloud-native SIEM is the analytics-driven approach to SIEM. This approach, explains Campbell, is not as rules-based as conventional SIEM and is, thus, more agile, and capable of identifying new yet-identified threats.
“Traditionally, what you do with standard SIEM is that you have rules-based use cases: So, if this user does this thing—and rules and signatures suggest it is highly likely to be bad—then alert me. That’s just like an antivirus, and it can be good because you’re looking for something highly specific,” Campbell points out. “But it can also be bad because when you’re looking for something specific, you’re not going to see the new stuff. And you’re not going to see a pattern of behaviour that is obviously bad because you’re not looking for them with SIEM, but you’re looking at events… The problem with that is that you’re missing things you don’t know about because they’re new or outside the highly specific use cases you’ve built.”
This conventional way is also prone to sending security alerts one after the other, which can result in “alert fatigue” that can then cause security teams to “miss the needle in the haystack because they are overwhelmed by the haystack.” Analytics-driven SIEM can help solve these issues, as it is about identifying entities—people or devices, for instance—and baselining their behaviour in terms of what they normally do day-to-day before finally looking for “statistically anomalous behaviour or behaviour that is unusual for them across a significant period of time.”
Analytics-driven SIEM then combines this anomalous behaviour with other unusual behaviours as identified by the MITRE ATT&CK® framework—a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. In doing so, a pattern of behaviour is detected, and it gives security teams a higher level of certainty that an entity is, indeed, doing something malicious.
“The point is, it’s [analytics-driven SIEM] is not based on a signature, it’s not based on a rule you defined,” notes Campbell. “It’s based on your behaviour as a user of a system, as an identity in a system, and on departures from the norm—and then putting that in the context of ‘That’s an unusual piece of activity, does it have a security implication and is there a pattern emerging here?’ So, [there’s] high confidence alert and you don’t get alert fatigue.”
Campbell clarifies, though, that analytics-driven SIEM does not necessarily eschew the rules-based approach of conventional SIEM because it can be used in combination with security analytics. Campbell calls it a blended approach, and it helps better prepare security teams to fend off future attacks.
Analytics Comes Last
Perhaps surprisingly, Campbell advises organisations to think about analytics last when it comes to security. Instead, they need to focus on the basics first.
“The best thing you can do to protect yourself is get your fundamental security controls in place. Make sure you have a good password policy, implement multifactor authentication, have a firewall, have a secure web proxy—there are so many fundamental security controls that you need to put in place before you get really fancy,” explains Campbell. “If you haven’t done it, then don’t rush to the high-end when you haven’t yet implemented said controls.”
Once these controls have been put in place, organisations can then deploy SIEM, with Securonix as arguably one of the best SIEM vendors in the market. Founded in 2008, Securonix is among the first to have offered SIEM and has a wealth of experience with the technology. It also incorporates security automation and response (SOAR) into one cloud-native solution that will not cost a company a fortune.
The SIEM of choice notwithstanding, companies that leverage this technology—along with the basics of cybersecurity, of course—will be putting themselves in a better position to secure their networks and the assets in them.