11/12/2018
09:00 AM
Aarij M. Khan, VP Marketing, Securonix.
Sponsored Article

How to Successfully Hit Reset on your (Underperforming) SIEM

These 7 tips outline the capabilities organizations need in a security information and event management solution for the modern datacenter.

Plenty has been written about the frustration that security teams have with their legacy SIEM deployments. These solutions, which have been around since the late 1990s, promised to deliver early detection of hacking attempts, malicious activity and data breaches by applying correlation rules to disparate data generated across the enterprise.

Unfortunately, SIEM projects have largely failed to fulfill this promise because the corporate data center has shifted away from being largely an on-premise environment housing its own hardware and software. Modern data centers include employee-owned devices, mobile endpoints, SaaS applications, cloud storage and hosted infrastructure components. As a result, organizations are taking a hard look at ripping and replacing their legacy SIEM with a more modern security management platform. Here are seven pointers to consider as you evaluate the possibilities.

1. Adjust to the new data paradigm
A big challenge for legacy SIEM products is coping with the explosion of data that has occurred across enterprise datacenters since the early 2000s. With the advent of cloud environments, the mobile revolution, SaaS applications and social networks, hackers no longer rely on simple tactics. Today, they deploy sophisticated techniques to achieve their goals. For example, yesterday's correlation relied on static rules in the legacy SIEM or on signature-based malware detection. The SIEM for the modern era requires advanced machine learning and artificial intelligence to defend against sophisticated adversaries who take advantage of massive increases in data volume.

2. Track unused accounts
Access credentials for user accounts on key systems are the new currency of hacking and data theft. One particularly vulnerable area is the abandoned user accounts that remain on critical servers and systems after employees have left the organization or moved to a different role, or that linger in cloud resources someone spun up temporarily. Hackers exploit these leftover accounts: they uncover them, attack them silently, and use them as a base for lateral movement across enterprise hardware and software resources. To stand a chance, SOC analysts must be keenly aware of the access granted to users across the organization. Behavior-based analysis that finds supposedly unused accounts being used for malicious purposes is a good technology for this task.

3. Monitor attacks in the cloud
The rapid adoption of cloud services, applications and resources adds a unique challenge. The latest attacks, and often the hardest to detect, are now coming from the enterprise’s exploding use of cloud services. A recent report from the Cybersecurity Insiders indicates that the risk of security breaches in cloud environments is almost 50% higher than in traditional IT environments. Consequently, your next gen SIEM must be able to closely monitor enterprise usage of cloud services by directly integrating with these cloud-based resources. You must ensure that employee activity across cloud infrastructure, cloud storage, and cloud applications doesn’t provide a hiding spot for malicious actors.

4. Find and remediate compromised accounts
In the enterprise environment, regular employees — or more specifically their access privileges — can be compromised and used without the legitimate user’s knowledge. These compromised accounts, while hard to detect by legacy SIEM products, are relatively easily found by next gen SIEMs. These modern solutions bring the relevant data, context, and behavior-based techniques to identify employee accounts that are victims of compromise.
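Tips 2 and 4 both come down to the same kind of behavior-based logic: baseline what each account normally does, then flag departures from it. The following is an added example written for this article, not Securonix code or any product's detection content. It runs three simple detectors over constructed authentication events (the CSV-style log format, the account names and IP addresses are all assumptions): a dormant account that authenticates again after a long gap, a login from a source never seen for that account, and a success that immediately follows a burst of failures.

```python
"""Behavior-based account checks over constructed auth events.

Added example (not from the article or Securonix). The event format
"timestamp,user,source_ip,result" is an assumption made for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. Note alice's 58-day gap sits just under the
# 60-day dormancy threshold, while svc_backup's 96-day gap exceeds it.
SAMPLE_EVENTS = """\
2018-09-01T08:00:00,alice,10.0.1.20,success
2018-09-02T08:05:00,alice,10.0.1.20,success
2018-10-30T08:02:00,alice,10.0.1.20,success
2018-11-01T03:12:00,alice,203.0.113.45,success
2018-08-01T09:00:00,svc_backup,10.0.2.5,success
2018-11-05T02:30:00,svc_backup,198.51.100.7,success
2018-11-05T02:31:00,svc_backup,198.51.100.7,success
2018-11-04T10:00:00,bob,10.0.1.33,failure
2018-11-04T10:00:10,bob,10.0.1.33,failure
2018-11-04T10:00:20,bob,10.0.1.33,failure
2018-11-04T10:00:30,bob,10.0.1.33,failure
2018-11-04T10:00:40,bob,10.0.1.33,failure
2018-11-04T10:00:50,bob,10.0.1.33,failure
2018-11-04T10:01:00,bob,10.0.1.33,success
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src: str
    ok: bool


def parse_events(text: str) -> list[Event]:
    """Parse the constructed CSV lines into time-ordered Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, src, result == "success"))
    return sorted(events, key=lambda e: e.ts)


def detect(events: list[Event], dormant_days: int = 60, failure_threshold: int = 5,
           failure_window: timedelta = timedelta(minutes=5)) -> list[tuple[str, str, datetime]]:
    """Return (user, reason, timestamp) findings from a single pass over events."""
    findings = []
    last_success: dict[str, datetime] = {}
    known_sources: dict[str, set[str]] = defaultdict(set)
    recent_failures: dict[str, list[datetime]] = defaultdict(list)

    for e in events:
        if not e.ok:
            # Keep only failures inside the sliding window for this account.
            window = recent_failures[e.user] + [e.ts]
            recent_failures[e.user] = [t for t in window if e.ts - t <= failure_window]
            continue

        # Tip 2: an account silent for longer than dormant_days is back in use.
        prev = last_success.get(e.user)
        if prev is not None and e.ts - prev > timedelta(days=dormant_days):
            findings.append((e.user, "dormant_account_reactivated", e.ts))

        # Tip 4: a source never seen for this account before (only once a baseline exists).
        if e.user in known_sources and e.src not in known_sources[e.user]:
            findings.append((e.user, "login_from_new_source", e.ts))

        # Tip 4: success right after a burst of failures suggests guessed credentials.
        fails = [t for t in recent_failures[e.user] if e.ts - t <= failure_window]
        if len(fails) >= failure_threshold:
            findings.append((e.user, "success_after_failure_burst", e.ts))

        recent_failures[e.user] = []
        known_sources[e.user].add(e.src)
        last_success[e.user] = e.ts
    return findings


if __name__ == "__main__":
    for user, reason, ts in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{ts.isoformat()} {user:<12} {reason}")
```

On the sample data this yields four findings: alice's login from a new address, bob's success after six failures, and two for svc_backup, whose first login in 96 days also comes from an unfamiliar host. The thresholds are deliberately plain so the logic is visible; a production platform would learn them per account and per peer group rather than hard-code them.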

5. Ensure visibility across the enterprise and cloud
Legacy SIEM products suffer from scale issues as they are stretched to cover the data volumes of modern IT environments. This means that many on-prem and cloud resources, users, and data stores go unmonitored. Hackers rely on IT resources that are unmonitored by the SOC. To reduce the risk, your next gen SIEM must provide enterprise-wide visibility, collecting and analyzing the vast amounts of data generated by the modern enterprise.

6. Where is your data?
To protect sensitive data stored across file servers, databases, and hard drives, security and IT teams must know where all such data is stored. In many cases, sensitive data resides on machines and resources of which the IT or security team is completely unaware. Therefore, one of the key activities of your next gen SIEM project must be a comprehensive data discovery and classification exercise. You can’t protect what you don’t know exists. Once the location and types of sensitive data in your organization are known, you can put the appropriate controls around it.
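A data discovery and classification exercise, at its simplest, is a scan of every file the team can reach for recognizable sensitive-data shapes, followed by a label per location. The block below is an added example for this article, not code from Securonix or any product. It scans a constructed in-memory corpus (the file paths, contents and the three categories are assumptions) for SSN-shaped values, card numbers confirmed with a Luhn check so that arbitrary digit runs are not misclassified, and e-mail addresses, then assigns each file the highest classification level found in it.

```python
"""Sensitive-data discovery and classification over constructed file contents.

Added example (not from the article or Securonix). Paths, contents,
patterns and classification levels are assumptions for illustration.
"""
import re
from collections import Counter
from typing import Dict

# Constructed corpus: path -> content. 4111 1111 1111 1111 is a standard
# test card number that passes Luhn; the ...1112 variant does not.
SAMPLE_FILES = {
    "/srv/share/hr/payroll_2018.csv": "name,ssn,email\nA. Example,123-45-6789,a.example@example.com\n",
    "/srv/share/finance/refunds.txt": "refund to card 4111 1111 1111 1111 approved\n"
                                      "refund to card 4111 1111 1111 1112 declined\n",
    "/srv/share/eng/README.md": "Build with make. Contact dev-team@example.com for help.\n",
    "/home/tmp/notes.txt": "Ticket 12345-6789 reference only.\n",
}

PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),  # candidate only; Luhn confirms
}

# Assumed classification tiers for the three categories.
LEVELS = {"ssn": "restricted", "card": "restricted", "email": "internal"}


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> Counter:
    """Count confirmed sensitive-data matches per category in one document."""
    counts: Counter = Counter()
    for label, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if label == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue  # digit run that merely looks like a card number
            counts[label] += 1
    return counts


def classification_level(counts: Counter) -> str:
    """Highest tier present: restricted > internal > public."""
    if any(LEVELS[label] == "restricted" for label in counts):
        return "restricted"
    return "internal" if counts else "public"


def discover(files: Dict[str, str]) -> Dict[str, dict]:
    """Return {path: {"level": ..., "counts": {...}}} for files holding sensitive data."""
    report = {}
    for path, content in files.items():
        counts = classify_text(content)
        if counts:
            report[path] = {"level": classification_level(counts), "counts": dict(counts)}
    return report


if __name__ == "__main__":
    for path, info in discover(SAMPLE_FILES).items():
        print(f"{info['level']:<10} {path} {info['counts']}")
```

The notes file with a nine-digit ticket reference is correctly left out of the report, and only one of the two card-shaped strings survives the Luhn check. Real discovery adds many more detectors and walks file shares, databases and cloud buckets, but the output is the same: a map of where restricted data lives, which is what the controls in this tip depend on.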

7. Build or Buy?
The modern data center is extremely complex. As the security team goes about planning and building your cybersecurity program, resist the temptation to develop a home-grown SIEM, UEBA and security data lake system cobbled together from various IT and security tools within your enterprise that haven’t been tried and tested in the real world. The failure rate of these projects, according to Gartner, is shockingly high and they usually end with a massive data breach.

Aarij M. Khan is vice president of marketing at Securonix. Aarij combines a deep understanding of the security market and security requirements with over 15 years of technology and marketing leadership at high growth, innovative cybersecurity vendors. Previously, Aarij led marketing efforts at RiskIQ. He also led product and solution marketing at Tenable Network Security, Threatmetrix, and spent over 4 years at ArcSight/HP where he was instrumental in the rapid adoption of ArcSight SIEM products.
