10 Essential Features of a Modern SIEM

Traditional SIEM (Security Information and Event Management) systems emerged in the 1990s and were deployed in security operations centers to shine a light on the darker corners of network activity.

However, traditional SIEMs require specialized data analysis and a skilled team capable of filtering out the ever-increasing number of false positives and uncovering true security threats.

Because the process was labor-intensive and demanded specialized skills, discovering, investigating, and mitigating a security breach typically took weeks or even months.

Emergence of next-generation SIEM

Modern SIEMs are now able to apply new solutions to areas of security that were not possible with traditional SIEMs. However, there are many SIEMs out there that, despite being labeled as “next-gen,” lack the features needed to solve the problems most security teams face today.

Features you need in a modern SIEM

Traditional SIEMs have such poor signal-to-noise ratios that they have been relegated to meeting compliance requirements and are rarely used beyond that.

The features required of a next-generation SIEM solution are listed below. Together they combine the latest technology with a comprehensive understanding of the threat landscape.

1. Collect and manage data from all available sources

Modern threats typically leave traces across multiple data sources. To be effective, a next-generation SIEM must be able to access any data source and analyze and correlate the data it holds (see Figure 1). This includes cloud service data, on-premises log data (security controls, databases, application logs), and network data (flows, packets, etc.).

Figure 1: A next-generation SIEM must have easy access to any data source

It also requires centralized, remote management of data collection. Once all connectors are configured and running, they can be managed (started, stopped, updated, reconfigured) from anywhere.

2. A proven big data architecture

Many traditional SIEMs were built in the early 2000s and use proprietary technology. There is a big difference technically between then and now. Platforms like Hadoop, Mongo, Elasticsearch and Spark didn't even exist then.

Given the amount of data being collected, what is needed now is a big data architecture that can scale with the data, allow analysts to pivot within it, and apply advanced data science algorithms to it.

3. Flat billing for log ingestion

Many traditional SIEMs use consumption-based (pay-as-you-go) billing: the more data you collect, the more it costs the organization. This means that, as shown in Figure 2, costs will likely rise significantly within just a few years even without adding a single data source.


For example, upgrading a firewall to the latest model can increase its log volume tenfold, and under pay-as-you-go billing your SIEM license fee rises automatically with it. Rather than forcing you to pick and choose what data to bring in, our flat-rate model lets you ingest data from any source and still stay within budget.

4. User and Asset Context Enrichment

You need advanced enrichment that extracts useful results from whatever data you collect. Advances in data science now provide, through correlation, insights that were previously available only to experienced analysts, including:

  • Dynamic Peer Grouping
  • Association of IP addresses with users, machines and timelines
  • Asset ownership tracking
  • Associating user and machine types with activities
  • Service account identification
  • Correlating individual email addresses with employees
  • Correlating badge station log activity with user accounts and timelines

A SIEM that understands context and intent can be used to find asset ownership, user login locations, peer groups, and other information to help uncover anomalous behavior.

5. User and Entity Behavior Analysis

Modern SIEMs define behavioral standards through machine learning, statistical analysis, and behavioral models. This is called UEBA (User and Entity Behavior Analytics).

Once UEBA has established what normal behavior looks like, it can assign a risk score to deviations from it and surface activities whose scores exceed specified thresholds. For example, if a user who normally logs in from the US logs in from China for the first time, that anomaly could indicate an attack in progress.

Figure 3: Surfacing of anomalous user behavior based on VPN access
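The risk-scoring idea in this section, as an added example that is not part of the original article or of any vendor's product: each user's normal login countries and hours are learned from a short history of constructed VPN login events, later logins are scored against that baseline, and only sessions whose score crosses a threshold are surfaced. The point values and threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN login events: (timestamp UTC, user, source country). Not real data.
VPN_LOGINS = [
    ("2024-01-02T08:01:00", "alice", "US"),
    ("2024-01-03T08:05:00", "alice", "US"),
    ("2024-01-04T07:58:00", "alice", "US"),
    ("2024-01-05T03:12:00", "alice", "CN"),  # first login from a new country, off hours
    ("2024-01-02T09:00:00", "bob", "US"),
    ("2024-01-03T09:10:00", "bob", "DE"),
    ("2024-01-04T09:05:00", "bob", "US"),
    ("2024-01-05T09:02:00", "bob", "DE"),    # DE is already part of bob's baseline
]

# Assumed scoring model: points each anomaly adds, and the score at which a session is notable.
NEW_COUNTRY_POINTS = 40
OFF_HOURS_POINTS = 20
MIN_HISTORY = 3          # logins needed before a user's baseline is trusted
NOTABLE_THRESHOLD = 50

def score_sessions(events):
    """Learn each user's normal countries as events arrive, then score later logins
    against that baseline. Returns {(user, date): (score, reasons)}."""
    seen_countries = defaultdict(set)
    login_count = defaultdict(int)
    sessions = {}
    for ts, user, country in sorted(events):
        when = datetime.fromisoformat(ts)
        score, reasons = 0, []
        if login_count[user] >= MIN_HISTORY:        # only score once a baseline exists
            if country not in seen_countries[user]:
                score += NEW_COUNTRY_POINTS
                reasons.append(f"first login from {country}")
            if not 6 <= when.hour < 20:
                score += OFF_HOURS_POINTS
                reasons.append(f"login at {when.hour:02d}:00 UTC")
        # Only unflagged logins feed the baseline, so an anomaly is not learned as normal.
        if score == 0:
            seen_countries[user].add(country)
        login_count[user] += 1
        sessions[(user, when.date().isoformat())] = (score, reasons)
    return sessions

def notable_sessions(events, threshold=NOTABLE_THRESHOLD):
    """Only sessions whose accumulated risk score reaches the threshold reach an analyst."""
    return {k: v for k, v in score_sessions(events).items() if v[0] >= threshold}
```

Bob's login from DE scores zero because DE was already in his baseline, while Alice's first login from CN at 03:12 UTC accumulates two anomalies and is the only session surfaced.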

6. Automatic tracking of lateral movement

A study of past incidents found that approximately 60% of attacks involve "lateral movement": attackers switch credentials, IP addresses, and assets to evade detection or gain greater access. To track lateral movement from start to finish, a SIEM must be able to stitch these related events together.
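The stitching described above, as an added example that is not part of the original article or of any vendor's product: remote logon events are linked into a chain whenever a logon originates from the host the previous hop landed on and falls within a time window, even if the account changes. The event format, hostnames and two-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample remote-logon events: (timestamp UTC, account used, source host, target host).
LOGONS = [
    ("2024-01-05T03:15:00", "alice",      "vpn-gw",  "wks-17"),
    ("2024-01-05T03:40:00", "alice",      "wks-17",  "file-01"),
    ("2024-01-05T04:05:00", "svc_backup", "file-01", "dc-01"),    # credential switch, same path
    ("2024-01-05T09:00:00", "bob",        "wks-22",  "file-01"),  # unrelated routine logon
    ("2024-01-05T09:30:00", "carol",      "wks-09",  "print-01"),
]
WINDOW = timedelta(hours=2)   # assumed maximum gap between consecutive hops

def stitch_lateral_movement(events, window=WINDOW):
    """Link logons into chains. An event extends a chain when its source host is the
    chain's current foothold (the last target host) and it occurs within `window` of the
    previous hop, regardless of which account was used. Returns a list of chains."""
    chains = []
    for ev in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ev[0])
        for chain in chains:
            last_ts, _, _, last_dst = chain[-1]
            if ev[2] == last_dst and ts - datetime.fromisoformat(last_ts) <= window:
                chain.append(ev)
                break
        else:
            chains.append([ev])   # no chain ends at this source host: start a new one
    return chains

def multi_hop_chains(events, min_hops=2):
    """Only chains with at least min_hops hops are candidate lateral movement."""
    return [c for c in stitch_lateral_movement(events) if len(c) >= min_hops]

def accounts_used(chain):
    """Distinct accounts seen along one chain; more than one indicates a credential switch."""
    return sorted({ev[1] for ev in chain})
```

In the sample data the three early-morning hops form one chain spanning two accounts, while Bob's and Carol's logons remain isolated single events.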

7. Improved security information model

Traditional SIEMs largely employ a security model based on individual events. Manually translating a series of events into a structured timeline of actions can be very time consuming. Security data must be stored in a useful format for advanced analysis. For example, it should be saved in a timeline that includes the entire scope of each user or entity being monitored. Organizing all the necessary information in this way allows the expert system to immediately provide complete context when uncovering anomalous events.

8. Pre-built incident timeline

Typically, working with a traditional SIEM means combining complex queries and then copying and pasting large amounts of output from each source into a common file (a text editor is often used as the repository). Such an investigation requires a great deal of time, deep security expertise, fluency in the query language, and the ability to interpret the results. Engineers with these skills are expensive and in short supply.

A modern SIEM can bring all available context together in a concise, friendly UI on a single screen, provided the enriched data is stored in the right information model.

Figure 4: Pre-built timelines that integrate all events, including lateral movement, greatly streamline investigations

9. Incident Prioritization

The amount of data that a SOC needs to analyze is enormous. It's not uncommon for large companies to generate hundreds of millions of log entries every day.

Figure 5: A well-functioning modern SIEM filters millions of logs and generates only the right security tickets for investigation

Modern SIEMs are designed to cut the noise to the point where administrators can regain control of their domains. Eliminating false positives so that you can focus only on unusual behavioral events is critical for robust security, efficient staff performance, and cost containment.

On a normal day, a best-in-class SIEM solution can reduce 500 million log entries to 60,000 session timelines and surface fewer than 50 notable events. From these, a dozen or so tickets may be generated for investigation.

10. SOAR (Security Orchestration, Automation, and Response)

SIEM vendors use various acronyms for this capability. It consists of two main areas.

  • Orchestration
    1. Deploy pre-built connectors into your IT and security infrastructure without having to script your own
    2. Easily move data in and out of access control systems, firewalls, mail servers, network access controllers and other management tools
  • Automation
    1. Use response playbooks to codify the best responses to specific threat types
    2. Achieve workflow automation on top of the orchestration mechanism
    3. Automate threat response while reducing the effort required from staff
    4. Manage all your tools from one place

Advanced SOAR solutions enable highly skilled analysts to author playbooks and less experienced analysts to execute them. This reduces the workload on full-time staff while accelerating time to resolution.

By upgrading to a SIEM solution that delivers these 10 key capabilities, organizations can respond to ever-growing threats without the ever-increasing cost of highly skilled security analysts and outdated, log-volume-based billing models.

ORION CASSETTO
Exabeam, Inc. Director, Product Marketing

Contact information

Macnica, Exabeam Product Manager
Mon-Fri 8:45-17:30