Is your SIEM smart?

A next-generation security operations centre (SOC) is, in brief, security with the smart built in.

Johannesburg, 11 Mar 2020
Brett Skinner, Security Sales Manager, Micro Focus

Brett Skinner, security sales manager at Micro Focus South Africa, says a next-generation SOC is one that incorporates intelligent SIEM, or security information and event management. Traditionally, companies put a SIEM solution in place on the back of negative audit findings. It’s a system that identifies security events in systems and across networks. Previously, SIEM solutions didn’t include remediation or intelligence capabilities. They just logged and reported events, adding them to a list for analysts to verify and resolve.

A next-generation SOC automates remediation with built-in intelligence that includes elements such as threat hunting, threat investigation and anomaly detection. Skinner says: “When you consider that 83% of monetised breaches originate from an insider threat, you need some way of establishing whether the identity associated with the anomaly is in fact the person behind the threat and immediately freeze that account’s access.”

Gary de Menezes, Managing Director of Micro Focus South Africa, says: “SIEM first surfaced as a talking point some 12 years ago because people were seeing an increase in the number of incidents originating from outside the organisation. The SIEM technology that resulted included a proliferation of perimeter security measures. However, all it did was log the fact that a potential event could be happening somewhere in the environment.

“As the number of incidents grew, customers with old SIEM solutions found themselves with all these logs and events but unable to intelligently understand what was causing them. A single event or attack could trigger hundreds of logs.”

Gary de Menezes, country general manager, Micro Focus South Africa.

Companies came to realise that while they had adequate perimeter security measures in place, they were seeing a host of security events originating from within the environment that were a bigger risk than the external threats they were defending against. It became important to be able to identify whether the logs and events were being triggered internally or externally and by whom.

Neither a SIEM solution nor a traditional SOC is effective if it can’t understand or analyse the large number of events it has to deal with. “That, combined with a general lack of IT security skills in South Africa, is a major challenge,” says Skinner. Companies need a solution that can automatically interpret these logs, introducing intelligence into their SOC – creating the next-generation SOC – and that includes remediation tools. This means that when a log or event is created, the appropriate action can be initiated automatically, such as locking down the account involved, if required.

De Menezes points out that in a market that’s experiencing a severe shortage of security analysts, it makes sense to use intelligence and automation to take away some of the more mundane and repetitive tasks to ensure limited resources aren’t bogged down with alert fatigue.

“The average large enterprise would need in the region of 450 people in its SOC to perform the tasks outlined above, and that’s just not feasible. You can, however, bridge the gap by implementing an intelligent automated platform based on best practice and that’s updated regularly.”

Another benefit of automating this process is that it integrates security logs and events from across the entire company, reducing the time to remediation. Previously, different departments took different lengths of time to work through the manual process of checking their logs, identifying an event and then remediating it. A next-generation SOC opens the door to integrated operations management.

Less than 20% of businesses with a typical SIEM solution have embarked on the journey towards deploying intelligent SOCs, according to De Menezes. “Companies don’t need to replace their existing SIEM solution in order to move towards intelligent SOCs – it’s an evolution of what they already have and integrates with existing assets, operations and skills.”

Skinner concludes by making a final important point: “If you consider the ever-evolving nature of breaches and the many ways in which enterprises are being targeted, it’s a non-stop cycle. It’s just not possible to keep people current on the latest developments. The only way that this can be done is through the global sharing of best practices. You can’t deploy an intelligent SOC unless you partner with a global organisation that participates in and adds value to the global security industry. This is not a static environment.”

Benefits of intelligent SOCs

  • A user and entity behaviour analytics (UEBA) solution based on machine learning (ML) can help detect dangerous “unknown” threats, such as insider threats or APTs. But not all ML is created equal. Unsupervised machine learning in UEBA looks for patterns within unlabelled datasets to learn what’s “normal” for an entity and to uncover unusual events and anomalous behaviour from across your organisation. By applying this new lens to existing security data, SOCs can improve the fidelity of their alerts and focus their analysts on the top threats.
  • Pair powerful behavioural analytics with a powerful SIEM to give you a comprehensive and cohesive framework for detecting, investigating, and responding to threats quickly and accurately.
  • When done in real-time, event correlation gives you important context about the relationship between events and remains the most effective way to quickly identify and respond to known threats.
  • Improve the timeliness and effectiveness of response and enable your security team to handle the alert load quickly and efficiently, significantly cutting down response times.
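The bullets above describe three mechanisms: an unsupervised per-entity baseline, correlation of many events into one alert, and automated response. The following is an added example, not code from the article or from Micro Focus, that sketches all three over constructed authentication events: it learns each user's usual login hour and source addresses from unlabelled history, flags deviations, folds the resulting findings into a single incident per identity, and only proposes freezing the account when several independent anomaly types coincide. Event format, thresholds and the `freeze_account` / `analyst_review` outcomes are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed auth events "timestamp user src_ip result", invented for this example;
# HISTORY is unlabelled past activity used to learn the per-user baseline.
HISTORY = ["2020-03-02T09:05:00 alice 10.0.1.5 success",
           "2020-03-03T09:12:00 alice 10.0.1.5 success",
           "2020-03-04T08:58:00 alice 10.0.1.5 success"]
NEW = ["2020-03-07T03:01:00 alice 203.0.113.9 failure",  # off-hours failures from
       "2020-03-07T03:01:05 alice 203.0.113.9 failure",  # an unseen address, then
       "2020-03-07T03:01:20 alice 203.0.113.9 success",  # a success: one incident
       "2020-03-07T09:03:00 alice 10.0.1.5 success"]     # normal login: no finding

def parse(line):
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result

def learn_baseline(lines):
    # Unsupervised per-entity baseline: usual login hour and known source IPs.
    hours, ips = defaultdict(list), defaultdict(set)
    for ts, user, ip, _ in map(parse, lines):
        hours[user].append(ts.hour); ips[user].add(ip)
    return {u: (mean(h), max(pstdev(h), 1.0), ips[u]) for u, h in hours.items()}

def score(lines, baseline):
    # One finding per deviation of an event from its entity's own baseline.
    found = []
    for ts, user, ip, result in map(parse, lines):
        mu, sd, known = baseline[user]
        if abs(ts.hour - mu) / sd > 3: found.append((ts, user, "off-hours"))
        if ip not in known: found.append((ts, user, "unseen-ip"))
        if result == "failure": found.append((ts, user, "auth-failure"))
    return found

def correlate(findings, window=timedelta(minutes=5)):
    # Real-time correlation: fold many findings about one identity into one incident.
    incidents = []
    for ts, user, reason in sorted(findings):
        inc = next((i for i in incidents if i["user"] == user and ts - i["last"] <= window), None)
        if inc is None:
            inc = {"user": user, "last": ts, "reasons": set(), "n": 0}; incidents.append(inc)
        inc["reasons"].add(reason); inc["last"] = ts; inc["n"] += 1
    return incidents

def run(history, new):
    # Automated remediation only when several independent anomaly types coincide.
    incs = correlate(score(new, learn_baseline(history)))
    return [(i["user"], i["n"], sorted(i["reasons"]),
             "freeze_account" if len(i["reasons"]) >= 3 else "analyst_review") for i in incs]
```

`run(HISTORY, NEW)` collapses eight separate findings into one incident for alice and recommends freezing the account, while a lone login from a new address at the usual hour is routed to an analyst instead. A user with no history raises `KeyError` here; a production pipeline would treat that as its own finding.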
