Last updated at Thu, 01 Aug 2024 15:46:52 GMT
From endpoints and VPN networks to cloud applications that support remote workforces, the modern attack surface has expanded—but does your solution stack reflect this?
One of the crucial pain points for today’s security teams is the difficulty in keeping up with the demand to continually invest (and re-invest) in technology that adequately responds to new and evolving threats. More than likely, your tech environment includes pieces that didn’t even exist when traditional SIEMs were first introduced.
Data alone means nothing. But traditional SIEMs tend to focus on log ingestion, which translates to data without additional context—including the data that is most relevant and reliable when it comes to understanding security threats. This leaves the burden of figuring out how to deliver tangible results to security teams.
Enter the next generation of SIEMs. Cloud-native SIEMs like Rapid7’s own InsightIDR unite typically disparate data sources into one solution. This allows you to view essential information all in one place, and transform logs (and more) into insights.
How exactly does this happen? Read on for how modern SIEMs transform data ingestion.
Bringing your data together for a comprehensive view
Previously, SIEM tools required onsite storage to gather data from various, distant sources that did not naturally communicate. Even then, users had to toggle between those sources to come up with their own actionable takeaways—a time-consuming process that becomes all the more challenging as infrastructure balloons to accommodate any new influx of information.
By contrast, today’s solutions store and compress log data in the cloud. This results in increased visibility, allowing you to run advanced queries that better correlate user activity across sources. Security teams can generate more reliable reporting, minus the old pain points like lost time and resources.
Newer SIEMs also swap heavy onsite agents for their more agile cloud-native counterparts, which provide real-time insights without compromising system integrity.
Alert management: Minimizing false alarms for improved visibility of genuine threats
We all know just how crafty, creative, and persistent attackers can be. In the age of the virtual workforce, there’s even more opportunity for malicious actors to slip in via insufficiently guarded remote endpoints by disguising hostile intrusions as innocuous activity. Yet manually monitoring every access point—VPNs, endpoints, firewall logs, DNS tools, switches, routers—can be painfully time-consuming. Not to mention the myriad false positives.
To better sift through the alert landslides some of the more advanced attack vectors can generate, modern SIEMs aggregate data through core collection points. The idea is to avoid alert-monitoring fatigue by empowering security professionals with deeper insights into how attack patterns operate.
Going beyond the “what” to connect with the “how” and “why”
This concept may sound a little touchy-feely, but this isn’t anything like self-help or a morale-boosting workplace retreat. It’s about translating log data into actionable security insights, for the sake of protecting your own data.
This is why it’s incumbent upon security teams to learn about and address their own core vulnerabilities in anticipation of attacks. Step one to adopting the right security mindset is to do your homework, and encourage others to do the same. Nothing is more attractive to malicious actors than a poorly defended system.
That is one part of the defense. However challenging it may be to discern the obscure motives behind most attacks, centralized log monitoring can still yield key insights about attack vectors. For instance, having studied attack patterns, we may find that activist attackers typically favor worms and malware, while data thieves prefer phishing and Trojan horses. Remember that attackers don’t approach their targets as complex human beings, but as exploitable resources. When data is correlated, it becomes easier to sidestep these attacks over time.
At Rapid7, we’ve championed a cloud-native version of SIEM since its inception as a user behavior analytics tool in 2013. Are you ready to upgrade to a cloud-based SIEM? Learn more about Rapid7 InsightIDR.