Is there another way to deploy, manage, and maintain SIEM solutions?
It’s a question more and more enterprises are asking as threat detection becomes the keystone of modern cybersecurity platforms. To learn more, we spoke with Avi Chesla, Founder and CTO of SIEM solution provider empow, about no-rules SIEM and what it could represent for enterprises around the world.
Solutions Review: In our preliminary communications, you mentioned your concerns about the “big rules epidemic” in modern SIEM solutions. Can you explain what you mean by this? What caused this epidemic? And how does it affect enterprises’ security?
Avi Chesla: The original promise of SIEMs, more than 15 years ago, was seductive. If you follow their evolution, however, you see how the security landscape evolved in a way that made the original promise of those first-generation SIEMs difficult to achieve:
- SIEM began as a centralized log repository and retention tool responsible for consolidating data and “normalizing” it for better visibility.
- Immediately afterward, the need for security-alert rules arose. SIEM vendors responded with a log-correlation language that allowed it to customize alerts and flag possible incidents.
- Then came a bigger change—the dot-com boom—and an exploding internet dependency. Businesses became juicy hacking targets, and the frequency of attacks grew sky-high. In response, organizations deployed more and more security tools, each generating streams of alerts and information. The result? A massive big data problem that had a disastrous impact on SIEMs’ effectiveness. The existential question became: “How many events per second (EPS) and data can the SIEM process?”
- SIEM vendors responded by attempting to create more robust and scalable databases, along with search engines to allow sorting and finding logs quickly. But the system was still based on the same old manual log parsers (to classify logs into security behavior categories), and static correlation rules to detect pre-defined attack sequences.
- In this new reality, the number of rules required to cover all the attack patterns grew exponentially—based on the number of logs and constantly changing threat data.
Imagine being a SIEM administrator having to create and maintain thousands of rules to keep up with constantly changing cyber threat data and attack patterns—talk about a thankless job!
So here is the one critical challenge SIEM vendors ignored (including the ones currently calling themselves “next-generation” SIEM): The need to create and maintain the vast array of log-parser and security-correlation rules to detect new and unknown attack sequences faster and faster than ever before.
This is the “BIG RULES” problem that makes SIEM a passive (rules-based) log aggregation and reporting tool, rather than an active cyber defense system. How does it affect enterprises?
- Too Reactive – The SIEM is a purely reactive security system that simply misses new or unknown attack sequences.
- Too Complex – Typical large (and even medium-sized) organizations are burdened with thousands of log-source parser and security correlation rules that are simply impossible to maintain given how fast the threat landscape is changing.
- Too Expensive – SIEMs require massive ongoing investment to cope with the “Big Rules” problem, which results in a very high total cost of ownership.
Does this mean that SIEMs are destined to disappear from the security arsenal? Absolutely not—but it does mean that a new kind of SIEM needs to emerge: one that requires no human-written rules.
SR: What is a “no rules” SIEM system? What does it look like?
AC: The “Big Rules” problem can be solved by a “no rules” SIEM system. This type of SIEM is constructed with a stack of intelligence layers. The first (and most fundamental) layer is responsible for automatically classifying logs and data feeds into security “intent” – that is, separating benign activity from activity demonstrating malicious intent. The overall no-rules SIEM process looks like this:
- Data collection: A no-rules SIEM needs to be open for use with any database for collecting structured and unstructured data, including logs, network flows, intelligence feeds, user and account activities, and more. This enables it to work with existing commercial databases and open source options, which prevents the massive cost escalations that can occur with big data projects locked into a single commercial database vendor.
- Intent classification: A no-rules SIEM needs to be able to decipher the security intent of each collected log and data feed using machine learning (ML) and Natural Language Processing (NLP) algorithms. The algorithms emulate the actions done today by security analysts: reading logs and data feeds, seeking out relevant information from the log itself and from third-party data sources outside the organization, and identifying attack intent. This process runs continuously and automatically with virtually no human involvement, replacing the need for manual log parsers.
- Auto-Correlation: Finally, a no-rules SIEM needs an analytics module that includes user/entity behavioral analytics (UEBA), network traffic analysis (NTA), and cause-and-effect analytics engines. This module identifies cause-and-effect relationships between the collection of deciphered intents (intents that are generated by the UEBA and NTA engines, and the NLP-based data and log classification), grouping them together and creating a visual attack story. This engine also emulates human security expert processes: it decides in real time, according to the attack intent, which investigation policies are required, and, according to the system’s risk assessment capabilities, decides which proactive response policies to employ.
SR: Are artificial intelligence and behavioral analytics sophisticated enough to allow for a no-rules SIEM platform?
AC: Artificial intelligence (AI) applications have made huge progress in certain areas. Siri and Alexa, for example, use NLP and speech recognition (speech-to-text translation applications), while Watson uses mainly NLP to answer questions. These applications get smarter and smarter all the time.
Unsupervised AI applications, for example, can learn from the environment and adapt accordingly, creating new patterns on the fly. These applications study and process their environments to create new classes of behaviors. They then adapt, independently, to better execute various decision-making functions, mirroring human thinking patterns and neural structures – which is precisely what made Stephen Hawking so nervous. Some examples include applications capable of learning an individual’s text message or email style, browsing behavior, and interests. Facebook and Google employ this approach to study user behaviors and adjust their results (and advertisements) accordingly.
Having said all this, AI is not yet at the stage where it can replace humans, which brings up another important point: Commercial security solutions that are deployed in production environments can never be dependent on AI/ML only. They should include heuristic rules that wrap it (and are developed based on security domain expertise) and can filter out non-relevant results (noise and false positives) that AI/ML algorithms can and do generate. These heuristic rules should allow control of the sensitivity of the algorithms and adjust it to various environments and business needs. A no-rules SIEM should include some level of heuristic rules to be an effective system.
SR: Can you share some of your thoughts on the utility and role of UEBA in a typical SIEM platform? How important is it to enterprise security in the context of the modern threat landscape?
AC: In general, an integrated UEBA capability enables the SIEM to provide automated detection and adaptive response to threats across the entire cyber kill chain. It’s important to note that UEBA does not do this on its own, but as part of a complete no-rules SIEM. User and account activity logs are important inputs for detecting attacks by insiders or external intruders who have already compromised user account credentials. Therefore, UEBA is mainly useful in the middle and late phases of the cyber kill chain, but not in the earlier stages of the attack.
A proactive, no-rules SIEM should use AI and UEBA to digest security logs and network-flow logs—as well as user and account activity logs—to automatically detect and respond to malicious activity across all phases of the attack life cycle, accurately.
When UEBA is integrated into a SIEM, it should take unusual user, entity and account behavior into consideration – along with many other factors and indicators – when identifying and validating attacks. Unusual user behavior is one indicator of an attack, but not the only indicator, and by itself is not necessarily sufficient for making a clear actionable decision.
SR: What is the next stage of SIEM’s evolution, in your expert opinion?
AC: It’s an assembly of the following key capabilities:
- Flexible data ingestion from all log and data sources, either directly from the security infrastructure or indirectly (via intermediate open log and data storage, without requiring the development of plugins and complex parsers for new data sources).
- AI-driven classification of security events, which leverages NLP on both machine- and human-readable threat intelligence from internal and external sources, to understand the intent behind each event.
- Auto-correlation using cause-and-effect analytics to automatically validate and prioritize attacks and reveal the complete “attack story” – without requiring static correlation rules.
- Adaptive orchestration using the capabilities of the existing security infrastructure to actively investigate and mitigate (block) attacks, without requiring scripts.
Thanks again to Avi Chesla of empow for his time and expertise!