Top-Down SIEM: An Interview with Avi Chesla of Empow

Enterprises still struggle to understand the implications and proper deployment of SIEM. In fact, of all the branches of modern cybersecurity, SIEM often poses the most challenges. However, the advent of top-down SIEM could change all of that.

To find out more, we spoke with Avi Chesla of empow in an in-depth interview which covered top-down SIEM technology and MITRE attack languages. Here’s our conversation, edited slightly for clarity.

  

Solutions Review: How do you feel about the evolution of SIEM technology in the new decade, especially this year (given the circumstances surrounding 2020)?

Avi Chesla: SIEM technologies have existed for more than 15 years. The main idea behind SIEM, in the beginning, was to centralize all the security events in one place and create reports that provide insights.

Look what happened after that. The main milestone we saw involved organizations generating more data than ever before. In the last 5 or 6 years enterprises began facing a situation in which there are so many rules that need to be created manually; more advanced rules may involve correlation to connect the dots and find events that are not false positives.

As a result, most SIEM technologies become expensive and reactive tools. In other words, they represent a bottom-up approach to SIEM. The solutions require defined rules, most of which must be done manually to reach the top data and the most dangerous threats. This becomes expensive as it requires extensive manpower and is reactive as it demands knowing about cyber threats ahead of time.

Regarding the evolution of SIEM, we might see the name of this technology change as demands change. Customers may not want event management, because that is too much—there may be millions of events in some enterprises. Now it is about switching the direction: top-down SIEM rather than bottom-up. Top-down SIEM starts with the top risks in your enterprise, the entities (users, devices, databases) most at risk, and then looks down at the specific logs connected to those entities.

In fact, we’re seeing security operations centers (SOCs) try to develop that top-down approach.

SR: So you think that SIEM might change so much we’ll need a new name for it in the future? What kind of name do you think we’ll use?

AC: Here’s what our customers are saying: “SIEM is broken. We don’t need this, there is too much information, too many events. We need something that will bring us the most relevant events and information; we’re looking for relevance and need a solution that can find the most relevant information according to our security policies and risks.”

So the name might change to reflect those demands. I’m not sure what name we’ll use in the future. “Security Operation Management,” perhaps?

SR: We were going to talk about this a little later, but it bears discussion now with this talk of top-down SIEM. What about SOAR (security orchestration, automation, and response)? Will that replace SIEM in the future? Will the two merge, will the two influence each other? What do you see moving forward?

AC: SOAR is a collection of features—workflows—that take best practices in the SOC and try to automate them. It tries to answer the question: “what do I need to do manually so that I can just automate instead?”

I believe that SOAR, as a collection of features, is part of the solution, and should be consolidated with the SIEM and behavioral analytics technologies in order to really provide the top-down SIEM. We’re already seeing that happening through acquisitions such as Palo Alto Networks’ acquisition of Demisto. Specific SOAR capabilities can work top-down, but enterprises can’t rely on SOAR alone.

When we founded empow around 5 years ago, we knew that the problem wouldn’t be a lack of cybersecurity tools—there are plenty of those—or lack of data. Instead, we predicted that customers would need something to abstract the complexity of SIEM, something that could take the information, languages, and events and classify it into one language—a language of cybersecurity, a language of attacks. A language that would allow analysts to understand real risk.

In the last two years, a trend has emerged: the MITRE ATT&CK™ framework, which is basically that language of attacks, which can definitely serve as the “words” of that predicted one language.

Once you have that, SOAR works really well as you can define your response automation workflow based on attack behaviors rather than on logs or events.

Think about this as well: working from the bottom up, you can say that “if X event occurs, I want Y operations to be conducted automatically.” But that doesn’t scale, especially if you have millions of events. First, enterprises need to reduce all of this noise—the data—by classification and correlation and placing it in a language of attacks like MITRE.

Now, instead of millions, your business may have only 20 or 30 attack behaviors (or attack campaigns) to analyze. You can tell the SOAR to start automating response with a focus on a phishing attack behavior, or on a privilege escalation attack behavior, etc., rather than triggering it on every event or log your cybersecurity system (or SIEM) is generating.

SR: So, with all of this in mind, with top-down SIEM and with MITRE as a language of cybersecurity, what capabilities now matter to optimal SIEM for businesses?

AC: Businesses need to think about the following: they need to make sure they can work from the top down. They need a SIEM solution that can automatically prioritize the highest-risk entities they have in their organization. Also, they need technologies that can speak MITRE—a universal language to communicate with organizations, verify threats, and trigger well-focused automated, or manual, response processes.

Also, businesses need to make sure that when they deploy a SIEM solution, they don’t use a commercial licensing model based on data consumption. Enterprises could create so much data that it makes the SIEM platform very, very expensive if they license based on data consumption. The licensing should instead be based on something like the number of users—something predictable and stable.

SR: So we’ve spoken before; a few years ago, in an article about No-Rules SIEM, we discussed the big rules epidemic. How do you feel about this problem now, especially in the context we’ve discussed so far? How do you feel about No-Rules SIEM now as compared to a few years ago?

AC: Yes, I think that we still feel good about that prediction, because rules are really a problem. What we see supports that—many vendors offer No-Rules SIEM, even if they don’t have the technology to do it.

We did predict something that did not happen, which may still happen in the following years. We thought that there would be a strong requirement for collaboration of defense strategies in organizations’ cybersecurity. Collaboration and information sharing today involves indication of compromised patterns and known vulnerabilities, but not defense strategies. Defense strategies are more than just knowing vulnerabilities; they must also involve the best practices of detection (in the form of correlation and triage), investigations, and response procedures.

We thought there would be a platform that would allow you to do it—sharing defense strategies and asking for advice on defending against the next threat. It’s not something available today in that way. Using the MITRE ATT&CK™ framework, I think we are pretty close to getting there.

Thanks to Avi Chesla of empow for his time and expertise. To learn more about SIEM, check out our free Buyer’s Guide.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.