![\"No-Rules](\"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2017\/09\/Questions-mod.jpg\")
<\/p>\n<\/p>\n
Is there another way to deploy, manage, and maintain SIEM solutions? <\/span><\/p>\n It\u2019s a question more and more enterprises are asking as threat detection becomes the Archstone of modern cybersecurity platforms. To learn more, we spoke with Avi Chesla, Founder and CTO of SIEM solution provider <\/span>empow<\/span><\/a>, about no-rules SIEM and what it could represent for enterprises around the world. \u00a0<\/span><\/p>\n Avi Chesla: The original promise of SIEMs, more than 15 years ago, was seductive. If you follow their evolution, however, you see how the security landscape evolved in a way that made the original promise of those first-generation SIEMs difficult to achieve: \u00a0\u00a0<\/span><\/p>\n Imagine being a SIEM administrator having to create and maintain thousands of rules to keep up with constantly changing cyber threat data and attack patterns\u2014talk about a thankless job!<\/span><\/p>\n So here is the one critical challenge SIEM vendors ignored (including the ones currently calling themselves \u201cnext-generation\u201d SIEM): The need to create and maintain the vast array of log-parser and security-correlation rules to detect new and unknown attack sequences faster and faster than ever before.<\/span><\/p>\n This is the \u201cBIG RULES\u201d problem that makes SIEM a passive (rules-based) log aggregation and reporting tool, rather than an active cyber defense system. How does it affect enterprises?<\/span><\/p>\n Too Reactive<\/b> – The SIEM is a purely reactive security system that simply misses new or unknown attack sequences.<\/span><\/p>\n Too Complex<\/b> – Typical large (and even medium-sized) organizations are burdened with thousands of log-source parser and security correlation rules that are simply impossible to maintain given how fast the threat landscape is changing.<\/span><\/p>\n Too Expensive<\/b> – SIEMs require massive ongoing investment to cope with the \u201cBig Rules\u201d problem, which results in a very high total cost of ownership.<\/span><\/p>\n Does this mean that SIEMs are destined to disappear from the security arsenal? Absolutely not\u2014but it does mean that a new kind of SIEM needs to emerge: one that requires no human-written rules.<\/span><\/p>\n AC: The \u201cBig Rules\u201d problem can be solved by a \u201cno rules\u201d SIEM system. This type of SIEM is constructed with a stack of intelligence layers. The first (and most fundamental) layer is responsible for automatically classifying logs and data feeds into security \u201cintent\u201d – that is, separating benign activity from activity demonstrating malicious intent. The overall no-rules SIEM process looks like this:<\/span><\/p>\n Data collection<\/b>: A no-rules SIEM needs to be open for use with any database for collecting structured and unstructured data, including logs, network flows, intelligence feeds, user and account activities, and more. This enables them to work with existing commercial databases and open source options, which prevents the massive cost escalations that can occur with big data projects locked into a single commercial database vendor. \u00a0<\/span><\/p>\n Intent classification<\/b>: A no-rules SIEM needs to be able to decipher the security intent of each collected log and data feed using machine learning (ML) and Natural Language Processing (NLP) algorithms. The algorithms emulate the actions done today by security analysts: reading logs and data feeds, seeking out relevant information from the log itself and from third-party data sources outside the organization, and identifying attack intent. This process runs continuously and automatically with virtually no human involvement, replacing the need for manual logs parsers.<\/span><\/p>\n Auto-Correlation:<\/b> Finally, a no-rules SIEM needs an analytics module that includes user\/entity behavioral analytics (UEBA), network traffic analysis (NTA), and cause-and-effect analytics engines. This module identifies cause-and-effect relationships between the collection of deciphered intents (intents that are generated by the UEBA and NTA engines, and the NLP-based data and log classification), grouping them together and creating a visual attack story. This engine also emulates human security expert processes: it decides in real-time, according to the attack intent, which investigation policies are required, and, according to the system\u2019s risk assessment capabilities, decides which proactive response policies to employ.<\/span><\/p>\n AC: Artificial intelligence (AI) applications have made huge progress in certain areas. Siri and Alexa, for example, use NLP and speech recognition (speech-to-text translation applications), while Watson uses mainly NLP to answer questions. These applications get smarter and smarter all the time.<\/span><\/p>\n Unsupervised AI applications, for example, can learn from the environment and adapt accordingly, creating new patterns on the fly. These applications study and process their environments to create new classes of behaviors. They then adapt, independently, to better execute various decision-making functions, mirroring human thinking patterns and neural structures – which is precisely what made Stephen Hawking so nervous. Some examples include applications capable of learning an individual\u2019s text message or email style, browsing behavior, and interests. Facebook and Google employ this approach to study user behaviors and adjust their results (and advertisements) accordingly.<\/span><\/p>\n Having said all this, AI is not yet in the stage that it can replace humans, which brings up another important point: Commercial security solutions that are deployed in production environments can never be dependent on AI\/ML only. They should include heuristics rules that wrap it (and are developed based on security domain expertise) and can filter out non-relevant results (noise and false positives) that AI\/ML algorithms can and do generate. These heuristic rules should allow control of the sensitivity of the algorithms and adjust it to various environments and business needs. A no-rules SIEM should include some level of heuristics rules to be an effective system.<\/span><\/p>\n AC: In general, an integrated UEBA capability enables the SIEM to provide automated detection and adaptive response to threats <\/span>across the entire cyber kill chain<\/span>. It\u2019s important to note that UEBA does not do this on its own, but as part of a complete no-rules SIEM. User and account activity logs are important inputs for detecting attacks by insiders or external intruders who have already compromised user account credentials. Therefore, UEBA is mainly useful in the middle and late phases of the cyber kill chain, but not in the earlier stages of the attack. \u00a0<\/span><\/p>\n A proactive, no-rules SIEM should use AI and UEBA to digest security logs and network-flow logs\u2014as well as user and account activity logs\u2014to automatically detect and respond to malicious activity across all phases of the attack life cycle, accurately. \u00a0<\/span><\/p>\n When UEBA is integrated into a SIEM, it should take unusual user, entity and account behavior into consideration \u2013 along with many other factors and indicators \u2013 when identifying and validating attacks. Unusual user behavior is one indicator of an attack, but not the only indicator, and by itself is not necessarily sufficient for making a clear actionable decision.<\/span><\/p>\n AC: It\u2019s an assembly of the following key capabilities:<\/span><\/p>\n Thanks again to Avi Chesla of <\/b>empow<\/span> <\/b><\/a>for his time and expertise!<\/b><\/p>\n Other Resources:\u00a0<\/strong><\/p>\n The 10 Coolest SIEM and Security Analytics CEO Leaders<\/a><\/p>\n 5 Tips for Setting Up a Security Operations Center (SOC)<\/a><\/p>\n Get Your Employees to Embrace SIEM Best Practices!<\/a><\/p>\n 4 Tips to Make Data Breach Detection Easier For Your Enterprise<\/a><\/p>\n Enterprises: Don\u2019t Become Complacent in Your Cybersecurity!<\/a><\/p>\n How to Make Your SIEM Solution Deployment Easier for Your Enterprise<\/a><\/p>\n Comparing the Top SIEM Vendors \u2014 Solutions Review<\/a><\/p>\n How UEBA Can Prevent Insider Threats in your Enterprise<\/a><\/p>\n SIEM vs Security Analytics: What\u2019s the Difference?<\/a><\/p>\n Should Risk Analytics Bridge the Cybersecurity Talent Gap?<\/a><\/p>\n What\u2019s Changed? The Gartner 2017 Security Information and Event Management (SIEM) Magic Quadrant<\/a><\/p>\n The 25 Best Security Analytics and SIEM Platforms for 2018<\/a><\/p>\n\t\t\t![](\"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2018\/10\/PM_Forrester_Wave_Display_C.jpg\")
<\/a><\/p>\n<\/div>\n\t\t<\/div><\/div>\nSolutions Review: In our preliminary communications, you mentioned your concerns about the \u201cbig rules epidemic\u201d in modern SIEM solutions. Can you explain what you mean by this? What caused this epidemic? And how does it affect enterprises\u2019 security?<\/b><\/h4>\n
\n
SR: What is a \u201cno rules\u201d SIEM system? What does it look like?<\/b><\/h4>\n
Widget not in any sidebars
\nSR: Are artificial intelligence and behavioral analytics sophisticated enough to allow for a no-rules SIEM platform?<\/b><\/h4>\n
SR: Can you share some of your thoughts on the utility and role of UEBA in a typical SIEM platform? How important is it to enterprise security in the context of the modern threat landscape? \u00a0<\/b><\/h4>\n
SR: What is the next stage of SIEM\u2019s evolution, in your expert opinion?<\/b><\/h4>\n
\n