![\"Top-Down](\"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2019\/09\/AI-Eye.jpg\")
<\/p>\n<\/p>\n
Enterprises still struggle to understand the implications and proper deployment of SIEM. In fact, of all the branches of modern cybersecurity, SIEM often poses the most challenges. However, the advent of top-down SIEM could change all of that.<\/p>\n
To find out more, we spoke with Avi Chesla of empow<\/a> in an in-depth interview which covered top-down SIEM technology and MITRE attack languages. Here\u2019s our conversation, edited slightly for clarity.<\/p>\n Avi Chesla: SIEM technologies have existed for more than 15 years. The main idea behind SIEM, in the beginning, was to centralize all the security events in one place and create reports that provide insights.<\/p>\n Look what happened after that. The main milestone we saw involved organizations generating more data than ever before. In the last 5 or 6 years enterprises began facing a situation in which there are so many rules that need to be created manually; more advanced rules may involve correlation to connect the dots and find events that are not false positives.<\/p>\n As a result, with most SIEM technologies they become expensive and reactive tools. In other words, they represent a bottom-up approach to SIEM. The solutions require defined rules, most of which must be done manually to reach the top data and the most dangerous threats. This becomes expensive as it requires extensive manpower and is reactive as it demands knowing about cyber threats ahead of time.<\/p>\n Regarding the evolution of SIEM, we might see the name of this technology change as demands change. Customers may not want event management, because that is too much\u2014there may be millions of events in some enterprises. Now it is about switching the direction: top-down SIEM rather than bottom-up. Top-down SIEM starts with the top risks in your enterprise, the entities (users, devices, databases) most at risk, and then looks down at the specific logs connected to those entities.<\/p>\n In fact, we\u2019re seeing security operations centers (SOCs) try to develop that top-down approach.<\/p>\n AC: Here\u2019s what our customers are saying: \u201cSIEM is broken. We don\u2019t need this, there is too much information, too many events. We need something that will bring us the most relevant events and information; we\u2019re looking for relevance and need a solution that can find the most relevant information according to our security policies and risks.\u201d<\/p>\n So the name might change to reflect those demands. I\u2019m not sure what name we\u2019ll use in the future. \u201cSecurity Operation Management,\u201d perhaps?<\/p>\n AC: SOAR is a collection of features\u2014workflows\u2014that take best practices in the SOC and try to automate them. It tries to answer the question: \u201cwhat do I need to do manually so that I can just automate instead?\u201d<\/p>\n I believe that SOAR, as a collection of features, is part of the solution, and should be consolidated with the SIEM and behavioral analytics technologies in order to really provide the top-down SIEM. We\u2019re already seeing that happening through acquisitions such as Palo Alto Networks acquisition of Demisto. Specific SOAR capabilities can work top-down, but enterprise can\u2019t rely on SOAR alone.<\/p>\n When we founded empow around 5 years ago, we knew that the problem wouldn\u2019t be a lack of cybersecurity tools\u2014there are plenty of those\u2014or lack of data. Instead, we predicted that customers would need something to abstract the complexity of SIEM, something that could take the information, languages, and events and classify it into one language\u2014a language of cybersecurity, a language of attacks. A language that would allow analysts to understand real risk.<\/p>\n In the last two years, a trend has emerged: The MITRE ATT&CKTM<\/sup> framework, which is basically that language of attacks, which can definitely serve as the \u201cwords\u201d of that predicted one language<\/p>\n Once you have that, SOAR works really well as you can define your response automation workflow based on attack behaviors rather than on logs or events.<\/p>\n Think about this as well: working from the bottom up, you can say that \u201cif X event occurs, I want Y automatically operations to be conducted.\u201d But that doesn\u2019t scale, especially if you have millions of events. First, enterprises need to reduce all of this noise\u2014the data\u2014by classification and correlation and placing it in a language of attacks like MITRE.<\/p>\n Now, instead of millions, your business may have only 20 or 30 attack behaviors (or attack campaigns) to analyze. You can tell the SOAR to start automating response with focus on a phishing attack behavior, or on a privileges escalation attack behavior etc., rather than triggering it on every event or log your cybersecurity system (or SIEM) is generating.<\/p>\n AC: Businesses need to think about the following: they need to make sure they can work from the top down. They need a SIEM solution that can prioritize automatically the highest risk entities they have in their organization. Also, they need technologies that can speak MITRE\u2014a universal language to communicate with organizations, verify threats, and trigger well-focused automated, or manual, response processes<\/p>\n Also, businesses need to make sure that when they deploy a SIEM solution, they don\u2019t use a commercial licensing model based on data consumption. Enterprises could create so much data that it makes the SIEM platform very, very <\/em>expensive if they license based on data consumption. The licensing should instead be based on something like the number of users\u2014something predictable and stable.<\/p>\n AC: Yes, I think that we still feel good about that prediction, because rules are really a problem. What we see supports that\u2014many vendors offer No-Rules SIEM, even if they don\u2019t have the technology to do it.<\/p>\n We did predict something that did not happen, which may still happen in the following years. We thought that there would be a strong requirement for collaboration of defense strategies in organizations\u2019 cybersecurity. In collaboration and information sharing today, it involves indication of compromised patterns, and known vulnerabilities but not defense strategies. Defense strategies are more than just knowing vulnerabilities; it must also involve the best practices of detection (in the form of correlation and triage), investigations, and response procedures.<\/p>\n We thought there would be a platform that would allow you to do it\u2014sharing defense strategies and asking for advice on defending against the next threat. It\u2019s not something available today in that way. Using the MITRE ATT&CKTM<\/sup> framework, I think we are pretty close to getting there.<\/p>\n Thanks to Avi Chesla of empow<\/a> for his time and expertise. To learn more about SIEM, check out our free Buyer\u2019s Guide<\/a>.<\/em><\/p>\n Enterprises still struggle to understand the implications and proper deployment of SIEM. In fact, of all the branches of modern cybersecurity, SIEM often poses the most challenges. However, the advent of top-down SIEM could change all of that. To find out more, we spoke with Avi Chesla of empow in an in-depth interview which covered […]<\/p>\n","protected":false},"author":41,"featured_media":2769,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[551,1],"tags":[843,353,95,1313,86,1320,1322,1323,21,57,22,373,1321],"acf":[],"yoast_head":"\n
Widget not in any sidebars
\u00a0\u00a0<\/span><\/p>\nSolutions Review: How do you feel about the evolution of SIEM technology in the new decade, especially this year (given the circumstances surrounding 2020)?<\/strong><\/h4>\n
SR: So you think that SIEM might change so much we\u2019ll need a new name for it in the future? What kind of name do you think we\u2019ll use? <\/strong><\/h4>\n
SR: We were going to talk about this a little later, but it bears discussion now with this talk of top-down SIEM. What about SOAR (security orchestration, automation, and response)? Will that replace SIEM in the future? Will the two merge, will the two influence each other? What do you see moving forward?<\/strong><\/h4>\n
SR: So, with all of this in mind, with top-down SIEM and with MITRE as a language of cybersecurity, what capabilities now matter to optimal SIEM for businesses? <\/strong><\/h4>\n
SR: So we\u2019ve spoken before a few years, in an article about <\/strong>No-Rules SIEM<\/strong><\/a>, we discussed the big rules epidemic. How do you feel about this problem now, especially in the context we\u2019ve discussed so far? How do you feel about No-Rules SIEM now as compared to a few years ago? <\/strong><\/h4>\n
<\/div><\/p>\n
Widget not in any sidebars
<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"