Seceon.com
Popular SIEM vs aiSIEM
You cannot flip a page in any cybersecurity magazine, or scroll through security blogging sites, without a mention of “Next Gen SIEM”. You can understand why traditional SIEM vendors are pushing this concept, given all the high-profile security breaches in the last few years and how long it took organizations to detect those breaches in spite of having a multitude of security solutions, many of them with SIEM solutions deployed in their environment.
Why haven’t popular SIEMs lived up to expectations?
As we know, today’s SIEMs collect and aggregate logs from different sources and alert security teams by running correlation rules. Therein lies the problem. The information in the logs is useful but is limited. It’s similar to a phone bill: it lets you know when a phone call was made, to which number and for how long, but doesn’t tell you about the conversation. Similarly, proxy server or firewall logs can provide information about what PC (end-device) accessed what website or URL, but don’t tell you who was on the PC at that time, or what specific application was riding on top of the URL, again forcing security teams to look at the relevant logs and correlate the information manually. The conversation and the additional contextual details hold the most important information: whether there is an incident of compromise worth spending time on, and what your short-staffed security teams should focus on. Today’s SIEMs are good at collecting and indexing modest amounts of data, and security teams can write basic rules to correlate known indicators. These SIEMs are not good at detecting unknown attacks, analyzing massive amounts of data in real-time, ingesting network session and packet information, understanding network and user behaviors, monitoring and protecting hybrid-cloud infrastructures, and, more importantly, taking immediate action to contain and eliminate threats automatically before the damage is inflicted.

In reality, SIEMs are not architected to handle large-volume, high-velocity data in real-time; they still rely on rules to correlate and raise alerts, and they still use age-old data indexing, storage and compute technologies that are inflexible and don’t support modern hybrid-cloud IT infrastructure, containerization and orchestration principles.
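The manual correlation this paragraph describes, joining proxy entries to identity events by source address and time so that a request can be attributed to a person rather than a PC, as an added example that is not part of Seceon’s paper; the log layouts, addresses and user names are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample proxy access log (not real data), one request per line:
# "timestamp src_ip method url status".
PROXY_LOG = """\
2024-03-04T09:15:02 10.1.4.22 GET http://updates.example.net/feed 200
2024-03-04T09:41:17 10.1.4.22 POST https://share.example.org/upload 200
2024-03-04T10:02:45 10.1.4.57 GET https://intranet.example.com/ 200
""".splitlines()

# Constructed identity events: who authenticated from which address and when.
# Proxy/firewall logs alone never carry this; it must be joined in from an
# identity source (domain controller, VPN, NAC...).
LOGON_LOG = """\
2024-03-04T08:58:10 LOGON alice 10.1.4.22
2024-03-04T09:30:00 LOGOFF alice 10.1.4.22
2024-03-04T09:33:40 LOGON bob 10.1.4.22
""".splitlines()

def parse_proxy(line):
    ts, ip, method, url, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "url": url, "status": int(status)}

def parse_logon(line):
    ts, event, user, ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "event": event, "user": user, "ip": ip}

def attribute_user(request, sessions):
    """Return the user logged on at request['ip'] when the request happened.

    Replays the LOGON/LOGOFF events for that address in time order up to the
    request time and keeps the current occupant. Returns None when nobody was
    logged on, which is exactly the context gap the text describes.
    """
    current = None
    for ev in sorted((e for e in sessions if e["ip"] == request["ip"]),
                     key=lambda e: e["ts"]):
        if ev["ts"] > request["ts"]:
            break
        current = ev["user"] if ev["event"] == "LOGON" else None
    return current

def correlate(proxy_lines, logon_lines):
    """Attribute every proxy request to a user: (time, ip, user-or-None, url)."""
    sessions = [parse_logon(l) for l in logon_lines]
    return [(r["ts"].isoformat(), r["ip"], attribute_user(r, sessions), r["url"])
            for r in map(parse_proxy, proxy_lines)]
```

Note that the second request on 10.1.4.22 is attributed to bob, not alice, only because the logoff and the later logon were both available; without the identity feed the proxy line alone would be attributed to nobody.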
SIEM vendors’ answer to addressing these limitations is add-on modules: a module for ingesting and processing network traffic; a module for deep packet inspection (DPI); a UEBA (User and Entity Behavioral Analytics) module; a module for IaaS, PaaS and SaaS monitoring; a playbooks module for threat remediation. And this loose collection of modules is marketed as Next-Gen or Modern SIEM.
Moreover, by the time you are done adding all the modules, you will end up with a system of increased complexity that is hard to deploy, operationalize, monitor and manage. The result is a solution with a high cost of ownership that makes it inaccessible and unusable for many organizations.
aiSIEM: Modern, Adaptive and Intelligent

At Seceon, we believe a modern SIEM cannot be built on antiquated technology and architectures. SOC teams deserve a solution that is fundamentally different in its approach. A good solution shouldn’t become burdensome but should improve SOC teams’ efficiency and effectiveness in defending against new-age cyber threats. Machine learning and AI cannot be an afterthought, but must be a core foundation of the SIEM that builds a path toward an AI-assisted SOC. Network flow forensics shouldn’t be an add-on, but an integral part of holistic threat analysis and detection. Automatic threat containment and remediation shouldn’t require building playbooks that take months and years to implement, but should be available out-of-the-box from the get-go. Moreover, it should be accessible to both Fortune 5-million and Fortune 100 enterprises.
Driven by this single-minded focus and strong desire to help organizations of all sizes, we embarked on building a cybersecurity solution for the digital era that encompasses:
• Most advanced, efficient and extremely flexible data source collection, processing and parsing engine.
• Highly scalable data ingestion bus that is capable of handling 50B events per day, yet small enough to be deployed on a single VM/cloud instance.
• Real-time stream-processing in-memory compute engine benchmarked to handle 150M events per second.
• Machine learning engine built to adapt to any new environment quickly with its unsupervised, supervised and deep learning AI.
• Correlation engine with dynamic threat detection models that become more intelligent over time in detecting both known and unknown threats.
• Big-data database that is benchmarked to handle 400K ops per second and can store and archive years’ worth of data.
• Search and in-memory database to assist in executing dynamic threat models in real-time and finding that needle in the haystack by eliminating the noise.
• Built-in integration with most IT and network infrastructure components (identity systems, firewalls, routers/switches, etc.) for automatic threat containment and elimination.
• Container and micro-services architecture driven, offering flexibility to deploy the solution across a myriad of modern and legacy IT infrastructures.
• Built-in multi-tenancy architecture.
The result is Seceon aiSIEM, which is:
• The most advanced SIEM with actionable intelligence and automatic threat containment & elimination.
• An integrated MDR and MSS technology stack.
• A solution easy to install, implement, and operationalize with minimal configuration and management.
• A highly scalable, cloud, virtualization and bare-metal native solution with built-in horizontal clustering and orchestration.
• A solution that can monitor and secure hybrid-cloud infrastructures.
Figure 1: aiSIEM in Action

Benefits of aiSIEM™
aiSIEM aligns to Gartner’s CARTA approach to provide these five major benefits to enterprises:
• Reduced MTTI (Mean-Time-To-Identify): detecting threats in near real-time, not days, weeks or months after.
• Reduced MTTR (Mean-Time-To-Resolve) by containing threats as soon as they are detected, with out-of-the-box automatic remediation.
• More efficient and effective SOC teams focusing on “Threats that Matter”, not iterating through thousands of alerts per day.
• Continuous compliance and risk monitoring.
• Comprehensive visibility of the enterprise’s security posture.

And it benefits Managed Security Service Providers (MSSPs) in the following two ways:
• Integrated solution to offer MDR and MSS with minimal investment.
• Single pane of glass security posture visibility and monitoring across tenants.
According to Gartner’s new strategic approach, Continuous Adaptive Risk and Trust Assessment (CARTA) (refer: “Use a CARTA Strategic Approach to Embrace Digital Business Opportunities in an Era of Advanced Threats”), continuous data analytics is absolutely a must to constantly assess an organization’s security posture, provide adaptive access, predict and anticipate threats in real-time, and respond to the threats that matter in real-time.
How aiSIEM is different from the traditional SIEMs:

Conclusion

aiSIEM is a truly modern SIEM with ML & AI as core foundations for threat detection with no rules to define; it is adaptive and intelligent to the changing threat landscape, and it contains and eliminates threats without user intervention. It is designed for modern hybrid-cloud IT infrastructures and helps organizations with continuous compliance and risk assessment.

Find out more at www.seceon.com