Friday, October 27, 2023

How Would a Distributed SIEM Look?


SIEMs have been the primary workhorse of security operations centers, consistently scaled up over the years to accommodate the growing volume of security data. But instead of buffing a single horse to handle this workload, can we distribute it across several horses?

At GigaOm we have been following this space for several years now, and as I have been researching it for the third iteration of the Radar Report, I came across the same challenges and narratives from vendors, which boil down to "do more with less".

That is: more logs, more threats, more integrations, with less time needed to resolve incidents, less tolerance for undetected events or false positives, and fewer analysts needed to investigate incidents. This trend will continue. IT systems are only getting more complex and the attack surface keeps growing.

An IBM study found that it took an average of 277 days, about nine months, to identify and contain a breach. So SIEMs need to retain data for roughly one year to support threat hunting activities.

As a first, obvious response, vendors are facilitating more storage. Cloud data lakes are a cheap and scalable option for this and appear to be increasingly common.

A second, equally obvious response involves SIEM vendors increasing the efficiency of their solution to detect threats faster and automate as many workflows as possible. To do this natively, you may need to bring in outside capabilities. The low-hanging fruit are SOAR, UEBA, and XDR. SOAR, for example, was essentially a response to SIEM's inefficiencies. SOAR capabilities within the SIEM make sense: automate response processes inside the box.

Nonetheless, log ingestion and alert curation remain the core SIEM function, regardless of how many extra features you cram under one roof. Integrating other tools' capabilities into the SIEM is a good solution right now, but tackling billions and trillions of logs, with or without ML, would simply become inefficient from a compute, networking, and storage standpoint. It will become practically impossible to manage a distributed environment with a centralized solution.

Historically, when solutions become too large and unwieldy to manage, improvements have moved toward a distributed architecture that supports horizontal scalability.

Can we do the same with a SIEM? What would it look like? I imagine it as follows: a centralized management plane or orchestrator controls lightweight, distributed SIEM agents deployed next to the different log sources. Each agent collects and stores data locally, correlates events and identifies suspicious activity, and applies alarm rules defined specifically for the types of logs it is analyzing.

OpenText's ArcSight ESM first introduced a Distributed Correlation feature as far back as 2018. In essence, enterprises can add multiple instances of correlators and aggregators that run as individual services and spread the correlation workload across those services.

Instead of distributing only the correlation engine, we can imagine the whole solution and its components in lighter deployments, including log ingestion, storage, filtering, alert rules and the like, perhaps even specialized for a particular type of event source. For example, we could have SIEM agents responsible only for employee devices, network traffic, server logs, end-user web applications, and so on. Or we could have agents dedicated to cloud environments, on-premises deployments, or colocation facilities.

Let's not forget that one of the main selling points of a SIEM is the aforementioned correlation feature, which involves making obvious or non-obvious connections across multiple data sources. Here, the orchestrator can coordinate correlation by pairing only the relevant information from different sources. That pairing can be filtered by something as basic as timestamps, be guided by pre-trained ML algorithms, or leverage the MITRE ATT&CK framework for common patterns. The trade-off is that the orchestrator only sees what the agents choose to escalate, so an analyst hunting across sources needs federated search over the agents' local stores rather than one central index.
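The agent/orchestrator split sketched above, as an added Python illustration (this is not GigaOm's, OpenText's, or any vendor's code): two agents each hold their own constructed sample events and run a rule specific to their source type (an SSH brute-force threshold over auth logs, a large non-RFC1918 egress over flow records), while the orchestrator receives only their alerts and chains them per host within a 60-minute window, the timestamp pairing mentioned in the text. The event fields, rule names, thresholds, hostnames and addresses are assumptions chosen for the demo.

```python
"""Toy distributed SIEM: per-source agents keep raw logs locally and run source-specific
rules; a central orchestrator receives only their alerts and correlates across sources.
Added illustration, not GigaOm's or any vendor's code; event fields, rule names and
thresholds are assumptions chosen for the demo."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Iterable


@dataclass(frozen=True)
class Alert:
    source: str   # log-source type of the agent that raised it
    host: str     # asset concerned
    ts: datetime
    rule: str

Rule = Callable[[list[dict]], list[tuple[str, datetime]]]  # local store -> (host, ts) hits


class Agent:
    """Lightweight agent for one log-source type; raw events never leave it."""
    def __init__(self, source: str, rules: dict[str, Rule]):
        self.source, self.rules, self.store = source, rules, []

    def ingest(self, events: Iterable[dict]) -> list[Alert]:
        self.store.extend(events)
        self.store.sort(key=lambda e: e["ts"])
        alerts = [Alert(self.source, host, ts, name)
                  for name, rule in self.rules.items() for host, ts in rule(self.store)]
        return sorted(alerts, key=lambda a: a.ts)   # only alerts go upstream


class Orchestrator:
    """Management plane: pairs alerts from different agents by host and time window."""
    def __init__(self, window: timedelta):
        self.window, self.alerts = window, []

    def collect(self, alerts: Iterable[Alert]) -> None:
        self.alerts.extend(alerts)

    def correlate(self, chain: list[tuple[str, str]]) -> list[list[Alert]]:
        """chain = [(source, rule), ...] expected in that order on one host within window."""
        by_host = defaultdict(list)
        for a in self.alerts:
            by_host[a.host].append(a)
        matches = []
        for alerts in by_host.values():
            alerts.sort(key=lambda a: a.ts)
            for first in [a for a in alerts if (a.source, a.rule) == chain[0]]:
                seq, deadline = [first], first.ts + self.window
                for want in chain[1:]:
                    nxt = next((a for a in alerts if (a.source, a.rule) == want
                                and seq[-1].ts <= a.ts <= deadline), None)
                    if nxt is None:
                        break
                    seq.append(nxt)
                else:                      # every link found inside the window
                    matches.append(seq)
        return matches


def ssh_brute_force(store, threshold=5, span=timedelta(seconds=60)):
    """Auth-agent rule: >= threshold failed logins from one src to one host within span."""
    fails = defaultdict(list)
    for e in store:                                        # store is time-sorted
        if e["kind"] == "auth_fail":
            fails[(e["host"], e["src"])].append(e["ts"])
    hits = []
    for (host, _src), times in fails.items():
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= span:
                hits.append((host, times[i]))               # one alert per burst
                break
    return hits

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def large_egress(store, limit=50_000_000):
    """Netflow-agent rule: more than `limit` bytes out to a non-RFC1918 destination."""
    return [(e["host"], e["ts"]) for e in store if e["bytes_out"] > limit
            and not any(ipaddress.ip_address(e["dst"]) in n for n in RFC1918)]


T0 = datetime(2023, 10, 27, 9, 0, 0)           # constructed sample events, not real logs
def t(m, s=0): return T0 + timedelta(minutes=m, seconds=s)

AUTH_EVENTS = (
    [{"ts": t(0, 5 * i), "host": "web-01", "src": "203.0.113.9", "kind": "auth_fail"} for i in range(6)]
    + [{"ts": t(1), "host": "web-01", "src": "203.0.113.9", "kind": "auth_ok"}]
    + [{"ts": t(2, 5 * i), "host": "db-02", "src": "203.0.113.10", "kind": "auth_fail"} for i in range(5)]
    + [{"ts": t(5), "host": "web-01", "src": "10.0.0.5", "kind": "auth_fail"}])   # lone failure, no alert
NET_EVENTS = [
    {"ts": t(10), "host": "web-01", "dst": "198.51.100.7", "bytes_out": 120_000_000},   # 10 min after burst
    {"ts": t(8), "host": "backup-01", "dst": "198.51.100.8", "bytes_out": 900_000_000}, # no auth alert here
    {"ts": t(190), "host": "db-02", "dst": "198.51.100.9", "bytes_out": 200_000_000},   # 3 h later: outside window
    {"ts": t(11), "host": "web-01", "dst": "10.0.0.20", "bytes_out": 500_000_000}]      # internal: not egress


def run_demo() -> dict:
    auth = Agent("auth", {"ssh_brute_force": ssh_brute_force})
    netflow = Agent("netflow", {"large_egress": large_egress})
    orch = Orchestrator(window=timedelta(minutes=60))
    local = auth.ingest(AUTH_EVENTS) + netflow.ingest(NET_EVENTS)
    orch.collect(local)
    return {"local_alerts": local,
            "matches": orch.correlate([("auth", "ssh_brute_force"), ("netflow", "large_egress")])}
```

Running `run_demo()` yields five local alerts (two brute-force bursts, three large flows) but only one cross-source match, on web-01: db-02's egress falls outside the 60-minute window and backup-01 never produced an auth alert. The raw auth and flow records stay in each agent's store; the orchestrator works from alerts alone, which is what makes the design cheap to scale and also why cross-source hunting would need to query the agents themselves.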

There is a lot of engineering and ingenuity required in scaling systems, and all vendors are scaling up to accommodate hundreds of thousands of events per minute in one way or another. If current developments are helping to scale SIEM systems incrementally, a new architecture could help accommodate future ingestion requirements. When centralized systems can no longer keep up, perhaps a distributed one should be considered.
