In this article, we’ll take a look at SIEM technology and how it’s evolving to better serve our security needs within a changing IT landscape.
The classic method
SIEM (Security Information and Event Management) provides a company with an overview of its network. It ingests and normalises events (logs) from all the sources within the network and correlates them so that incidents can be detected when they happen. Because the logs are retained, it’s also possible to reconstruct an incident after it has happened.
The classic SIEM method uses correlation rules to flag possible threats. This relies heavily on security personnel wading through alerts and fine-tuning the rules to cancel out false positives, which can become very time-consuming. This reliance on correlation rules also means the system might not flag unknown threats, or attacks that spread across different credentials and devices, since no single rule matches the whole chain.
Counting on machine learning
On the other hand, a UEBA (User and Entity Behavioural Analytics) tool, like Exabeam, uses behavioural analysis to detect attacks. It saves time for security analysts by including lateral movement within the network in a single user timeline. Machine learning is used to baseline a user’s behaviour, and subsequent timelines are compared to these baselines to detect anomalies.
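To make the contrast between the two approaches concrete, here is an added example (not the article’s or Exabeam’s code) that builds a per-user baseline from constructed login events and scores new events against it, next to a static correlation rule; user names, hosts, timestamps and thresholds are all made up for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample authentication events: "user,host,timestamp" (not real data).
HISTORY = """alice,ws-alice,2024-03-04T09:02:00
alice,ws-alice,2024-03-05T08:55:00
alice,ws-alice,2024-03-06T09:10:00
alice,ws-alice,2024-03-07T09:00:00
bob,ws-bob,2024-03-04T22:05:00
bob,ws-bob,2024-03-05T22:10:00
bob,ws-bob,2024-03-06T21:58:00
bob,ws-bob,2024-03-07T22:02:00""".splitlines()


def parse(line):
    """Split one event into (user, host, hour-of-day)."""
    user, host, ts = line.split(",")
    return user, host, datetime.fromisoformat(ts).hour


def build_baseline(lines):
    """Per-user baseline: hosts seen before, plus mean/stdev of login hour.
    Hours are treated linearly, so logins straddling midnight are a known
    simplification of this toy baseline."""
    hosts, hours = defaultdict(set), defaultdict(list)
    for user, host, hour in map(parse, lines):
        hosts[user].add(host)
        hours[user].append(hour)
    return {u: (hosts[u], mean(hours[u]), pstdev(hours[u])) for u in hosts}


def static_rule(line):
    """Classic correlation rule: any logon outside 06:00-20:00 raises an alert,
    regardless of who the user is or what is normal for them."""
    _, _, hour = parse(line)
    return not 6 <= hour < 20


def behavioural_score(baseline, line, tolerance=2.0):
    """UEBA-style score: one point for a never-seen host, one for a login hour
    more than `tolerance` (at least one hour) away from the user's usual time."""
    user, host, hour = parse(line)
    if user not in baseline:
        return 2  # no history to compare against: treat as notable
    known_hosts, mu, sigma = baseline[user]
    score = 0
    if host not in known_hosts:
        score += 1
    if abs(hour - mu) > tolerance * max(sigma, 1.0):
        score += 1
    return score
```

With this baseline, bob’s habitual 22:00 login trips the static rule but scores 0 behaviourally, while alice logging in at her usual hour from an unknown host passes the static rule but is flagged by the baseline.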
Exabeam offers unlimited log storage. This means that the price of the solution doesn’t depend on the number or size of the logs ingested, so it’s possible to log all your data for a predictable price. The more data you keep, the more Exabeam can analyse.
To allow easy enrolment of all your data sources, Exabeam created out-of-the-box integrations for 350 IT infrastructure, security and cloud products. These include data source integrations for logging, and SOAR (Security Orchestration and Automated Response) integrations that automate incident response.
- For example, Exabeam offers pre-built cloud log collectors for providers like AWS, Microsoft 365, etc. Cloud connectors make it easy to add cloud resources such as AWS IAM, CloudTrail and VPC network flows as data sources for Exabeam. If the cloud service provider changes its API, the Exabeam cloud connectors update automatically so that logging continues without manual intervention. This lets organisations centralise the data coming from their cloud services and gain insight into the entire hybrid infrastructure from within Exabeam.
- An example of a SOAR integration is SentinelOne’s behaviour-based Endpoint Protection. Exabeam integrates with SentinelOne to ingest threat and incident data in order to feed the Exabeam analysis model. Moreover, this integration also allows the automation of SentinelOne actions from within Exabeam. When Exabeam picks up on a threat related to a specific endpoint, it can make use of SentinelOne’s API to automatically gather that device’s process data and trigger a scan of the host.
Turn your bird’s eye view on
Now let’s consider a modern multi-cloud environment. Within this structure, every island has its own (often very high-end) security controls and even monitoring instances:
- On-prem firewalls, monitoring for on-prem landscape;
- Data centre security, hypervisor security options in private cloud;
- A wide range of security controls in public cloud.
All of them are focused on their own landscape and thus create islands in the multi-cloud environment, each with its own blind spots at the boundaries. It is extremely important that organisations consider this structure and include it in their overall defence strategy.