

Discover SIEM capabilities for real-time analysis

Learn what SIEM capabilities aid the real-time analysis of collected information and security alarms, allowing for prompt detection of actual or potential attacks.

Many organizations primarily rely on security information and event management technologies for periodic, centralized security reports. These reports are generated for compliance purposes and after-the-fact detection and investigation of compromises. However, most SIEM platforms are also capable of performing real-time analytics.

In real-time mode, the SIEM platform receives security-event log data as soon as it is generated, continuously analyzes the most recently collected data and flags events that require further action. That action might be monitoring a particular network connection more closely, generating an alert for security operations center personnel to respond to, or directing other enterprise security controls to stop an attack in progress.

Organizations are taking advantage of the real-time analytics capabilities of SIEM products to detect and stop attacks more quickly, which helps reduce major data breaches and other compromises. Look for the following three things when evaluating SIEM systems for real-time analytics use.

A variety of analysis techniques. Different circumstances call for different analysis techniques or combinations of them. For example, a signature-based technique may detect a known attack faster than the alternatives, but attackers can often evade signatures by altering their tools or traffic, which makes that technique useless against those variants.

SIEM platforms should therefore also support techniques that look for anomalous events, changes in user behavior patterns, statistical outliers and other unexpected activity. Just as important, the product should apply the right technique, or combination of techniques, to each circumstance rather than running a single method against everything.

Event correlation capabilities. One of the biggest advantages of SIEM is that it can see the big picture by finding related pieces of a single event or related events in multiple logs and putting those pieces together. For example, a network intrusion prevention system might detect that a server is being attacked, but access to the server's operating system and application logs is necessary to determine if the attack succeeded and, if so, what happened.

SIEM platforms can automatically analyze all of these logs together. Thus, they can produce a much richer picture of what happened. In some cases, SIEM platforms can identify a whole series of related events, allowing a human analyst to trace the actions an attacker performed throughout the company.

Threat intel support and use. A threat intelligence feed provides information on the latest detected threats, such as the IP addresses of devices being used to attack others. SIEM use of information from threat intelligence feeds can significantly improve its real-time analytics by making attack detection faster and more accurate and by giving the SIEM platform a stronger basis for prioritizing its actions.

Some SIEM platforms use threat intelligence feeds that the vendor provides; others support the use of third-party feeds. The quality of the information in the feed itself is certainly important. Quality includes how often it is updated, how comprehensive it is and how accurate it is. But it's also important to consider how the SIEM product uses the threat intelligence. It should be just one factor of many considered by real-time analytics. An unbalanced approach may significantly increase false positives or false negatives, potentially making real-time analytics less effective.
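The three capabilities above, worked through as an added example rather than code from the original article or from any SIEM vendor. It parses a constructed IPS alert stream and constructed host sshd logs (the line formats, host names, IP addresses, threat-feed contents, login baseline and factor weights are all assumptions for the demo), correlates each alert with the target host's own log entries in a time window, and then scores the result as a weighted combination of a signature hit, a statistical login anomaly and a threat-feed match, so that a feed match on its own raises priority but does not by itself produce a "compromise" verdict.

```python
"""Toy real-time SIEM pipeline: parse, correlate, score (added example).
Log formats, hosts, IPs, feed, baseline and weights are constructed."""
import re
from datetime import datetime, timedelta

# Constructed IPS alerts (hypothetical key=value format).
IPS_ALERTS = [
    "2016-08-01T10:00:05Z ips sig=SSH-BRUTE src=203.0.113.7 dst=web01",
    "2016-08-01T10:20:00Z ips sig=PORT-SCAN src=198.51.100.9 dst=db01",
    "2016-08-01T10:30:00Z ips sig=PORT-SCAN src=192.0.2.44 dst=web01",
]
# Constructed host logs; only sshd lines are parsed, other lines are noise.
HOST_LOGS = [
    "2016-08-01T10:00:01Z web01 sshd Failed password for root from 203.0.113.7",
    "2016-08-01T10:00:02Z web01 sshd Failed password for root from 203.0.113.7",
    "2016-08-01T10:00:03Z web01 sshd Failed password for root from 203.0.113.7",
    "2016-08-01T10:00:09Z web01 sshd Accepted password for deploy from 203.0.113.7",
    "2016-08-01T10:00:30Z web01 app config.yml read by deploy",
    "2016-08-01T10:20:10Z db01 sshd Failed password for admin from 198.51.100.9",
]
# Constructed threat feed: addresses recently seen attacking others.
THREAT_FEED = {"203.0.113.7", "192.0.2.44"}
# Constructed baseline: expected successful logins per host per window.
LOGIN_BASELINE = {"web01": 0.2, "db01": 0.1}
WINDOW = timedelta(minutes=5)

ALERT_RE = re.compile(r"^(\S+) ips sig=(\S+) src=(\S+) dst=(\S+)")
SSHD_RE = re.compile(
    r"^(\S+) (\S+) sshd (Accepted|Failed) password for (\S+) from (\S+)")


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_alerts(lines):
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line)
        if m:
            alerts.append({"time": parse_time(m.group(1)), "sig": m.group(2),
                           "src": m.group(3), "dst": m.group(4)})
    return alerts


def parse_sshd(lines):
    events = []
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            events.append({"time": parse_time(m.group(1)), "host": m.group(2),
                           "result": m.group(3), "user": m.group(4),
                           "src": m.group(5)})
    return events


def correlate(alert, sshd_events, window=WINDOW):
    """Event correlation: the target host's sshd events from the alert's
    source address, within the window around the IPS alert time."""
    return [e for e in sshd_events
            if e["host"] == alert["dst"] and e["src"] == alert["src"]
            and abs(e["time"] - alert["time"]) <= window]


def score(alert, related, feed, baseline):
    """Combine independent factors; no single factor decides the verdict."""
    factors = {"signature": 30}  # the IPS signature fired
    failures = sum(1 for e in related if e["result"] == "Failed")
    accepts = [e for e in related if e["result"] == "Accepted"]
    if failures >= 3 and accepts:
        factors["success_after_failures"] = 40  # host log says it worked
    # Statistical anomaly: successful logins well above the host's baseline.
    if len(accepts) > 3 * baseline.get(alert["dst"], 1.0):
        factors["login_rate_anomaly"] = 15
    if alert["src"] in feed:
        factors["threat_intel"] = 20  # one factor among many, not a verdict
    total = sum(factors.values())
    if total >= 70:
        verdict = "compromise_likely"
    elif total >= 40:
        verdict = "suspicious"
    else:
        verdict = "monitor"
    return total, verdict, factors


def analyze(alert_lines, host_lines, feed=THREAT_FEED, baseline=LOGIN_BASELINE):
    """Correlate and score every alert; returns {(sig, host): (score, verdict, factors)}."""
    sshd = parse_sshd(host_lines)
    results = {}
    for alert in parse_alerts(alert_lines):
        related = correlate(alert, sshd)
        results[(alert["sig"], alert["dst"])] = score(alert, related, feed, baseline)
    return results


if __name__ == "__main__":
    for key, (total, verdict, factors) in analyze(IPS_ALERTS, HOST_LOGS).items():
        print(key, total, verdict, factors)
```

On the constructed data, the SSH-BRUTE alert against web01 scores 105 (signature, three failures followed by a success in the host log, a login rate above baseline, and a feed hit) and is marked compromise_likely; the PORT-SCAN against db01 scores 30 and is only monitored; the PORT-SCAN from the feed-listed 192.0.2.44 scores 50 and is marked suspicious but not a compromise, because the feed match is weighted as one input rather than treated as proof. The weights and thresholds are arbitrary and would be tuned per environment.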


This was last published in August 2016
