On May 21, I spoke at the PHDays 9 conference. I talked about new methods of Vulnerability Prioritization in the products of Vulnerability Management vendors.
During my 15 minutes time slot I defined the problems that this new technology has to solve, showed why these problems could NOT be solved using existing frameworks (CVSS), described what we currently have on the market and, as usual, criticized VM vendors and theirs solutions a little bit. ?
Continue readingRecently, I examined some automated Post-SIEM products, described with a lot of buzz words: UEBA, threat intelligence, machine learning, etc. I would like to share my opinion about all this, from the vendor, and from the consumer side.
Some information security experts [1,2,3] say, that SIEMs are very expansive and they don’t do their job properly. Traditional SIEMs usually unable to process huge amounts of mostly unnecessary logs and produce tonnes of false alarms. I’m not an expert in SIEM, but it seems to be true. Log data is useless when you just store it. And when you try to search something in it, you need to understand what exactly you are looking for and what threats are critical for your organization.
SIEM correlation features make this task much easier. But who will write the rules of this correlation? Even top SIEM vendors openly say that the most of out-of-the-box correlation rules are useless, can only be used as examples and users should develop their own rules. Of course, there are also some content and use case libraries: paid ones or free as SOC Prime Use Case Library. But in any case, the effective use of SIEM is a complex process.
As a reaction on this, some vendors and security startups developed an easy way: solutions, that will detect only the “real threats”. Thats sounds great. Some wise application tells you what is going on in your network correlating various sources of security data, and you just work with this issues. Awesome! But how does this really work?
This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.