Recently, I examined some automated Post-SIEM products, described with a lot of buzz words: UEBA, threat intelligence, machine learning, etc. I would like to share my opinion about all this, from the vendor, and from the consumer side.
What’s bad with traditional SIEMs?
Some information security experts [1,2,3] say, that SIEMs are very expansive and they don’t do their job properly. Traditional SIEMs usually unable to process huge amounts of mostly unnecessary logs and produce tonnes of false alarms. I’m not an expert in SIEM, but it seems to be true. Log data is useless when you just store it. And when you try to search something in it, you need to understand what exactly you are looking for and what threats are critical for your organization.
SIEM correlation features make this task much easier. But who will write the rules of this correlation? Even top SIEM vendors openly say that the most of out-of-the-box correlation rules are useless, can only be used as examples and users should develop their own rules. Of course, there are also some content and use case libraries: paid ones or free as SOC Prime Use Case Library. But in any case, the effective use of SIEM is a complex process.
Give me “real threats”
As a reaction on this, some vendors and security startups developed an easy way: solutions, that will detect only the “real threats”. Thats sounds great. Some wise application tells you what is going on in your network correlating various sources of security data, and you just work with this issues. Awesome! But how does this really work?