Making SIEM accessible to all
Securonix’s VP in APJ, Neil Campbell, shared how he believes the industry of SIEM (security incident event management) and analytics needs to be disrupted.
“I’ve seen customers have to spend so much on their SIEM and analytics platforms that it really cripples their security budget, and leads them to make some very difficult choices.
“The sheer cost of using SIEM means most customers have to make difficult decisions about what log sources or data sources they turn off in order to be able to continue to afford to operate the platform.
“And that’s paradoxical.”
Neil opined that there may be a way to change this, while offering effective SIEM solutions.
Legacy SIEM
Neil likened legacy SIEM to an evolution of log aggregation.
“In the early days of SIEM, it was really about bringing all your logs produced from various data sources, together in a central place so that they are searchable and can be archived.
“Many organisations also have that requirement as part of the compliance regime that they operate under.”
With the gathered logs, events are correlated to better understand them and how to apply rules to them. “For example, if a user does something within five minutes of another event, then we know it’s a security event,” Neil described.
Next comes the analytics layer, and Securonix’s solution proposes to fill the gaps left behind by legacy SIEM solutions.
Securonix’s cloud-native SIEM, which is powered by security analytics, enriches the data it ingests from various data sources. “And we run the analytics after the data is enriched and as it streams in, in near real-time.”
The mean time to discovery is much faster than when data is ingested in a batch-processing manner.
Neil said, “In order to conduct analytics, you need data and lots of it.”
All the elements that show activity and identity across a network environment, such as Active Directory, firewall, web proxy information, DNS, DHCP, and so on, allow Securonix to build profiles and behavioural models.
This is fundamentally different from the rules-based approach that legacy SIEM traditionally adopted.
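As an added illustration (not Securonix code and not from the article), the sketch below contrasts the two approaches described above: a legacy-style correlation rule with a five-minute window beside a per-user behavioural baseline. The event records, field layout and thresholds are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample events (not real logs): (user, timestamp, action, bytes_out)
EVENTS = [
    ("alice", "2024-03-01T09:00:00", "login_fail", 0),
    ("alice", "2024-03-01T09:01:00", "login_fail", 0),
    ("alice", "2024-03-01T09:02:30", "login_ok", 0),     # success within 5 min of failures
    ("bob",   "2024-03-01T09:05:00", "login_fail", 0),
    ("bob",   "2024-03-01T09:20:00", "login_ok", 0),     # outside the 5-minute window
    ("alice", "2024-03-01T10:00:00", "upload", 1_200),
    ("alice", "2024-03-01T11:00:00", "upload", 900),
    ("alice", "2024-03-01T12:00:00", "upload", 1_100),
    ("alice", "2024-03-01T13:00:00", "upload", 1_000),
    ("alice", "2024-03-01T14:00:00", "upload", 48_000),  # far above alice's own baseline
]

WINDOW = timedelta(minutes=5)

def correlate_logins(events, window=WINDOW, min_fails=2):
    """Legacy-style rule: >= min_fails failed logins followed by a success within `window`."""
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    alerts = []
    for user, ts, action, _ in events:
        t = datetime.fromisoformat(ts)
        q = recent[user]
        while q and t - q[0] > window:  # expire failures older than the window
            q.popleft()
        if action == "login_fail":
            q.append(t)
        elif action == "login_ok" and len(q) >= min_fails:
            alerts.append((user, ts, f"{len(q)} failures then success"))
            q.clear()
    return alerts

def baseline_outliers(events, z=3.0, min_samples=3):
    """Behavioural model: flag an upload far above the user's own historical bytes_out."""
    history = defaultdict(list)  # user -> bytes_out of earlier uploads (the profile)
    alerts = []
    for user, ts, action, nbytes in events:
        if action != "upload":
            continue
        h = history[user]
        if len(h) >= min_samples and pstdev(h) > 0 and (nbytes - mean(h)) / pstdev(h) > z:
            alerts.append((user, ts, nbytes))
        h.append(nbytes)  # the profile keeps learning as events stream in
    return alerts
```

The rule fires only on the fixed pattern it encodes, while the baseline flags the 48,000-byte upload without any hand-written threshold because it deviates from what alice normally does.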
SOAR-powered
Securonix has also recently announced a new capability in its product called SOAR, or Security Orchestration, Automation and Response.
“Time is the enemy of security and it’s far more useful to be able to automate a response to an expected security event,” Neil said.
“If your behavioural model says this event looks bad, then you could automatically quarantine that device until you can take a further look at it, or you could automate a response and orchestrate that response throughout the rest of your security environment.”
The outcome is an automated response that is quicker, and it also saves time for SOC (security operations centre) analysts.
Regular tasks that SOC analysts perform can be taken over by SOAR instead, for example investigating everything that can be found out about a particular IP address or domain.
“So, if you can automate that process for them, then imagine saving 10 blocks of 20 minutes across a day and multiply that by the number of days and the number of analysts you have.
“You are gaining huge efficiency and you can focus them on the more important things that may represent security events and really need investigation,” Neil explained.
Disruption
In Neil’s experience, there is a SIEM tax of 50 cents for every dollar that the customer pays.
“And that leaves you very little remaining revenue to build all of the other services required to build a SOC – staff, customer portals to deliver, post-sales support and service…
Ultimately, many managed security service providers (MSSPs) end up having to decide whether they try to be profitable with customers not benefiting from the service, or be prepared to lose money and maybe provide a service that makes customers happy.
“I know it sounds very grim. But, that’s where the industry is at and that has to change.”
APAC plans
There are two ways that Securonix goes to market – via channel partners and via the MSSP channel – and it emphasises verticals like financial services, government, utilities, natural resources, education, and healthcare.
Of note is the MSP vector that Neil said can really help a tech vendor like Securonix scale, because “…they would have a number of existing customers and as those customers’ contracts end, they would have the opportunity to change out the technology to ideally give a better outcome to the MSSP and the customer.”
The idea is that Securonix can offer a platform for MSSPs to be more cost-effective and more able to deliver great outcomes.
A recent global USD 1 billion funding round led by Vista Equity Partners will go into expanding the organisation’s presence in Asia Pacific, minus India. That includes three sales leaders in three distinct territories – Southeast Asia, Japan, and Australia/New Zealand.
In essence
Neil added that we all need to expect more from the technology providers in this area, because SIEM, like advanced analytics, is fundamental to any organisation’s security program.
“You can’t operate a security program effectively without that technology. And I think we all have a responsibility to make that accessible to the entire community rather than have it kept as something that only the most cashed-up organisations can afford,” he concluded.