How Would a Distributed SIEM Look?


SIEMs have been the primary workhorse for security operations centers, continuously scaled up over the years to accommodate the growing volume of security data. But instead of buffing up a single horse to handle this workload, can we distribute it across several horses?

At GigaOm we've been following this space for several years now, and as I've been researching the space for the third iteration of the Radar Report, I came across the same challenges and narratives from vendors, which boil down to "do more with less".

That is: more logs, more threats, more integrations, with less time needed to resolve incidents, less tolerance for undetected events or false positives, and fewer analysts needed to investigate incidents. This trend will continue. IT systems are only getting more complex and the attack surface keeps growing.

An IBM study found that it took an average of 277 days (about 9 months) to identify and contain a breach. So SIEMs need to retain data for roughly one year to support threat hunting activities.

As a first, obvious response, vendors are facilitating more storage. Cloud data lakes are an affordable and scalable option for this, and appear to be increasingly popular.

A second, equally obvious response involves SIEM vendors increasing the efficiency of their solution to detect threats faster and automate as many workflows as possible. To do this natively, you need to bring in external capabilities. Low-hanging fruit are SOAR, UEBA, and XDR. SOAR, for example, was essentially a response to SIEM's inefficiencies. SOAR capabilities inside the SIEM make sense: automate response processes inside the box.

However, log ingestion and alert curation remain a core SIEM function, regardless of how many extra features you cram under one roof. Integrating other tools' capabilities into the SIEM is an effective solution right now, but tackling billions and trillions of logs, with or without ML, would simply become inefficient from a compute, networking, and storage perspective. It will become virtually impossible to manage a distributed environment with a centralized solution.

Historically, when solutions become too large and unwieldy to manage, we've seen improvements move toward a distributed architecture that can support horizontal scalability.

Can we do the same for a SIEM? How would it look? I imagine it as follows: a centralized management plane or orchestrator controls lightweight, distributed SIEM agents deployed across different log sources. Each agent collects and stores data locally, correlates events and identifies suspicious activity, and uses alarm rules defined specifically for the types of logs it analyzes.

OpenText's ESM first introduced a Distributed Correlation feature as far back as 2018. In essence, enterprises can add multiple instances of correlators and aggregators that run as individual services, and distribute the correlation workload across those services.

Instead of distributing only the correlation engine, we can imagine the whole solution and its components in lighter deployments, covering log ingestion, storage, filtering, alert rules and the like, perhaps even specialized for a particular type of event source. For example, we could have SIEM agents solely responsible for employee devices, network traffic, server logs, end-user web applications, and so on. Or, have agents dedicated to cloud environments, on-premise deployments, or colocation facilities.

Let's not forget that one of the primary selling points of SIEMs is the aforementioned correlation feature, which involves making obvious or non-obvious connections across multiple data sources. Here, the orchestrator can coordinate correlation by pairing only relevant information from different sources. The pairing could be filtered by something as basic as timestamps, be guided by pre-trained ML algorithms, or leverage the MITRE ATT&CK framework for common patterns.
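To make the agent/orchestrator split above concrete, here is a small added Python model (my own illustration, not code from any vendor or from GigaOm): two source-specific agents each run a local alarm rule over the only log type they see, and an orchestrator pairs their alerts by host and timestamp window, the simplest of the correlation filters mentioned. The log records, hosts, rule thresholds and tag names are all constructed for the example.

```python
from datetime import datetime, timedelta
from itertools import combinations

def ts(s):
    """Helper: "HH:MM:SS" -> datetime on a fixed, constructed day."""
    return datetime.strptime("2024-01-01 " + s, "%Y-%m-%d %H:%M:%S")

# Constructed sample events; each agent only ever sees its own source type.
AUTH_LOGS = [  # (time, host, user, outcome) as seen by the authentication agent
    (ts("09:00:01"), "ws-17", "alice", "fail"), (ts("09:00:03"), "ws-17", "alice", "fail"),
    (ts("09:00:05"), "ws-17", "alice", "fail"), (ts("09:00:09"), "ws-17", "alice", "success"),
    (ts("09:30:00"), "ws-22", "bob", "success"),
]
NET_LOGS = [  # (time, host, destination, bytes_out) as seen by the network agent
    (ts("09:04:30"), "ws-17", "203.0.113.9", 900_000_000),
    (ts("09:31:00"), "ws-22", "10.0.0.5", 4_000),
]

def auth_rule(events, max_fail=3, window=timedelta(minutes=2)):
    """Local rule for the auth agent: >= max_fail failures then a success for one user within window."""
    alerts, fails = [], {}
    for t, host, user, outcome in sorted(events):
        recent = [f for f in fails.get((host, user), []) if t - f <= window]
        if outcome == "fail":
            fails[(host, user)] = recent + [t]
        elif len(recent) >= max_fail:
            alerts.append({"agent": "auth", "time": t, "host": host, "tag": "brute-force-then-login"})
            fails[(host, user)] = []
    return alerts

def net_rule(events, limit=100_000_000):
    """Local rule for the network agent: a single outbound transfer above limit bytes."""
    return [{"agent": "net", "time": t, "host": h, "tag": "large-egress"}
            for t, h, _dest, b in events if b > limit]

def orchestrate(alert_lists, window=timedelta(minutes=10)):
    """Orchestrator: pair alerts from *different* agents on the same host within window."""
    alerts = [a for lst in alert_lists for a in lst]
    incidents = []
    for a, b in combinations(alerts, 2):
        if a["agent"] != b["agent"] and a["host"] == b["host"] and abs(a["time"] - b["time"]) <= window:
            incidents.append({"host": a["host"], "tags": sorted({a["tag"], b["tag"]})})
    return incidents

if __name__ == "__main__":
    # Only the low-volume local alerts cross the network; raw logs stay with each agent.
    print(orchestrate([auth_rule(AUTH_LOGS), net_rule(NET_LOGS)]))
```

Note that the orchestrator never sees the raw logs, only the handful of alerts each agent emits, which is where the bandwidth and storage saving of the distributed design comes from.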

There's a lot of engineering and ingenuity required in scaling systems, and all vendors are scaling up to accommodate hundreds of thousands of events per minute in one way or another. If current developments are helping to scale SIEM systems incrementally, a new architecture could help accommodate future ingestion requirements. When centralized systems can no longer keep up, perhaps a distributed one should be considered.
