Security information and event management (SIEM) tools have been highly regarded in the cybersecurity landscape for the past decade. Many businesses today even place them at the heart of their security strategy for identifying potential cyber-attacks. Yet, as cyber-threats evolve incessantly, organizations need processes that speed up incident response, and they need to face reality: while SIEM tools do give enterprises a better grasp on log analysis, they should not be confused with actual security analytics practices. A SIEM functions perfectly well in the role it was designed for, but its capabilities cannot be stretched into the universe of advanced security analytics. It remains, however, the perfect foundation on which to build modern solutions.
What should concern us is that, despite the undeniable truth looming above their heads, organizations still fail in their efforts to implement the appropriate security analytics tools. What further proof is needed than the rising number of attacks and the failure to detect incidents in due time? According to a 2015 survey published by the online portal Statista covering 58 U.S. companies, 97 percent had experienced malware attacks and less than a third were aware of it before it happened.
SIEM tools were created to capture and manage security events on information systems through log correlation. Nevertheless, given the diverse nature and huge volume of incoming data, which is not confined to the network perimeter but arrives from both internal and external sources, SIEM use-cases and their applicability are vastly overrated when it comes to dealing with today's noisy security environments. Traditionally, SIEM tools collect data exclusively from pre-defined sources, which leaves a severe gap in analysis coverage. This, unfortunately, leaves the door open for skilled attackers to work their way around those particular sources and stay under the radar. At the same time, the information collected from logs must be in a specific format before it can be processed. Format alignment is obviously time-consuming and delays the entire detection cycle.
What is even worse is that the detection cycle was already incomplete to begin with: a SIEM, by definition, can only look for previously identified threats when searching for security breaches. Finally, a SIEM simply fails to give IT teams the larger picture they need in order to achieve their security analytics goal. As experts attempt to react faster to alerts and to scale up with the quantity of data they are expected to manage, they are often forced to remediate security issues manually. Who wouldn't be overwhelmed in this case?
The current cyber-environment is like quicksilver, continuously evolving. This is why, at the latest RSA Conference that took place in San Francisco last week, a number of experts stated that modern security analytics must, without exception, include contextual thinking. If we want to respond proactively to emerging threats, looking individually at devices, events and activities on the network is not enough. We cannot say that SIEM tools are capable of 'real-time' analysis, since they need time to pass through all their built-in phases (collection, storage, normalization, correlation and enrichment) before they can detect a potential threat. But nobody can blame a system for having its limits. What we can point a finger at is those who keep on rolling with a vulnerable one, despite being aware of its shortcomings.
Just to make it clear, our experts are not saying SIEM is obsolete. Not at all. It has simply fulfilled its potential in terms of log collection and, beyond that, it has rarely been successful at detecting security breaches. That is the reason we designed Reveelium, an intelligent solution that helps you build a true security analytics architecture by completing the data puzzle left behind by the usual tools. It is able to identify the symptoms of malicious behaviors through its automated anomaly detection system. Built as a multi-dimensional BigData technology, Reveelium includes: (1) a detection engine for weak signals hidden in large amounts of data; (2) a correlation engine based on the experience of system engineers and security consultants; and (3) a global knowledge base, Reveelium's experience repository, which collects, abstracts and shares the behaviors identified across Reveelium users.
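To make the contrast between the two approaches concrete, here is an added illustration that is not Reveelium's or ITrust's code: a miniature SIEM-style pipeline that normalizes two constructed log formats, correlates events against a watchlist of previously identified indicators, and separately scores each event against its host's own baseline. The host names, domains, counts, the watchlist entry and the leave-one-out z-score used as the "deviation from the norm" measure are all assumptions made for the demo.

```python
import re
from statistics import mean, pstdev

# Constructed sample logs (invented hosts, names and counts) in two source
# formats, syslog-style and key=value, each carrying a host's hourly DNS-query
# count for one domain. Mixed formats are what the normalization phase aligns.
RAW_LOGS = [
    "Mar 1 09:00:00 ws01 dns: qname=intranet.example queries=40",
    "Mar 1 10:00:00 ws01 dns: qname=intranet.example queries=38",
    "Mar 1 11:00:00 ws01 dns: qname=intranet.example queries=42",
    "Mar 1 12:00:00 ws01 dns: qname=intranet.example queries=41",
    "host=ws01 qname=cdn.example queries=39",
    "host=ws01 qname=known-bad.example queries=40",  # listed indicator, normal volume
    "host=ws01 qname=unlisted.example queries=900",  # no indicator, abnormal volume
]
WATCHLIST = {"known-bad.example"}  # placeholder for "previously identified" threats
SYSLOG_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) \S+: (?P<rest>.*)$")

def normalize(line):
    """Normalization phase: map either source format onto one event schema."""
    m = SYSLOG_RE.match(line)
    rest = m.group("rest") if m else line
    fields = dict(tok.split("=", 1) for tok in rest.split())
    host = m.group("host") if m else fields["host"]
    return {"host": host, "qname": fields["qname"], "queries": int(fields["queries"])}

def signature_hits(events, watchlist=WATCHLIST):
    """Indicator correlation: finds only what is already on the list."""
    return [e["qname"] for e in events if e["qname"] in watchlist]

def anomaly_hits(events, threshold=3.0):
    """Baseline deviation: score each event against the same host's other
    events (leave-one-out z-score); no prior indicator is required."""
    hits = []
    for i, e in enumerate(events):
        peers = [p["queries"] for j, p in enumerate(events)
                 if j != i and p["host"] == e["host"]]
        if len(peers) < 2:
            continue  # too little history to form a baseline
        mu, sigma = mean(peers), pstdev(peers)
        # With zero spread any change is a deviation; otherwise use the z-score.
        deviates = e["queries"] != mu if sigma == 0 else abs(e["queries"] - mu) / sigma > threshold
        if deviates:
            hits.append(e["qname"])
    return hits

def run(raw_logs=RAW_LOGS):
    """Collection -> normalization -> both detection passes."""
    events = [normalize(line) for line in raw_logs]
    return {"signature": signature_hits(events), "anomaly": anomaly_hits(events)}
```

Running `run()` shows the watchlist pass reporting only the listed domain while the baseline pass reports only the unlisted host behaviour, which is the gap the article says anomaly detection is meant to close.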
Reveelium not only enables real-time detection of behaviors that deviate from the norm, but it can also be easily added to an existing SIEM, going beyond the simple processing of logs. The added value of this innovative technology developed by ITrust lies in the detection and evaluation of those deviations. Reveelium identifies attacks overlooked by SIEM solutions and protects organizations from the risk of becoming just another cyber-crime victim.