The challenges with SIEM and how it can become an integrated security platform, providing a framework for managing a next-generation SOC and mitigating advanced attacks
The world of SIEM has changed; it is a two-decade-old technology
It was great at managing compliance
It evolved from log management to correlation, providing a single pane of glass
It improves the signal-to-noise ratio
But it soon got reduced to limited sight because of its limitations
I was surprised to see the report from Mandiant that states the following facts:
100% of the breaches had updated Anti-Virus software
63% of the breaches were reported by third parties
It took 243 days to detect an attack
Situation Continued:
The number and variety of new adversaries and threats continue to grow
Adversaries continue to get more sophisticated in their attacks because of the proliferation of cyber weapons in the underground economy. The vulnerabilities and exploits available to attackers continue to increase as companies leverage mobile, cloud and the Internet of Everything. This gives adversaries an almost unlimited supply of attack scenarios with which to achieve an objective
Complication: traditional SOCs are not equipped (agile enough) to deal with the volume and advancement of cyber attacks
"Machine learning systems automatically learn programs from data" (*)
You don't really code the program; it is inferred from data.
This is different from trying to mimic the way the brain learns, which is where terms like artificial intelligence come from.
We are drowning in information but starved for knowledge
There is so much noise that finding the signal is difficult
Limitation
Adversaries exploit the learning process (understand the model, understand the machine, and you can circumvent it)
Any predictive model in InfoSec will be pushed to its limit, e.g. think of how spam engines evolved.
SIEM is dead because
It is reactive and driven by rules, whereas security is not static: one cannot implement rules and then sleep, because security is a continuous, evolving process
It may collect logs from disparate sources, but most attacks and malware do not leave logs, or logging is difficult; one may not monitor transactional logs, and log collection from endpoints is limited to the host firewall, IPS and DLP
It cannot provide information about the attack vector; it can only detect
SIEM is rapidly losing trust because of its inability to adapt to new APT challenges
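Two of the points above, that a machine learning system infers its program from data rather than from hand-written rules, and that rule-driven detection is reactive while security is a continuous process, can be shown side by side on a handful of log lines. The following is an added example, not code from the original presentation: a static keyword rule of the kind a SIEM correlation engine would carry, next to a small naive Bayes classifier whose token weights are learned from labelled events. All log lines, usernames and addresses are constructed for the example (the public addresses are from documentation ranges). A new message variant that does not contain the keyword the rule looks for is missed by the rule and, at first, by the model; once analysts label a few instances of the variant, retraining lets the model pick it up while the rule stays blind until someone edits it.

```python
import math
from collections import Counter

# Constructed labelled events standing in for an initial analyst-reviewed corpus.
INITIAL_TRAINING = [
    ("user alice login success from 10.0.0.5", "benign"),
    ("user bob logout from 10.0.0.7", "benign"),
    ("scheduled backup completed status ok", "benign"),
    ("user carol login success from 10.0.0.9", "benign"),
    ("user admin login failed from 203.0.113.4", "suspicious"),
    ("user root login failed from 203.0.113.9", "suspicious"),
    ("multiple login failed attempts from 203.0.113.4", "suspicious"),
    ("user admin login failed from 198.51.100.2", "suspicious"),
]

# Constructed follow-up labels: the same behaviour, reported with different wording.
FOLLOW_UP_TRAINING = [
    ("session rejected for user admin on 203.0.113.4", "suspicious"),
    ("session rejected for user root on 203.0.113.9", "suspicious"),
    ("session rejected for user admin on 198.51.100.2", "suspicious"),
]

FAILED_LOGIN = "user dave login failed from 10.0.0.11"      # wording the rule knows
NEW_VARIANT = "session rejected for user dave on 10.0.0.11"  # wording the rule does not
BENIGN_LOGIN = "user erin login success from 10.0.0.12"


def tokenize(line):
    """Whitespace tokens, lower-cased; deliberately simple so the maths stays visible."""
    return line.lower().split()


def static_rule(line):
    """A hand-written SIEM-style rule: flag any event mentioning 'failed'."""
    return "suspicious" if "failed" in line.lower() else "benign"


class NaiveBayesLogClassifier:
    """Multinomial naive Bayes with add-one smoothing; the 'program' is the learned counts."""

    def __init__(self):
        self.class_counts = Counter()   # label -> number of training events
        self.token_counts = {}          # label -> Counter of tokens seen under that label
        self.vocab = set()

    def train(self, labelled_lines):
        # Training is cumulative, so calling train() again with new labels retrains the model.
        for line, label in labelled_lines:
            self.class_counts[label] += 1
            counts = self.token_counts.setdefault(label, Counter())
            for tok in tokenize(line):
                counts[tok] += 1
                self.vocab.add(tok)

    def log_score(self, line, label):
        # log P(label) + sum over tokens of log P(token | label), smoothed so unseen
        # tokens do not zero out the whole event.
        total_events = sum(self.class_counts.values())
        counts = self.token_counts[label]
        total_tokens = sum(counts.values())
        score = math.log(self.class_counts[label] / total_events)
        for tok in tokenize(line):
            score += math.log((counts[tok] + 1) / (total_tokens + len(self.vocab)))
        return score

    def classify(self, line):
        return max(self.class_counts, key=lambda label: self.log_score(line, label))


def demo():
    """Run rule and model over the three sample events, before and after retraining."""
    model = NaiveBayesLogClassifier()
    model.train(INITIAL_TRAINING)
    results = {
        "rule_on_failed_login": static_rule(FAILED_LOGIN),
        "model_on_failed_login": model.classify(FAILED_LOGIN),
        "rule_on_variant": static_rule(NEW_VARIANT),
        "model_on_variant_before_retrain": model.classify(NEW_VARIANT),
    }
    # New labelled data arrives; the model absorbs it, the rule does not change.
    model.train(FOLLOW_UP_TRAINING)
    results["model_on_variant_after_retrain"] = model.classify(NEW_VARIANT)
    results["model_on_benign_after_retrain"] = model.classify(BENIGN_LOGIN)
    results["model_on_failed_login_after_retrain"] = model.classify(FAILED_LOGIN)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The model is only as good as the labelled events it has seen, which is the limitation noted above: a detector whose decision boundary is learned from data moves as the data moves, so the labelling and retraining loop has to be part of SOC operations rather than a one-off project.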