Do you suffer from too many vague and un-prioritized incident alerts? What about ballooning SIEM data and deployment costs as your organization expands and ingests more data? You're not alone. Last week, over a hundred infosec folks joined us live for Demanding More out of Your SIEM.
Content Shared in the Webcast
In Gartner's February 2016 report, “Security Information and Event Management Architecture and Operational Processes,” Anton Chuvakin and Augusto Barros recommend a “Run-Watch-Tune” model in order to achieve a “SIEM win.” For those with a Gartner subscription, check out the full report here.
While some SIEM vendors recommend 10 full-time analysts for a 24/7 SIEM deployment, at least three full-time employees should serve as the foundation of your deployment. A breakdown of core Run, Watch, and Tune responsibilities:
Run: Maintain operational status, monitor uptime, optimize application and system performance.
We recommend: Take stock of your existing network and security stack – are there more data sources you should be integrating? Based on customer conversations and our Incident Detection & Response research, the top gaps in SIEM integrations are:
- DHCP. This integration provides a crucial User-Asset-IP link and powers most User Behavior Analytics solutions today.
- Endpoint Data. If local authentications aren't centrally logged, attackers can move laterally between endpoints and go undetected by the SIEM. See also: 5 Ways Attackers Can Evade a SIEM.
- Cloud Services. Leading cloud services such as Office 365, Google Apps, and Salesforce expose APIs with audit data, but many SIEMs don't take advantage of this data.
Watch: Using the SIEM for security monitoring and incident investigation.
We recommend: Today's organizations are getting way too many alerts – here's a poll taken during the webcast.
Most security teams have to jump between multiple tools during investigations, are getting too many alerts, and are struggling to identify stealthy attacks, such as the use of compromised credentials and lateral movement, that don't require malware to be successful. Most organizations are alerted on unauthorized access to critical assets, but at that point, intruders are already at Mission Target in the Attack Chain.
By mapping your detections to the Attack Chain, you can find intruders earlier and kick them out before data exfiltration occurs.
Tune: Customize SIEM content, create rules for specific business use-cases.
We recommend: Building queries requires specialized SIEM skills and experience manipulating large data sets, a scarce skillset that differs from incident investigation and response experience. If you've just been handed the reins to an existing SIEM deployment, it's worth the time to do a rule review. While technology like User Behavior Analytics provides robust detection for today's top attack vectors behind breaches, custom work is still necessary to meet specific business needs, such as compliance or company-specific detections.
What I Learned from the Audience
Throughout the talk, we asked a few questions to learn from the audience. 71% currently have a SIEM, 11% don't, and 18% don't but are looking to purchase. Current satisfaction with their existing SIEM for Incident Detection and Response was across the board, with answers ranging from 4-8 on a scale of 1-10. The biggest concern was data costs, the pricing model behind traditional SIEM solutions.
Top questions from our Q&A:
1. What is the best way to detect pass-the-hash techniques over servers?
The key data source is endpoint event logs. Only local authentication logs contain both the source and destination asset. For a full technical breakdown, check out our whitepaper: Why You Need to Detect More than Pass the Hash, with best practices on how to identify the use of compromised credentials.
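The two points above (the DHCP User-Asset-IP link, and local authentication logs carrying both source and destination asset) can be combined into a simple lateral-movement detector. This is an added example written for this post, not InsightIDR code; the log formats, host names, account names and the threshold of three destination assets are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample DHCP lease lines: "<timestamp> <ip> <hostname>"
DHCP_LOG = """\
2016-03-01T08:00:00 10.0.0.21 WS-ALICE
2016-03-01T08:00:05 10.0.0.22 WS-BOB
2016-03-01T08:01:10 10.0.0.23 WS-CAROL
"""

# Constructed sample endpoint logon events, simplified to:
# <timestamp>,<destination host that logged the event>,<account>,<source ip>
AUTH_LOG = """\
2016-03-01T09:00:00,FS01,alice,10.0.0.21
2016-03-01T09:05:00,FS01,bob,10.0.0.22
2016-03-01T09:10:00,SRV-DB1,bob,10.0.0.22
2016-03-01T09:11:00,SRV-APP2,bob,10.0.0.22
2016-03-01T09:12:00,WS-CAROL,bob,10.0.0.22
"""

def parse_dhcp(text):
    """Build an IP -> hostname map; a later lease for the same IP overwrites an earlier one."""
    leases = {}
    for line in text.splitlines():
        _, ip, host = line.split()
        leases[ip] = host
    return leases

def link_logons(auth_text, leases):
    """Join each logon's source IP against the DHCP table to produce
    (timestamp, account, source_host, destination_host) links."""
    links = []
    for line in auth_text.splitlines():
        ts, dest, account, src_ip = line.split(",")
        src_host = leases.get(src_ip, "unknown(" + src_ip + ")")
        links.append((ts, account, src_host, dest))
    return links

def lateral_movement_candidates(links, threshold=3):
    """Flag (account, source_host) pairs that authenticate to at least
    `threshold` distinct destination assets: one credential fanning out
    from one machine, which a SIEM fed only network logs would not see."""
    dests = defaultdict(set)
    for _, account, src, dest in links:
        dests[(account, src)].add(dest)
    return {k: sorted(v) for k, v in dests.items() if len(v) >= threshold}
```

Without the DHCP join the finding would read "10.0.0.22 touched four hosts"; with it, the alert names the user and the workstation the credential was used from.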
2. Is there a way to see all InsightIDR integrations on your website?
Yes – to see the full list, which includes network events, endpoint data, existing log aggregators or SIEMs, and more, check out the Insight Platform Supported Event Sources doc here.
3. Is there an [InsightIDR] integration with Nexpose or Metasploit?
Yes! Nexpose, our vulnerability management solution, integrates with InsightIDR to provide visibility and security detection across assets and the users behind them. This provides three key benefits:
- Put a “face” to your vulnerabilities
- Automatically place vulnerable assets under greater scrutiny
- Flag users who use actively exploitable assets
Learn more about the Nexpose-InsightIDR integration here. InsightIDR also integrates with Metasploit to track the success of phishing campaigns on your users.
I Want More from My SIEM Deployment: Why InsightIDR?
InsightIDR works by integrating with your existing network and security stack, including Log Aggregators and SIEMs. The first step is unifying your technology and leveraging SIEM, UBA, and EDR capabilities to leave attackers with nowhere to hide.
InsightIDR can augment or replace your existing SIEM deployment. Organizations that use InsightIDR in sync with their SIEM especially enjoy:
- User Behavior Analytics: Alerts show the actual users and assets affected, not just an IP address. InsightIDR automatically correlates the millions of events generated every day to the users behind them, highlighting notable behaviors to accelerate incident validation and investigations.
- Endpoint Detection & Visibility: The blend of the Insight Agent and Endpoint Scan means detection and real-time queries for critical assets and endpoints, even off the corporate network. InsightIDR focuses on detecting intruders earlier in the Attack Chain, meaning you'll be alerted on local lateral movement, privilege escalation, log deletion, and other suspicious behavior happening on your endpoints.
- 10x Faster Incident Investigations: The security team can bring real-time user behavior, log search, and endpoint data together in a single visual timeline. No more jumping between disparate log files, retracing user activity across multiple IPs, and requiring physical access to the endpoint to answer questions.