SIEMs have been the principal workhorse of security operations centers, continuously scaled up over the years to accommodate the growing volume of security data. But instead of buffing up a single horse to handle this workload, can we distribute it across multiple horses?
At GigaOm we have been following this space for several years now, and as I researched it for the third iteration of the Radar report, I came across the same challenges and narratives from vendors, which boil down to "do more with less."
That is: more logs, more threats, more integrations, with less time needed to resolve incidents, less tolerance for undetected events or false positives, and fewer analysts needed to investigate incidents. This trend will continue. IT systems are only getting more complex, and the attack surface keeps growing.
An IBM study found that it took an average of 277 days (about nine months) to identify and contain a breach. So SIEMs need to retain data for roughly one year to support threat hunting activities.
As a first, obvious response, vendors are facilitating more storage. Cloud data lakes are a cheap and scalable option for this, and appear to be increasingly popular.
A second, equally obvious response involves SIEM vendors increasing the efficiency of their solutions to detect threats faster and automate as many workflows as possible. To do this natively, you have to bring in external capabilities. The low-hanging fruit are SOAR, UEBA, and XDR. SOAR, for example, was essentially a response to the SIEM's inefficiencies. SOAR capabilities inside a SIEM make sense: automate response processes inside the box.
Nonetheless, log ingestion and alert curation remains a core SIEM function, no matter how many extra features you cram under one roof. Integrating other tools' capabilities into the SIEM is a good solution right now, but tackling billions and trillions of logs, with or without ML, will simply become inefficient from a compute, networking, and storage standpoint. It will become practically impossible to manage a distributed environment with a centralized solution.
Historically, when solutions become too large and unwieldy to manage, we have seen improvements move toward a distributed architecture that supports horizontal scalability.
Can we do the same with a SIEM? What would it look like? I imagine it as follows: a centralized management plane, or orchestrator, controls lightweight, distributed SIEM agents deployed across different log sources. Each agent collects and stores data locally, correlates it to identify suspicious activity, and uses alarm rules defined specifically for the types of logs it analyzes.
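To make the agent model concrete, here is a minimal sketch in Python. All the names (`SiemAgent`, `AlarmRule`, the rule shown) are illustrative assumptions, not taken from any product: the point is simply that each agent keeps its own local store and evaluates only the alarm rules relevant to its log source.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class AlarmRule:
    name: str
    predicate: Callable[[dict], bool]  # returns True when an event looks suspicious

@dataclass
class SiemAgent:
    source_type: str                   # e.g. "server_logs", "network_traffic"
    rules: list = field(default_factory=list)
    local_store: list = field(default_factory=list)

    def ingest(self, event: dict) -> list:
        """Store the event locally and return the names of any rules it triggers."""
        self.local_store.append(event)
        return [r.name for r in self.rules if r.predicate(event)]

# A hypothetical agent specialized for server logs, with one source-specific rule.
agent = SiemAgent(
    source_type="server_logs",
    rules=[AlarmRule("failed-login-burst",
                     lambda e: e.get("event") == "auth_fail" and e.get("count", 0) > 5)],
)
alarms = agent.ingest({"event": "auth_fail", "count": 8, "ts": 1700000000})
print(alarms)  # ['failed-login-burst']
```

In a real deployment the agent would forward triggered alarms to the orchestrator rather than print them; only curated alerts, not raw logs, would cross the network.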
OpenText's ESM first introduced a Distributed Correlation feature as far back as 2018. In essence, enterprises can add multiple instances of correlators and aggregators that run as individual services, distributing the correlation workload across those services.
Instead of distributing just the correlation engine, we can envision the whole solution and its components in lighter deployments, including log ingestion, storage, filtering, alert rules, and the like, perhaps even specialized for a particular type of event source. For example, we could have SIEM agents responsible only for employee devices, network traffic, server logs, end-user web applications, and so on. Or we could have agents dedicated to cloud environments, on-premises deployments, or colocation facilities.
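Such a per-source split could be expressed as a deployment map like the hypothetical one below; the scope names, collector types, and retention values are assumptions for illustration (the one-year retention echoes the threat-hunting requirement discussed earlier).

```python
# Hypothetical deployment map: each lightweight agent instance owns one
# class of event source, with its own collectors and retention policy.
AGENT_DEPLOYMENT = {
    "employee-devices": {"collectors": ["edr"],        "retention_days": 30},
    "network-traffic":  {"collectors": ["netflow"],    "retention_days": 90},
    "server-logs":      {"collectors": ["syslog"],     "retention_days": 365},
    "cloud":            {"collectors": ["cloudtrail"], "retention_days": 365},
}

for scope, cfg in AGENT_DEPLOYMENT.items():
    print(f"agent[{scope}] collects {cfg['collectors']} for {cfg['retention_days']}d")
```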
Let's not forget that one of the main selling points of SIEMs is the aforementioned correlation feature, which involves making obvious or non-obvious connections across multiple data sources. Here, the orchestrator can coordinate correlations by pairing only relevant information from different sources. These pairings could be filtered by something as basic as timestamps, guided by pre-trained ML algorithms, or driven by the MITRE ATT&CK framework for common patterns.
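The simplest of those filters, timestamp proximity, can be sketched as follows. This is a naive illustration under my own assumptions (the `pair_by_time` function and the sample alert shapes are invented), showing how an orchestrator might pair alerts from two agents only when they occur within a short window:

```python
from datetime import datetime

def pair_by_time(alerts_a: list, alerts_b: list, window_seconds: int = 60) -> list:
    """Pair alerts from two sources whose timestamps fall within window_seconds."""
    pairs = []
    for a in alerts_a:
        for b in alerts_b:
            if abs((a["ts"] - b["ts"]).total_seconds()) <= window_seconds:
                pairs.append((a["id"], b["id"]))
    return pairs

endpoint_alerts = [{"id": "EP-1", "ts": datetime(2024, 1, 1, 12, 0, 10)}]
network_alerts = [
    {"id": "NET-1", "ts": datetime(2024, 1, 1, 12, 0, 40)},  # 30 s apart: paired
    {"id": "NET-2", "ts": datetime(2024, 1, 1, 13, 0, 0)},   # outside the window
]
print(pair_by_time(endpoint_alerts, network_alerts))  # [('EP-1', 'NET-1')]
```

A production orchestrator would replace this brute-force pairing with indexed time windows, and layer ML- or ATT&CK-based matching on top, but the filtering principle is the same.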
There is a lot of engineering and ingenuity required in scaling systems, and all vendors are scaling up to accommodate hundreds of thousands of events per minute in one way or another. While current developments help scale SIEM systems incrementally, a new architecture could accommodate future ingestion requirements. When centralized systems can no longer keep up, perhaps a distributed one should be considered.