
Fourth-gen SIEM is New-Scale SIEM: Cloud-native SIEM at Hyperscale

  • Dec 07, 2022
  • Heidi Willbanks
  • 4 minutes to read


    Security information and event management (SIEM) plays a central role in security operations monitoring, alerting, threat detection, and managing compliance. As data volumes, exposure points, third-party alerts, and the cost of talent and storage have all multiplied, the speed of SIEM innovation has not kept up. Every sensor, detection product, or feed required to enable security use cases in a SIEM drives the collection of more data, often into terabytes per day. As the window of opportunity to detect and investigate attacks decreases, defenders are left vulnerable if they don’t know what to look for. Unfortunately, most SIEM products can’t meet this requirement; customers deserve a better approach. 

    In our recent webinar, Christopher Beier, Exabeam Senior Product Marketing Manager, gave an overview of New-Scale SIEM™, which was followed by a demo by Rocky Rashidi, Exabeam Principal Product Manager. New-Scale SIEM is a breakthrough combination of threat detection, investigation, and response (TDIR) capabilities that security operations need in products they will want to use. Exabeam SIEM delivers limitless scale to ingest, parse, store, search, and report on petabytes of data — from everywhere.

    Top four customer challenges

    Christopher began the webinar by introducing four things that customers consistently struggle with: 

    1. Collecting the right data
    2. Knowing what to look for
    3. Finding real threats when they’re buried in a sea of noise
    4. As humans, not being able to see the full picture 

    Looking back at the history of SIEM

    Regarding legacy SIEM, Christopher stated, “They weren’t really built for today’s environment. They were not designed to look at the volumes of data sources, the exposure points, or the types of attacks that we’re seeing today, and it’s causing a lot of noise, and you just don’t have the staff.” 

    In generation one of the SIEM, “the days of ArcSight and QRadar,” Christopher explained, “it was all about alerts, getting logs, and correlating those things. The problem was with storage, putting all this information into relational databases, and creating those correlations. They weren’t very efficient. This was very expensive; it was slow and it took a lot of horsepower.” 

    “When Splunk joined the game” in generation two, Christopher said, “they were very disruptive. They proved relational databases weren’t good for storage, so they used flat file databases, and added indexing of all the alerts, logs, and data points that were coming in. All the information was stored in their data platform. This gave you the ability to drill down a bit and was transformational for the SIEM market at the time. However, it wasn’t really focused on security concerns.”

    When Exabeam entered the picture in generation three, “We started adding things like behavioral analytics and automation to help deal with the security components of this,” said Christopher. Now, in the fourth generation, it “is about getting cloud-native hyperscale performance from your SIEM solutions.”

    Multiple ways to implement Exabeam

    There are multiple ways customers can get started with Exabeam. “We’ve introduced a modular approach to understanding how to deal with all the security information within your environment,” explained Christopher. “Whether it’s collecting that information from the very beginning with Security Log Management or putting analytics on top of the information that you already have, we have a way of structuring solutions for you, where you don’t have to rip and replace.”

    Exabeam New-Scale SIEM features

    Here are some of the features included in New-Scale SIEM, as Christopher summarized: 

    1. Collection

    The fuel for a SIEM is the data that you collect. We’ve created a very simple, unified approach to collecting data, whether it’s from your on-premises solutions or your cloud solutions, and pulling that in through a centralized single interface. The Exabeam Security Operations Platform, through data collection, has this interface and it covers on-premises, cloud, and context sources: collection from 200+ on-premises products, 30+ cloud-delivered security products, and 10+ SaaS productivity applications, so we can make all those connections, plus context from security and threat intelligence. We then bring that all into one place so that you can get everything that you need from your security stack to understand what’s happening in the environment.

    2. Log Stream

    Log Stream delivers a rapid log ingestion process at a sustained rate of more than a million events per second (EPS). A central console across all of Exabeam’s products enables you to visualize, create, deploy, and monitor your parsers within this unified ingestion pipeline, for all Exabeam products and features. As the data is ingested, this pipeline parses it using upwards of 8,000 pre-built log parsers.

    3. Search

    We collect the data, we parse the data, and we understand how it’s configured. With a new centralized Search application, we’ve created a simplified search experience with faster queries, instant results over large volumes of data, and even years’ worth of data. We wanted to eliminate all the performance issues and gaps so that you can search not only data from two hours ago, but data from two years ago, all within this centralized management experience. So, you get that visibility, you get that fast search regardless of the historical data and you can do so without a learning curve. We really utilize a point-and-click capability so that any field that is ingested is available to you within the interface. 

    4. Dashboard

    You can print, export, and view data within a number of pre-built dashboards, with the ability to create some of your own dashboards using 14 different chart types. You’ll be able to get that information out to whoever needs to know about the security posture within your environment.

    5. Correlation Rules

    You’ll be able to compare incoming events with predefined relationships and entities to identify and escalate if you’re finding things in your environment. Write, test, publish, and monitor upwards of a thousand custom correlation rules around the most critical business entities and assets within your environment, and be able to define higher criticality with some context. If something is happening in your environment, you are able to trigger what the response is going to be. You get those detections with a very intuitive interface to help you do that.
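To make the Log Stream parsing step and the correlation-rule step concrete, here is an added example that is not Exabeam’s code and is not from the webinar. It parses a handful of constructed sshd-style log lines into normalized events (the role the pre-built parsers play), then runs one correlation rule over them: several failed logins for the same user and source inside a time window, followed by a success, raises an alert, and the alert’s severity is bumped when the user is on a hypothetical list of critical entities. The log format, the `CRITICAL_USERS` list, the thresholds, and all function names are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); one auth source in syslog style.
SAMPLE_LOGS = [
    "2022-12-07T10:00:01Z sshd[1]: Failed password for alice from 203.0.113.5",
    "2022-12-07T10:00:03Z sshd[1]: Failed password for alice from 203.0.113.5",
    "2022-12-07T10:00:05Z sshd[1]: Failed password for alice from 203.0.113.5",
    "2022-12-07T10:00:09Z sshd[1]: Accepted password for alice from 203.0.113.5",
    "2022-12-07T10:05:00Z sshd[1]: Accepted password for bob from 198.51.100.7",
]

# One parser for one log format; a production pipeline carries one per source type.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

# Hypothetical context: business-critical entities get a severity bump.
CRITICAL_USERS = {"alice"}


def parse_line(line):
    """Normalize one raw line into a dict of common fields, or None if unparsed."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparsed lines stay out of detection but are counted below
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": m["outcome"].lower(),  # "failed" or "accepted"
        "user": m["user"],
        "src": m["src"],
    }


def rule_bruteforce_then_success(events, threshold=3, window=timedelta(minutes=1)):
    """Correlation rule: >= threshold failures for (user, src) inside the window,
    followed by an accepted login for the same pair, produces one alert."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        # keep only failures still inside the sliding window
        failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["outcome"] == "failed":
            failures[key].append(ev["ts"])
        elif ev["outcome"] == "accepted":
            if len(failures[key]) >= threshold:
                alerts.append({
                    "rule": "bruteforce_then_success",
                    "user": ev["user"],
                    "src": ev["src"],
                    "failures": len(failures[key]),
                    # entity context decides escalation, as the text describes
                    "severity": "high" if ev["user"] in CRITICAL_USERS else "medium",
                })
            failures[key] = []  # a success closes the sequence either way
    return alerts


def run_pipeline(lines):
    """Parse, then correlate; report parser coverage alongside the alerts."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return {
        "parsed": len(events),
        "unparsed": len(lines) - len(events),
        "alerts": rule_bruteforce_then_success(events),
    }


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOGS)["alerts"]:
        print(alert)
```

The `unparsed` counter matters in practice: a rule cannot fire on events the parser never produced, so a rising unparsed count after a log-format change is the first thing to check when a known-good detection goes quiet.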

    Heidi Willbanks

    Senior Product Marketing Manager, Content | Exabeam | Heidi Willbanks is the Senior Product Marketing Manager, Content at Exabeam. She manages content strategy and production for product marketing and supports strategic partners, sales and channel enablement, and competitive content, leveraging her product marketing certification, content expertise, and industry knowledge. She has 19 years of experience in content marketing, with nearly a decade in the cybersecurity field. Heidi received a BA in Journalism with a minor in Graphic Design from Cal Poly Humboldt and was awarded Outstanding Graduating Senior in Public Relations Emphasis. She enjoys reading, writing, gardening, hiking, yoga, music, and art.
