The Games SIEM Vendors Play: Statistics vs. Machine Learning and Malware vs. Compromised Credential Detection
- Feb 22, 2023
- Jeannie Warner
- 4 minutes to read
Security information and event management (SIEM) is critical to an organization’s cybersecurity strategy, providing real-time visibility into security-related data from various sources, such as network devices, servers, and applications. But when it comes to selecting a SIEM vendor, organizations often find themselves navigating a complex landscape of features, pricing models, and marketing claims.
In the last two posts in this series on the games SIEM vendors play, we explored tricky “free” versions and performance without scalability, as well as security considerations of public cloud plus local and remote users. In this post, we will discuss tactics around machine learning and the detection of malware and compromised credentials.
When it comes to purchasing a SIEM solution, one of the key considerations is how well it can detect and respond to cybersecurity threats. In the past, SIEM solutions relied heavily on statistics and rule-based algorithms to detect anomalies and suspicious activity. However, advancements in machine learning have enabled these techniques to be incorporated into SIEM solutions, leading to improved detection capabilities.
Statistics vs. machine learning
One game to look out for is vendors promoting their use of machine learning without providing meaningful explanations of how it is used in their product. Machine learning can be a powerful tool for detecting and responding to security threats, but it is not a silver bullet. And too often, marketing teams use the term “artificial intelligence (AI)” interchangeably with conditional response automation. Organizations should look for vendors that provide clear explanations of how machine learning is used in their products and what specific benefits it provides. Additionally, simpler statistical analysis has its place for many organizations’ use cases, particularly for outlier detection tasks where the labeled data that machine learning requires is not available.
The main difference between statistics and machine learning is that statistics relies on predefined rules and thresholds to detect anomalies, while machine learning uses data to learn and adapt to different patterns and behaviors for both humans and machines.
With statistics, the system is only able to detect patterns and anomalies that it has been specifically programmed to look for. For example, if the system is set to flag any login attempts from a certain IP address as suspicious, it will only detect this specific type of behavior and will not be able to detect or flag IPs not on the original list that exhibit some of the same unusual or anomalous behavior.
On the other hand, machine learning-based solutions are able to learn from the data they collect and adapt to different patterns and behaviors. For example, a machine learning-based SIEM would be able to detect anomalies in login attempts from different IP addresses, rather than just a specific one, and include in the risk evaluation other criteria such as time of day, activity that is outside the group membership, and more.
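The contrast above, as an added example that is not part of the original post or any vendor's product: the same constructed login events are run through a static rule that flags only a predefined IP list, and then through a per-user and per-group behavioral baseline learned from a training window (the behavioral side of the contrast; a real UEBA engine uses far richer models). The log layout, user and group names, IP addresses, scoring weights and threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login events, not real logs: (timestamp, user, group, source_ip).
# The list order is assumed to be chronological within each window.
BASELINE_EVENTS = [
    ("2023-02-01T08:55:00", "alice", "finance", "10.0.1.5"),
    ("2023-02-02T09:05:00", "alice", "finance", "10.0.1.6"),
    ("2023-02-03T09:12:00", "alice", "finance", "10.0.1.5"),
    ("2023-02-01T10:01:00", "bob", "finance", "10.0.1.9"),
    ("2023-02-02T10:07:00", "bob", "finance", "10.0.1.9"),
    ("2023-02-01T14:30:00", "carol", "engineering", "10.0.2.20"),
    ("2023-02-02T13:58:00", "carol", "engineering", "10.0.2.20"),
]

NEW_EVENTS = [
    ("2023-02-06T09:10:00", "alice", "finance", "10.0.1.5"),      # routine login
    ("2023-02-06T03:15:00", "alice", "finance", "198.51.100.4"),  # odd hour, unknown IP
    ("2023-02-06T10:05:00", "bob", "finance", "203.0.113.7"),     # listed IP, usual hour
    ("2023-02-06T14:20:00", "carol", "engineering", "10.0.1.5"),  # IP used only by finance
]

# Assumed predefined list that the rule-based approach depends on.
SUSPICIOUS_IPS = {"203.0.113.7"}


def static_rule(events):
    """Rule-based check: flags exactly the IPs on the list and nothing else."""
    return [e for e in events if e[3] in SUSPICIOUS_IPS]


def hour_of(ts):
    return datetime.fromisoformat(ts).hour


def build_baseline(events):
    """Learn, from a training window, the hours and IPs each user normally
    logs in with, and the IPs each peer group normally uses."""
    user_hours, user_ips, group_ips = defaultdict(set), defaultdict(set), defaultdict(set)
    for ts, user, group, ip in events:
        user_hours[user].add(hour_of(ts))
        user_ips[user].add(ip)
        group_ips[group].add(ip)
    return user_hours, user_ips, group_ips


def behavioral_score(event, baseline):
    """Score one login against the learned baseline; higher means more anomalous.
    A user with no baseline at all scores as fully anomalous (empty sets)."""
    user_hours, user_ips, group_ips = baseline
    ts, user, group, ip = event
    score, reasons = 0, []
    if ip not in user_ips[user]:
        score += 2
        reasons.append("first login from this IP for this user")
    if ip not in group_ips[group]:
        score += 1
        reasons.append("IP never used by the user's peer group")
    hour = hour_of(ts)
    if all(abs(hour - h) > 1 for h in user_hours[user]):
        score += 2
        reasons.append("login hour outside the user's usual window")
    return score, reasons


def behavioral_alerts(events, baseline, threshold=3):
    """Return (user, ip, score, reasons) for every event at or above the threshold."""
    alerts = []
    for e in events:
        score, reasons = behavioral_score(e, baseline)
        if score >= threshold:
            alerts.append((e[1], e[3], score, reasons))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    print("static rule flagged:", [(e[1], e[3]) for e in static_rule(NEW_EVENTS)])
    for user, ip, score, reasons in behavioral_alerts(NEW_EVENTS, baseline):
        print(f"behavioral alert: {user} from {ip} (score {score}): {'; '.join(reasons)}")
```

The static rule sees only bob's login from the listed address. The baseline scorer also catches alice's 03:15 login from an address nobody in finance has used, and carol logging in from an address that belongs to a different group, which is the "activity outside the group membership" signal mentioned above. Whether alerting on score 3 is the right cut-off is a tuning decision that depends on how noisy the environment is.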
Malware detection vs. compromised credential detection
Another important aspect to consider when looking at SIEM solutions is the level of malware detection and response capabilities. Traditional SIEM solutions often rely only on signature-based detection from endpoints, next-generation firewalls (NGFW), host-based intrusion detection systems (HIDS), intrusion detection systems (IDS), etc., which only detect known malware signatures or hashes. But cyberthreats are constantly evolving, rendering this approach insufficient.
Machine learning-based SIEM solutions, on the other hand, are able to detect unknown malware by analyzing patterns and behaviors that indicate malicious activity — because an attack is more than the malware dropper. Any of the attack frameworks out there detail how malicious actors start with recon, then move to weaponization, persistence, lateral movement, and exfiltration. And while SIEM vendors boast about their ability to detect malware, new processes running on a system, or deletions, you should also consider their ability to detect compromised credentials — particularly where there is lateral movement. Compromised credentials are a major threat vector and can be used by attackers to gain unauthorized access to an organization’s network from within (for example, a compromised service account or local WiFi hack) or without (for example, a compromised VPN session, endpoint issues, ransomware, trojans, etc.).
Combining machine learning with statistics and other techniques can lead to improved detection capabilities, enabling a SIEM solution to detect both known and unknown malware, as well as compromised credentials by looking at common behavior — particularly the ability to see normal vs. abnormal behavior on the part of every network user and entity. Look for vendors that can detect all of these things and provide actionable information to help mitigate these threats.
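The two detection styles contrasted in this section, as an added example that is not from the original post or any vendor: a signature-style hash match over process-start events, which only ever finds what is already on the list, next to a behavioral check for compromised credentials that learns which hosts each account normally authenticates to and flags an account that suddenly fans out to new hosts or hops from one newly reached host to another. The event layouts, account and host names, placeholder hash values and thresholds are constructed for illustration and are not real indicators.

```python
from collections import defaultdict

# Constructed placeholder hash values; not real indicators of compromise.
KNOWN_BAD_SHA256 = {"PLACEHOLDER_BAD_HASH_1"}

# Constructed process-start events: (host, process_name, sha256).
PROCESS_EVENTS = [
    ("ws-dave", "updater.exe", "PLACEHOLDER_BAD_HASH_1"),
    ("fs01", "backup.exe", "PLACEHOLDER_OK_HASH_1"),
    ("hr01", "payroll.exe", "PLACEHOLDER_OK_HASH_2"),
]

# Constructed network logon events: (day, account, source_host, dest_host).
# List order is assumed to be chronological.
BASELINE_LOGONS = [
    ("2023-02-01", "svc-backup", "backup01", "fs01"),
    ("2023-02-01", "svc-backup", "backup01", "fs02"),
    ("2023-02-02", "svc-backup", "backup01", "fs01"),
    ("2023-02-02", "svc-backup", "backup01", "fs02"),
    ("2023-02-01", "dave", "ws-dave", "mail01"),
    ("2023-02-02", "dave", "ws-dave", "mail01"),
]

WINDOW_LOGONS = [
    ("2023-02-06", "svc-backup", "backup01", "fs01"),
    ("2023-02-06", "svc-backup", "backup01", "fs02"),
    ("2023-02-06", "svc-backup", "backup01", "ws-dave"),  # service account reaching a workstation
    ("2023-02-06", "svc-backup", "ws-dave", "hr01"),      # then hopping onward from it
    ("2023-02-06", "svc-backup", "ws-dave", "dc01"),
    ("2023-02-06", "dave", "ws-dave", "mail01"),          # routine
]


def signature_hits(events):
    """Signature-style check: matches only hashes already on the list."""
    return [e for e in events if e[2] in KNOWN_BAD_SHA256]


def learn_host_profile(events):
    """Per account, the set of destination hosts seen during the training window."""
    profile = defaultdict(set)
    for _, account, _, dest in events:
        profile[account].add(dest)
    return profile


def lateral_movement_alerts(events, profile, new_host_threshold=3):
    """Flag accounts whose logons in this window fan out to many hosts they
    never touched before, or that chain hops through a freshly reached host."""
    dests = defaultdict(list)
    for _, account, src, dest in events:
        dests[account].append((src, dest))

    alerts = []
    for account, hops in dests.items():
        new_hosts = sorted({d for _, d in hops} - profile[account])
        # A hop chain: some logon's source host is a destination the same
        # account reached earlier in the window.
        reached, hop_chain = set(), False
        for src, dest in hops:
            if src in reached:
                hop_chain = True
            reached.add(dest)
        score = (2 if len(new_hosts) >= new_host_threshold else 0) + (2 if hop_chain else 0)
        if score >= 2:
            alerts.append({"account": account, "new_hosts": new_hosts,
                           "hop_chain": hop_chain, "score": score})
    return alerts


if __name__ == "__main__":
    print("signature hits:", [(h, p) for h, p, _ in signature_hits(PROCESS_EVENTS)])
    for a in lateral_movement_alerts(WINDOW_LOGONS, learn_host_profile(BASELINE_LOGONS)):
        print("credential-misuse alert:", a)
```

The hash match would only ever fire on ws-dave because that hash happens to be on the list; the behavioral check fires on svc-backup regardless of what ran on ws-dave, because a service account that has only ever touched two file servers is now reaching three new hosts and authenticating onward from one of them. That is the lateral-movement signal the text says to ask vendors about, and it needs authentication logs from both endpoints and the directory, not just endpoint malware telemetry.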
Conclusion
When considering a SIEM solution, it’s important to look for a vendor that incorporates machine learning and other advanced techniques for improved detection capabilities. Additionally, consider the level of malware detection and response capabilities, as well as the ability to detect compromised credentials. This is a combination of user and entity behavior analytics (UEBA) capability, use case analysis, and flexibility/breadth on what kinds of logs can be taken in and effectively parsed against common industry frameworks.
We hope that this blog series has shone a light on the games SIEM vendors play that you should be aware of when making a selection. Overall, you should consider the total cost of ownership, scalability, security, and the specific capabilities of the SIEM solution. Additionally, be wary of vendor claims that are not backed up with concrete details on how their product works. By being informed, you can select a SIEM solution that meets your organization’s needs and helps you to effectively detect, investigate, and respond to cyberthreats.
The Exabeam Fusion Total Economic Impact™ (TEI) study by Forrester Consulting revealed how a group of Exabeam Fusion SIEM customers achieved a composite ROI of 245% over three years, with a payback period of less than six months.
Read the report to learn:
- Four measurable areas where customers achieved ROI using Exabeam Fusion SIEM
- Why customers choose Exabeam Fusion SIEM
- How the Exabeam Next-gen SIEM can transform security operations
Jeannie Warner
Director, Product Marketing | Exabeam | Jeannie Warner, CISSP, is the Director of Product Marketing at Exabeam. Jeannie is an information security professional with over twenty years in infrastructure operations/security starting her career in the trenches working in various Unix help desk and network operations centers. She started in Security Operations for IBM MSS and quickly rose through the ranks to technical product and security program manager for a variety of software companies such as Symantec, Fortinet, and Synopsis (formerly WhiteHat) Security. She served as the Global SOC Manager for Dimension Data, building out their multi-SOC “follow the sun” approach to security. Jeannie was trained in computer forensics and practices, and plays a lot of ice hockey.