No SIEM? No Problem!

What kinds of imagery are conjured up when you think about a Security Operations Center (SOC)?  Perhaps a militaristic setting straight out of the movie War Games, but with upgraded tech? Or maybe a dark room with a few scruffy security analysts staring at a wall full of large monitors while they frantically hammer away on their keyboards? Possibly you’re envisioning a single security engineer wearing a nerdy T-shirt hidden away somewhere in the bustle of a sprawling cubical farm?  Depending on the organization, any of these scenarios may be close to the truth. While the staffing and setup of each SOC is different, one thing 99% of them have in common is that a Security Information and Event Management system, also known as a SIEM, is the driving technology used by analysts.   SOCs belonging to organizations of all sizes rely on their SIEM to aggregate logs, detect known bad behavior using correlation rules, and generate alerts for analysts to triage. But should they?

The near ubiquitous nature of SIEMs within SOCs, might make it easy for one to conclude that a SIEM is a requirement for a modern SOC.  Until recently, I would have been compelled to agree with this statement, however it’s simply no longer the case.  In recent years, new product categories like User and Entity Behavior Analytics (UEBA), are increasingly including much of the functionality expected of a SIEM. More specifically, solutions like Exabeam, have made it possible to run a highly functioning SOC without the need to invest in a SIEM. Allow me to explain.

What’s Driving this “SIEM-in-SOC” Trend?

Arguably, the two primary driving forces for the adoption of SIEMs within SOC environments are:

1. Log centralization – The first step to identifying and addressing security incidents is to aggregate logs and alerts into a centralized location such that it can be efficiently sifted through. Interestingly, log collection can now be accomplished cheaper and easier by using open source software and commodity hardware or by relying on tools like Exabeam to be the centralized aggregation point.

2. Detection of Bad Behavior – Once all the relevant pieces of data are in the same place, the next step is to analyze them looking for signs of ill intent. While SIEMs were designed to correlate log data together looking for attacks and to enable security staff to easily explore the findings, they have actually become a major source of strain on security analysts. The time and effort needed to deploy and tune a SIEM, then address the alerts generated by it simply overwhelms many SOC teams. 

How SIEMS are Dragging Security Analysts Down

While SIEMs may be widely adopted, they present several obstacles for the analysts that use them:

1. Alert Exhaustion – SIEMs collect security events and alerts from all sorts of systems. On top of that, they generate their own alerts based on correlation rules.  This creates a never ending mountain of work for analysts to review. In most SOCs, there are simply not enough analysts to ever complete the workload.
2. Pivoting Through Data – Once a high risk alert has been found, analysts must query their SIEM for more information. Determining what data to pivot on to investigate an incident requires knowledge of threats and the SIEM’s specific query language.  This is especially challenging for junior analysts.
3. Reconstructing Incident Timelines – Analysts need to manually construct a chronological timeline of the security incident by piecing together the clues they have gathered. Pulling this information out of a SIEM is incredibly time consuming. 

Additionally, hidden within these larger responsibilities are an abundance of cumbersome tasks like user name to IP address attribution, determining asset ownership, etc. that further expend analyst resources.

Skipping the SIEM

Deciding to forgo a SIEM and instead leverage the capabilities of Exabeam can significantly increase detection fidelity, while reducing the amount of time spent on investigations. A SIEM-free SOC can be easily accomplished by utilizing syslog to ingest data directly into the Exabeam platform from its source, and then analyzing it with Exabeam’s advanced user behavior analysis capabilities.  This deployment method results in satisfying both of the driving forces which previously required a SIEM: log centralization and detection of bad behavior.

Once in place, Exabeam is able to increase threat detection well beyond the capabilities of a SIEM through the use of behavioral analysis on a proprietary data object known as a User Session. Exabeam’s session data model ties all activities of a user from log-on to log-off into a single session, even if the user changes devices, IP addresses, or credentials.  For modern threats which involve high degrees of lateral movement, this session data model prevents attacks from going undetected or disappearing after a credential switch.  Additionally, Exabeam takes a risk-based approach to security, which models normal and abnormal behavior for all users and entities within an environment and only alerts on risky anomalies. This results in a reduced number of alerts being presented to security staff. When Exabeam detects risky behaviors, it already has all of the relevant data supporting those behaviors stitched together into chronological timelines. These session timelines allow security staff to triage incidents in minutes rather than the days or hours it would take to run multiple searches in a SIEM and building a timeline manually. Learn more about the Exabeam session data framework.

Analyst time that used to be spent on manual investigations and reconstructing incident timelines can now be spent on more proactive security measures like threat hunting. Exabeam also helps with this initiative by providing analysts the ability to search multiple dimensions of a user’s activity via user sessions as opposed to single events. This enables your team to hunt for attackers before they access your critical systems or data, all without having to learn a complicated search language. Do you want to know when a service account starts logging in from the VPN or at an abnormal time? With Exabeam’s Threat Hunter this can be accomplished with a just few quick clicks.

Bye-Bye to by-the-Byte Billing

In today’s world, data is king. This especially holds true when it comes to security. Unfortunately, most major SIEM vendors charge for the amount of data being ingested, which forces many organizations to only collect data they think is worthy to pay for, instead of what data they might actually need.  What happens when your budget constraints force an unnecessary blind spot in your security posture? Undetected incidents and prolonged investigations.  Exabeam doesn’t charge based on data ingestions because we understand that the more data you have, the better you can know your attacker.

In the time it takes you to get caught up on the last few episodes of Mr. Robot, you could have deployed Exabeam and given your organization the tool it needs to detect, hunt, and respond to modern cyber-attacks.