3 Questions to Ask SIEM Vendors — And 3 to Ask Yourself - Exabeam


Published
February 22, 2022

Author

Reading time
9 mins

The best vendor evaluations are standardized. Develop a checklist for your requirements and desired outcomes. It helps to have a trusted advisor to help you through this process, as it’s easy to become enamored with certain features and functions that really don’t matter.

In this post, you’ll learn the right questions to ask your prospective vendor — and yourself — throughout the process of buying a Security Information and Event Management (SIEM) solution.

Deconstructing the Alphabet Soup of Information Security

The security industry sure loves acronyms. Here are a few that you’ll commonly come across.

SIEM — Security Information and Event Management

Some basic SIEMs are data lake/log aggregation platforms used to run searches and map relevant fields into a common information model; others serve mainly as a place to assign cases and run correlation rules. Modern SIEMs combine the data lake and correlation rules with data analytics and machine learning to create automated timelines. These timelines give a “day in the life” view by laying out both normal and abnormal behavior and giving context around alerts, which often reveals anomalous behavior before an alert ever fires.

UEBA — User and Entity Behavior Analytics

UEBA is the analytics layer that learns what normal activity looks like for each user and each entity (hosts, service accounts, devices) from the logs a SIEM already collects, then flags and risk-scores deviations from that baseline instead of matching fixed signatures: a logon to a host the account has never touched, activity outside its usual hours, a process it has never run. It is the engine behind the timelines described above, and it is what lets a SIEM surface a compromised user or service account whose individual actions would each pass a signature check.

XDR — Extended Detection and Response

XDR enables you to combine all your security telemetry in one place so you can run it through data correlation, analytics, and threat detection to assist in the detection and investigation stage, then takes it a step further into how you respond. However, not all XDRs are created equal. Some XDRs come from vendors who use only their own telemetry and response. Referred to as native or closed XDR, this only works if you rely on one single vendor for IT infrastructure and security. In contrast, open XDR allows you the flexibility to keep your existing investments in best-of-breed security tools.

TDIR — Threat Detection, Investigation, and Response

TDIR is more of an art than a science. Approximately two-thirds of an analyst’s time is spent on completing a series of disconnected steps that have to be manually integrated. But this process can be automated, helping SOCs to improve workflows from collection to detection, investigation, and response across the whole lifecycle and giving time back to the analyst.

Questions You Should Be Asking a Prospective SIEM Vendor

  1. How much data do I need to send to you?
    It’s not so much about the amount of data as about the right data. Windows Event Logs, all authentication logs (domain controllers, VPN, identity provider), and security events from EDR, AV, NSM and similar sensors are a great start. A common mistake is introducing high-volume data sets (web gateway logs, for example) too early, because the old-school goal was to collect everything. Next-gen SIEMs and XDRs use machine learning and analytics to baseline the environment so that anomalous behavior can be quickly and easily detected, so the question is which sources let them establish normal for your users and hosts, not how many gigabytes a day you can send.
  2. Are the actions I take using your tool repeatable?
    As mentioned above, it’s not so much about the amount of data as about the right data and the right platform to process that data to get the outcome you’re looking for. It’s also about being able to repeat the same process the same way each time: if an investigation depends on one senior analyst remembering which searches to run, it is not repeatable, so ask how the tool captures that procedure so that every analyst, on every shift, gets the same result from the same evidence.
  3. How does this product integrate into my existing security portfolio?
    If your vendor makes unbelievable claims about the problems they solve without asking you what problems you have, they are missing the point. Vendors should take an outcomes-based approach to solving their customers’ challenges. Even then, some vendors will deviate from addressing your particular needs and instead focus on what they think is best. There are some pretty cool solutions out there that do some pretty awesome things, but if they are offering you a Band-Aid for a cut you don’t have, then you are being distracted from your objectives. Concretely, ask which of the tools you already run (identity provider and Active Directory, EDR, network sensors, ticketing) the product ingests from and can act through out of the box, and which will need custom work to connect.

The Three Hallmarks of SIEM Success

When it comes to evaluating SIEM vendors, there are three categories of questions you should be asking yourself.

  1. Integration – Am I able to bring in all the logs I wanted to, and can I establish what normal behavior of that stack looks like across all those tools?
  2. Analytics – Do my people have to learn detection-rule syntax (Snort rules and the like) to find out what happened in a log, or is it laid out for them? If I’m rich in people but poor in capital expense, that’s fine, but if I am turning help desk workers into forensic analysts, I need some tool help and analytics.
  3. Automation – What automation is available? Can I sort and automate anything? Does the tool help with threat hunting or just give me a command-line interface (CLI) for self service? If I have a particularly low-level SOC, can I automate ticketing to the appropriate teams for certain classes of events?

Next-gen SIEMs have identity data, network data, and endpoint data all in one place. Ideally, your tools should do the work for your analysts. They should always enforce and support processes — repeatable work streams that happen every day — because the SOC gets a lot of alerts. The way that data is sorted, how the details about context are enriched, knowing risk, and having playbooks all make training go faster. With the right tools, you can spin up a competent SOC analyst in a matter of weeks rather than months.

Future-proof Your SOC Success with the Right Analytics in Your SIEM

The number one reason for monitoring your security ecosystem is to defend against the bad guys — usually organized crime or a nation-state actor. In the end, it’s all about money in one way or another. The good news is that if you have your tools set up correctly, you’re already one step ahead, even when something goes terribly wrong.

Attack vectors keep changing. In 2001, the Code Red worm spread across the planet by time zone: as each new region came online and turned on its systems…Poof! Proliferation galore. Two years later, it was Slammer. In 2016 and 2017, it was Petya, and then the destructive NotPetya. The minute attackers get their hands on any new exploit code, it’s off to the races.

It takes less than a minute for a newly stood-up host or honeypot to start being scanned for vulnerabilities, even on a smaller or less significant ISP, and it can take less than half an hour for the attacks to start.

The behavior stays the same. People attack infrastructure, third-party libraries, application logic faults, or plain old unpatched software. Whatever the initial access vector, the vast majority of attacks follow similar paths to spread through the environment and persist, and those paths run through compromised user or service accounts.

Remember the high-profile Apache Struts issues in 2017, and the software supply chain attack in 2020 called Sunburst? And, of course, there’s the zero-day Log4j exploit that dropped on a Friday afternoon, killing the weekend for hundreds of thousands of people across engineering, support, and development — not to mention the poor SOC people being asked hourly for reports they’d never had to produce before.

Thankfully, it’s now possible to see identity events mapped into network activity.

TDIR must, above all, find a way to link related events by causality to identify each major step of the adversary’s actions. Events do not happen in isolation from one another, so the data should support identifying what came before as well as what happened next.

This is why seeing “normal” and identifying anomalies is far more powerful than older, signature-based detection. You definitely need data from your identity provider, Active Directory, and so on, to correlate against network and endpoint detection technology. If you’re not pulling those logs in off your Active Directory now, you’re missing a big piece of the puzzle.

Modern SIEMs must be able to put all related events together, sort by timestamp, and add some sort of actual risk scoring that takes in the data from the device or sensor, and adds intelligence across your reporting stack.
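What the baselining described under the first vendor question and the timeline and risk scoring described in the last few paragraphs look like in code, as an added illustration that is not Exabeam’s own engine: a small Python script learns a per-account baseline (hosts, source addresses, working hours, processes) from historical identity and endpoint events, scores each new event by how far it departs from that baseline, and stitches one account’s identity, endpoint and network events into a time-ordered timeline with a running risk total. The normalized event schema, the sample log records and the score weights are all constructed for this example and are assumptions, not any product’s data model or scoring.

```python
"""Per-user baseline, anomaly scoring and risk-scored timeline.

Added example, not Exabeam's code. The normalized event schema, the sample
records and the weights are constructed for illustration only (assumptions).
"""
from collections import defaultdict
from datetime import datetime

# Illustrative weights (assumption): how many risk points each anomaly adds.
WEIGHTS = {
    "unknown_user": 40,  # no baseline exists for this account at all
    "new_host": 30,      # account active on a host never seen in its baseline
    "new_src_ip": 20,    # logon from a source address never seen for it
    "off_hours": 15,     # activity at an hour the account is never active
    "new_process": 25,   # endpoint saw a process this account has never run
}
ALERT_THRESHOLD = 50  # timeline risk at or above this raises an alert

def ev(ts, source, event, user, host, src_ip=None, proc=None):
    """One event already mapped into the example's common schema."""
    return {"ts": ts, "source": source, "event": event, "user": user,
            "host": host, "src_ip": src_ip, "proc": proc}

# Constructed history: three quiet weekdays, the data the baseline is learned from.
HISTORY = [
    ev("2022-01-03T09:02:11", "ad", "4624_logon", "alice", "WS-01", "10.1.1.5"),
    ev("2022-01-03T09:05:40", "edr", "process_start", "alice", "WS-01", proc="outlook.exe"),
    ev("2022-01-03T10:15:02", "edr", "process_start", "alice", "WS-01", proc="chrome.exe"),
    ev("2022-01-04T08:58:30", "ad", "4624_logon", "alice", "WS-01", "10.1.1.5"),
    ev("2022-01-04T09:01:12", "edr", "process_start", "alice", "WS-01", proc="outlook.exe"),
    ev("2022-01-05T09:10:45", "ad", "4624_logon", "alice", "WS-01", "10.1.1.5"),
    ev("2022-01-05T14:22:09", "edr", "process_start", "alice", "WS-01", proc="chrome.exe"),
    ev("2022-01-03T08:30:00", "ad", "4624_logon", "bob", "WS-02", "10.1.1.9"),
]

# Constructed events for the day under investigation, deliberately out of order.
TODAY = [
    ev("2022-01-06T09:03:20", "ad", "4624_logon", "alice", "WS-01", "10.1.1.5"),
    ev("2022-01-06T23:44:10", "proxy", "http_connect", "alice", "FS-02", "10.1.2.40"),
    ev("2022-01-06T23:41:07", "ad", "4624_logon", "alice", "FS-02", "10.1.1.5"),
    ev("2022-01-06T23:43:50", "edr", "process_start", "alice", "FS-02", proc="procdump.exe"),
    ev("2022-01-06T08:31:12", "ad", "4624_logon", "bob", "WS-02", "10.1.1.9"),
    ev("2022-01-06T23:39:00", "ad", "4624_logon", "svc_backup", "FS-02", "10.1.1.5"),
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def build_baseline(events):
    """Learn what normal looks like for each account from trusted history."""
    baseline = defaultdict(lambda: {"hosts": set(), "src_ips": set(),
                                    "hours": set(), "procs": set()})
    for e in events:
        b = baseline[e["user"]]
        b["hosts"].add(e["host"])
        b["hours"].add(parse_ts(e["ts"]).hour)
        if e["src_ip"]:
            b["src_ips"].add(e["src_ip"])
        if e["proc"]:
            b["procs"].add(e["proc"].lower())
    return baseline

def score_event(e, baseline):
    """Compare one event with its account's baseline; return (points, reasons)."""
    b = baseline.get(e["user"])
    if b is None:
        return WEIGHTS["unknown_user"], ["unknown_user"]
    reasons = []
    if e["host"] not in b["hosts"]:
        reasons.append("new_host")
    if e["src_ip"] and e["src_ip"] not in b["src_ips"]:
        reasons.append("new_src_ip")
    if parse_ts(e["ts"]).hour not in b["hours"]:
        reasons.append("off_hours")
    if e["proc"] and e["proc"].lower() not in b["procs"]:
        reasons.append("new_process")
    return sum(WEIGHTS[r] for r in reasons), reasons

def build_timeline(events, baseline, user):
    """Stitch one account's identity, endpoint and network events into a
    time-ordered timeline with a running risk total. Normal events stay in
    (with 0 points) so the analyst sees the whole day, not only the alerts."""
    mine = sorted((e for e in events if e["user"] == user),
                  key=lambda e: parse_ts(e["ts"]))
    rows, total = [], 0
    for e in mine:
        points, reasons = score_event(e, baseline)
        total += points
        rows.append({**e, "points": points, "reasons": reasons, "running_risk": total})
    return {"user": user, "risk": total,
            "alert": total >= ALERT_THRESHOLD, "timeline": rows}

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for user in ("alice", "bob", "svc_backup"):
        result = build_timeline(TODAY, base, user)
        print(f"{user}: risk={result['risk']} alert={result['alert']}")
        for row in result["timeline"]:
            print("  ", row["ts"], row["source"], row["host"], row["points"], row["reasons"])
```

Run stand-alone, the script prints a timeline per account: alice’s 09:03 logon scores nothing, her 23:41 logon to FS-02 scores new host plus off hours, the procdump.exe start adds a new process, and the proxy connection from FS-02 adds a new source address, so the account crosses the alert threshold while no single event matches a signature. svc_backup, which has no history at all, is scored as an unknown account; in a real deployment that is exactly the service-account case the text warns about, and the baseline window, the weights and the threshold would be tuned per environment rather than hard-coded.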

If you don’t know the MITRE ATT&CK framework, spend some time clicking through its matrix and focus on the tactics, techniques, and procedures (TTPs) used to proliferate, move laterally, and persist in your network. There are so many places where seeing anomalous behavior will give you the edge to find an infection or a compromised user or service account, because those behaviors are consistent from one intrusion to the next.

This is going to remain. “This is the Way.” This is the value of your SOC, of your SIEM and XDR tools, the value of doing more with less — or rather, the value of doing things consistently, in a programmatic way. And your SIEM should be there, supporting you every step of the way.

Summary

Now you’re armed with some of the right questions that will be most useful to you when talking to your Board, your fellow stakeholders in the organization, your vendors, and — most importantly — your team of analysts doing the daily work.

Watch the Webinar

For more insights, watch the on-demand webinar, “The 5 Claims Your SIEM Vendor Should Never Make… And They Did.” Learn about the questions everyone should be asking their security teams, potential vendors, and management.


