Tech,Space,Gaming, and Science Fiction News to wet your whistle
What Is Next Generation SIEM? 8 Things to Look For
The SIEM market has evolved and today most solutions call themselves "Next Generation SIEM." Effective NG SIEM should provide better protection and equally important, if not more, a much more effective, next gen user experience. What you should look for when evaluating a next generation SIEM?
The state of cybersecurity has evolved one threat at a time, with organizations constantly adding new technologies to combat new threats. The result? Organizations are left with complex and costly infrastructures made up of many products that are out of sync with one another, and thus simply cannot keep pace with the velocity of today's dizzying threat landscape.
Traditional security information and event management (SIEM) solutions tried to make sense of the mess but fell short. Then came "Next Generation SIEM" or NG-SIEM. No vendor today will admit that they sell legacy SIEM, but there is no ISO style organization doling out official NG SIEM stamps of approval. So how is a security professional to know if the technology in front of him or her really brings the benefits they need, or if it's just another legacy vendor calling itself NG-SIEM?
The basic capabilities of legacy SIEM are well known – data ingestion, analytics engines, dashboards, alerting and so on. But with these legacy SIEM capabilities your security team will still drown in huge amounts of logs. That's because even many NG-SIEMs in the market still let copious amounts of threats and logs pass through – straight to the doorstep of your security team.
Working Down the Pyramid
A true Next Generation SIEM will enable the security team to work from the top down, rather than bottom up. If we look at the above pyramid, most security analysts have to sift through the bottom layer of logs and alerts – or create manual correlation rules for new attacks that can then move logs up the pyramid. This is extremely time-consuming and frustrating. Essentially security teams (especially small teams of one or two analysts) simply don't have the bandwidth to go through all the logs, meaning attacks slip through the cracks (and analysts burn out).
Artificial Intelligence technologies available today can help to automatically create correlation rules for existing attacks - and even new attacks - before they occur. The significance of this for security teams is enormous: It means they can begin at the top of the pyramid by going through a small number of logs. For those threats the analyst deems require further examination, the mid-level and raw data needs to be readily available and easily searchable.
The Checklist for NG-SIEM
To make sure your NG-SIEM of choice will be effective, look for the following capabilities:
Data lake – a solution that is able to ingest ALL types of data from various sources, making sure data retention can be supported, with very high search performance, including securing the data in transit and at rest.
Data classification – relies on structured and un-structured data classification technologies (such as NLP) in order to sort all collected data into classes of security groups such as MITRE techniques and tactics – representing the data through one language. This will allow much faster investigation.
Behavioral analytics – Built in NTA and UEBA engines. These engines by themselves lack the ability to cover the entire cyber kill chain, therefore need to be part of the NG-SIEM in order to allow correlating them with other signals, thus reducing the noise that typifies them.
Auto-Investigation (or SOAR) can mean many things. The bottom line is that effective auto-investigation needs both to perform prioritization (entity prioritization, supporting all identity types including ip, host, user, email, etc.) and allow impact analysis. Impact analysis is the ability to analyze the level of actual or potential impact that each risk-prioritized entity has on the organization, so that response actions can be prioritized effectively.
Auto-Mitigation – will not necessarily be implemented on day one, however, a NG-SIEM must have the ability to automatically execute mitigation actions, even if these, in the beginning, are triggered in very narrow security use cases.
Automation – Automation – Automation – nothing can be 100% automated, but in general the NG-SIEM Vendor needs to present at least 80% automation of the legacy SIEM operations. Otherwise we are missing the whole point of what NG-SIEM is all about, supporting the data pyramid approach.
Data relevancy analyst support tools – Manual investigation will always be part of the analyst's job. A NG-SIEM must present search and hunting tools that support the analyst's advanced investigation actions, and response. In this way the NG-SIEM will support the analyst efficiently in their route of investigating the data from the top of the pyramid, through only the relevant (related) information at the bottom of it. This way we make sure advanced investigations are done quickly and efficiently.
Community - solutions which have an opensource component will create a dynamic avenue for constant improvement of the NG-SIEM, through community contributions.
All of the above will create a SIEM with a user experience which allows security analysts to work top down rather than bottom up, starting with the highest risk data.
A SIEM platform that can tick off all these boxes will provide performance that is truly "next generation" and enable the organization to respond faster to relevant threats, at lower cost, improved ROI, and will make for a stable and happy security team.
About the author: Avi Chesla is the founder and CEO of empow (empow.co) - a cyber security startup distrupting the SIEM category with our "no rules" AI and NLP based i-SIEM, integrated with the Elastic Stack. Before empow he was CTO at Radware. Avi holds 25 patents in the cyber security arena.
By Liam McCabe This post was done in partnership with Wirecutter . When readers choose to buy Wirecutter's independently chosen editorial picks, it may earn affiliate commissions that support its work. Read the full article here . After six summers of researching, testing, and recommending window air conditioners, we've learned that quiet and affordable ACs make most people the happiest—and we think the LG LW8016ER will fit the bill in most rooms. This 8,000 Btu unit cools as efficiently and effectively as any model with an equal Btu rating, and runs at a lower volume and deeper pitch than others at this price. Little extra features like a fresh-air vent, two-axis fan blades, and a removable drain plug help set it apart, too. The LG LW8016ER is a top choice for an office or den, and some people will find it quiet enough for a bedroom, too. If our main pic
Cuando llevas miles de horas gestionando entornos vSphere, es posible que te encuentres con situaciones o problemas extraños con tus VMs, como es el caso de este post, donde veremos... Leer más » La entrada Forzar el reinicio de una VM que no responde en vSphere aparece primero en Blog de Cenabit . via Latest imported feed items on VMware Blogs https://ift.tt/2OIPfR4 If New feed item from https://blogs.vmware.com/feed , then send me an email at kr