Plugging the Gaps in SIEMs and Log-Management Systems

Security analysts now have an alternative to drowning in log data.

SIEMs and Log Management Systems Benefit from Endpoint Modeling

IT and security professionals are struggling to secure their organizations’ systems and data against an ever-widening array of cyber threats and threat actors. One of the strategies they rely on is beefing up the conventional information security stack, which includes tools such as firewalls, antivirus, malware removal, IDS/IPS (intrusion-detection and -prevention systems), and SIEMs (security information and event management) or log-management systems.

The last of these – SIEMs and log-management systems – provides a good example of the law of unintended consequences. These products clearly have a role to play in enhancing security: they gather data about an organization’s security from multiple locations and provide a single point of view on all of it. But the by-product of monitoring and reporting on every aspect of networks, devices, applications, and users can be an extreme case of information overload: the volume of security alerts generated is outpacing the ability of security analysts to process it.

As Observable founder and CTO Patrick Crowley has observed, “There are simply too many machines generating too many logs in corporate environments, and most incident responders spend the vast majority of their time chasing down false positives.”

A tale of two use cases

In a brief new video, Patrick Crowley explains how a new approach to IT security – endpoint modeling – addresses the functional gaps in SIEMs and log-management systems, and relieves the burden that will otherwise overwhelm security analysts.

SIEMs and log-management systems remain essential components of today’s security portfolio, he argues, because they offer a robust solution for one of the two use cases to which they’re being applied. That first use case is the function of a single pane of glass – a central destination for all of the machine-generated log data from an IT environment. Once all of that data is brought together, centralized, and indexed, any analyst who has a question has a single place to go, to get that question answered. As logs continue to grow in both volume and diversity, that’s an invaluable thing to have.

But the second use case for a SIEM or log-management system is one that, despite a decade’s worth of effort, SIEM vendors have not yet delivered on. This is the automatic detection of security problems; in other words, the SIEM’s ability to surface – in that growing avalanche of log data – where the risks are.

In order for a SIEM to automatically find where the problems are, there has to be some underlying technology that is capable of distinguishing between the normal and the abnormal. This distinction cannot be superficial or statistical; it needs to be qualitative, more akin to what a skilled human would bring to the task of analysis.

Endpoint modeling delivers a new approach to IT security, one that addresses the functional gaps in SIEMs and log-management systems, and relieves the burden that will otherwise overwhelm security analysts.

Patrick Crowley, CTO, Observable Networks

Stronger together than alone

This is precisely the gap in SIEMs and log-management systems that endpoint modeling fills. For every connected resource in your footprint – including networks, servers, devices, applications, data, and users – a specialized entity, the endpoint model, is created to track what that resource’s normal role and behavior are. As a result, when any resource behaves abnormally, i.e., deviates from its model, the deviation stands out in sharp relief against the established model.

This functionality enables endpoint modeling to complement SIEMs and log-management systems, in two important ways.

First, it automates the detection of data security problems. When integrated directly into a customer environment, the SIEM and the Observable endpoint modeling service can exchange information in both directions. The endpoint modeling service publishes alerts to the SIEM and trouble-ticket system, and can extract from the SIEM additional data that can be folded into its own model and analysis. The result is a combination that is much more powerful than either security solution separately.

The second dimension that allows endpoint modeling to serve as a strong complement is that it takes as input a kind of information that is generally not seen in SIEMs: network flow data. While most SIEMs are technically capable of consuming network flow data, in practice, most don’t, because the very high volumes of network flow data create either technical (storage) challenges for the SIEM, or pricing challenges. Because endpoint modeling is driven by network flow data, it can sidestep the challenges of storage and pricing for the SIEM, and deliver the benefits of the combined offering at disruptively low prices.
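As an added illustration of the per-endpoint model and the flow-data input described above (example code written for this page, not Observable's own algorithm or product code; the flow records are constructed and the role/peer features and JSON alert shape are assumptions), the following Python builds a baseline of each endpoint's roles and peers from flow records, surfaces later flows that contradict that baseline, and renders the findings as events a SIEM could ingest:

```python
import json
from collections import defaultdict

# Constructed sample flows (not real data): (src_ip, dst_ip, dst_port, bytes)
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 443, 1200),    # workstation -> internal web server
    ("10.0.0.5", "10.0.0.53", 53, 80),       # workstation -> internal DNS
    ("10.0.0.6", "10.0.0.20", 443, 900),
    ("10.0.0.6", "10.0.0.53", 53, 75),
    ("10.0.0.20", "10.0.0.30", 5432, 4000),  # web server -> database
]
OBSERVED_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 443, 1100),    # consistent with the model
    ("10.0.0.7", "10.0.0.5", 445, 2000),     # workstation starts serving SMB: role change
    ("10.0.0.20", "10.0.0.30", 5432, 3900),  # consistent with the model
    ("10.0.0.20", "203.0.113.9", 22, 50000), # web server opens SSH to an unknown host
]

def build_models(flows):
    """One model per endpoint: the (role, port) pairs and the peers seen in the baseline."""
    models = defaultdict(lambda: {"roles": set(), "peers": set()})
    for src, dst, port, _ in flows:
        models[src]["roles"].add(("client", port))   # src acts as a client on this port
        models[src]["peers"].add(dst)
        models[dst]["roles"].add(("server", port))   # dst acts as a server on this port
        models[dst]["peers"].add(src)
    return models

def deviations(models, flows):
    """Return (endpoint, reason, flow) for every way a flow contradicts an endpoint's model."""
    findings = []
    for flow in flows:
        src, dst, port, _ = flow
        for endpoint, role, peer in ((src, "client", dst), (dst, "server", src)):
            model = models.get(endpoint)
            if model is None:                         # never seen during the baseline
                findings.append((endpoint, "unmodeled endpoint", flow))
                continue
            if (role, port) not in model["roles"]:    # qualitative change of role
                findings.append((endpoint, f"new role {role}:{port}", flow))
            if peer not in model["peers"]:            # talking to someone it never talked to
                findings.append((endpoint, f"new peer {peer}", flow))
    return findings

def to_siem_events(findings):
    """Render findings as one JSON object per line, the shape a SIEM typically ingests (assumed)."""
    return [json.dumps({"endpoint": ep, "reason": reason, "src": f[0], "dst": f[1], "dst_port": f[2]})
            for ep, reason, f in findings]
```

Flows that match the model produce no event at all, which is the point: only the qualitative deviations (a role change, a new peer, an endpoint with no model) reach the analyst.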

For more of Patrick Crowley’s perspective on how endpoint modeling can make SIEMs and log-management systems work better for your organization, see this brief video.

Experience Dynamic Endpoint Modeling on Your Own Network

Getting better visibility into your network and improving your security couldn’t be easier. Sign up for a free, no-risk trial of Observable’s Endpoint Modeling solution, and change the way you see security.

Detect Threats Faster – Start Your Free, No-Risk Trial