Security Information and Event Management, or SIEM, is a vital part of protecting a network against the advanced threats that can inflict major damage on an organization. It tracks everything that happens on the network, discovering hostile activities that would otherwise go unnoticed. Threats can be removed quickly before they can cause major damage.
Many companies have created SIEM products. Some offer incomplete solutions based on older technology, while others provide complete, state-of-the-art defenses. One of our top choices is the Securonix system, which we offer as SIEM as a service. In this article, we’ll explain why Securonix is among our top choices and what it offers.
Traditional security software includes intrusion detection systems (IDS) and intrusion prevention systems (IPS). They look for indicators that someone has compromised or is trying to compromise the machines on a network. Possible indicators include altered executable files, suspicious access patterns, communication with remote servers, improper website behavior, and many others.
A good IDS is versatile and powerful, but legacy designs look at one indicator at a time. The tactics that the most devious threats use are hard to catch that way. Insider threats are likewise difficult to spot, since activity from logged-in accounts is presumed legitimate. What’s necessary is to look at the network as a whole and discover suspicious patterns that span multiple systems.
This is where SIEM takes threat detection to the next level. It forms a complete picture of network activity from logs on all the components, applies advanced analytics to them, and discovers patterns indicating hostile actions. It can alert administrators of what it has found or initiate automatic remediation.
A SIEM system can run either on the network it protects or as an external service. Cloud-based services are growing in popularity because of their greater scalability and ease of management.
Securonix, based in Texas, offers a cloud-native SIEM service. It includes log management, user and entity behavior analytics, and security incident response. It ranked as a “leader” in Gartner’s 2022 Magic Quadrant for SIEM, with a strong rating for both ability to execute and completeness of vision. It isn’t the biggest player in the business, but it’s growing rapidly.
Securonix uses a process called entity context enrichment to apply context to huge amounts of unstructured data. The emphasis on context helps it to integrate information from multiple sources and distinguish normal variation from suspicious events. This fulfills SIEM’s promise of delivering more than the sum of the various indicators it processes.
Its dashboard lets administrators and analysts get an overview of the network’s status. They can quickly spot changes and review notifications, allowing prompt action.
The software architecture is built on open standards. This means it can incorporate well-tested software components instead of having to invent everything from scratch. The data isn’t locked in but can be accessed by a variety of tools. An organization can create applications to supplement the Securonix services.
The central task involves the processing of huge amounts of unstructured data from diverse sources. The backend uses Apache Hadoop, an open-source system for handling big data. Its components include:
All of these are open source components with large user bases and strong support. They aren’t locked into a vendor that could stop supporting them or change its terms. This helps us to integrate Securonix software into BitLyft’s complete protection solution, working with our Central Threat Intelligence (CTI) system to match SIEM results with the latest trends in hostile action. Other integrations, such as EMR applications for healthcare, are likewise available.
The heart of SIEM is its ability to detect threats. Securonix uses log management, UEBA, and automation to identify advanced threats that evade most forms of detection. Unlike some competitors, it treats UEBA as an integrated part of SIEM rather than an add-on.
The traditional way of detecting threats is by their signatures, bit patterns that are characteristic of hostile actions. As a simple example, “../..” in a URL is likely to indicate a directory traversal attempt. While many threats can still be caught this way, the most devious and dangerous ones are harder to spot. They change their bit patterns frequently, hoping to blend into the background. The way to catch them is by their behavior rather than their signatures.
UEBA, or User and Entity Behavior Analytics, is fully integrated into the SIEM. It works with the same backend, unlike SIEM products that rely on a separate UEBA component. Securonix UEBA provides some of the most advanced analysis of potential threats in the industry. It spots attacks that go unnoticed by other tools.
What makes this possible is a set of powerful machine learning algorithms. The system establishes a baseline for a network’s normal behavior patterns and then analyzes interactions among users, systems, applications, IP addresses, and data against that baseline.
This is where entity context enrichment comes into play. UEBA starts by building a complete profile of every entity in the network, including users, systems, and IP addresses. When analyzing events, it applies context such as user role, geolocation, and assets affected. Events are matched against TTPs (tactics, techniques, and procedures) that threat intelligence has identified.
Securonix UEBA handles a range of use cases:
Organizations with sensitive data don’t want to overlook indications of threats in progress. At the same time, though, they can’t afford a lot of false alarms, or administrators will waste their time chasing them down. The natural human response to “crying wolf” will take the edge off even dedicated IT staff if it happens too often.
Another issue is redundant reports, where the same threat turns up in multiple disconnected warnings. That makes it hard to see that a single cause is behind all of them and to get a big picture of the threat. Malware on a desktop machine, capture of a password, lateral movement to a server, downloading of additional hostile code, and sending of data to a remote server could all be parts of the same attack. It can look like multiple threats when what’s happening is a set of coordinated actions spread over several machines and accounts.
Securonix does a good job of reducing both kinds of information overload. Its UEBA-based approach produces more accurate results than either signature-based threat identification or less sophisticated behavior analytics.
Discovering threats in huge quantities of network data is a “needle in a haystack” problem. Finding every needle without mistaking straw for needles is hard. Machine intelligence and context-based analysis help Securonix to be accurate and precise in diagnosing incidents.
Anomalies are combined into threat chains. Rather than getting seemingly unrelated pieces, administrators and analysts get a full picture of the steps of an attack. They can respond with a coordinated action that remedies the whole threat, rather than taking separate, less effective actions against each piece.
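To make the contrast between signature checks, baseline-driven behavior analytics, and anomaly chaining concrete, here is an added Python illustration; it is not Securonix or BitLyft code, and the event log, per-user host baselines, and upload threshold are all constructed for the example.

```python
# Added illustration (not Securonix code): a fixed-pattern signature check,
# a per-user behavioral baseline, and grouping of the resulting anomalies
# into a per-entity "threat chain". All log lines below are constructed.
from collections import defaultdict

# Constructed sample events: (timestamp, user, host, action, detail)
EVENTS = [
    ("09:00", "alice", "ws-01",  "login",  "geo=US"),
    ("09:05", "alice", "ws-01",  "http",   "GET /reports/q1.pdf"),
    ("09:10", "bob",   "ws-02",  "login",  "geo=US"),
    ("09:12", "bob",   "ws-02",  "http",   "GET /../../etc/passwd"),
    ("09:20", "bob",   "srv-db", "login",  "geo=US"),
    ("09:25", "bob",   "srv-fs", "login",  "geo=US"),
    ("09:30", "bob",   "srv-fs", "upload", "dst=203.0.113.9 bytes=50000000"),
]

# Constructed baseline: which hosts each user normally logs in to.
BASELINE_HOSTS = {"alice": {"ws-01"}, "bob": {"ws-02"}}
# Constructed baseline: uploads larger than this are unusual for anyone.
BASELINE_UPLOAD_BYTES = 1_000_000

def signature_findings(event):
    """Legacy-style check: a fixed pattern in the request is the indicator."""
    _, _user, _host, action, detail = event
    if action == "http" and "../.." in detail:
        return ["directory traversal signature"]
    return []

def behavior_findings(event):
    """Baseline comparison: deviation from this user's own normal activity."""
    _, user, host, action, detail = event
    found = []
    if action == "login" and host not in BASELINE_HOSTS.get(user, set()):
        found.append(f"login to host outside baseline ({host})")
    if action == "upload":
        size = int(detail.split("bytes=")[1])
        if size > BASELINE_UPLOAD_BYTES:
            found.append(f"upload far above baseline ({size} bytes)")
    return found

def threat_chains(events):
    """Group every anomaly by user so related steps surface as one chain."""
    chains = defaultdict(list)
    for ev in events:
        for finding in signature_findings(ev) + behavior_findings(ev):
            chains[ev[1]].append((ev[0], ev[2], finding))
    # A single isolated anomaly is left for triage; two or more form a chain.
    return {user: steps for user, steps in chains.items() if len(steps) > 1}
```

Run on the constructed log, `threat_chains(EVENTS)` reports nothing for alice and one four-step chain for bob (traversal attempt, two logins outside the baseline, then a large outbound upload), which is the "single cause behind several warnings" view the text describes.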
Discovering security incidents is only half the battle. Remediation has to follow, and it should be fast and thorough. The Securonix SIEM uses a combination of automated responses and administrator notifications.
The Securonix Investigation Workbench lets administrators probe indications of compromise by examining anomalous entities and tracing events and activities connected with them. They can get a visual analysis of events, seeing them in relation to their context. Multiple teams can collaborate to get more insight and resolve an issue faster.
Case management capabilities aid collaboration. Some incidents require a multi-step response, including cleaning out malicious activity from multiple systems and repairing damaged data. The case management workflow lets security teams see what progress has been made. Role-based access control limits what team members can do, based on their assigned responsibilities.
Feedback runs in both directions. ResponseBot, a recommendation engine driven by artificial intelligence, examines the actions which Tier 2 and 3 analysts take to handle threats. It uses these actions, taking their context into account, to make recommendations to triage specialists. This lets them make more informed decisions about which incidents to escalate.
Many incidents lend themselves to a fully or partly automated response. The faster they’re remedied, the less harm they do. The Securonix SIEM includes built-in, configurable incident playbooks to resolve events with known solutions quickly.
A SIEM system has access to large amounts of information in the course of its job. It needs to protect that information. Securonix makes its own security as high a priority as its customers’. Protecting user privacy and system security is especially important when dealing with confidential data under HIPAA, GDPR, PCI DSS, and other regulations and industry standards. Non-compliant security tools, including older SIEM software, can’t be used when working with such data.
Amazon Web Services has certified Securonix as an Advanced Technology Partner in Security Competency. Securonix uses a multi-tenant architecture to scale each customer’s resources as needed without compromising anyone’s information integrity.
The Securonix cloud platform is certified compliant under SOC 2 Type 2 and ISO 27001:2013, which cover general security practices. It also has HITRUST CSF certification, which verifies security and privacy practices in the healthcare industry. Together, they affirm that:
This is just a partial list. The standards have detailed requirements to ensure that user data is protected.
Different organizations have different needs. BitLyft offers its customers a choice of SIEM tools. Picking the right SIEM is an important decision, and you should consider several factors.
The BitLyft AIR® platform consists of four components to give you the best defense against online threats. In addition to your choice of SIEM, it includes the following:
You can talk with us and view a demo to learn about the BitLyft AIR® configuration that will best meet your threat protection needs. With new dangers constantly appearing on the Internet, keeping your network well-protected is a necessity.