‘Anti-SIEM’ cuts through the clutter of security alerts
Tech teams can apply a cheap, easy solution and avert the danger of ignoring threat notices
By Byron Acohido, ThirdCertainty
More companies are deploying cyber defenses to alert employees when possible threats to data and networks are detected. That’s a good thing.
What’s not so good is that these tools and components can raise alarms so often that a company’s tech team is in a constant state of high alert.
I had the chance to speak with Cyphort Senior Director Mounir Hadad about his company’s solution to all that noise, which they like to refer to as the “Anti-SIEM.”
“When you look at the security space in general, it’s extremely fragmented,” Hadad says. Many companies set up products to detect threats and protect systems, “and the problem is, not a single company out there can rely on just one vendor to be able to protect their own network.
“You end up with a plethora of products that are giving you all kinds of indicators of what’s happening in your network and, unfortunately, that leads to an overwhelming amount of information,” he says. “Our purpose here is to bring all of that information together, correlate it, make sense out of it, and present it in a very easy-to-follow-up manner.”
Through surveys conducted with the Ponemon Institute, Cyphort found that “a vast majority of security alerts end up being ignored. … You’re looking for a needle in the haystack. A lot of alerts … come from very noisy products, and customers do not follow up on those,” Hadad says. “Our objective here is to make sure that they do not miss that one important alert.”
Cyphort aims to let companies use their existing technology and staff efficiently, instead of chasing separate alerts from several components about the same problem.
Quieting the noise
For example, an employee might accidentally download a piece of malware, and notifications come in from several sources—a secure web gateway, an antivirus alert system, an intrusion-detection device.
“Each one of these different security products tends to be very noisy,” Hadad says, and a tech team has to check each one separately, even though one incident is causing the alerts.
Cyphort’s Anti-SIEM (a reference to security information and event management systems that amass mountains of traffic logs) would combine these events and label them as a single incident, so a tech team doesn’t have to check three components. “We bring them together, we correlate them, we put them in as one incident and we give you … a timeline view of … what happened.”
At the end of the day, the analyst would get a prioritized list of alerts.
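The correlation step described above, as an added example that is not Cyphort’s code: it groups constructed alerts from several products into incidents by host and time window, keeps each incident’s timeline, and ranks incidents by how many independent products agree. The alert fields, the five-minute window and the ranking rule are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (not real product output): three tools report the
# same malware download on host ws-17; a lone, unrelated IDS alert hits ws-42.
SAMPLE_ALERTS = [
    {"time": "2017-03-01T10:00:05", "source": "secure_web_gateway", "host": "ws-17",
     "msg": "blocked download of invoice.exe"},
    {"time": "2017-03-01T10:00:09", "source": "antivirus", "host": "ws-17",
     "msg": "quarantined invoice.exe"},
    {"time": "2017-03-01T10:01:30", "source": "ids", "host": "ws-17",
     "msg": "outbound beacon to known C2 domain"},
    {"time": "2017-03-01T10:20:00", "source": "ids", "host": "ws-42",
     "msg": "port scan detected"},
]


def _ts(alert):
    return datetime.fromisoformat(alert["time"])


def correlate(alerts, window=timedelta(minutes=5)):
    """Group alerts into incidents: same host, each alert within `window` of
    the previous alert in that incident. Incidents come back ordered by
    priority (number of distinct sources that agree), most recent first on ties."""
    incidents = []
    open_by_host = {}  # host -> index of that host's most recent incident
    for alert in sorted(alerts, key=_ts):
        idx = open_by_host.get(alert["host"])
        if idx is not None and _ts(alert) - _ts(incidents[idx]["timeline"][-1]) <= window:
            incidents[idx]["timeline"].append(alert)  # same host, close in time: one incident
        else:
            incidents.append({"host": alert["host"], "timeline": [alert]})
            open_by_host[alert["host"]] = len(incidents) - 1
    for inc in incidents:
        inc["sources"] = sorted({a["source"] for a in inc["timeline"]})
        inc["priority"] = len(inc["sources"])  # more independent products agreeing = higher
    return sorted(incidents, key=lambda i: (i["priority"], _ts(i["timeline"][-1])), reverse=True)


def summarize(incidents):
    """One line per incident: the analyst-facing prioritized list with its timeline."""
    return [f"P{i['priority']} {i['host']} [{', '.join(i['sources'])}]: "
            + " -> ".join(a["msg"] for a in i["timeline"]) for i in incidents]


if __name__ == "__main__":
    for line in summarize(correlate(SAMPLE_ALERTS)):
        print(line)
```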
While Cyphort gathers and correlates information from third-party devices, the company also has its own detection system.
“We do have network sensors that will look at traffic and carve out files and analyze them through behavioral analysis and apply machine learning,” Hadad says. “We bring our own core knowledge to that whole detection flow.”
Many companies have SIEMs, which can be expensive, difficult to maintain, and staff-heavy. Cyphort is working on a SIEM that gathers information about security events, but is cheaper and easier to maintain. “We … do the integrations for you; you don’t have to do them, and the number of staff that you need … is … reduced.”
For a deeper drill down, listen to the accompanying podcast.