‘Anti-SIEM’ cuts through the clutter of security alerts

Tech teams can apply a cheap, easy solution and avert the danger of ignoring threat notices


More companies are deploying cyber defenses to alert employees when possible threats to data and networks are detected. That’s a good thing.

What’s not so good is that these tools and components can raise alarms so often, a company’s tech team is in a constant state of high alert.

I had the chance to speak with Cyphort Senior Director Mounir Hadad about his company’s solution to all that noise, which they like to refer to as the “Anti-SIEM.”

Related article: Security as a service catches on

“When you look at the security space in general, it’s extremely fragmented,” Hadad says. Many companies set up products to detect threats and protect systems, “and the problem is, not a single company out there can rely on just one vendor to be able to protect their own network.”

“You end up with a plethora of products that are giving you all kinds of indicators of what’s happening in your network and, unfortunately, that leads to an overwhelming amount of information,” he says. “Our purpose here is to bring all of that information together, correlate it, make sense out of it, and present it in a very easy-to-follow-up manner.”

Information overload

Through surveys conducted with the Ponemon Institute, Cyphort found that “a vast majority of security alerts end up being ignored. … You’re looking for a needle in the haystack. A lot of alerts … come from very noisy products, and customers do not follow up on those,” Hadad says. “Our objective here is to make sure that they do not miss that one important alert.”

Cyphort’s aim is to let a company use its existing technology and staff efficiently, instead of chasing alerts from several components about the same problem.

Quieting the noise

For example, an employee might accidentally download a piece of malware, and notifications come in from several sources: a web secure gateway, an antivirus alert system, an intrusion-detection device.

“Each one of these different security products tends to be very noisy,” Hadad says, and a tech team has to check each one separately, even though one incident is causing the alerts.

Cyphort’s Anti-SIEM (a reference to security information and event management systems that amass mountains of traffic logs) would combine these events and label them as a single incident, so a tech team doesn’t have to check three components. “We bring them together, we correlate them, we put them in as one incident and we give you … a timeline view of … what happened.”

At the end of the day, the analyst would get a prioritized list of alerts.
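The correlation step described above, as an added example rather than Cyphort’s own code: alerts from three products that concern the same host within a short window are merged into one incident, rendered as a timeline, and the incidents are ordered so the one with the strongest, multi-source evidence comes first. The sample alerts, the ten-minute window, the 1-to-5 severity scale and the scoring rule (highest severity plus a bonus for each additional product that agrees) are all assumptions made for the example.

```python
"""Merge alerts from several security products into prioritized incidents.

Added example (not Cyphort's code). Alerts for the same host that arrive
within a configurable window are grouped into one incident, the incident
gets a timeline view, and incidents are ranked by a simple score so an
analyst sees one list instead of three separate consoles.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Alert:
    ts: datetime
    source: str    # product that raised it, e.g. "web-gateway", "antivirus", "ids"
    host: str      # endpoint the alert concerns
    severity: int  # assumed 1 (low) .. 5 (critical), normalised per product
    message: str


@dataclass
class Incident:
    host: str
    alerts: List[Alert] = field(default_factory=list)

    @property
    def end(self) -> datetime:
        return max(a.ts for a in self.alerts)

    @property
    def sources(self) -> List[str]:
        return sorted({a.source for a in self.alerts})

    @property
    def score(self) -> int:
        # Assumed scoring rule: worst severity seen, plus one point for every
        # additional independent product that also fired on this host.
        return max(a.severity for a in self.alerts) + len(self.sources) - 1

    def timeline(self) -> List[str]:
        # One line per alert, in time order, tagged with the product that raised it.
        return [f"{a.ts:%H:%M:%S} [{a.source}] {a.message}"
                for a in sorted(self.alerts, key=lambda a: a.ts)]


def correlate(alerts: List[Alert], window: timedelta = timedelta(minutes=10)) -> List[Incident]:
    """Group alerts per host; a gap longer than `window` opens a new incident.
    Returns incidents ordered by score, highest first."""
    incidents: List[Incident] = []
    open_by_host: Dict[str, Incident] = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        inc = open_by_host.get(a.host)
        if inc is None or a.ts - inc.end > window:
            inc = Incident(host=a.host)
            incidents.append(inc)
            open_by_host[a.host] = inc
        inc.alerts.append(a)
    return sorted(incidents, key=lambda i: i.score, reverse=True)


# Constructed sample: one malware download on ws-17 seen by three products,
# an unrelated low-severity IDS alert on ws-03, and a later, separate ws-17 event.
T0 = datetime(2017, 3, 1, 9, 0, 0)
SAMPLE_ALERTS = [
    Alert(T0 + timedelta(seconds=5), "web-gateway", "ws-17", 2, "download of invoice.exe from flagged domain"),
    Alert(T0 + timedelta(seconds=40), "antivirus", "ws-17", 4, "Trojan.Generic quarantined"),
    Alert(T0 + timedelta(minutes=2), "ids", "ws-17", 3, "outbound beacon to known C2 address"),
    Alert(T0 + timedelta(minutes=1), "ids", "ws-03", 1, "port scan detected"),
    Alert(T0 + timedelta(hours=3), "web-gateway", "ws-17", 1, "blocked adware domain"),
]


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f"score={inc.score} host={inc.host} sources={inc.sources}")
        for line in inc.timeline():
            print("   ", line)
```

Run as-is, the three ws-17 alerts within two minutes collapse into one incident at the top of the list (score 6, three agreeing sources); the port scan and the adware block three hours later each remain single-source, low-score incidents below it. In a real deployment the hard part is the normalisation step the `severity` field glosses over: each product’s native severity scale and host identifier (IP, hostname, agent ID) must be mapped to a common form before grouping is meaningful.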

Sophisticated detection

While Cyphort gathers and correlates information from third-party devices, the company also has its own detection system.

“We do have network sensors that will look at traffic and carve out files and analyze them through behavioral analysis and apply machine learning,” Hadad says. “We bring our own core knowledge to that whole detection flow.”

Many companies have SIEMs, which can be expensive, difficult to maintain, and staff-heavy. Cyphort is working on a system that gathers information about security events the way a SIEM does, but is cheaper and easier to maintain. “We … do the integrations for you; you don’t have to do them, and the number of staff that you need … is … reduced.”

For a deeper drill down, listen to the accompanying podcast.

More stories related to threat detection:
Ransomware attacks are a fact of life, so real-time detection, response is critical
Machine learning picks up where traditional threat detection ends
Automated malware detection provides effective early warning of threats