Machine learning underlying SIEM systems gets smarter at neutralizing cyber threats

Automation, speedy processing can winnow information from massive amounts of sensor data


A good portion of the $50 million in fresh venture capital financing that LogRhythm secured last August will go toward improving the Boulder, Colorado-based company’s SIEM technologies as part of a drive for growth of its international business.

SIEM stands for security information and event management. SIEM systems collect internet traffic logs from all across a large business network—and then analyze that ocean of log data to flush out complex cyber threats.

According to research firm Gartner, companies spend roughly $2 billion a year on SIEM technologies, and about a dozen SIEM security vendors compete aggressively to win a share of this business. LogRhythm’s rivals include the likes of IBM, Splunk, Trustwave and AlienVault.

Related podcast: Machine learning keeps malware from slipping through

ThirdCertainty recently spoke to company co-founder and CTO Chris Petersen about the machine learning underlying SIEM detection capabilities. You can listen to my podcast of that conversation by clicking above. And below, Mike Reagan, LogRhythm’s chief marketing officer, supplies his 30,000-foot view of the evolving SIEM market. Text edited for clarity and length.

ThirdCertainty: SIEM has been around since 2005. It didn’t reach its full promise in early years. What’s changed?

Mike Reagan, LogRhythm chief marketing officer

Reagan: SIEM was initially developed as a platform to cull meaningful information from the massive volume of security events being generated from firewalls and intrusion detection/prevention systems (IDS/IPS). The promise of first-generation SIEM was compelling, and most deployments were able to cut down the number of events being surfaced. But they went from millions of events per day down to thousands, still an unmanageable volume for most IT security teams.

Today, SIEM platforms employ advanced and comprehensive analytics, such as user behavior analytics, network behavior analytics and endpoint analytics, against all log and machine data in real time. This meets a critical need and is being established as the centerpiece for next-generation security operations.

3C: For instance?

Reagan: The vast majority of logs represent benign threats. For example, when Charlie taps his badge against the badge reader to enter the front door of his office building. Let’s say that three hours after Charlie enters his office in Toledo, a corporate VPN server records a successful authentication to the network by “Charlie” from an IP address located in Jakarta. In this scenario, it is highly probable that Charlie’s credentials have been compromised. This is a SIEM that is capable of consuming logs from a myriad of data source types and applying additional context to that data. In this scenario, a SIEM with integrated security orchestration automation (SOA) would automatically disable Charlie’s account, launch an investigation, and even initiate an account reset for the real Charlie so he could get back to work.
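
The correlation Reagan describes, a badge-in at one site followed too soon by a VPN login geolocated far away, is the classic "impossible travel" rule. The Python below is an added example written for this page, not LogRhythm's code: it joins constructed badge-reader and VPN log lines on the user name, geolocates the VPN source address through a small lookup table, and flags any login that would have required moving faster than an airliner since the user's last known location. The key=value log format, the IP-to-city table, the site coordinates, the 900 km/h threshold and the response playbook list are all constructed assumptions.

```python
"""Impossible-travel correlation across badge and VPN logs.

Added example for this page, not LogRhythm's code. The log format, the
IP-to-city table, the site coordinates and the speed threshold are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple

# Constructed lookup tables. A real deployment would pull these from the badge
# system's site list and a GeoIP database.
SITE_COORDS: Dict[str, Tuple[float, float]] = {
    "Toledo": (41.65, -83.54),
    "Jakarta": (-6.21, 106.85),
}
GEOIP: Dict[str, str] = {  # addresses taken from the RFC 5737 documentation ranges
    "198.51.100.23": "Jakarta",
    "203.0.113.7": "Toledo",
}
MAX_PLAUSIBLE_KMH = 900.0  # about airliner cruising speed; faster is "impossible travel"
EARTH_RADIUS_KM = 6371.0

# Response steps the interview attributes to a SIEM with security orchestration
# automation, attached to each alert so it carries its playbook with it.
SOA_PLAYBOOK = ["disable account", "open investigation", "initiate account reset for the real user"]

# Constructed sample log: one user whose VPN login is geographically impossible,
# one benign user, one VPN line the table cannot geolocate, one failed login.
SAMPLE_LOG = [
    "ts=2016-10-03T08:02:11 src=badge user=charlie site=Toledo result=granted",
    "ts=2016-10-03T08:05:40 src=badge user=dana site=Toledo result=granted",
    "ts=2016-10-03T11:02:11 src=vpn user=charlie ip=198.51.100.23 result=success",
    "ts=2016-10-03T11:10:00 src=vpn user=dana ip=203.0.113.7 result=success",
    "ts=2016-10-03T12:00:00 src=vpn user=erin ip=192.0.2.9 result=success",
    "ts=2016-10-03T12:30:00 src=vpn user=charlie ip=198.51.100.23 result=failure",
]


@dataclass
class Event:
    source: str   # "badge" or "vpn"
    user: str
    time: datetime
    place: str    # badge site, or the city the VPN source IP geolocates to


def parse_line(line: str) -> Optional[Event]:
    """Turn one log line into an Event, or None if it carries no usable location."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    ts = datetime.fromisoformat(fields["ts"])
    if fields["src"] == "badge" and fields["result"] == "granted":
        return Event("badge", fields["user"], ts, fields["site"])
    if fields["src"] == "vpn" and fields["result"] == "success":
        place = GEOIP.get(fields["ip"])
        if place is None:
            return None  # unknown geolocation: the rule cannot judge travel, so skip
        return Event("vpn", fields["user"], ts, place)
    return None  # failed logins and denied badges are ignored by this rule


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def find_impossible_travel(lines: List[str]) -> List[dict]:
    """Return one alert per VPN login that is too far from the user's previous event."""
    by_user: Dict[str, List[Event]] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_user.setdefault(ev.user, []).append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.time)
        for prev, cur in zip(events, events[1:]):
            if cur.source != "vpn":
                continue  # only remote logins are tested against the prior location
            distance = haversine_km(SITE_COORDS[prev.place], SITE_COORDS[cur.place])
            if distance == 0:
                continue  # same city: nothing to explain
            hours = (cur.time - prev.time).total_seconds() / 3600
            speed = distance / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append({
                    "user": user, "from": prev.place, "to": cur.place,
                    "hours": round(hours, 2), "distance_km": round(distance),
                    "speed_kmh": round(speed), "actions": SOA_PLAYBOOK,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOG):
        print(alert)
```

Running it on the constructed log yields a single alert for charlie (Toledo to Jakarta in three hours, roughly 16,000 km at over 5,000 km/h); dana's same-city login and erin's ungeolocatable address produce nothing, which is the context-joining the interview credits a SIEM with. The `None` return for an unknown IP is a deliberate choice: a rule that cannot place the login should stay silent rather than alert on missing data.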

3C: How do you differentiate LogRhythm from, let’s say, IBM or Splunk?

Reagan: IBM’s SIEM solution, their QRadar product, originally was designed to perform network-based anomaly detection (NBAD). Repositioning the platform as a SIEM solution to capture compliance dollars flowing into the SIEM market, Q1Labs built a solid following as a first-generation SIEM. Five years ago, IBM acquired Q1Labs. Since then, their path to innovation to fill functional gaps in QRadar has been realized through partnerships and acquisitions rather than through material investment in in-house development. While this approach allows IBM to check the boxes for specific end-user functional requirements, it does so with distinct technologies that require multiple interfaces and restricted interoperability.

Splunk has made its mark as a central log data repository and search platform. The vast majority of Splunk users are in IT operations, where searches against IT operations data are useful in aiding root cause analysis. Splunk customers who use the application for security use cases typically do so to address incident response and investigation needs rather than for real-time threat detection. It’s designed to aid the “hunter” who knows what they’re hunting for. As such, Splunk requires more manual intervention and management than other SIEMs that are designed to automate analysis, alerting and security orchestration.

3C: And the argument for your technology is what?

Reagan: LogRhythm’s singular focus is on delivering a comprehensive security intelligence and analytics platform that empowers organizations to detect, respond to and neutralize threats before they can result in a material breach or service disruption. While the company maintains a broad technology integration partner ecosystem, it also has a strong track record of delivering continuous innovation in its platform to ensure that its technology evolves to meet the ever-shifting challenges of the cyber threat landscape.

3C: How is the SIEM market likely to evolve over the next few years?

Reagan: The SIEM market has gone through a huge transformation over the past eight years. If we simply compare the Gartner SIEM Magic Quadrant report for 2008 to this year’s report, we see a material thinning of the herd. In 2008, the market was reported to be just over $700 million with 23 SIEM vendors covered in the report. This year’s report indicates a market that is greater than $1.7 billion with just 13 vendors.

The SIEM market has shifted from one that was driven by solutions that address compliance requirements to one that now focuses on faster detection, response and neutralization of cyber threats. Next-gen SIEMs that offer the full spectrum of threat life cycle management within a fully integrated solution will sustain an advantage over solutions that comprise multiple disparate products.
