Machine learning underlying SIEM systems gets smarter at neutralizing cyber threats

Automation, speedy processing can winnow information from massive amounts of sensor data


A good portion of the $50 million in fresh venture capital financing that LogRhythm secured last August will go toward improving the Boulder, Colorado-based company’s SIEM technologies as part of a drive for growth of its international business.

SIEM stands for security information and event management. SIEM systems collect logs from servers, security devices and applications across a large business network, then analyze that ocean of log data to surface complex cyber threats.

According to research firm Gartner, companies spend roughly $2 billion a year on SIEM technologies, and about a dozen SIEM security vendors compete aggressively to win a share of this business. LogRhythm’s rivals include the likes of IBM, Splunk, Trustwave and AlienVault.

Related podcast: Machine learning keeps malware from slipping through

ThirdCertainty recently spoke to company co-founder and CTO Chris Petersen about the machine learning underlying SIEM detection capabilities. You can listen to my podcast of that conversation by clicking above. And below, Mike Reagan, LogRhythm’s chief marketing officer, supplies his 30,000-foot view of the evolving SIEM market. Text edited for clarity and length.

ThirdCertainty: SIEM has been around since 2005. It didn’t reach its full promise in early years. What’s changed?

Mike Reagan, LogRhythm chief marketing officer

Reagan: SIEM was initially developed as a platform to cull meaningful information from the massive volume of security events being generated from firewalls and intrusion detection/prevention systems (IDS/IPS). The promise of first-generation SIEM was compelling, and most deployments were able to cut down the number of events being surfaced. But they went from millions of events per day down to thousands, still an unmanageable volume for most IT security teams.

Today, SIEM platforms employ advanced and comprehensive analytics, such as user behavior analytics, network behavior analytics and endpoint analytics, against all log and machine data in real time. This meets a critical need and is being established as the centerpiece for the next-generation security operations.

3C: For instance?

Reagan: The vast majority of logs represent benign threats. For example, when Charlie taps his badge against the badge reader to enter the front door of his office building. Let’s say that three hours after Charlie enters his office in Toledo a corporate VPN server records a successful authentication to the network by “Charlie” from an IP address located in Jakarta. In this scenario, it is highly probable that Charlie’s credentials have been compromised. This takes a SIEM that is capable of consuming logs from a myriad of data source types and applying additional context to that data. In this scenario, a SIEM with integrated security orchestration automation (SOA) would automatically disable Charlie’s account, launch an investigation, and even initiate an account reset for the real Charlie so he could get back to work.
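The badge-versus-VPN correlation Reagan describes, written out as detection logic over a handful of constructed log lines. This is an added example, not LogRhythm's code or the article's own: the log format, the reader coordinates, the GeoIP mapping for the two (documentation-range) addresses and the 1,000 km/h plausibility threshold are all assumptions made for the demo.

```python
"""Impossible-travel check: badge swipe in one city, VPN login from another.

Added example, not LogRhythm's code or the article's own. The log format,
coordinates, GeoIP mapping and speed threshold are assumptions for the demo.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample events, not real logs. "charlie" badges into Toledo,
# then about three hours later "charlie" authenticates to the VPN from an
# address we map to Jakarta. "dana" badges in and connects from Toledo.
BADGE_LOGS = [
    "2016-11-02T08:02:11Z badge door=front-toledo user=charlie result=granted",
    "2016-11-02T08:05:40Z badge door=front-toledo user=dana result=granted",
]
VPN_LOGS = [
    "2016-11-02T11:07:55Z vpn user=charlie src=203.0.113.10 result=success",
    "2016-11-02T11:09:02Z vpn user=dana src=198.51.100.7 result=success",
]

# Assumed context tables. In a real deployment the badge system supplies
# reader locations and a GeoIP database supplies source coordinates.
DOOR_COORDS = {"front-toledo": (41.6528, -83.5379)}          # Toledo, Ohio
GEOIP = {
    "203.0.113.10": (-6.2088, 106.8456),   # documentation range, mapped to Jakarta
    "198.51.100.7": (41.6528, -83.5379),   # documentation range, mapped to Toledo
}
MAX_PLAUSIBLE_KMH = 1000.0  # assumed: faster than any airliner, so not travel


def parse(line):
    """Turn 'TS source k=v k=v ...' into a dict with a datetime timestamp."""
    ts, source, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    event.update(field.split("=", 1) for field in fields)
    return event


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(badge_logs, vpn_logs, window=timedelta(hours=12)):
    """Flag VPN logins whose implied travel speed from the user's last badge
    swipe exceeds MAX_PLAUSIBLE_KMH. Returns a list of alert dicts."""
    last_badge = {}
    for event in map(parse, badge_logs):
        if event.get("result") == "granted":
            last_badge[event["user"]] = event   # later lines overwrite: most recent swipe wins

    alerts = []
    for event in map(parse, vpn_logs):
        if event.get("result") != "success":
            continue
        badge = last_badge.get(event["user"])
        if badge is None:
            continue                              # no physical context to compare against
        elapsed = event["ts"] - badge["ts"]
        if elapsed < timedelta(0) or elapsed > window:
            continue                              # login before the swipe, or swipe too old
        origin = DOOR_COORDS.get(badge["door"])
        login_at = GEOIP.get(event["src"])
        if origin is None or login_at is None:
            continue                              # unknown reader or un-geolocated address
        km = haversine_km(origin, login_at)
        hours = max(elapsed.total_seconds() / 3600.0, 1.0 / 60.0)  # floor at one minute
        speed = km / hours
        if speed > MAX_PLAUSIBLE_KMH:
            alerts.append({
                "user": event["user"],
                "src": event["src"],
                "distance_km": round(km),
                "elapsed_hours": round(hours, 2),
                "implied_kmh": round(speed),
            })
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(BADGE_LOGS, VPN_LOGS):
        print(alert)
```

Run stand-alone, the check flags only Charlie: roughly 16,000 km in about three hours, an implied speed of several thousand km/h, while Dana's login from the same city as her badge swipe passes. An alert of this shape is what would feed the orchestration step Reagan describes (disable, investigate, reset). The check is deliberately conservative: it requires a recent granted swipe, a known reader location and a geolocatable source address, and it floors the elapsed time so two events in the same minute do not produce a divide-by-zero or an absurd speed.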

3C: How do you differentiate LogRhythm from, let’s say, IBM or Splunk?

Reagan: IBM’s SIEM solution, their QRadar product, originally was designed to perform network-based anomaly detection (NBAD). Repositioning the platform as a SIEM solution to capture compliance dollars flowing into the SIEM market, Q1Labs built a solid following as a first-generation SIEM. Five years ago, IBM acquired Q1Labs. Since then, their path to innovation to fill functional gaps in QRadar has been realized through partnerships and acquisitions rather than through material investment in in-house development. While this approach allows IBM to check the boxes for specific end-user functional requirements, it does so with distinct technologies that require multiple interfaces and restricted interoperability.

Splunk has made its mark as a central log data repository and search platform. The vast majority of Splunk users are in IT operations, where searches against IT operations data are useful in aiding root cause analysis. Splunk customers who use the application for security use cases typically do so to address incident response and investigation needs rather than for real-time threat detection. It’s designed to aid the “hunter” who knows what they’re hunting for. As such, Splunk requires more manual intervention and management than other SIEMs that are designed to automate analysis, alerting and security orchestration.

3C: And the argument for your technology is what?

Reagan: LogRhythm’s singular focus is on delivering a comprehensive security intelligence and analytics platform that empowers organizations to detect, respond to and neutralize threats before they can result in a material breach or service disruption. While the company maintains a broad technology integration partner ecosystem, it also has a strong track record of delivering continuous innovation in its platform to ensure that its technology evolves to meet the ever-shifting challenges of the cyber threat landscape.

3C: How is the SIEM market likely to evolve over the next few years?

Reagan: The SIEM market has gone through a huge transformation over the past eight years. If we simply compare the Gartner SIEM Magic Quadrant report for 2008 to this year’s report, we see a material thinning of the herd. In 2008, the market was reported to be just over $700 million with 23 SIEM vendors covered in the report. This year’s report indicates a market that is greater than $1.7 billion with just 13 vendors.

The SIEM market has shifted from one that was driven by solutions that address compliance requirements to one that now focuses on faster detection, response and neutralization of cyber threats. Next-gen SIEMs that offer the full spectrum of threat life cycle management within a fully integrated solution will sustain an advantage over solutions that comprise multiple disparate products.

More stories related to threat detection:
Automated malware removal fights fire with fire
Machine learning helps detect real-time network threats

Machine learning combined with behavioral analytics can make big impact on security