July 16, 2019 • Zane Pokorny
Security information and event management (SIEM) solutions emerged in response to the need to collect, store, and analyze security data from across multiple systems in one place. Fundamentally, they perform two functions:
These two functions were sometimes called security event management (SEM) and security information management (SIM), respectively, and now they’re joined together in SIEM solutions.
For monitoring your internal network, SIEMs are far more efficient than any manual processes could hope to be. But detecting security incidents by only looking at your own network is like a doctor examining a patient using only internal tests. The patient’s external environment — what they’re eating, the spaces they’re living in, and so on — is just as important for diagnosing their health as what’s going on inside.
We’ll take a closer look here at some characteristics of SIEMs and explore how the external context provided by threat intelligence is essential for getting the most out of them.
SIEMs gather log and event data from various sources within a network, including devices like routers and switches, security devices like firewalls, webmail servers, applications, and more. That data gets normalized before being correlated and analyzed.
This approach helps organizations discover threats by identifying outliers (like unusual activity) and respond to incidents more effectively, as well as monitor for potential security issues, like which users have access to which resources. But there are limitations to SIEM solutions.
For one, they’re complex — they can be expensive to integrate with the rest of a security ecosystem, and even then they require a good degree of expertise to use effectively. Knowing what to do with all the event data that a SIEM can churn out can be difficult, and it’s only getting more so.
A few statistics from a recent Cisco study illustrate the problem:
Why are more than half of legitimate alerts going unresolved? Alert fatigue, information overload, a lack of time or expertise — whatever you want to call it, the problem is a big one. The solution requires moving beyond the reactive approach that SIEMs facilitate to a more proactive one.
Returning to the analogy of the doctor diagnosing a patient, threat intelligence provides the environmental context needed to see what might make you sick, so that you can take the proper precautions, like getting vaccinations.
Threat intelligence is knowledge that allows you to prevent or mitigate cyberattacks, helping you make informed decisions about your security by answering questions like:
All these factors are external context that can enhance the internal information you get from your SIEM, when they’re properly correlated together.
This short video explains further how threat intelligence provides context that helps you accelerate your alert triage:
The important thing is to get threat intelligence that’s actionable. Threat feeds, for example, which have their uses but don’t give a lot of context, are not threat intelligence — don’t treat them as such. For threat intelligence to be actionable, it needs to have the following qualities:
Integrating threat intelligence with your SIEM should look something like this:
Threat intelligence enhances your SIEM by enriching its internal network alerts with more context and correlating them with external information. This provides a more holistic, proactive approach to security.
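To make the normalize-then-enrich idea concrete, here is an added example (not Recorded Future's code, and not from any SIEM product) that takes log lines from two sources, maps them onto one event schema, and then looks up the external indicator two ways: against a bare indicator feed, which can only say "matched", and against threat intelligence entries carrying a risk score, a last-seen date and a description, which support a triage decision. The log lines, the intelligence entries, the `risk` and `last_seen` fields, and the 30-day recency window and 80/50 risk thresholds are all constructed for illustration.

```python
"""Added example: normalize two log formats, enrich with threat intelligence, triage.
Not code from the original post; all sample data and thresholds are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample log lines from two sources (a firewall and a web proxy).
RAW_LOGS = [
    ("firewall", "2019-07-16T10:02:11Z action=deny src=203.0.113.45 dst=10.0.0.12 dport=445"),
    ("proxy", '10.0.0.7 - - [16/Jul/2019:10:03:02 +0000] "GET http://bad.example/login HTTP/1.1" 200'),
    ("firewall", "2019-07-16T10:04:40Z action=allow src=198.51.100.9 dst=10.0.0.12 dport=443"),
]

# A bare threat feed: indicators only. It can say "matched" and nothing more.
BARE_FEED = {"203.0.113.45", "bad.example", "198.51.100.9"}

# Threat intelligence: the same indicators with context an analyst can act on.
# Entries are constructed; the field names are this example's own schema.
THREAT_INTEL = {
    "203.0.113.45": {"risk": 85, "last_seen": "2019-07-15", "context": "SMB scanning source"},
    "bad.example":  {"risk": 95, "last_seen": "2019-07-16", "context": "credential phishing page"},
    "198.51.100.9": {"risk": 20, "last_seen": "2018-01-03", "context": "stale sinkhole listing"},
}

FIREWALL_RE = re.compile(r"(\S+) action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")
PROXY_RE = re.compile(r'(\S+) - - \[([^\]]+)\] "(\w+) (\S+) HTTP/[\d.]+" (\d+)')


@dataclass
class Event:
    source: str
    timestamp: datetime
    indicator: str   # the external IP or hostname worth looking up
    summary: str


def normalize(source, line):
    """Map a raw log line from a known source onto the common Event schema."""
    if source == "firewall":
        m = FIREWALL_RE.match(line)
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return Event(source, ts, m.group(3), f"{m.group(2)} {m.group(3)} -> {m.group(4)}:{m.group(5)}")
    if source == "proxy":
        m = PROXY_RE.match(line)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        return Event(source, ts, urlparse(m.group(4)).hostname, f"{m.group(3)} {m.group(4)} ({m.group(5)})")
    raise ValueError(f"no parser for source {source!r}")


def feed_match(event, feed):
    """What a context-free feed can tell you: matched or not."""
    return event.indicator in feed


def triage(event, intel, max_age_days=30):
    """Enrich the event with intelligence context and assign a triage priority."""
    entry = intel.get(event.indicator)
    if entry is None:
        return {"event": event.summary, "priority": "none", "context": None}
    last_seen = datetime.strptime(entry["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    recent = event.timestamp - last_seen <= timedelta(days=max_age_days)
    if entry["risk"] >= 80 and recent:
        priority = "high"
    elif entry["risk"] >= 50 or recent:
        priority = "medium"
    else:
        priority = "low"   # matched, but low risk and stale: not where analyst time goes first
    return {"event": event.summary, "priority": priority,
            "context": f'{entry["context"]} (risk {entry["risk"]}, last seen {entry["last_seen"]})'}


def run(raw_logs=RAW_LOGS, feed=BARE_FEED, intel=THREAT_INTEL):
    """Return (number of undifferentiated feed hits, list of triaged events)."""
    events = [normalize(src, line) for src, line in raw_logs]
    feed_hits = sum(feed_match(e, feed) for e in events)
    return feed_hits, [triage(e, intel) for e in events]


if __name__ == "__main__":
    hits, triaged = run()
    print(f"bare feed: {hits} matches, all look the same")
    for t in triaged:
        print(f'{t["priority"]:>6}  {t["event"]}  [{t["context"]}]')
```

All three events match the bare feed, so a SIEM rule keyed on the feed raises three identical alerts. With the enriched entries the same three events come out as two high-priority alerts and one low-priority match on a stale, low-risk indicator, which is the triage acceleration the context buys you.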
This was only a quick overview, though. Learn more about the best practices for integrating threat intelligence with your SIEM by reading our complimentary solution brief on the topic, “Supercharging SIEM Solutions With Threat Intelligence.”