BLUF: NextGen SIEM is changing the landscape and it all starts with product integrations.
One of the keys to effective SIEM operations are robust integrations. By gathering data from various sources, such as network devices and application logs, you can gain a comprehensive picture of your organization’s security posture, accelerating threat detection and response. Streamlining this process reduces the time to connect the dots and drive accurate analyses.
Our previous blog explored Security Information and Event Management (SIEM) technologies and the components encompassing an SIEM. Here, we will dive deeper into each section individually to better understand particular pain points and their future.
Note: This is Part 2 of our NexGen SIEM series. Read part 1 here.
Integration Components
From granular control and robustness to complex management and programming knowledge necessities, each of the following categories presents unique strengths and challenges.
Agents
Using agents lets you get precise control over those tricky-to-reach logs, but boy do they come with a hefty price tag in management costs. Rolling them out across all your devices, making sure they’re set up just right, and keeping them updated is a pretty big investment.
Syslog
It’s an old-school favorite for integrating network devices where putting an agent isn’t doable. Syslog is kind of a “throw it out there and hope for the best” solution because it relies on UDP. Syslog is getting better, but historically, it has had its share of headaches with load balancing and reliability issues.
API Polling
API polling is gaining traction these days, thanks to centralized configuration management, having tight control and getting loads of contextual data. The catch? Access management is trickier, and you need to know your way around programming languages like Python or C++ to develop customized integrations.
HTTP Webhooks/HEC
Webhooks are also on the rise, providing a neat way to receive data through an HTTP listener. They make load balancing a breeze with HTTPS, keep your data safe, and simplify network management. But, webhooks usually need token authentication, which can be a headache to manage, and you have to set up your source to send data from the get-go. To boot, this setup doesn’t give you much wiggle room to filter or tweak the incoming data unless you get direct access to the source machine.
Integrations in the NextGen SIEM
Legacy SIEMs adopt a monolithic approach, merging Ingestion and Analytics into a single offering. However, we are witnessing a trend towards their separation, enabling more granular control over data and the collection of new, insightful information for analysis. To facilitate this, integrations are being positioned closer to the data source in these applications:
Cribl is empowering Security Operations Centers (SOCs) to regain control over their data with its centralized management and filtering capabilities. By reducing log volume, Cribl not only cuts down on storage and computing costs but also minimizes the clutter of irrelevant information that analysts have to sift through. This streamlining of data significantly diminishes analyst fatigue and the occurrences of false negatives. Moreover, as the landscape of SIEMs evolves and data lakes become increasingly integral, the ability to centrally manage data ingestion is becoming critical to the success of SOCs.
Endpoint tooling enables the querying of machines programmatically, allowing for the capture of specific data across a broad array of hosts. Platforms such as Crowdstrike, Microsoft Defender, and Tanium possess the capability to “ask questions” of a host and return the insights necessary for making quick, effective, data-driven decisions.
Following the recent release of the XZ Supply Chain Attack, simple Advanced Hunting Queries can be executed to identify which machines have the affected binaries installed, the version of these binaries, and how frequently they have been used in the last 30 days.
Metrics – SOCs have traditionally relied on log event data to monitor activities and occurrences within their environments. However, as the integration of Artificial Intelligence (AI) and Machine Learning (ML) within SOCs increases, the adoption of metrics formats is set to rise correspondingly. Metrics offer lightweight information stored within a time-series indexing system, enhancing query speed, reducing storage and computational costs, and enabling advanced predictive analytics on behavior. For example, abnormal CPU and memory usage by machines could indicate the presence of crypto-miners or atypical workloads, necessitating further investigation.
Detecting Anomalies in Data Feeds – After an upgrade to the Cisco firewall, we’re facing a new format. An API alteration has modified the fields in our JSON response. Additionally, a lapse in certificate renewal halted our API data reception. These scenarios are quite common and occur often. Implementing systems that can detect variations in data streams feeding into the SIEM is crucial for providing the SOC with the visibility necessary for success.
Stay tuned as we continue our exploration of the SIEM universe, helping you stay one step ahead in the dynamic world of cybersecurity. Next up, Analytics.
And now for the shameless plug. . .If you’re looking for assistance in establishing a Next Generation SIEM with a security data fabric or data lake, you’re in luck. SOI Solutions provides consulting practices to help build and implement cutting-edge integrations to help control costs and reduce risks. Reach out to our Sales team to find the best solution that works for you.
