Trying to decipher Cybersecurity jargon can feel like trying to make sense out of a spoonful of alphabet soup. Is your SIEM equipped with sufficient NTA? What about your XDR? Or wait, was it NDR? What’s IRM, anyway? And whatever happened to UEBA?
The reality is that just because a Cybersecurity solution requires a glossary to understand doesn’t mean it’s the best — it doesn’t even mean the solution is adequate at all at protecting against modern, real-world threats. At a high level, good Cybersecurity is simple, no matter how you spell it: solutions that examine real-time network activity and make smart, context-aware decisions in the moment.
Let’s take a look at a few of the common acronyms associated with Cybersecurity solutions available on the market and how these compare with the capabilities of MixMode’s third-wave AI approach.
Security Incident and Event Management (SIEM)
Gartner defines SIEM as technology that “supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources. The core capabilities are a broad scope of log event collection and management, the ability to analyze log events and other data across disparate sources, and operational capabilities (such as incident management, dashboards and reporting).”
Key elements of SIEM solutions:
● Log-based, retroactive analysis
● Rules created based on desired outcome or preventative measure
● Require continual, manual updating to adjust rules
● Massive data storage requirements
● Enormous false positive rate
MixMode and SIEM
The MixMode platform can work as a standalone solution or alongside existing SIEM approaches. In either case, MixMode mitigates some of the fundamental shortcomings and issues inherent to log-based Cybersecurity solutions.
Because MixMode develops a constantly evolving baseline of expected network behavior, there’s no need for operators to continually adjust parameters to meet evolving threats. MixMode uses third-wave AI that can apply predictive behavioral analysis in real-time, fully unsupervised. There’s no need for mass cold data storage, false positives are significantly reduced (often by greater than 95%), and SOC teams can focus on true alerts and preventative measures that bolster organizational security postures.
Insider Risk Management Systems (IRMS)
Gartner recently renamed its “User Entity Behavior Analytics (UEBA)” category to Insider Risk Management Solutions (IRM or IRMS). IRM solutions focus on insider threats (“malicious, careless or negligent threats to organizations that come from people within the organizations such as employees, former employees, contractors, or business associates, who have inside information concerning the organization’s security practices, data, and computer systems”) and, in Gartner’s words, “offer profiling and anomaly detection based on a range of analytics approaches, usually using a combination of basic analytics methods — e.g., rules that leverage signatures, pattern matching and simple statistics — and advanced analytics.” Vendors, the company writes, use “packaged analytics” to evaluate user activity and entities like hosts, applications, network traffic and data repositories to discover potential incidents.
MixMode and Insider Risk Management
MixMode is context-aware. Why does that matter? Traditional Cybersecurity tools struggle with making confident decisions in the moment about whether to allow or block risky actions.
For example, an employee accessing sensitive files from home may not represent anomalous behavior, especially in the COVID-19 era where millions of workers have shifted to home-based roles, but this behavior could well be flagged by rules-based Cybersecurity platforms. Similar scenarios play out frequently across modern, fast-paced hybrid network environments, where enterprises often join together a mix of systems, including legacy on-prem machines, cloud storage and processing, IoT inputs and more. MixMode can handle the nuances of behavior by applying context-aware AI that examines real-time behavior in relation to other network behaviors, something a rules-based platform cannot achieve — these platforms need exceptions to rules to be explicitly spelled out and updated manually.
MixMode’s third-wave AI can accurately predict future network behavior in real-time. When unexpected activity happens anywhere on the network, MixMode analyzes the behavior in the context of how the network is used in real world circumstances.
Network Traffic Analysis (NTA) and Extended Detection and Response (XDR)
Gartner identifies NTA as tools that use a “combination of machine learning, advanced analytics and rule-based detection to detect suspicious activities on enterprise networks.” These tools, Gartner writes, “continuously analyze raw traffic and/or flow records to build models that reflect normal network behavior.” When NTA tools detect abnormal traffic patterns, they issue alerts.
Importantly, Gartner writes, “in addition to monitoring north/south traffic that crosses the enterprise perimeter, NTA solutions can also monitor east/west communications by analyzing network traffic or flow records that it received from strategically placed network sensors.”
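The contrast drawn above between a static rule and a behavioral baseline built from flow records (the remote-worker example in the IRM section and the NTA description here) can be made concrete with a small simulation. This is an added example, not MixMode’s or Gartner’s code; the flow records, user names and the “fileshare” destination are constructed, and the baseline is a deliberately simple per-user model (habitual source networks plus mean and standard deviation of bytes sent).

```python
"""Static rule versus per-user behavioral baseline on constructed flow records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (user, source network, destination, bytes_out).
# "home" stands for a non-corporate source network.
FLOWS = [
    ("alice", "home", "fileshare", 2_000_000),
    ("alice", "home", "fileshare", 2_400_000),
    ("alice", "home", "fileshare", 1_900_000),
    ("alice", "home", "fileshare", 2_100_000),
    ("bob", "home", "fileshare", 1_500_000),
    ("bob", "corp", "fileshare", 1_700_000),
    ("bob", "home", "fileshare", 1_600_000),
    ("carol", "corp", "fileshare", 3_000_000),
    ("carol", "corp", "fileshare", 2_800_000),
    ("carol", "corp", "fileshare", 3_100_000),
]

# Constructed new activity to evaluate against that history.
NEW = [
    ("alice", "home", "fileshare", 2_200_000),   # her usual pattern
    ("bob", "home", "fileshare", 1_650_000),     # his usual pattern
    ("carol", "home", "fileshare", 40_000_000),  # new network, 13x her usual volume
]

def rule_alerts(flows):
    """Static SIEM-style rule: any fileshare access from outside 'corp' is an alert."""
    return [f for f in flows if f[1] != "corp" and f[2] == "fileshare"]

def build_baseline(flows):
    """Per-user baseline: networks seen before, plus mean/stddev of bytes_out."""
    nets, sizes = defaultdict(set), defaultdict(list)
    for user, net, _dst, nbytes in flows:
        nets[user].add(net)
        sizes[user].append(nbytes)
    return {u: (nets[u], mean(sizes[u]), pstdev(sizes[u])) for u in nets}

def baseline_alerts(flows, baseline, z=3.0):
    """Alert only when a flow departs from that user's own history: an unseen
    source network, a volume more than z standard deviations from the mean,
    or a user with no history at all."""
    alerts = []
    for f in flows:
        user, net, _dst, nbytes = f
        if user not in baseline:
            alerts.append(f)
            continue
        nets, mu, sigma = baseline[user]
        if net not in nets or abs(nbytes - mu) > z * sigma:
            alerts.append(f)
    return alerts
```

Running `rule_alerts(NEW)` flags all three users, two of them false positives, whereas `baseline_alerts(NEW, build_baseline(FLOWS))` flags only carol, whose source network and volume both break her own pattern.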
Gartner defines XDR as a “SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”
MixMode and NTA, XDR and Other SIEM Add-ons
Tools like NTA are additive by nature. SIEM vendors have marketed add-on tools like NTA, NDR (network detection and response), and XDR to overcome the inherent limitations of their twentieth-century Cybersecurity solutions. To put it plainly, for SIEM to function as a security tool, customers must add various solutions, with associated additional costs and oversight.
Even when customers do opt to add solutions like NTA and XDR, their systems are typically ineffective as real-time, self-adapting security solutions. SOCs will need to continually monitor an endlessly growing supply of data, which must be stored indefinitely, due to the look-back nature of SIEM log-based tools.
MixMode Makes Sense of the Alphabet Soup
While SIEM, on its own, has some inherent flaws that must be overcome to work effectively, one truth remains: SIEM still shines brightly when it comes to searching and investigating log data. There’s an important place for some log data within a comprehensive network security approach. For clients who wish to retain their SIEM approach to some degree, MixMode pairs the best features of SIEM technology with modern, AI-driven predictive analysis tools.
Other clients opt to replace their legacy SIEM solutions with the modern, single-platform MixMode solution. MixMode’s application of NTA and XDR, combined with its proprietary third-wave AI, mitigates SIEM issues by changing the fundamentals.
As we’ve discussed, the platform’s continually evolving baseline of expected network behavior allows for real-time analysis within the context of real-world behavior. The result is fewer false positives, lower data storage costs, and renewed security team focus on true security priorities. MixMode offers real-time and predictive threat detection, noise reduction, and deep investigation at a fraction of the cost of a typical SIEM.