The following is an excerpt from our recently published whitepaper, “The Failed Promises of SIEM: How Next-Generation Cybersecurity Platforms are Solving the Problems Created by Outdated Tools.” In it we discuss the ways SIEM has failed to deliver on the promises made to the cybersecurity industry, and why security teams must instead turn to a next-generation platform powered by unsupervised AI to navigate the ever-evolving threat landscape of 2020 and defend effectively against modern threats and bad actors.
Improving on the Typical SIEM Model
Despite its inherent flaws, today’s SIEM software still shines at searching and investigating log data. One effective, comprehensive approach to network security pairs those strengths of SIEM with modern, AI-driven predictive analysis tools. Alternatively, organizations can replace an outdated SIEM with a single-platform, self-learning AI solution.
MixMode vs. Legacy SIEM
SIEM customers face a well-known inherent shortcoming: analysts spend hours on fruitless manual investigations of alerts generated against an inaccurate baseline. When vendors push NTA add-ons to “complement” their SIEM platforms, it is often an attempt to work around this limitation.
MixMode’s application of NTA and NDR, combined with third-wave AI, mitigates this issue by changing how the baseline is established in the first place, while still providing the standard security features of a SIEM, including search and investigation. Legacy NTA solutions rely on historical analysis of network traffic, comparing current behavior against patterns learned once from that history. Rules and alerts built on a historical, non-evolving baseline are limited in their effectiveness.
Network conditions shift constantly, and expected baseline behavior shifts with them: an anomaly today may not be an anomaly tomorrow. For example, when a significant percentage of workers abruptly switched to remote work arrangements, unprepared companies were hit with a mountain of false positive alerts, because traffic that was perfectly normal for a remote workforce looked anomalous against a baseline learned from office traffic.
MixMode replaces siloed, additive NTA baselines with an adaptive approach that responds to rapidly evolving network baselines. Context-aware insights result in fewer false positive alerts, while AI-prioritized reports reduce demands on analyst time. Instead of spending hours sifting through SIEM logs, analysts can address genuine threats.
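To make the baseline argument concrete, here is a small simulation added to this excerpt. It is illustrative code written for this page, not MixMode’s algorithm or any vendor’s product code, and the daily event counts it uses are constructed, not real telemetry. It scores a daily count (think VPN logins from outside the office network) first against a baseline fitted once on a historical window, then against an exponentially weighted baseline that is updated after every observation, and counts how many days each approach alerts after an abrupt shift such as the move to remote work.

```python
"""Static vs adaptive anomaly baseline: a constructed illustration.

Illustrative code added to this excerpt. It is NOT MixMode's algorithm and not
any product's code. It simulates a daily event count that shifts abruptly and
compares two ways of deciding what "normal" is:
  - a STATIC baseline: mean/std fitted once on a historical training window
  - an ADAPTIVE baseline: exponentially weighted mean/variance updated daily
"""
import math

# Constructed sample data (not real telemetry): 30 days at roughly 100
# events/day, then 30 days at roughly 800/day after a workforce shift to
# remote work. The modular arithmetic just adds deterministic jitter.
BASELINE_DAYS = [100 + ((i * 37) % 11) - 5 for i in range(30)]
SHIFTED_DAYS = [800 + ((i * 53) % 17) - 8 for i in range(30)]
SERIES = BASELINE_DAYS + SHIFTED_DAYS

Z_THRESHOLD = 3.0  # alert when |z-score| exceeds this


def _mean_std(values):
    """Sample mean and standard deviation of a list of numbers."""
    n = len(values)
    mean = sum(values) / n
    var = sum((v - mean) ** 2 for v in values) / (n - 1)
    return mean, math.sqrt(var)


def static_baseline_alerts(series, train_len, z=Z_THRESHOLD):
    """Fit mean/std once on the first train_len points and never update them.
    Scores the remaining points and returns how many of them would alert."""
    mean, std = _mean_std(series[:train_len])
    std = max(std, 1e-9)  # guard against a flat training window
    return sum(1 for v in series[train_len:] if abs((v - mean) / std) > z)


def adaptive_baseline_alerts(series, train_len, alpha=0.3, z=Z_THRESHOLD):
    """Seed mean/variance on the training window, then for each new point:
    score it against the current baseline, then fold it into the baseline with
    an exponentially weighted update (the standard incremental EWMA form).
    alpha is the smoothing factor: higher values forget the past faster.
    Returns how many of the scored points would alert."""
    mean, std = _mean_std(series[:train_len])
    var = std * std
    alerts = 0
    for v in series[train_len:]:
        if abs((v - mean) / max(math.sqrt(var), 1e-9)) > z:
            alerts += 1
        diff = v - mean
        mean += alpha * diff
        var = (1 - alpha) * (var + alpha * diff * diff)
    return alerts


if __name__ == "__main__":
    train = len(BASELINE_DAYS)
    print("post-shift days:", len(SHIFTED_DAYS))
    print("static baseline alerts:  ", static_baseline_alerts(SERIES, train))
    print("adaptive baseline alerts:", adaptive_baseline_alerts(SERIES, train))
```

Run it and the static baseline alerts on every one of the 30 post-shift days, while the adaptive baseline alerts once, on the day the shift happens, and then absorbs the new normal. On the stationary part of the series neither approach alerts. The smoothing factor alpha is the practitioner’s knob: a higher value tracks legitimate change faster, but it also means a slow, deliberate ramp by an attacker is absorbed into the baseline more easily, so alpha and the threshold have to be chosen together, and this single-variable z-score is a far simpler model than the platform the excerpt describes.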
MixMode vs. Next-Generation SIEM
MixMode is built around robust predictive analytics, an area where SIEM lags far behind. Rather than scoring events against a baseline fixed from historical log data, MixMode continuously updates its model of expected network behavior. The result is real-time threat detection and predictive analysis grounded in actual, current network behavior.
MixMode can be deployed as a standalone solution or in parallel with a traditional SIEM. In either case, the upgrade helps organizations reduce overall cost and resource requirements: MixMode delivers real-time and predictive threat detection, noise reduction, and deep investigation at a fraction of the cost of a typical SIEM.
MixMode vs. False Positives
Based on validated data, both customers profiled in our real-world examples achieved greater than 95 percent suppression of false positives in the first week, compared with the false positive rate delivered by their outdated, rules-based SIEM approaches.
Fewer false positive alerts mean a lighter workload for the analysts tasked with combing through them. Instead of spending their experience and judgment on the monotonous work of alert triage, those analysts can focus their time on true threats and anomalies.