The following is an excerpt from our recently published guide, “The Next Generation SOC Tool Stack – The Convergence of SIEM, NDR and NTA.” In this guide we analyze the failed promises of SIEM platforms, how Network Traffic Analysis (NTA) and Network Detection and Response (NDR) tools fit into the equation, and how third-wave, self-supervised AI is created outside the limitations of the legacy architectures that are holding back many of today’s security vendors.
The Problem with Relying on Log Data for Cybersecurity
One of the most prevalent issues impacting the effectiveness of security teams that use SIEM as their primary means of threat detection and remediation is that log data is an attractive medium for modern hackers to exploit. Bad actors consistently breach networks through tactics like phishing, using behaviors that are unlikely to trigger a SIEM response (or even an endpoint or firewall response). Once inside the network, hackers head straight for an organization’s SIEM logs, modify them, and begin launching insider attacks against other network assets. Today’s hackers are also skilled at creating malware that looks legitimate enough to trick a SIEM.
Because SIEM is not sophisticated enough to identify this kind of attack in anything near real time, or to recognize it as anomalous, these embedded attacks can cause damage for months before being detected.
SIEM vendors struggle to answer questions about whether their services actually offer “real-time threat prevention” or “predictive analysis.” Coulehan says this is because they typically don’t. SIEM has a foundational dependence on historical log data as the basis for what the industry terms “normal or appropriate network behavior.” The fundamental flaw of traditional SIEM best practices is their exclusive dependence on retroactive, outdated log information.
“It’s hard to position the SIEM as a real-time or predictive solution when the primary data it leverages is exclusively historical log data,” he says. “Before it can be used, the log data is extracted, transformed, replicated, and normalized. The success or failure of a typical SIEM deployment is often subjective and is always dependent on the experience and expertise of the ever-increasing number of personnel required to maintain those systems.”
“Every SIEM customer ultimately objects to the hidden, ever-increasing cost and resource investment required. The lack of quantifiable business impact on operational improvement, efficiency, or revenue further adds to the frustration and difficulty justifying additive investment,” he adds.