The average corporate security organization spends $18 million annually but is largely ineffective at preventing breaches, IP theft and data loss. Why? The segmented approach we currently use in the Security Operations Center (SOC) does not work.
Here’s a quick refresher on security operations and how we got to where we are today: A decade ago, we protected our applications and websites by monitoring event logs – digital records of every activity that happens in our cyber environment, from logins and emails to configuration changes. Logs are audited, flags raised, suspicious activities investigated and data stored for compliance purposes.
The security-driven data stored in a data lake can be, in its original form, structured or unstructured, and therefore dimensional, dynamic and heterogeneous, which gives data lakes their distinction and advantage over data warehouses.
As malicious actors and adversaries became more active, and their tactics, techniques, and procedures (or TTPs in security parlance) became more sophisticated, simple logging evolved into an approach called “Security Information and Event Management” (SIEM), which uses software to provide real-time analysis of security alerts generated by applications and network hardware. SIEM software uses rule-driven correlation and analysis to transform raw event data into potentially valuable intelligence.
While this was no magic bullet (it’s challenging to implement and get everything working properly), the ability to find the so-called “needle in the haystack” and identify attacks in progress was a huge step forward.
Today, SIEMs still exist, and the market is led largely by Splunk and IBM QRadar. Of course, the technology has advanced significantly as new use cases constantly emerge. Many companies have moved to cloud-native deployments and are taking advantage of machine learning and sophisticated behavioral analysis. However, deployments of new enterprise SIEMs are lower, costs are higher, and – most importantly – the overall needs of the CISO and the hard-working SOC team have changed.
New security demands are putting the SIEM under strain
First, the data has exploded, and the SIEM is very narrowly focused. Merely collecting security events is no longer sufficient because the aperture on this dataset is too narrow. While there is likely a large amount of event data to capture and process from your own environment, you may be missing large amounts of additional information such as OSINT (open-source intelligence), consumable external threat feeds, malware and IP reputation databases, and reports of dark web activity. There are endless sources of intelligence, too many for a SIEM’s dated architecture.
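As an added illustration of the rule-driven correlation described in the refresher above, and of the external-feed enrichment this section says a SIEM is now expected to do, here is a small Python example. It is not code from the article or from any SIEM product; the log lines, the log format, the threat-feed entries, the 60-second window and the three-failure threshold are all constructed for the example.

```python
"""Toy SIEM-style correlation rule with external-feed enrichment.

Added illustration, not code from the original article or any vendor product.
The log lines, their key=value format, the threat feed, the 60-second window
and the threshold of three failures are constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed auth log lines in a syslog-like key=value shape (an assumption
# about the format; real sources need their own parsers).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01 sshd auth=failed user=alice src=203.0.113.7",
    "2024-03-01T10:00:05 sshd auth=failed user=alice src=203.0.113.7",
    "2024-03-01T10:00:09 sshd auth=failed user=alice src=203.0.113.7",
    "2024-03-01T10:00:12 sshd auth=success user=alice src=203.0.113.7",
    "2024-03-01T10:03:00 sshd auth=failed user=bob src=198.51.100.2",
    "2024-03-01T10:10:00 sshd auth=failed user=bob src=198.51.100.2",
    "2024-03-01T10:10:30 sshd auth=success user=carol src=192.0.2.44",
]

# Constructed stand-in for an external IP reputation feed.
THREAT_FEED = {"203.0.113.7"}

WINDOW = timedelta(seconds=60)   # correlation window (constructed value)
THRESHOLD = 3                    # failures needed before a success is suspicious


@dataclass
class Event:
    ts: datetime
    outcome: str
    user: str
    src: str


def parse_line(line: str) -> Event:
    """Normalise one raw log line into fields; a rule cannot run on free text."""
    ts_str, _process, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return Event(datetime.fromisoformat(ts_str), fields["auth"], fields["user"], fields["src"])


def correlate(lines):
    """Rule: >= THRESHOLD failed logins from one source within WINDOW, then a
    success from that same source. Returns a list of alert dicts; the severity
    is raised when the source appears on the threat feed (enrichment step)."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for ev in map(parse_line, lines):
        recent = failures[ev.src]
        # Drop failures that fell out of the sliding window.
        while recent and ev.ts - recent[0] > WINDOW:
            recent.popleft()
        if ev.outcome == "failed":
            recent.append(ev.ts)
        elif ev.outcome == "success" and len(recent) >= THRESHOLD:
            alerts.append({
                "rule": "bruteforce_then_success",
                "src": ev.src,
                "user": ev.user,
                "failures_in_window": len(recent),
                "severity": "high" if ev.src in THREAT_FEED else "medium",
            })
            recent.clear()   # one alert per burst, not one per later success
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Run against the constructed lines, the rule fires once: three failures for alice from 203.0.113.7 within 60 seconds followed by a success, escalated to high severity because that address is on the feed. Bob's two failures are seven minutes apart, so the window evicts the first before the second arrives and no alert is raised; this sliding-window state is exactly what a correlation engine has to keep per source, and it is the part that grows with data volume.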
Additionally, cost has exploded along with the data. Data explosion + hardware + license cost = increasing total cost of ownership. With infrastructure both physical and virtual, the amount of information being captured has exploded. Machine-generated data has grown 50 times, while the average security budget grows 14% year over year.
The cost of storing all this information makes the SIEM cost-prohibitive. The average cost of a SIEM reaches around $1 million annually, and that is just for licenses and hardware. The economics of the SOC force teams to capture and/or retain less information in an effort to keep costs under control, which further reduces the effectiveness of the SIEM. I recently spoke with a SOC team that wanted to query large datasets looking for evidence of fraud, but doing so in Splunk was cost-prohibitive and a slow, tedious process, leaving the team to explore options.
The drawbacks of the SIEM approach today are alarming and terrifying. A recent survey by the Ponemon Institute of nearly 600 IT security leaders found that despite spending an average of $18.4 million annually and using an average of 47 products, 53% of IT security leaders “didn’t even know whether their products were working or not.” It is clearly time for a change.