Gone are the days when security meant creating a password, or deploying AV, or just configuring the firewall. Of course, they’re not just gone, these days are long gone. Password security, for one, was first implemented by the Massachusetts Institute of Technology and Bell Laboratories in the 1960s. Antivirus came later, in the 1980s, following the first anti-virus virus, “Reaper”, in the 1970s. Then, as more and more computers became connected and internet attacks on networks became a thing, firewalls were developed and deployed for protection.
Next came the need to add a centralized and customized threat detection capability. As more and more intellectual property and data was being stored digitally, it became increasingly necessary to quickly and accurately identify threats. And so we came to SIEM, or Security Information and Event Management. The term was coined almost 20 years ago, in 2005, describing the next generation (and eventual replacement) of siloed Security Event Management and Security Information Management tools. These days, though, the idea that SIEM is the only way to embed a threat detection capability is also on the way out.
Ten years ago, your only viable option for threat detection was either to invest in a SIEM or, for sophisticated enterprise security teams, to build one internally. The idea was to ingest and centralise all logs, then, based on a threat detection use case, write rules to detect threats and generate alerts to be actioned as a result. While SIEMs are great for log storage, management and compliance, fully utilising the SIEM’s threat detection capability requires significant input from skilled professionals: what I call the hidden cost.
Purchasing an enterprise grade SIEM solution and assuming your threat detection worries will disappear is like buying an F1 car and thinking you'll be able to race like Lewis Hamilton. If you don’t have a capable driver and a sophisticated team to maintain it, the car will sit in the garage gathering dust.
Unfortunately, I’ve seen this happen with SIEMs and stretched security operations teams time and time again.
To further illustrate this point, we recently surveyed just over 100 IT Security decision makers in the UK. More than 80% of all respondents said they use SIEM technologies as part of their security tech stack. Unfortunately this hasn’t put an end to alert fatigue and poor visibility: 84% of our respondents acknowledged that they don’t have full visibility of their alerts. For me, this validates that SIEMs themselves are indeed in need of a lot of fine-tuning, otherwise they end up being just another noisy alerting tool.
We’ve seen a proliferation of sophisticated security tooling being made available to purchase off-the-shelf, able to detect malicious or anomalous activity across the entire IT environment. These tools have their own native threat detection engines — managed/tuned by the vendor — they analyse data and then generate alerts. Or in other words, they detect threats based on a specific threat detection use case and then generate alerts as a result of this.
I hope that sounds familiar. I call these tools mini-SIEMs. Particularly in the SMB and mid-market, we’re seeing security teams rely more and more heavily on these products. This means that for the stretched infosec team, the problem has fundamentally changed. They’re having to dedicate a significant portion of their time to responding to the alerts generated by these threat detection products. The problem is that the majority of alerts generated by these threat-detecting mini-SIEMs are false positives, meaning it’s a challenge to surface the genuine signal amongst the noise.
In a world where the threat detection capability we’ve associated with SIEMs is being decentralized, investment should therefore be directed to the ‘right’ threat detection tools. Investment should go to tools that address your business’ specific threat detection use case concerns, and should be combined with technology that will help you triage, investigate and respond effectively.
So, I suppose the challenge I make to you, the reader, in keeping with the topic of this blog, is this: before diving headfirst and investing big in SIEM, consider your risk appetite and resource profile carefully. There are alternative — and more suitable — models out there for threat detection and response.
And that’s where SOC.OS comes in…
SOC.OS is a SaaS-based security alert investigation and triage tool, fundamentally reimagining how security operations are conducted today. Traditional tools aren’t solving the problems faced by stretched security teams. SOC.OS is the lightweight, cost-effective, and low-maintenance alternative for your team.