There is a pernicious myth floating around: that rule-based Security Information and Event Management (SIEM) is old technology and no longer worth using today, and that modern attacks can bypass rule-based SIEMs. This is partly true, but mostly false. There are large, older companies out there that don’t use SIEMs to defend their data, and they do so at their own risk. There are newer, smaller companies that don’t use SIEMs either. Whether out of ignorance, necessity, or choice, they are giving up valuable protection that can be the difference between a massive data breach and simply another day in security operations.
Rule-based SIEMs have been around for a while, but they are by no means obsolete. When compared against machine learning programs and UEBA solutions, rule-based and real-time correlation SIEMs like ArcSight are still the fastest way to detect known attack patterns.
What is SIEM best used for?
When you know what you’re looking for and want to catch malicious activity as fast as possible, SIEMs are the way to go. They are almost instantaneous and don’t require a lot of computing power compared to machine learning. They work by encoding rules and thresholds that trigger an alert as matching events occur. Rules can be relatively simple, like sending an alert if someone has more than 3 failed logins after 8pm. Rules can get fairly complex as well, but essentially you’re telling the SIEM what to look out for.
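As an added example (not code from the article, ArcSight or Micro Focus), the "more than 3 failed logins after 8pm" rule above implemented as a sliding-window correlation over constructed auth log lines. The syslog-like line format, the 10-minute window, and the grouping by user and source address are assumptions; the article specifies only the count and the time of day.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth events (not from the article); timestamps are local time.
SAMPLE_LOGS = """\
2024-03-04T19:55:10 host1 sshd: Failed password for alice from 10.0.0.5
2024-03-04T20:01:12 host1 sshd: Failed password for alice from 10.0.0.5
2024-03-04T20:01:40 host1 sshd: Failed password for alice from 10.0.0.5
2024-03-04T20:02:05 host1 sshd: Failed password for alice from 10.0.0.5
2024-03-04T20:02:30 host1 sshd: Failed password for alice from 10.0.0.5
2024-03-04T20:03:00 host1 sshd: Accepted password for alice from 10.0.0.5
2024-03-04T14:10:00 host1 sshd: Failed password for bob from 10.0.0.9
2024-03-04T14:10:05 host1 sshd: Failed password for bob from 10.0.0.9
2024-03-04T14:10:10 host1 sshd: Failed password for bob from 10.0.0.9
2024-03-04T14:10:15 host1 sshd: Failed password for bob from 10.0.0.9
2024-03-04T21:00:00 host1 sshd: Failed password for carol from 10.0.0.7
2024-03-04T21:30:00 host1 sshd: Failed password for carol from 10.0.0.7
2024-03-04T22:00:00 host1 sshd: Failed password for carol from 10.0.0.7
2024-03-04T23:00:00 host1 sshd: Failed password for carol from 10.0.0.7
""".splitlines()

# Assumed log format: "<iso timestamp> <host> sshd: Failed password for <user> from <src>"
FAILED_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)$")

def evaluate_rule(lines, threshold=3, window_minutes=10, after_hour=20):
    """Correlation rule: alert when one user (from one source) has more than
    `threshold` failed logins within `window_minutes`, counting only events from
    `after_hour` (20 = 8pm) until midnight. The window length is an assumption."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:  # successes and unrelated messages never feed this rule
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    events.sort()  # correlation assumes time-ordered input
    recent = defaultdict(list)  # (user, src) -> failure timestamps inside the window
    alerts, fired = [], set()
    for ts, user, src in events:
        if ts.hour < after_hour:
            continue  # time-of-day condition: the rule is only active after 8pm
        key = (user, src)
        bucket = recent[key]
        bucket.append(ts)
        while (ts - bucket[0]).total_seconds() > window_minutes * 60:
            bucket.pop(0)  # slide the window forward, dropping stale failures
        if len(bucket) > threshold and key not in fired:
            fired.add(key)  # one alert per (user, source) to avoid an alert storm
            alerts.append({"user": user, "src": src, "time": ts.isoformat(), "count": len(bucket)})
    return alerts

if __name__ == "__main__":
    for alert in evaluate_rule(SAMPLE_LOGS):
        print(alert)
```

With the sample data only alice fires: bob's four failures are in the afternoon, and carol's four after-8pm failures are spread over two hours, outside the 10-minute window.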
What is UEBA best used for?
UEBA, which stands for User and Entity Behavioral Analytics, is used to determine whether any users (or entities like printers, web servers, etc.) are behaving erratically. This type of technology helps find attacks that go under the radar of traditional SIEMs because they don’t trigger any rules. For example, if an employee’s account is hijacked and used to steal company data, UEBA will detect the anomalous behavior where a SIEM might not. For compromised accounts, advanced persistent threats, and insider threats, UEBA is the best way to defend your company.
At Micro Focus, we recently acquired a powerful UEBA solution called Interset. Interset is able to analyze, detect, and respond to threats by distilling billions of events into a prioritized list of high-quality security leads that focus and accelerate threat detection. This is all done with unsupervised machine-learning technology, which allows analysts to use their time elsewhere rather than training models and fine-tuning algorithms.
How do they work together?
Using a SIEM solution will find threats fast, as long as you know what you’re looking for. It’s a good baseline for any protected enterprise to have a well-maintained SOC with the most up-to-date correlation rules. ArcSight’s Enterprise Security Manager (ESM) is arguably the most powerful real-time correlation engine on the market today, and may be the most customizable as well. The addition of UEBA with Interset allows ArcSight to prioritize threats like never before, as well as identify user behavior that isn’t likely to trigger any correlation rules. By using them both, you combine the coverage and capabilities of ArcSight ESM’s real-time correlation with the powerful unsupervised machine-learning benefits of Interset.
You don’t need to replace your SIEM with a UEBA. SIEMs still hold a valuable position in your SOC, and can work in tandem with a good UEBA solution. Micro Focus is combining ArcSight and Interset to provide more complete security coverage within your SOC.
For more information, check out our latest video Next-Gen SOC | Episode 3: Correlation, Machine Learning, and Threat Hunting.