It SIEMs to Me
Most of us have a SIEM (Security Information and Event Management) these days. We are collecting events from across our systems and networks, and if you are fortunate, your SIEM has a good correlation engine that alerts you to the highest severity events. That is helpful, but more and more of our analysts are suffering from alert fatigue. In a recent ESG survey, 63% of respondents said that security analytics and operations (SecOps) continue to grow more difficult. Couple that with the shortage of skilled cybersecurity professionals and we have a tsunami of trouble headed for our Security Operations Centers (SOCs). Fatigue, harder SecOps, and a skills shortage: Oh my! It SIEMs to me that we need a Smarter SIEM!
What is a Smarter SIEM? It is a SIEM that reduces the alert fatigue on your team. It makes the job easier so you are more productive. And in light of the skills shortage, it lets your less experienced team members work effectively alongside your more experienced ones.
How does it make our job easier and more productive? Today a high priority correlated event is assigned to an analyst, who then has to research it from scratch. Where did it come from? Did it originate inside the organization or outside? What data is involved? Has anyone seen this before? If so, and if it really is a problem, how did they remediate it? That is a great deal of work per alert, and yes, it lends itself to alert fatigue. A Smarter SIEM understands the event and tags it with a specific tactic and technique from a framework, because this behavior has been seen before. It then points you to the procedure examples of how that technique has been used in real intrusions and to the mitigations and detections others have applied against it. You do not have to go and search; you are pointed directly to the information. The tag does not replace the analyst's judgment, since benign administration often uses the same techniques as an attacker, but it turns open-ended research into a short confirmation, saving you time and making you more productive.
How does this help me with the skills shortage and with less experienced analysts? You probably thought I left out explaining the framework mentioned above. I would not do that, because it is actually the most important part of what makes this work. MITRE ATT&CK defines every tactic and technique with a stable identifier and a written description. It becomes the Rosetta Stone of cyber attacks: a specific, shared vocabulary that your entire staff uses, experienced and less experienced alike. Now we are all speaking the same language. When the SIEM tags an event as a specific technique, you refer back to the framework and it tells you what adversary behavior the event matches, what it is typically used for, and what to look for next. The open-ended research is already done and mapped out; what remains is confirming that this instance is hostile. The threat has been named, and that leads us closer to remediation.
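To make the tagging concrete, here is an added example (not code from the original post or from any particular SIEM vendor) that runs a few constructed log lines through three small detection rules and enriches each hit with its ATT&CK tactic, technique and mitigations. The technique, tactic and mitigation IDs are real ATT&CK identifiers, but the lookup table is a tiny hypothetical subset of the knowledge base, the key=value log format and the five-failure brute-force threshold are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Constructed subset of MITRE ATT&CK (Enterprise). The IDs are real ATT&CK
# identifiers; the selection is a hypothetical lookup table standing in for
# the full knowledge base a real SIEM would carry.
ATTACK = {
    "T1110": {"name": "Brute Force", "tactic": "TA0006 Credential Access",
              "mitigations": ["M1032 Multi-factor Authentication",
                              "M1036 Account Use Policies",
                              "M1027 Password Policies"]},
    "T1059.001": {"name": "Command and Scripting Interpreter: PowerShell",
                  "tactic": "TA0002 Execution",
                  "mitigations": ["M1049 Antivirus/Antimalware",
                                  "M1045 Code Signing",
                                  "M1038 Execution Prevention"]},
    "T1021.001": {"name": "Remote Services: Remote Desktop Protocol",
                  "tactic": "TA0008 Lateral Movement",
                  "mitigations": ["M1032 Multi-factor Authentication",
                                  "M1035 Limit Access to Resource Over Network",
                                  "M1026 Privileged Account Management"]},
}

def attack_url(technique_id):
    """Technique page on attack.mitre.org; sub-techniques use /T1059/001/ paths."""
    return "https://attack.mitre.org/techniques/" + "/".join(technique_id.split(".")) + "/"

# Assumed log format: ISO timestamp followed by key=value or key="quoted value" pairs.
PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
ENCODED_RE = re.compile(r"\s-e(c|n\w*)?\s", re.IGNORECASE)

def parse_event(line):
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    for key, val in PAIR_RE.findall(rest):
        event[key] = val.strip('"')
    return event

def _finding(technique_id, subject, evidence):
    entry = ATTACK[technique_id]
    return {"technique": technique_id, "name": entry["name"], "tactic": entry["tactic"],
            "subject": subject, "evidence": len(evidence), "first_seen": evidence[0]["ts"],
            "mitigations": entry["mitigations"], "reference": attack_url(technique_id)}

def tag_events(lines, brute_threshold=5):
    """Apply three rules and return ATT&CK-tagged findings for the analyst."""
    findings, failed = [], defaultdict(list)
    for ev in (parse_event(l) for l in lines):
        kind = ev.get("event")
        if kind == "logon_failed":
            failed[ev.get("src")].append(ev)  # counted per source, judged below
        elif (kind == "process_create"
              and ev.get("image", "").lower().endswith("powershell.exe")
              and ENCODED_RE.search(ev.get("cmdline", ""))):
            findings.append(_finding("T1059.001", ev.get("host"), [ev]))
        elif kind == "logon_success" and ev.get("logon_type") == "10":  # 10 = RemoteInteractive
            findings.append(_finding("T1021.001", ev.get("src"), [ev]))
    for src, evs in failed.items():
        if len(evs) >= brute_threshold:  # a single failure is not a technique
            findings.append(_finding("T1110", src, evs))
    return findings

def summarize(finding):
    """One analyst-facing block: what it is, where to read, what others did about it."""
    return (f"{finding['tactic']} / {finding['technique']} {finding['name']} "
            f"on {finding['subject']} ({finding['evidence']} events, first {finding['first_seen']})\n"
            f"  reference: {finding['reference']}\n"
            f"  mitigations: {', '.join(finding['mitigations'])}")

# Constructed sample events: a password spray from 10.0.0.5, a benign failure from
# 10.0.0.9, an encoded PowerShell launch, a normal script, then an RDP logon from 10.0.0.5.
SAMPLE_LOGS = [
    f"2024-05-01T10:00:0{i}Z host=web01 src=10.0.0.5 user=admin event=logon_failed"
    for i in range(1, 7)
] + [
    "2024-05-01T10:00:09Z host=web01 src=10.0.0.9 user=bob event=logon_failed",
    "2024-05-01T10:00:10Z host=web01 src=10.0.0.9 user=bob event=logon_success logon_type=2",
    '2024-05-01T10:01:00Z host=ws07 user=alice event=process_create '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"',
    '2024-05-01T10:01:30Z host=ws07 user=alice event=process_create '
    'image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell.exe -NoProfile -File C:\\ops\\backup.ps1"',
    "2024-05-01T10:02:00Z host=fs01 src=10.0.0.5 user=admin event=logon_success logon_type=10",
]

if __name__ == "__main__":
    for f in tag_events(SAMPLE_LOGS):
        print(summarize(f))
```

Read top to bottom, the three findings tell a story the raw events do not: Credential Access (brute force from 10.0.0.5) followed by Lateral Movement (an RDP logon from the same address) and Execution (an encoded PowerShell launch), each with a link to the technique page and the mitigation IDs an analyst can act on. The benign `-File` launch and the single failed logon from 10.0.0.9 produce nothing, which is the point of the threshold and the encoded-command check.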
MITRE ATT&CK is a knowledge base of adversary tactics and techniques built from observed, publicly reported intrusions. Think of this quote from Sun Tzu: "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." MITRE documents the "Art of War for Cyber Attacks." Because of their work, we know what a given technique looks like and what it is used for. Because they have done the research, each technique comes with procedure examples of the groups and malware that have used it before, along with the mitigations and detections that have been applied against it.
A SIEM that incorporates the MITRE ATT&CK framework is truly a Smarter SIEM. It helps your team speak the same cyber language. Your team is armed with the "Art of War for Cyber Attacks." With that knowledge your team can anticipate what is likely to come next in the attack chain and be that much closer to remediation. It SIEMs to me that you should consider a Smarter SIEM.