They said “Why bother?” They said “It’s too hard.” They said “Why now?” They said “The market is too crowded.”
They say a lot of things!
We are living in a time when adversaries need less and less time to compromise an organization, and the cost of a data breach, both financial and reputational, can cripple a company. The stakes could not be higher.
It is time to raise the effectiveness of security teams by cleaning up the crowded security analytics market and its complex patchwork of products. It is time to stop investing in “next-gen” SIEM solutions that are delivering diminishing value and look at SIEM in a whole new way. And the future is Abstract.
The Early Days of SIEM
I grew up at ArcSight from 2001-2011, when SIEM was just starting to be defined and there were only four companies on the scene: ArcSight, Net Forensics, E-Security, and Network Intelligence.
I developed customer use cases with the most powerful correlation engine on the market and deployed Security Operations Centers (SOCs) for the largest, most complex organizations in the world, led by some of the most brilliant up-and-comers. That gave me a perspective on the challenges that companies are facing in real-world environments. I also witnessed the devolution of SIEM.
How Compliance Regulations Changed the SIEM Landscape
We were moving forward, solving real-world security challenges, when along came Enron, whose epic 2001 failure resulted in the Sarbanes-Oxley Act. Shortly thereafter, the Payment Card Industry Data Security Standard (PCI DSS) was introduced. Both of these compliance mandates required that logs from critical business systems handling financial and cardholder data be collected and retained. This was a game changer for security teams. Organizations were now collecting logs that were not previously in scope for SIEM, and those logs contained data that was an attractive target for attackers.
As the scale and complexity of these logs continued to grow, Splunk hit the market with a novel approach: just write the logs to disk and don't worry about normalization; fast read-and-write without the analytics. How could they do analytics? The data was raw, so to use it at all it had to be parsed at search time (schema on read) rather than at collection. As Splunk was making inroads with a pure logging solution, at ArcSight we were going after higher-level business outcomes: looking for insider threats, converging physical and logical security (shameless link to book), and detecting fraud in large financial systems. It was a very different outlook on SIEM.
Entering the XDR and Data Swamp Era
Logging solutions caused a market shift in SIEM, from solving complex security problems with advanced analytics to what I like to call search-based analytics. As log volumes became immense, the “SIEM” logging solutions could not deliver both scale and analytics, and analytics lost. Security teams had a new challenge: they had all the data but couldn’t do anything with it. Costs went through the roof, the analyst’s ability to build detections using true correlation and analytics hit an all-time low, and teams were living in the data swamp. This brought about a whole new category of technology built adjacent to, or on top of, SIEM, called XDR, yet most XDR platforms should really have been features of SIEM.
Are We Just Modernizing Mistakes?
For the last few years, big tech companies have been putting out “new” versions of SIEM and others are branding themselves as next-gen SIEM. The problem is, they’re just putting lipstick on a pig. They’re taking an old logging solution, wrapping a Python library around it, sticking it in the cloud with a new dashboard, and calling it next-gen SIEM. Sadly, most of these “next-gen” SIEM offerings are already about two-thirds of the way through their tech lifecycle.
We cannot just keep building on a broken premise. Back in 2002, I wrote a paper called Got Correlation? Not without Normalization, and this premise still holds true. You cannot truly perform analytics or correlation without normalizing data, and this excerpt from my paper gives a short explanation of why:
What is correlation? Correlation is derived from the word correlate, which means to be in or bring into mutual relation. That’s the dictionary definition, but the “information security world” interprets correlation as having the ability to access, analyze, and relate different attributes of events from multiple sources to bring something to the attention of an analyst that would otherwise have gone unnoticed.
- Searching is not correlation, by definition
- Single-event matching is not correlation
The Future is Abstract
Our job as security experts is to detect the adversaries who threaten our customers’ livelihood, and the way to do that is to truly understand the data sources. Then and only then can you differentiate the data that matters for detection from the data that is only being stored for compliance. That is what lets us bifurcate security and compliance use cases.
Let me give you an example. During my time at Verodin (acquired by Mandiant, now part of Google Cloud), I met with numerous customers who would explain how effective their detection strategies were and how great their MITRE ATT&CK coverage was; however, when we ran live-fire attacks in their environments, the rules wouldn't fire! Why? Because they were not actually collecting the right logs (either misconfigured or simply not enabled) from the right sources to trigger the rule. This led to a false sense of security.
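The two points above, that correlation only works on normalized attributes related across sources (the Got Correlation? excerpt) and that a rule cannot fire on data that was never collected (the Verodin anecdote), can be shown in a few dozen lines. The following Python is example code written for this page, not ArcSight, Splunk, Verodin or Abstract Security code. The firewall key=value format, the host name, the TEST-NET addresses and every log line are constructed for the example; the sshd lines follow the familiar OpenSSH syslog shape but are likewise made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (hypothetical host "host5",
# TEST-NET addresses). Not real customer data.
# Source 1: a firewall that logs key=value pairs and calls the client "src".
FIREWALL_RAW = [
    "ts=2024-03-01T08:00:01Z action=deny src=203.0.113.7 dst=10.0.0.5 dport=21",
    "ts=2024-03-01T08:00:02Z action=deny src=203.0.113.7 dst=10.0.0.5 dport=23",
    "ts=2024-03-01T08:00:03Z action=deny src=203.0.113.7 dst=10.0.0.5 dport=445",
    "ts=2024-03-01T08:00:04Z action=allow src=203.0.113.7 dst=10.0.0.5 dport=22",
    "ts=2024-03-01T08:05:00Z action=allow src=198.51.100.9 dst=10.0.0.5 dport=22",
]
# Source 2: sshd syslog lines, which spell the same client attribute as "from <ip>".
SSHD_RAW = [
    "2024-03-01T08:00:05Z host5 sshd[812]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "2024-03-01T08:00:09Z host5 sshd[812]: Accepted password for deploy from 203.0.113.7 port 51240 ssh2",
    "2024-03-01T08:05:02Z host5 sshd[901]: Accepted publickey for admin from 198.51.100.9 port 40022 ssh2",
]

FW_RE = re.compile(r"ts=(\S+) action=(\S+) src=(\S+) dst=(\S+) dport=(\d+)")
SSHD_RE = re.compile(
    r"(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize(raw_lines):
    """Parse-at-collection: map each raw line onto one schema so that the same
    attribute (the client IP) is called src_ip whatever the source called it.
    Lines that match neither format are dropped; they would be searchable as
    text but carry no attributes a rule could relate."""
    events = []
    for line in raw_lines:
        m = FW_RE.match(line)
        if m:
            ts, action, src, dst, dport = m.groups()
            events.append({"ts": parse_ts(ts), "source": "firewall", "src_ip": src,
                           "dst_ip": dst, "dport": int(dport), "outcome": action})
            continue
        m = SSHD_RE.match(line)
        if m:
            ts, verdict, user, src = m.groups()
            events.append({"ts": parse_ts(ts), "source": "sshd", "src_ip": src, "user": user,
                           "outcome": "success" if verdict == "Accepted" else "failure"})
    return sorted(events, key=lambda e: e["ts"])


def search(raw_lines, needle):
    """Search-based 'analytics': single-event matching. Every hit is returned with
    no notion of what the same client did before, or in another source."""
    return [line for line in raw_lines if needle in line]


REQUIRED_SOURCES = {"firewall", "sshd"}   # what the rule below needs to see
WINDOW = timedelta(minutes=10)
SCAN_PORTS = 3


def correlate(events):
    """Correlation: relate attributes across sources. Alert when a client that the
    firewall denied on >= SCAN_PORTS distinct ports then gets an accepted sshd
    login within WINDOW. No single event, in either source, triggers this."""
    denied = defaultdict(dict)   # src_ip -> {dport: first time seen}
    alerts = []
    for e in events:             # time-ordered, so "then" is meaningful
        if e["source"] == "firewall" and e["outcome"] == "deny":
            denied[e["src_ip"]].setdefault(e["dport"], e["ts"])
        elif e["source"] == "sshd" and e["outcome"] == "success":
            recent = {p: t for p, t in denied.get(e["src_ip"], {}).items()
                      if e["ts"] - t <= WINDOW}
            if len(recent) >= SCAN_PORTS:
                alerts.append({"src_ip": e["src_ip"], "user": e["user"],
                               "scanned_ports": sorted(recent), "login_ts": e["ts"]})
    return alerts


def coverage_gaps(events):
    """Required sources that contributed nothing: the rule can never fire on this
    data, regardless of what a coverage map claims."""
    return REQUIRED_SOURCES - {e["source"] for e in events}


if __name__ == "__main__":
    events = normalize(FIREWALL_RAW + SSHD_RAW)
    print("search hits:", search(FIREWALL_RAW + SSHD_RAW, "Accepted"))  # 2 hits, one benign
    print("alerts:", correlate(events))                                  # only 203.0.113.7
    # Same rule, but firewall logging was never enabled: silent non-detection.
    partial = normalize(SSHD_RAW)
    print("alerts:", correlate(partial), "missing sources:", coverage_gaps(partial))
```

Searching for "Accepted" returns both logins, the scanner's and the administrator's, and gives the analyst no way to tell them apart; the rule fires only for the client whose firewall denies and sshd success share a normalized src_ip inside the window. Feed it the sshd lines alone, as happens when firewall forwarding is misconfigured or never enabled, and it returns nothing at all while the rule still looks "deployed", which is exactly the gap that a live-fire test exposes and that coverage_gaps reports directly.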
At Abstract Security, we help customers gain insight into their visibility gaps by understanding their data sources, their environment, and the detection scenarios they have in place. The Abstract Security platform allows for security data to be separated from compliance and observability data. This saves money, saves resources, and saves time, freeing analysts up to focus on the threats that matter. Rather than search for needles in a haystack, we will just give you the needles and tell you which ones are the sharpest. This gives our customers a true understanding of detection effectiveness and helps them create a roadmap for continued improvement.
We are transcending the practice of building next-gen solutions on a broken premise. We are building the security data platform of the future. Join us on the journey. The future is Abstract.