[The Lost Bots] Season 2, Episode 1: SIEM Deployment in 10 Minutes

Welcome back to The Lost Bots! In the first installment of Season 2, Rapid7 Detection and Response (D&R) Practice Advisor Jeffrey Gardner and his new co-host Stephen Davis, Lead D&R Sales Technical Advisor, give us their five pillars of success for deploying a security information and event management (SIEM) solution. They tell us which pillars are their favorites and how security practitioners — including our hosts themselves — sometimes misstep in these areas.

Watch below for a rundown of how to successfully deploy a SIEM, all in a cool 10 minutes. (Fair warning: Your actual SIEM deployment might take slightly longer than it takes to watch this episode.)

Throughout Season 2, Jeffrey and Stephen will talk through some of the biggest topics and most pressing questions in D&R and cybersecurity, both one-on-one and with guests. We'll be publishing new episodes on the last Thursday of every month. See you in July!

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.


Additional reading:

The Average SIEM Deployment Takes 6 Months. Don’t Be Average.

If you’re part of the huge growth in demand for cloud-based SIEM (Security Information and Event Management), claim your copy of the new Gartner® Report: “How to Deploy a SIEM Solution Successfully.”

Depending on which SIEM you choose and how you approach the process, getting to an operational and effective state can take days, months, or much longer.

Here are the Gartner report’s key findings:

  1. “Ineffective security information and event management (SIEM) deployments occur when requirements and use cases are not aligned with the organization’s risks and risk tolerance.”
  2. “Clients deploying SIEM solutions continue to take an unstructured approach when deciding which event and data sources to onboard, with the goal of getting every source in from the beginning. This leads to long and complex implementations, cost overruns, and higher probabilities of stalled or failed implementations.”
  3. “SIEM buyers struggle to choose between on-premises, cloud, or hybrid deployments due to the complexities created by the various environments that need to be monitored, e.g., on-premises, SaaS, cloud infrastructure and platform services (CIPS), remote workers.”

SIEM centralizes and visualizes your security data to help you identify anomalies in your environment. But nearly all SIEMs require you to do a ton of customizing and configuration. Nearly all disappoint with their detections. And nearly all will exhaust you with false-positive alerts… every hour of every day… until analysts start ignoring alerts, which will surely doom you someday.

Now, here’s what we think

Rapid7 began building InsightIDR nearly a decade ago. While the threat landscape keeps changing, our mission never has: to empower you to find and extinguish evil earlier, faster, easier.

InsightIDR has never been a traditional SIEM. You should consider it if:

Fast deployment is a priority to you. InsightIDR leads the SIEM market in deployment times. With SaaS delivery and a native cloud foundation, customers can be deployed and operational in days and weeks – not months and years.

Time-to-value and tangible ROI matter to your leadership team. InsightIDR combines the best of next-gen SIEM with native extended detection and response (XDR). Get highly correlated UEBA, EDR, NDR, and Cloud detections alongside your critical security logs and policy monitoring, compliance dashboards, and reporting in a single pane of glass.

Your team is tired of false positives. InsightIDR's expertly vetted detection library provides holistic threat coverage across your entire attack surface. An emphasis on high-fidelity, low-noise detections ensures that all alerts are relevant and ready for action.

You’re ready to accelerate your security posture. InsightIDR empowers teams to up-level their security and achieve sophisticated outcomes – without the complexity of traditional SIEMs. Embedded security orchestration, automation, and response (SOAR) capabilities give you enviable security operations center (SOC) automation and enable even new analysts to respond like experts.

Don’t forget your copy of the new Gartner® Report: “How to Deploy a SIEM Solution Successfully.”

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner, How to Deploy a SIEM Solution Successfully, Andrew Davies, Mitchell Schneider, Toby Bussa, Kelly Kavanagh, 7 July 2021

Every security tool vendor talks about detection and response, so what makes NDR so special, and how does it relate to XDR / Open XDR?

NDR is special because it focuses on the nerve center of an organization’s IT infrastructure: the network. Wireless or wired device, endpoint or server, application, user or cloud – all are connected to the network, and the network never lies. It’s the foundation of truth about what’s happening in the IT infrastructure.

Network Detection & Response

NDR solutions use non-signature-based techniques (for example, machine learning or other analytical techniques) for unknown attacks alongside quality signature-based techniques (for example, threat intelligence fused in-line for alerts) for known attacks to detect suspicious traffic or activities. NDR can ingest data from dedicated sensors, existing firewalls, IPS/IDS, metadata like NetFlow, or any other network data source, assuming strategic placement of sensors and/or other network telemetry. Both north/south and east/west traffic should be monitored, in physical and virtual environments alike. All data is collected and stored in a centralized data lake, where an advanced AI engine detects suspicious traffic patterns and raises alerts.

Once alerts are triggered, the analyst or the NDR solution must respond. Response is the critical counterpart to detection and is fundamental to NDR. Automatic responses, such as sending commands to a firewall to drop suspicious traffic or to an EDR tool to quarantine an affected endpoint, and manual responses, such as providing threat hunting or incident investigation tools, are common elements of NDR.
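The two paragraphs above describe the NDR loop in the abstract: signature-based matching for known attacks, a non-signature baseline for unknown ones, separate handling of north/south versus east/west traffic, and an automatic response that drives a firewall or EDR tool. The script below is an added example that walks that loop end to end over a handful of constructed NetFlow-style records; it is not code from the post or from any vendor's product. The flow tuple layout, the indicator set (a documentation-range address), the per-host baselines, and the response actions are all assumptions made for illustration.

```python
"""Toy NDR loop: signature + anomaly detection over flow records, with a
mapped response per alert. Added example; every constant below is constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed RFC 1918 ranges standing in for the monitored internal networks.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed threat-intelligence indicator set (signature-based detection).
# 203.0.113.0/24 is documentation address space, so this is not a real indicator.
KNOWN_BAD_IPS = {"203.0.113.45"}

# Constructed per-host baseline of east/west bytes per interval as (mean, stdev),
# the kind of profile a non-signature detector learns from historical telemetry.
EAST_WEST_BASELINE = {
    "10.0.1.10": (50_000.0, 10_000.0),
    "10.0.1.11": (60_000.0, 12_000.0),
}
Z_THRESHOLD = 3.0

# Constructed NetFlow-style records: (src, dst, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 445, 40_000),      # ordinary east/west volume
    ("10.0.1.11", "10.0.2.21", 445, 900_000),     # far above this host's baseline
    ("10.0.1.11", "10.0.2.22", 445, 800_000),
    ("10.0.1.10", "203.0.113.45", 443, 1_200),    # north/south to a listed indicator
    ("192.168.5.5", "198.51.100.7", 443, 3_000),  # benign north/south
]


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def direction(src, dst):
    """Classify a flow as east/west (internal to internal) or north/south."""
    return "east-west" if is_internal(src) and is_internal(dst) else "north-south"


def signature_alerts(flows):
    """Known attacks: flag any flow whose endpoints match a threat-intel indicator."""
    alerts = []
    for src, dst, port, _nbytes in flows:
        hit = next((ip for ip in (src, dst) if ip in KNOWN_BAD_IPS), None)
        if hit:
            host = src if hit == dst else dst  # the side of the flow we manage
            alerts.append({"type": "known_bad_ip", "host": host,
                           "indicator": hit, "port": port})
    return alerts


def anomaly_alerts(flows, baseline=EAST_WEST_BASELINE, z=Z_THRESHOLD):
    """Unknown attacks: per-host east/west byte volume scored against its baseline."""
    volume = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if direction(src, dst) == "east-west":
            volume[src] += nbytes
    alerts = []
    for host, total in volume.items():
        if host not in baseline:
            continue  # no profile yet; a real NDR keeps learning instead of alerting
        mu, sigma = baseline[host]
        score = (total - mu) / sigma if sigma else 0.0
        if score > z:
            alerts.append({"type": "east_west_volume", "host": host,
                           "bytes": total, "zscore": round(score, 1)})
    return alerts


def plan_response(alert):
    """Map an alert to the automatic response the post describes (assumed actions)."""
    if alert["type"] == "known_bad_ip":
        return {"target": "firewall", "action": "drop", "ip": alert["indicator"]}
    return {"target": "edr", "action": "quarantine", "host": alert["host"]}


def run_ndr(flows):
    """Detect, group alerts into per-host incidents, and attach a response to each."""
    incidents = defaultdict(list)
    for alert in signature_alerts(flows) + anomaly_alerts(flows):
        incidents[alert["host"]].append({**alert, "response": plan_response(alert)})
    return dict(incidents)


if __name__ == "__main__":
    for host, alerts in run_ndr(SAMPLE_FLOWS).items():
        print(host)
        for alert in alerts:
            print("  ", alert)
```

Running it yields two incidents: the host that contacted the listed indicator gets a firewall drop for that address, and the host whose east/west volume sits far outside its baseline gets an EDR quarantine. The grouping by host is the simplest form of the alert-to-incident correlation mentioned later in the post; a production system would also correlate across hosts and time windows, and would gate the quarantine action behind a confidence threshold rather than firing on a single z-score.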

So how does XDR relate to all this? In our view, NDR and XDR are not an either/or proposition. In fact, our Open XDR Platform incorporates NDR functionality natively, along with next-generation SIEM, threat intelligence and many other functions necessary for security operations. Using our dedicated sensors or integrations with existing security tools like firewalls, our platform captures and analyzes network traffic along with server logs, user information, endpoint data and many other data types to give security analysts a 360-degree view of their entire security infrastructure, along with the ability to respond quickly.

Our AI engine analyzes data from all sources across the IT infrastructure for anomalies and unknown threats (including NDR for network traffic), and correlates and combines related alerts into incidents. Those incidents are presented in our Loop dashboard interface in order of risk priority. This way, analysts are no longer chasing down every individual alert like swatting away so many flies, but can focus their attention on actual complex attacks – where they are occurring, how they’re occurring, and what to do about them, in a very efficient manner. And in many cases, our Open XDR Platform responds automatically by triggering actions in a firewall or EDR system, for example.

The result of natively incorporating NDR as part of XDR is that our platform captures the real truth about what’s happening in your IT infrastructure, presents actionable information clearly with context and in order of priority, and allows analysts to counteract actual attacks instead of chasing hundreds or thousands of individual alerts each day. By combining NDR and Open XDR, we make security fun and effective again!

The post NDR vs. Open XDR – What’s the difference? appeared first on Cybersecurity Insiders.

SIEM and XDR: What’s Converging, What’s Not

Let’s start with the conclusion: Security information and event management (SIEM) isn’t going anywhere anytime soon.

Today, most security analysts are using their SIEMs for detection and response, making it the core tool within the security operations center (SOC). SIEM aggregates and monitors critical security telemetry, enables companies to monitor and detect threats specific to their environment and policy violations, and addresses key regulatory and compliance use cases. It has served – and will continue to serve – very important, specific purposes in the security technology stack.

Where SIEMs have traditionally struggled is in keeping pace with the threat landscape, which expands and changes daily. Very, very few security teams have the resources to consume all the relevant threat intelligence, then create the rules and configure the detections necessary to find those threats.

Rapid7’s SIEM, InsightIDR, is the exception, designed with a detections-first approach.

InsightIDR leverages internal and external threat intelligence, encompassing your entire attack surface. Our detection library includes threat intelligence from Rapid7’s open-source community, advanced attack surface mapping, and proprietary machine learning. Detections are curated and constantly fine-tuned by our expert Threat Intelligence and Detections Engineering team.

InsightIDR is the only SIEM that can actually do extended detection and response (XDR). And we can’t help but think all the XDR buzz is the security industry’s way of letting you know that, yes, detection and response performance is still lacking.

A cloud SIEM can provide a strong XDR foundation — agile, tailored, adaptable, and elastic

A cloud SIEM approach gives you an elastic data lake that lets you collect and process telemetry across the environment. And the core benefits of SIEM are yours: log retention, fast and flexible search, reporting, and the ability to fine-tune and customize policy violations or other rules specifically for your environment or organization. Cloud SIEM with user and entity behavior analytics (UEBA) and correlation capabilities can already achieve XDR, tying disparate data sources together to normalize, correlate/attribute, and analyze.

Of course, some customers that purchased traditional SIEM for detection and response haven’t been able to get those outcomes. They don’t have a next-generation SIEM that supports big data and real-time event analysis. Perhaps machine learning and behavioral analytics aren’t there yet.

Or maybe the SIEM has security teams drowning in alerts, ignoring too many of them. Detection and response is really hard — and it really is a symphony — especially as the environment continues to sprawl and resources remain scarce.

XDR aims to solve the challenges of the SIEM tool for effective detection and response to targeted attacks and includes behavior analysis, threat intelligence, behavior profiling, recommendations, and automation. The foundation is everything.

When we introduced InsightIDR some time ago, some criticized it as trying to do “too much”

It turns out we were doing XDR.

Today, our highly manicured detections library is expertly vetted by our global Rapid7 Managed Detection and Response (MDR) SOC, where we also get emergent threat coverage. It’s single-platform, integrated with raw threat intel from Rapid7’s open-source communities (Metasploit, Heisenberg, Sonar, Velociraptor) and strengthened signal-to-noise following our acquisition of IntSights external threat intelligence.

Call it what you like

SIEM and XDR are described as “alternatives,” “complementary,” and also barreling toward one another destined to collide. We’ve read how one is dead and the other is the future. (Must it always be this way?)

No matter what you call it, focus on the outcomes, not the acronyms. It's easy to get lost in the buzz, but the best products for your business will be those that address your top priorities.
