How to Optimize SIEM Performance With Threat Intelligence and IOC Matching
Information technology by its nature keeps expanding and innovating at a pace that can be daunting to keep up with. The cybersecurity market in particular is constantly developing new technologies, methodologies, and best practices to deal with equally fast-evolving cyberthreats. The security challenges faced by enterprise clients, however, have changed very little over the past couple of decades. They still want better visibility into the threats targeting them, they still struggle with data overload, and they still suffer from a shortage of human resources. The question is, why do these challenges still exist despite the progress we’ve made in establishing security standards and building better technologies?
Challenge 1: Integration
By taking a closer look at the cybersecurity deployments of large corporations, I have spotted some trends that lead to these challenges. Most of the enterprise clients I assist have many different security products in their environment. They address different use cases but are rarely cross-integrated. You could call these clients’ infrastructures ‘heterogeneous’, given how the technologies and the staff using them are effectively siloed. These silos slow down cross-communication, lengthen attack response times, and leave legacy systems overlooked and often under-utilized.
Challenge 2: Data Overload, Staffing Shortfall
The advent of SIEM[1] technology in the early 2000s has been a positive game changer for the cybersecurity industry. It also put a glaring spotlight on security challenges. When properly configured and staffed, SIEMs keep users aware of all kinds of malicious activity occurring within their networks. However, ever-expanding IT environments mean ever-expanding log volumes, which require more storage space, more processing power, and more analysts to triage the high number of alerts that SIEMs generate every day. Why more analysts? Because a classic SOC model has Tier 1 analysts who triage alerts, Tier 2 analysts who perform incident response and remediation, and Tier 3 analysts running forensics and pentesting[2]... And a fair share of these tasks are performed manually!
Challenge 3: Technology Advances Faster than We Can Hire
In the last decade, the democratization of cyber threat intelligence has added extra strain on SIEMs, as clients want to use them to compare external threat data against internal logs. In terms of order of magnitude, we’re talking about comparing tens, if not hundreds, of millions of indicators of compromise (IOCs) to billions, if not trillions, of events in a SIEM in real time. Though it’s possible in theory, it’s nowhere near efficient in practice: try asking your SIEM whether any of your assets contacted a small list of just 1,000 Command & Control IP addresses in the past year, and then tell me how many hours that search takes. The flood of data combined with staff constraints leaves organizations at a disadvantage, despite the advancements SIEMs continue to make.
Meeting the Challenges, Supercharging the SIEM
SIEMs aren’t going anywhere, and they shouldn’t — they’ve proven their value. When it comes to optimizing their capabilities, threat intelligence can make a major difference. For example, filtering down to the fraction of all IOCs that are linked to the threats most likely to target a company, and then comparing that subset to the most recent SIEM event logs (e.g., the last 90 days), enables more effective detection. However, a limited query such as this does not span threat actors’ typical dwell time, and omitting the majority of the IOCs from the query reduces its effectiveness.
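To make the trade-off above concrete, here is an added example (not code from this post or from any Anomali product) of the matching problem: a hash-set lookup keeps per-event cost constant regardless of how many IOCs are loaded, while a lookback window shorter than the attacker’s dwell time silently drops older hits. The IOC addresses, log lines, and the `parse_event`/`match_iocs` helpers are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: a tiny "threat feed" of C2 addresses (documentation
# ranges, not real indicators) and a few proxy-style egress log lines.
C2_IOCS = {"198.51.100.23", "203.0.113.77", "192.0.2.140"}

LOG_LINES = [
    "2024-01-05T10:12:01Z src=10.0.0.15 dst=203.0.113.77 bytes=512",
    "2024-03-20T08:44:19Z src=10.0.0.42 dst=93.184.216.34 bytes=2048",
    "2024-06-28T23:59:40Z src=10.0.0.15 dst=198.51.100.23 bytes=96",
    "2024-07-02T01:02:03Z src=10.0.0.99 dst=192.0.2.140 bytes=4096",
]


def parse_event(line):
    """Split one constructed log line into (timestamp, src, dst)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["src"], kv["dst"]


def match_iocs(lines, iocs, now, lookback_days=None):
    """Return (timestamp, src, dst) for events whose destination is an IOC.

    Membership is a set lookup, so the cost is O(number of events) and does
    not grow with the size of the IOC list. lookback_days=None scans the
    whole history; a value restricts the scan to a recent window.
    """
    cutoff = now - timedelta(days=lookback_days) if lookback_days else None
    hits = []
    for line in lines:
        ts, src, dst = parse_event(line)
        if cutoff is not None and ts < cutoff:
            continue  # outside the lookback window: never compared
        if dst in iocs:
            hits.append((ts, src, dst))
    return hits


NOW = datetime(2024, 7, 10)  # constructed "current time" for the scan

if __name__ == "__main__":
    print("full history:", match_iocs(LOG_LINES, C2_IOCS, NOW))
    # The January beacon to 203.0.113.77 is older than 90 days and is missed.
    print("last 90 days:", match_iocs(LOG_LINES, C2_IOCS, NOW, lookback_days=90))
```

The 90-day run reports two hits and misses the January contact with a listed C2 address, which is exactly the dwell-time gap the paragraph above describes.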
So now that we have a better understanding of why enterprise clients are still struggling with the challenges of threat visibility, data overload, and staff shortages, we can immediately identify the following areas for improvement:
- Optimizing correlation between event logs and threat intelligence, i.e., faster matching over larger time ranges while leveraging all available threat intel.
- Breaking down internal silos by improving cross-communication between teams and tools.
- Simplifying and automating security procedures so that sophisticated tasks requiring uncommon skill sets can be effectively accomplished by a broader audience.
I believe that in order to act upon these improvements, clients need to advance from using just the traditional SIEM-SOC setup — with a dash of threat intel sprinkled over the top — and instead adopt an intelligence-driven approach to securing their perimeter.
Threat intelligence comes as much from internal client data as from external sources[3], so by placing it at the center of your security architecture, you’ve already resolved your visibility challenge. Breaking down silos comes next, by centralizing team communications and software integrations around a single point of contact. Finally, automating mundane analyst tasks such as alert triage, while providing user-friendly tools for more stimulating tasks such as threat analysis, is required to optimize your staff’s time and enhance their capabilities.
The Anomali Approach
Anomali’s intelligence-driven security suite does all of the above and more:
- Anomali Match automates the detection of threats in your network by continuously correlating all available threat intelligence against all SIEM and other event logs.
- Anomali ThreatStream centralizes your threat intelligence and delivers it to your security controls to synchronize remediation across your perimeter.
- Anomali Lens provides threat intelligence knowledge and context at your fingertips with easy-to-understand visualizations and immediate confirmation whether your perimeter has been impacted (or not!) by the scanned threat.
If you want to see how Anomali can help you resolve your old security challenges with its new intelligence-driven approach, contact us for a demo.
To learn more about our SIEM integration partnerships, please visit our marketplace. To learn more about our latest cloud SIEM integration, read: Anomali, Microsoft Partnership Automates Enterprise Threat Detection and Response Operations