A breach is announced, details are released, and everyone wonders: does my organization have, or has it had, activity associated with the people or methods connected to this breach? Many organizations today can’t answer this question, as they can’t perform efficient historical analysis of past events. Anomali Enterprise provides this ability, with no impact to the SIEM.
Anomali Enterprise enhances SIEM technologies by extracting the most crucial information from SIEM data and allowing for historical searches of that data in a fraction of the time it would take to perform on a SIEM. While most SIEM solutions perform a critical role in organizations’ security infrastructures, they are generally incapable of deep retrospective analysis.
SIEM technologies generally do well with:
Anomali Enterprise, on the other hand:
Do we have this? That’s often the first question asked after a breach is publicly announced. As details around the methods and actors involved in a breach are revealed, stockpiled data can be searched to determine if the same activity has occurred internally. Sometimes. But for most organizations relying on traditional SIEM technologies, “stockpiled” data often consists of only the past three or six months of activity. This is a huge problem if the details of the recently-announced breach being investigated actually happened many months ago, or even as far back as a year.
But what if a year or more of historical data does exist? That’s great! At least, if the data was actually searchable. Most SIEM deployments store data in hot and cold storage areas, making historical searches over long periods tedious, as some data needs to be moved from cold to available.
But what if a year or more of historical data is available and online? That’s great! Unless an analyst needs to begin the search on Friday before leaving work just to get the results by Monday morning. Most SIEM deployments are designed for the near real-time analysis of log data. SOC analysts analyze a stream of data, perform basic searches on recent activity, and draw a conclusion, while correlation rules automatically perform near real-time analysis on the stream. This is the point and purpose of a SIEM, and most SIEM’s do this quite well, but when it comes to searching all data over the previous months and years, it is cumbersome.
With Anomali Enterprise, the question can be answered in seconds. Anomali Enterprise is purpose-built to collect, store and rapidly retrieve a record of all internally logged activity, allowing analysts to pinpoint activity by known bad entities in a matter of seconds.
Along with extremely fast and deep historical searching, Anomali Enterprise is also integrated with the world’s largest Threat Intelligence Platform (TIP), Anomali ThreatStream. This opens the door for Anomali Enterprise to proactively alert, in near real-time, on activity logged to known bad threats, per high fidelity intelligence from ThreatStream. Anomali Enterprise can also integrate vulnerability data from VA tools like Qualys, allowing for risk prioritization that is based on real-world activity (matches). And by leveraging the MITRE ATT&CK framework, Anomali Enterprise provides deep context across strategic intelligence enabling analyst to assess and respond with great efficiency. Also, various sources can be directed to Anomali Enterprise without the need to increase SIEM storage, licensing, processing power or overall budget.
Running historical searches over the weekend is a thing of the past with Anomali Enterprise. As an integral piece of the Anomali Threat Platform, your organization will be able to answer past, current and future questions immediately, and accurately.
As a Senior Sales Engineer at Anomali, Dave works with organizations to build and operationalize threat intelligence programs. His cyber security experience spans 20 years including the US Army, DoD, Symantec, ArcSight, Exabeam, and Q1 Labs (IBM). Dave believes in Anomali’s vision of leveraging Threat Intelligence efficiently to detect and prevent previous, current and future attacks.