Enhancing Your SIEM with Retrospective Analysis in Anomali Match

Running time consuming historical searches is a thing of the past with Anomali Match. Answer past, current & future questions immediately, & accurately.
Published on
May 30, 2019
Introduction

A breach is announced, details are released, and everyone wonders: does my organization have, or has it had, activity associated with the people or methods connected to this breach? Many organizations today can’t answer this question, as they can’t perform efficient historical analysis of past events. Anomali Match provides this ability, with no impact to the SIEM.

Anomali Match enhances SIEM technologies by extracting the most crucial information from SIEM data and allowing for historical searches of that data in a fraction of the time it would take to perform on a SIEM. While most SIEM solutions perform a critical role in organizations’ security infrastructures, they are generally incapable of deep retrospective analysis.

SIEM technologies generally do well with:

  • Collection of raw log data for store-of-record purposes (NIST 800-53)
  • Selective storage and indexing of data for near real-time analysis (and often cold storage for older data)
  • Parsing of data into fields for near real-time analysis, whether by human analysts, correlation rules, anomaly behavior analysis, pattern discovery or some other form of near real-time analysis and detection
  • Matching of logged activity against a limited set of basic threat intelligence indicator types, such as IPs or domains

Anomali Match, on the other hand:

  • Only processes and stores fields that would be relevant in performing a deep (months or years) historical search
  • Stores and indexes all relevant data for fast and efficient historical searches
  • Links back to original raw logs when available
  • Matches all current and historical log activity to all known relevant indicators, including meaningful contextual threat model data: threat bulletins, incidents, actor profiles, campaigns, TTPs, and vulnerabilities
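The retrospective workflow described above (keep only the matchable fields, index them, link back to the raw log, then match newly published indicators against the whole history), as an added illustration that is not Anomali's code. The log lines, field patterns and indicators are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample logs spanning a year; only a few fields in each line are
# worth retaining for a deep historical search (IPs, domains, file hashes).
RAW_LOGS = [
    "2018-06-02T10:11:00Z proxy src=10.1.4.22 dst=198.51.100.7 host=update-check.example",
    "2018-09-15T03:41:10Z dns src=10.1.4.9 query=cdn.badexample.test",
    "2019-01-20T08:00:45Z edr host=ws-17 sha256=" + "ab" * 32,
    "2019-05-01T12:30:00Z proxy src=10.1.4.22 dst=192.0.2.55 host=intranet.example",
]

# Extraction patterns for the only fields we store; everything else stays in the raw log.
FIELD_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"(?:host|query)=([A-Za-z0-9.-]+\.[a-z]+)"),
    "sha256": re.compile(r"sha256=([0-9a-f]{64})"),
}

def build_index(raw_logs):
    """Map (field_kind, value) -> [(log_id, timestamp)] so a lookup is a dict hit,
    not a scan of every archived line. log_id is the link back to the raw log."""
    index = defaultdict(list)
    for log_id, line in enumerate(raw_logs):
        timestamp = line.split(" ", 1)[0]
        for kind, pattern in FIELD_PATTERNS.items():
            for value in pattern.findall(line):
                index[(kind, value)].append((log_id, timestamp))
    return index

def retrospective_match(index, indicators, raw_logs):
    """Answer 'did we ever see this?' for indicators published today by consulting
    the index of all history, returning hits oldest-first with the raw log attached."""
    hits = []
    for kind, value in indicators:
        for log_id, timestamp in index.get((kind, value), []):
            hits.append({"kind": kind, "value": value,
                         "timestamp": timestamp, "raw": raw_logs[log_id]})
    return sorted(hits, key=lambda hit: hit["timestamp"])

# Constructed indicators released with a breach report, some over a year after the activity.
INDICATORS = [("ip", "198.51.100.7"), ("domain", "cdn.badexample.test"),
              ("sha256", "ab" * 32), ("ip", "203.0.113.9")]

if __name__ == "__main__":
    for hit in retrospective_match(build_index(RAW_LOGS), INDICATORS, RAW_LOGS):
        print(hit["timestamp"], hit["kind"], hit["value"], "<-", hit["raw"])
```

The unmatched indicator (203.0.113.9) produces no hit, while the three that do match point straight back to the 2018 and early-2019 lines without rescanning the archive.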

Why this matters

Do we have this? That’s often the first question asked after a breach is publicly announced. As details around the methods and actors involved in a breach are revealed, stockpiled data can be searched to determine whether the same activity has occurred internally. Sometimes. But for most organizations relying on traditional SIEM technologies, “stockpiled” data often consists of only the past three or six months of activity. This is a huge problem if the activity behind the recently announced breach actually happened many months ago, or even as far back as a year.

But what if a year or more of historical data does exist? That’s great! At least, if the data is actually searchable. Most SIEM deployments store data in hot and cold storage areas, making historical searches over long periods tedious, as some of the data first needs to be moved from cold storage back online.

But what if a year or more of historical data is available and online? That’s great! Unless an analyst needs to begin the search on Friday before leaving work just to get the results by Monday morning. Most SIEM deployments are designed for the near real-time analysis of log data. SOC analysts analyze a stream of data, perform basic searches on recent activity, and draw a conclusion, while correlation rules automatically perform near real-time analysis on the stream. This is the point and purpose of a SIEM, and most SIEMs do this quite well, but when it comes to searching all data over the previous months and years, it is cumbersome.

With Anomali Match, the question can be answered in seconds. Anomali Match is purpose-built to collect, store and rapidly retrieve a record of all internally logged activity, allowing analysts to pinpoint activity by known bad entities in a matter of seconds.

Useful Things

Along with extremely fast and deep historical searching, Anomali Match is also integrated with the world’s largest Threat Intelligence Platform (TIP), Anomali ThreatStream. This opens the door for Anomali Match to proactively alert, in near real-time, on logged activity that matches known bad threats, based on high-fidelity intelligence from ThreatStream. Anomali Match can also integrate vulnerability data from VA tools like Qualys, allowing for risk prioritization based on real-world activity (matches). And by leveraging the MITRE ATT&CK framework, Anomali Match provides deep context across strategic intelligence, enabling analysts to assess and respond with great efficiency. Also, various sources can be directed to Anomali Match without the need to increase SIEM storage, licensing, processing power or overall budget.

Running historical searches over the weekend is a thing of the past with Anomali Match. As an integral piece of Anomali, your organization will be able to answer past, current and future questions immediately, and accurately.
