When it comes to searching for and detecting threats, the response to an incident is not the only thing that matters; the search strategy employed from the start is equally important. This is why any kind of reactive alert must be complemented with a proactive attitude toward the analysis and detection of threats.
In this sense, the Cytomic Platform goes even further: it correlates and analyzes over 56 million interconnected events in real time every week. Its starting point is threat hunting and a zero-trust vision, with centralized capacities to visualize the health of the protection, discover unprotected endpoints and immediately carry out instant installations from the console, as well as visibility of the applications and versions installed, among other capabilities.
With these capacities we can obtain indicators of the presence of attacks on the network, find out which assets have been compromised, and thus establish a customized remediation plan. However, there are other kinds of solutions that, in and of themselves, do not fulfill this proactive approach: SIEM alerts.
The popularity of SIEM alerts
These alerts are the tool most commonly used by SOCs to protect cybersecurity in all kinds of companies. They entrust the reliability of the processes on their IT systems to this kind of automated technology, which reports any issue that may occur.
This is what we can see in the SANS 2019 Threat Hunting Survey: The Differing Needs of New and Experienced Hunters. In the study, 575 small, medium and large organizations that work in threat hunting or alongside threat hunters were surveyed. The results show that SIEM alerts are still widely used among organizations, and that 66.2% of organizations employ them because of how easy they are to use. There are reasons for this, since SIEMs enjoy certain advantages in corporate environments.
1.- Automatic analysis. SIEM tools analyze the state of the processes occurring on the IT system and classify thousands of events in order to evaluate their behavior and detect possible anomalies that could lead to a cyberattack.
2.- Evaluation of causes. Should a cyberattack happen, this kind of alert scours the system to analyze the possible causes of the attack and how to stop it.
However, the fact that SIEM alerts are one of the most commonly used tools around doesn’t mean that they are infallible. In particular, it doesn’t mean that they alone are sufficient to protect corporate cybersecurity autonomously and on their own.
The SANS report states that “Organizations are still placing a strong reliance on SIEM alerts as their current go-to tool for threat hunting […] While a SIEM may be the easier source or tool for organizations to obtain, it generally provides low value from a hunting perspective.” A survey carried out by 451 Research and published on TechBeacon draws a similar conclusion: “less than a quarter of the security pros it surveyed (21.6 percent) believe they are getting full value from their SIEM systems […] only 31.9 percent of respondents said they’re getting more than 80 percent of the value they expected from their system when they installed it.”
In this sense, when it comes to fully protecting an organization’s cybersecurity, SIEM alerts have certain deficiencies that could leave a company’s environment incompletely protected:
1.- Reactive approach. Although SIEM alerts are based on known threats in order to prevent possible cyberattacks, they have a part that is fully reactive: the part that does not carry out autonomous searches for possible vulnerabilities.
2.- Unknown threats. As a result of the above strategy, SIEMs are based on searching for threats they already know, not for unknown threats. Detection of these unknown threats is left to customized alerts. According to AV-Test, 350,000 new malicious programs are registered every day. Bearing this in mind, customizing alerts to discover these new threats is an insurmountable task for most organizations, since many SOCs do not have enough professionals to update the search criteria so frequently.
3.- False positives. SIEM alerts can evaluate many events individually, but when an event occurs together with others they may fall short. This kind of tool may come across a process that, taken in isolation, could be a threat, but which, when run alongside other events, is not dangerous. This causes an increase in the number of false positives detected.
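To make the false-positive point concrete, here is an added Python example (not Cytomic code and not taken from the SANS report) that runs two rules over constructed log lines: an isolated rule that alerts on every service installation, and a correlated rule that suppresses the alert when the same host ran an approved deployment job for the same service within the preceding ten minutes. The log format, host names, service names and the ten-minute window are all assumptions made for this example.

```python
"""Isolated vs. correlated alerting over constructed service-install log lines."""
from datetime import datetime, timedelta, timezone

# Constructed sample log (not from any real system). Each line is
# "<ISO timestamp> key=value key=value ..."; values contain no spaces.
# kind=deployment_job is an approved software push; kind=service_installed
# is the kind of event a per-event SIEM rule would alert on by itself.
SAMPLE_LOG = r"""
2024-03-04T09:00:02Z host=ws-12 kind=deployment_job tool=ConfigMgr service=LogForwarder
2024-03-04T09:03:15Z host=ws-12 kind=service_installed service=LogForwarder path=C:\Agents\fwd.exe
2024-03-04T09:05:40Z host=ws-12 kind=deployment_job tool=ConfigMgr service=EDRSensor
2024-03-04T09:07:01Z host=ws-12 kind=service_installed service=EDRSensor path=C:\Agents\edr.exe
2024-03-04T10:12:09Z host=srv-03 kind=deployment_job tool=ConfigMgr service=BackupAgent
2024-03-04T10:13:30Z host=srv-03 kind=service_installed service=SyncHelper path=C:\Users\Public\sync.exe
2024-03-04T11:48:55Z host=ws-07 kind=service_installed service=BackupAgent path=C:\Temp\ba.exe
2024-03-04T12:30:00Z host=ws-12 kind=service_installed service=LogForwarder path=C:\Agents\fwd.exe
"""


def parse_line(line):
    """Parse one log line into a dict with a timezone-aware 'ts' field."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def isolated_alerts(events):
    """Per-event rule: every service installation is an alert, with no context."""
    return [e for e in events if e["kind"] == "service_installed"]


def correlated_alerts(events, window=timedelta(minutes=10)):
    """Same trigger, but suppressed when an approved deployment job for the
    same service ran on the same host within `window` before the install."""
    deployments = [e for e in events if e["kind"] == "deployment_job"]
    alerts = []
    for e in events:
        if e["kind"] != "service_installed":
            continue
        explained = any(
            d["host"] == e["host"]
            and d["service"] == e["service"]
            and timedelta(0) <= e["ts"] - d["ts"] <= window
            for d in deployments
        )
        if not explained:
            alerts.append(e)
    return alerts


def compare_rules(text, window=timedelta(minutes=10)):
    """Run both rules over the log text and report how many alerts context removed."""
    events = parse_log(text)
    isolated = isolated_alerts(events)
    correlated = correlated_alerts(events, window)
    return {
        "isolated": len(isolated),
        "correlated": len(correlated),
        "suppressed": len(isolated) - len(correlated),
        "remaining": [(e["host"], e["service"], e["path"]) for e in correlated],
    }


if __name__ == "__main__":
    for key, value in compare_rules(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed log the isolated rule raises five alerts and the correlated rule three: the two installs that followed a matching deployment job on the same host within the window are suppressed, while the install that matched no job, the one whose service name differs from the job on that host, and the one that happened hours after its job all remain. The window and the service-name match are the deliberate design choices here; widening either trades missed detections for fewer false positives.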
Complementary threat hunting
SIEM alerts can be useful for corporate cybersecurity in their reactive part. However, they should be used in conjunction with a proactive approach and strategy that constantly hunts for previously unknown threats and acts autonomously to detect and classify them.
This is why Cytomic customers enjoy extended cybersecurity, aimed at achieving interoperability with other systems and applications already in use. Thanks to this, they have available to them connectors for on-premise SIEMs and an Indicators of Compromise (IoC) API, which allows for the retrospective and real-time search for IoCs using internal and external sources.
Besides all of this, it is always accompanied by the threat hunting and insights provided by the Cytomic Platform. In this way, it all forms a complementary ensemble that ensures protection is efficient and complete.
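The retrospective IoC search described above, as an added Python example that is not Cytomic's API: it merges an "external" feed with an "internal" list, normalizes DNS, proxy and process logs into observations, and sweeps them for exact hash matches, domain-suffix matches and IP or CIDR matches. The same per-observation check would run on each new event in real time. Every indicator and log line here is constructed (RFC 5737 documentation IP ranges, .example domains, synthetic hashes), and the log format and field names are assumptions.

```python
"""Retrospective IoC sweep across DNS, proxy and process logs (added example)."""
import ipaddress
from datetime import datetime, timezone

# Constructed indicator sets: an "external" feed and an "internal" list that
# are merged before matching. All values are placeholders, not real IoCs
# (RFC 5737 documentation IP ranges, .example domains, synthetic hashes).
EXTERNAL_FEED = {
    "domain": {"update-check.example"},
    "ip": {"203.0.113.45"},
    "cidr": {"198.51.100.0/24"},
    "sha256": {"deadbeef" * 8},
}
INTERNAL_LIST = {
    "domain": {"cdn-sync.example"},
    "sha256": {"cafebabe" * 8},
}

# Constructed log excerpts. Each line is "<ISO timestamp> key=value ...".
DNS_LOG = """
2024-03-04T08:01:10Z host=ws-12 query=www.example.org
2024-03-04T08:02:33Z host=ws-12 query=files.update-check.example
2024-03-04T08:40:00Z host=srv-03 query=intranet.corp.example
2024-03-04T08:41:05Z host=srv-03 query=cdn-sync.example
"""
PROXY_LOG = """
2024-03-04T08:02:35Z host=ws-12 dst=203.0.113.45 bytes=5120
2024-03-04T08:50:12Z host=ws-07 dst=198.51.100.23 bytes=88
2024-03-04T09:10:00Z host=ws-07 dst=192.0.2.10 bytes=2048
"""
PROCESS_LOG = "\n".join([
    r"2024-03-04T08:02:40Z host=ws-12 image=C:\Agents\fwd.exe sha256=" + "a" * 64,
    r"2024-03-04T08:03:01Z host=ws-12 image=C:\Users\Public\sync.exe sha256=" + "deadbeef" * 8,
])


def merge_indicators(*sources):
    """Union several indicator dicts; CIDRs become ip_network objects."""
    merged = {"domain": set(), "ip": set(), "cidr": set(), "sha256": set()}
    for src in sources:
        for kind, values in src.items():
            merged[kind] |= set(values)
    merged["cidr"] = {ipaddress.ip_network(c) for c in merged["cidr"]}
    return merged


def parse(text, kind, field):
    """Turn '<ts> host=.. <field>=..' lines into (ts, host, kind, value) observations."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append((ts, fields["host"], kind, fields[field]))
    return out


def match(indicators, kind, value):
    """Return the matching indicator or None. This is the per-observation
    check a real-time pipeline would apply to each new event."""
    if kind == "sha256":
        return value if value in indicators["sha256"] else None
    if kind == "domain":
        for d in indicators["domain"]:
            if value == d or value.endswith("." + d):
                return d
        return None
    if kind == "ip":
        if value in indicators["ip"]:
            return value
        addr = ipaddress.ip_address(value)
        for net in indicators["cidr"]:
            if addr in net:
                return str(net)
    return None


def retrospective_sweep(indicators, observations):
    """Run the check over historical observations in time order."""
    hits = []
    for ts, host, kind, value in sorted(observations):
        ioc = match(indicators, kind, value)
        if ioc:
            hits.append({"ts": ts.isoformat(), "host": host, "kind": kind,
                         "observed": value, "ioc": ioc})
    return hits


def run():
    """Merge both indicator sources and sweep all three constructed logs."""
    indicators = merge_indicators(EXTERNAL_FEED, INTERNAL_LIST)
    observations = (parse(DNS_LOG, "domain", "query")
                    + parse(PROXY_LOG, "ip", "dst")
                    + parse(PROCESS_LOG, "sha256", "sha256"))
    return retrospective_sweep(indicators, observations)


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

The sweep reports five hits across three hosts, including a subdomain of a listed domain and an address inside a listed CIDR, which an exact-string comparison would miss. Merging the internal list with the external feed is what turns the srv-03 query into a hit; the same query against the external feed alone matches nothing.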