We’ve just finished a webinar with Intel Security and Eric Ogren from the 451 Group titled “How UBA and Machine Learning Can Turbocharge SIEM.” Having both a prominent industry analyst and a leading security vendor endorse the value of integrating machine learning and UBA with SIEM is very exciting.
It’s very timely as well. After 15 years of growth and maturity, security information and event management (SIEM) sits at the top of the enterprise security ecosystem. With its breadth of log collection, real-time monitoring, heads-up SOC displays, alert triage, and workflow and compliance, SIEM is the go-to system for security teams to manage enterprise risk.
The reach of enterprise SIEM also makes it a terrific platform for organizations to productively introduce exciting new technologies that are designed to deal with the fast-changing attack environment.
Add Security Analytics
Think about preserving all the value and investment in SIEM (which includes training, process, runbooks, reporting, etc.) while adding a boost from a new type of solution built on big data technologies: new attack detection analytics that operate on logs, network and other security data sources, so that enterprise security teams can detect attacks that have eluded real-time defenses while accelerating incident investigation and response.
Niara provides UBA-based machine learning analytics and integrated incident investigation support that leverages the storage and compute scale of big data to deliver:
- The Right Data at Scale. Selected high-value and often complementary data sources (e.g., Active Directory and VPN logs, flows, packets, files, alerts, and external threat feeds) are mined for suspicious signals and stored for long-term investigation and context.
- Advanced Analytics. Next-generation supervised and unsupervised machine learning algorithms use these “weak” signals to build up an activity baseline that highlights not just anomalous behaviors but also the malicious intent of an entity (e.g., user, host, or application).
- Integrated Forensics at Your Fingertips. Once an alert has been identified, analysts have one-click access to layered forensics, from the events contributing to a user’s or system’s attack score down to the packet level, avoiding the “swivel chair investigations” required to find, analyze and summarize critical data that is either spread across multiple systems or no longer online and available. Because Niara natively collects, analyzes and incorporates network packet and flow data in addition to logs, alerts, etc., an analyst can intercept attacks in progress and, in seconds, validate the attack and make decisions regarding the severity of the incident and the appropriate response plan.
- Seamless Integration. UBA machine learning leverages many of the same logs and alerts that an ESM, ArcSight, Splunk or QRadar system so handily collects, and often supplements that visibility with efficient and cost-effective aggregation of high-volume sources such as DNS that typically are not collected in a SIEM. This means that the investment already made for IT operations and compliance can be easily extended to produce additional value in terms of precise attack detection and accelerated incident response. In fact, a growing best practice is to deploy a UBA solution alongside SIEM with bi-directional integration, so that the SOC team can continue using their existing consoles and benefit from the attack detection and advanced threat hunting capabilities that Niara provides.
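To make the “weak signals to activity baseline” idea in the first two bullets concrete, here is an added illustration (not Niara’s code and not a description of its algorithms): a per-user baseline of login hours, VPN sources and AD hosts is learned from constructed Active Directory and VPN log lines, and a new event is scored by summing the signals on which it departs from that user’s own history. The log format, field names and signal weights are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample history (VPN and AD logon events); not from any real system.
HISTORY = """\
2016-03-01T08:12:03 vpn user=alice src=203.0.113.10 geo=US
2016-03-01T08:15:41 ad user=alice host=WS-ALICE result=success
2016-03-02T09:02:10 vpn user=alice src=203.0.113.10 geo=US
2016-03-02T09:05:00 ad user=alice host=WS-ALICE result=success
2016-03-03T08:45:22 vpn user=alice src=203.0.113.11 geo=US
2016-03-03T18:20:00 ad user=alice host=WS-ALICE result=failure
""".splitlines()

# Assumed line layout: <timestamp> <vpn|ad> user=<name> key=value ...
LINE = re.compile(r"^\S+T(\d\d):\S+ (\w+) user=(\S+)(.*)$")
# Assumed weights: each weak signal alone is low; several together raise the score.
WEIGHTS = {"unusual hour": 20, "new geo": 40, "new source IP": 10, "new host": 30}

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    hour, source, user, rest = m.groups()
    return {"hour": int(hour), "source": source, "user": user,
            **dict(re.findall(r"(\w+)=(\S+)", rest))}

def build_baseline(lines):
    """Per-user baseline: hours of activity, VPN sources and geos, AD hosts."""
    base = defaultdict(lambda: {"hours": set(), "src": set(), "geo": set(), "hosts": set()})
    for ev in filter(None, map(parse, lines)):
        b = base[ev["user"]]
        b["hours"].add(ev["hour"])
        if ev["source"] == "vpn":
            b["src"].add(ev["src"])
            b["geo"].add(ev["geo"])
        else:
            b["hosts"].add(ev["host"])
    return base

def score_event(baseline, line):
    """Return (score, reasons) for one event relative to that user's own baseline."""
    ev = parse(line)
    b = baseline.get(ev["user"])
    if b is None:
        return 100, ["never-seen user"]  # no history at all is itself a strong signal
    reasons = []
    if not any(abs(ev["hour"] - h) <= 1 for h in b["hours"]):  # allow one hour of drift
        reasons.append("unusual hour")
    if ev["source"] == "vpn":
        if ev["geo"] not in b["geo"]:
            reasons.append("new geo")
        elif ev["src"] not in b["src"]:
            reasons.append("new source IP")
    elif ev["host"] not in b["hosts"]:
        reasons.append("new host")
    return sum(WEIGHTS[r] for r in reasons), reasons
```

The returned reasons are what an analyst would want surfaced next to the score, since they point straight at the contributing events rather than at an opaque number.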
Like the NOC and other key IT operations centers, SIEM-based SOCs perform a critical role in protecting the enterprise and providing the workflow for efficient threat and attack remediation. Integrating Niara with a SIEM is like turbocharging an engine: new analytics find subtle attacks before they do damage, and incident response is cut from hours and days to minutes.