Out With the Old, In With the New: Why Legacy SIEMs Aren’t Adequate in Today’s Threat Environment
The Subtle Indicators of a Security Event
With the continued perpetuation of a wide variety of cyberattacks, such that businesses now need entire departments to manage them, hacking culture is depicted throughout every avenue of media with a nefarious figure in a hoodie and obvious signs of attack on the side of the victim. We’ve all seen the portrayal of the security analyst responding to an event in true crime television shows—some visually obvious, all-encompassing incident that disables any accessibility to systems occurs, indicating to the FBI that they’ve been breached and initiating a chain of response activity. Unfortunately for federal agencies and enterprises, actual cyberattacks and security events are not that obvious, and they certainly don’t present themselves in a grand fashion.
As explained by Splunk, legitimate, modern attacks are executed as a chain of events made up of numerous components and activities. Converse to how attacks actually happen, many threat detection technologies only address one kind of attack activity or component, which tasks users with uncovering the context of an alert in a broad system of activities; legacy SIEMs in particular.
“I think that the really important thing for federal agencies to realize is the fact that when it comes to events that are security relevant, it’s not usually just a single indicator or a single event that lets you know something’s wrong. It’s not like in movies where alarms go off and lights flash because there’s a hacker. It’s usually subtle—something that lets you know that there’s been some sort of a security breach, and that’s indicators from a variety of products. You really need something like a SIEM to pull all your security products together and get you a single pane of glass for what’s going on in your environment.”
-Erika Horton, Of the House ASE, First of Her Name, Queen of the Index Cluster, Protector of the Log Data, Breaker of Nothing and Mother of Notable Events
Architectural Flaws of Legacy SIEMs vs. the Modern Approach of Splunk ES
Knowing that proper detection requires a more comprehensive approach, it’s worth noting why legacy SIEMS are no longer adequate in today’s threat environment. One of the biggest problems with traditional legacy SIEMS is that they’re focused on aggregating events from IDS, IPS, and similar products. On the contrary, modern solutions focus on the fact that all data is security relevant data, and you need to be able to pull it all into one place to look at it comprehensively. IDS and IPS provide better indication that a malicious actor is infiltrating, but they aren’t helpful with insider threats and risks of that nature. Likewise, when a malicious actor does hack an agency with IPS, you need to be able to trek thru the system, where they’re going, and what they’re copying. If you’re only focusing on the perimeter, you’re missing two-thirds of the picture.
Beyond that, legacy SIEMs have a longer time to value and are written to have a database on the backend, which requires a lot of upfront work to normalize the data before you can put it into the system. Splunk Enterprise Security, the SIEM often recommended by August Schell, does not. Normalization for Splunk happens at search time versus ingest time, which means it’s flexible, and allows users to change data normalization at any point in the process, often referred to as schema-on-the-fly.
Traditional database architecture, including the way they store data, as well as the hardware that’s required to run them, do not make for scalability. Legacy SIEMs also weren’t intended to include all internal metrics, devices, and information, so they tend to be smaller solutions. Splunk is designed to scale on an unlimited basis because of a much more flexible architecture. You can scale down to two little servers running just a few gigabytes of data, to implementations of hundreds of servers with multiple terabytes of data per day.
Performance issues with legacy SIEMs aren’t only specific to scaling; high availability is problem, too. Many legacy SIEMs don’t include true clustering, so there’s no automatic failover, which means a significant amount of work has to be done to restore services. Conversely, Splunk has automatic failovers and clustering technologies you can utilize so that high availability is there when you need it. Where flexibility is concerned, traditional SIEM products are created with traditional security products in mind. Splunk is created with data in mind, period—any source, type, or format. You don’t have to worry about data scheme at ingest, or making the data fit Splunk; Splunk always fits your data. You’re not limited to products or use cases, either.
The Power of Flexibility: Swapping Out Your Legacy SIEM for Splunk ES, an Analytics-Driven SIEM
“In order to maximize threat intelligence for coverage, a variety of threat data must be pulled together, be easy to use and easy to operationalize, in order to enable teams to do their jobs better and faster and improve overall security posture with confidence and efficiency.”
Security is an ongoing process, and the modern IT organization can’t afford to spend excessive time investigating events, Splunk explained. A legacy SIEM simply won’t keep up with the rate at which security events have to be investigated, plus, the dominance of cloud services, while increasing efficiency, also expands the threat vectors that have to be monitored.
For these reasons, enterprise IT needs an easy way to correlate information across all security data in order to adequately manage security posture. It is far more efficient to anticipate the occurrence of security events and response in real time than it is to monitor events after they’ve already occurred—which requires an analytics-driven SIEM platform, such as Splunk ES. The biggest difference between a legacy SIEM and Splunk ES is the ability to monitor threats in real time and respond expeditiously to minimize or avoid damage. Plus, it allows for monitoring user activity and behavior internally to lessen the risk of insider threat or an unintentional compromise.
Here are six critical functionalities of Splunk ES (and six reasons why it’s necessary to swap out your legacy SIEM):
- Real-Time Monitoring
- Incident Response
- User Monitoring
- Threat Intelligence
- Advanced Analytics
- Advanced Threat Detection
Embracing Splunk With August Schell
August Schell Splunk engineers are well-versed in the limitations of legacy SIEMs, as well as the process of replacing them with a better, stronger solution. If you’re concerned about your risk exposure as a result of the use of a legacy SIEM, it might be time to evaluate an upgrade, and ASE is here to help. If your security team would like to learn more about how Splunk ES can provide better security management and monitoring capabilities, reach out to an August Schell Splunk expert, or call us at (301)-838-9470.