SIEM systems were first created for large enterprises and government agencies that were frequent targets of advanced cyber attacks. Back then, smaller and lower-profile organizations were able to get by with basic security tools as they were seldom the target of hackers. The world has changed and today cyber attacks have become so widespread and complex that small and medium-sized organizations need the same next-generation SIEM tools as large enterprises.
Next-generation SIEM technology uses advanced correlation techniques encompassing applications, transactions, pattern and behavior discovery, statistical and moving average anomalies, business process management, risk management, and global threat intelligence feeds.
Many organizations are caught between a rock and a hard place. They need industrial-strength security, but do not have the people or the budget to run a security operations center (SOC) and administer a SIEM system. SIEM systems are typically complex to administer and require teams of people for monitoring events, experts for authoring use case content, and a lot of care and feeding.
We recommend resource-strapped organizations look at cloud-based offerings from new companies providing a SOC-as-a-Service. This new breed of Managed Security Service Providers (MSSPs) uses a cloud-based shared services model. There is no upfront investment in hardware and software and no requirement to hire a team of security and SIEM experts – instead customers pay subscription fees for a turnkey service.
What should you look for in a Next-Generation MSSP?
- Support for a wide variety of log collection sources across device types, vendors, applications, and users
- Support for non-log data intelligence and the ability to actually correlate that information
- Support for user monitoring, identity and actor profiling or behavior analysis
- Asset and business process modeling
- Advanced methods of correlation from multiple devices and vectors
- Advanced use cases applicable to your business
- Active Lists for correlation with items like former employees, contractors, trusted partners, or suspicious addresses
- Escalation of threats to higher level alert priorities as suspicious activity persists
- Prioritization of threats based on Asset Criticality, Model Confidence, Relevance, and Event Severity
- Automated remediation response to specific Very High Level Alerts
- Compliance content packages and simple reports for compliance including HIPAA, PCI, SOX, FFIEC, etc.
- Threat Intelligence and Reputation Active List correlation with globally known abusive attackers, command and control servers, and malicious IP addresses
- Correlation of vulnerability scan data and specific vendor IDS threat definitions to determine if an exploit is targeting an existing vulnerability, indicating a high probability of success
- Easy-to-Use Web Portals with graphical dashboards
- Case management and Workflow
- 24×7 Expert support
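
The following Python example is added here to illustrate several checklist items working together: matching IDS alerts against vulnerability scan data, a reputation active list, asset criticality, and escalation while activity persists. It is not code from any SIEM or MSSP product; the addresses, placeholder CVE ids, weights, and level thresholds are all assumptions constructed for the example.

```python
from collections import defaultdict

# All data below is constructed for illustration
# (RFC 5737 documentation addresses, placeholder CVE ids).
VULN_SCAN = {"192.0.2.10": {"CVE-PLACEHOLDER-A"}, "192.0.2.20": set()}
ASSET_CRITICALITY = {"192.0.2.10": 3, "192.0.2.20": 1}  # 1 = low, 3 = business critical
REPUTATION_LIST = {"203.0.113.7"}  # active list of known abusive sources

IDS_ALERTS = [  # (source, destination, CVE the IDS signature maps to, severity 1-3)
    ("203.0.113.7", "192.0.2.10", "CVE-PLACEHOLDER-A", 3),
    ("203.0.113.7", "192.0.2.10", "CVE-PLACEHOLDER-A", 3),
    ("198.51.100.4", "192.0.2.20", "CVE-PLACEHOLDER-A", 3),
    ("198.51.100.4", "192.0.2.10", "CVE-PLACEHOLDER-B", 2),
]

# Minimum score for each alert level, highest first (assumed thresholds).
LEVELS = [(11, "Very High"), (8, "High"), (5, "Medium"), (0, "Low")]


def score_alert(src, dst, cve, severity, repeats):
    """Combine the correlation inputs; the weights are assumptions, not a vendor formula."""
    score = severity + ASSET_CRITICALITY.get(dst, 1)
    if cve in VULN_SCAN.get(dst, set()):
        score += 3  # exploit targets a vulnerability the scanner found on this asset
    if src in REPUTATION_LIST:
        score += 1  # source appears on the threat-intelligence active list
    score += min(repeats, 2)  # escalate while the same activity persists (capped)
    return score


def prioritize(alerts):
    """Return (src, dst, cve, score, level) for each alert, in arrival order."""
    seen = defaultdict(int)  # how often each (src, dst, cve) was already observed
    results = []
    for src, dst, cve, severity in alerts:
        key = (src, dst, cve)
        score = score_alert(src, dst, cve, severity, repeats=seen[key])
        seen[key] += 1
        level = next(name for floor, name in LEVELS if score >= floor)
        results.append((src, dst, cve, score, level))
    return results


if __name__ == "__main__":
    for row in prioritize(IDS_ALERTS):
        print(row)
```

The same severity-3 signature scores Low against the low-criticality asset with no matching scan finding, while the repeated alert against the vulnerable critical asset escalates from High to Very High.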