
How to Maximize Your SIEM Benefits

Written by Pat Haley | Nov 25, 2019 5:13:54 PM

Having the ability to aggregate and analyze data across multiple systems is a necessity for companies of all sizes, primarily for security and compliance reasons. For most businesses, SIEM (security information and event management) tools fulfill this function. But SIEM solutions as they are traditionally used can be costly, and that cost eventually leads many security teams to make important decisions based on dollars and cents rather than on actual security needs.

That doesn’t have to be the case.

There’s no disputing the advantages of a SIEM, but there are ways to modify your workflow so that you keep the benefits of centralized logging without incurring significant cost. This article covers some of the basics of SIEM usage and offers a way to enhance your SIEM’s capabilities so that it becomes more cost-effective.

The advantages of SIEM technology: Why use it?

At its core, SIEM technology aggregates and stores data, making it available for use in a wide variety of applications. Many organizations use a SIEM to meet compliance requirements (SOC 2, HIPAA, PCI DSS, etc.), but large enterprises also use it as an integral part of their threat management program. It gathers data from many sources (network devices, servers, endpoints, and more) and analyzes it for possible security threats. Alerts raised by the SIEM can then be investigated further to determine the appropriate response from your security team.

Data collection and analysis is a necessary element of any mature security program, but why use a SIEM for this work? The benefits of a SIEM are:

  • It provides a consolidated view of your data. Without it, you would need to investigate the logs of each source separately. A SIEM gives you a centralized view, making it easier to gather and analyze security information.
  • It can take in any kind of data. SIEMs are designed to accept arbitrary structured and unstructured data and normalize it into a common format. All your data goes into a centralized repository where it is stored and searchable.
  • It can be used to achieve a variety of goals. Whether you need a SIEM for audit and compliance reporting, for your security program, or for classic IT operations such as help desk or network troubleshooting, the data can be presented in a usable way. A SIEM therefore makes a lot of sense for organizations with many different use cases built on logs.
  • It is designed to be scalable. The architecture of a SIEM supports large volumes of data, so you can keep growing your data and the solution will keep up. Many major SIEM products (including IBM’s QRadar and ArcSight from Micro Focus) are designed for large enterprises.

A costly disadvantage of SIEM

The advantages listed above are the reason SIEM solutions are so popular in enterprises today. But the major disadvantage of a SIEM, its cost, erodes some of those advantages, making it hard for organizations to get the maximum value from the tool.

That’s because most SIEM vendors (with a few exceptions) charge based on data ingested, usually in gigabytes per day or events per second (EPS). Ingest volume is very difficult to predict. Organizations typically sign up for an estimated EPS figure initially, need more later, and watch the cost keep climbing. At some point, decisions about expanding the SIEM revolve around money rather than around the problems the SIEM was bought to solve. The security program suffers as a result: when an incident does occur, the data isn’t there to detect it proactively or to investigate it after the fact.

One way to address this challenge, and to make your SIEM more cost-efficient, is to enhance your SIEM workflow with the Uptycs security analytics platform. Uptycs is not a SIEM itself; it augments a SIEM by reducing the amount of data the SIEM has to process, which reduces overall cost. Often, even at that lower cost, Uptycs provides net new data that helps close infrastructure blind spots and aids investigations.

SIEM + Uptycs: How it works

A traditional SIEM workflow looks like this:

Data logs → SIEM processing → Output

Large organizations feed enormous amounts of data into a SIEM, much of it from production servers and employee workstations, which are frequently the targets of attacks. As processing costs increase, many organizations start to limit the data they pull from endpoints (even though they know it is useful), compromising the effectiveness of their security program.

Uptycs couples the osquery agent with an analytics engine to collect system data from endpoints across your organization (servers, workstations, virtual machines, cloud instances, and containers), then stores and aggregates it to enable correlation and anomaly detection. It forwards to the SIEM only the data that matters, with context, for the specific alerts or workflows you care about. If you need more data from Uptycs, to aid an investigation for example, it can be retrieved automatically through the Uptycs API.

In this way it offloads some of the data collection and analytics from your SIEM onto the Uptycs platform, which yields significant savings in SIEM ingest and storage costs. (And Uptycs does not charge by EPS or gigabytes per day.)

Here’s how the new workflow looks using Uptycs:

Data logs → Uptycs (e.g. alert) → SIEM → Output
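An added example, not Uptycs code and not from the original post, of the pre-SIEM filter-and-enrich stage that the new workflow describes: it parses osquery's newline-delimited differential results, keeps only the rows that match a rule, attaches the host's recent process starts to each match as context, and measures how much of the raw volume never reaches the SIEM. The sample log lines, the two rules, and the allowed-port list are constructed assumptions for illustration, not a real detection ruleset.

```python
"""Filter-and-enrich stage between osquery result logs and a SIEM.

Added example, not Uptycs code or code from the original post. It reads
osquery differential result lines, forwards only the events that match a
rule, attaches the host's preceding process activity as context, and
reports how much of the raw volume never reaches the SIEM. The log lines,
the two rules and the port allow-list are constructed for the example and
are not a real detection ruleset.
"""
import json
from collections import defaultdict, deque

# Assumptions for the example: ports a server is expected to listen on, and
# directories from which execution is treated as suspicious.
ALLOWED_LISTEN_PORTS = {"22", "80", "443", "5432"}
SUSPICIOUS_EXEC_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/")


def _result(name, host, t, action, **columns):
    """Build one line in the shape of an osquery differential result."""
    return json.dumps({"name": name, "hostIdentifier": host, "unixTime": t,
                       "action": action, "columns": columns})


# Constructed sample log: eight results from two hosts, newline-delimited JSON.
SAMPLE_RESULTS_LOG = "\n".join([
    _result("process_events", "web-01", 1, "added", pid="4120", path="/usr/bin/python3",
            cmdline="python3 app.py", uid="1000"),
    _result("process_events", "web-01", 2, "added", pid="4131", path="/usr/sbin/sshd",
            cmdline="sshd: deploy [priv]", uid="0"),
    _result("listening_ports", "web-01", 3, "added", pid="1207", port="443",
            address="0.0.0.0", protocol="6"),
    _result("process_events", "web-01", 4, "added", pid="4188", path="/tmp/.x/kworker",
            cmdline="/tmp/.x/kworker -o stratum+tcp://pool.invalid:3333", uid="1000"),
    _result("process_events", "db-02", 5, "added", pid="2210", path="/usr/bin/postgres",
            cmdline="postgres: checkpointer", uid="26"),
    _result("listening_ports", "db-02", 6, "added", pid="2399", port="4444",
            address="0.0.0.0", protocol="6"),
    _result("listening_ports", "db-02", 7, "removed", pid="2150", port="8080",
            address="127.0.0.1", protocol="6"),
    _result("process_events", "web-01", 8, "added", pid="4201", path="/usr/bin/curl",
            cmdline="curl -s https://example.com/health", uid="1000"),
])


def parse_results_log(text):
    """Parse newline-delimited osquery results; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def match_rules(event):
    """Return the name of the first rule the event matches, or None.

    Only 'added' results are considered: a removed row (a port that closed,
    for instance) is churn the SIEM does not need to see.
    """
    if event.get("action") != "added":
        return None
    cols = event.get("columns", {})
    if event["name"] == "process_events" and cols.get("path", "").startswith(SUSPICIOUS_EXEC_PREFIXES):
        return "exec_from_world_writable_dir"
    if event["name"] == "listening_ports" and cols.get("port") not in ALLOWED_LISTEN_PORTS:
        return "unexpected_listening_port"
    return None


def build_siem_events(events, context_size=3):
    """Walk results in time order and emit one enriched record per rule match.

    Each record carries the matched row plus the last `context_size` process
    starts seen on the same host before it, so an analyst reading the SIEM
    alert does not have to pull the raw endpoint data back to see what ran.
    """
    recent = defaultdict(lambda: deque(maxlen=context_size))
    alerts = []
    for ev in sorted(events, key=lambda e: e["unixTime"]):
        host = ev["hostIdentifier"]
        rule = match_rules(ev)
        if rule:
            alerts.append({"rule": rule, "host": host, "time": ev["unixTime"],
                           "table": ev["name"], "event": ev["columns"],
                           "context": list(recent[host])})
        if ev["name"] == "process_events" and ev.get("action") == "added":
            recent[host].append(ev["columns"])
    return alerts


def reduction_ratio(raw_count, forwarded_count):
    """Fraction of raw results that never reach the SIEM."""
    return 1.0 - forwarded_count / raw_count if raw_count else 0.0


if __name__ == "__main__":
    raw = parse_results_log(SAMPLE_RESULTS_LOG)
    siem_events = build_siem_events(raw)
    for record in siem_events:  # what would actually be shipped to the SIEM
        print(json.dumps(record))
    print(f"{len(raw)} raw results -> {len(siem_events)} SIEM records "
          f"({reduction_ratio(len(raw), len(siem_events)):.0%} not forwarded)")
```

On the constructed sample, six of the eight results stay out of the SIEM, and each of the two forwarded records already carries the process starts that preceded it on that host. The rule stage is where a team decides what it is willing to pay to ingest; the context is what keeps the forwarded record useful to an analyst without a round trip back to the endpoint data.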

 

And while a SIEM is certainly scalable, it is not necessarily designed with query performance in mind: retrieving the results of a query can take hours. Uptycs not only indexes data quickly but also responds to queries in seconds, giving you fast access to information so you can work through security challenges quickly.

If you’d like to learn about the Uptycs platform in more detail, read our white paper, Trifecta of Security @ Scale, or schedule a live demo to find out how Uptycs can be integrated into your SIEM workflow.