Four Ways CSPi Can Help Take Your SIEM Security Solutions’ Effectiveness to the Next Level
Security information and event management (SIEM) software, including Splunk, QRadar and those from other SIEM vendors, can be an extremely valuable tool in a company’s overall threat detection and prevention stack. For many companies, SIEM security solutions can also be an important tool for application management, security, and industry compliance, and even offer additional components such as business and web analytics.
However, SIEMs still have some areas where performance and value could be improved.
For example, remember that any security tool that depends on the data it ingests is only as good as the information it is provided with. This can lead to two less-than-ideal scenarios:
- Ingesting too much data (or worse, the wrong data) increases operating costs and leads to a high number of false positive alerts.
- Yet if SIEM security solutions aren’t provided with the right data, threats will be missed.
The good news is that there are new ways to solve this SIEM “ingestion dilemma” and related challenges. Let’s take a closer look at four ways that CSPi cybersecurity solutions can make your SIEM even better by improving network visibility and, as a result, accelerating your incident response capabilities.
Tip #1: Generate unsampled NetFlow data, not full packets
Using solutions such as the ARIA SDS Packet Intelligence application removes the need to send complete network packets into your SIEM. When you think about it, this decision makes sense because it is usually too much information, at too high a cost.
Instead, solutions such as ARIA SDS Packet Intelligence generate and send lightweight NetFlow/IPFIX metadata for every packet crossing the network to the SIEM security solution. Even though this is lightweight data, this NetFlow still provides the details modern SIEMs require to detect network-borne threats accurately.
Unlike network switch-generated NetFlow that is sampled at up to one flow record for every 10,000 packets, ARIA SDS Packet Intelligence provides metadata for every single packet. This means you don’t miss anything and can find possible threats much sooner.
Tip #2: Send only select data conversations (as requested) to find specific threats
The ARIA SDS Packet Intelligence application classifies all traffic as it crosses the network. It gives security teams the flexibility to take action on that traffic, including creating copies, shunting, redirecting, forwarding, or selecting particular data conversations based on filters such as SRC/DST (source and destination), so that only the requested conversations are ingested by the SIEM.
For example, this can be part of the incident response process after an issue has been identified by the SIEM, especially if an incident response workflow requires that the actual data be reviewed for further investigation.
In this case, sending select data increases the effectiveness of the SIEM security solution by providing packet-level detail on malware or threat payloads, without having to ingest all packets to find them. Additionally, this may eliminate the need for further incident response and reduce related costs.
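As an added illustration of Tips #1 and #2 (example code written for this article, not CSPi’s or ARIA’s), the following Python aggregates constructed packets into NetFlow-style 5-tuple flow records, shows which conversations a 1-in-10,000 sampled export drops, and then applies a SRC/DST filter to select only the conversations a SIEM has asked for. The addresses, ports, traffic mix and deterministic 1-in-N sampling are assumptions.

```python
"""Added example: unsampled vs sampled flow records, then SRC/DST selection.
Not CSPi/ARIA code; all traffic below is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    size: int


def build_packets():
    """Constructed traffic: one bulk SMB transfer of 59,000 packets followed by
    five short 'beacon' conversations of three packets each (assumed values)."""
    pkts = [Pkt("10.0.0.5", "10.0.0.9", 51000, 445, "tcp", 1400) for _ in range(59000)]
    for i in range(5):
        pkts.extend(Pkt(f"10.0.1.{i}", "10.0.2.200", 40000 + i, 8443, "tcp", 120)
                    for _ in range(3))
    return pkts


def flows(pkts, sample_rate=1):
    """Aggregate packets into 5-tuple flow records (src, dst, sport, dport, proto).
    sample_rate=N keeps every Nth packet, modelling a switch that exports sampled
    NetFlow; sample_rate=1 is the per-packet (unsampled) metadata of Tip #1."""
    recs = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for i, p in enumerate(pkts):
        if i % sample_rate:
            continue  # packet not sampled: it never reaches the exporter
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        recs[key]["packets"] += 1
        recs[key]["bytes"] += p.size
    return dict(recs)


def missed_by_sampling(pkts, sample_rate):
    """Flow keys present in the unsampled export but absent at sample_rate."""
    return sorted(set(flows(pkts)) - set(flows(pkts, sample_rate)))


def select_conversations(recs, src=None, dst=None):
    """Tip #2: forward only records matching a SRC and/or DST filter."""
    return {k: v for k, v in recs.items()
            if (src is None or k[0] == src) and (dst is None or k[1] == dst)}


if __name__ == "__main__":
    pkts = build_packets()
    print(len(flows(pkts)), "flows unsampled;", len(flows(pkts, 10000)), "at 1:10000")
    print("missed:", missed_by_sampling(pkts, 10000))
    print("selected:", select_conversations(flows(pkts), dst="10.0.2.200"))
```

The five three-packet beacon conversations never appear in the 1:10,000 export, while the unsampled records expose every one of them and can be narrowed to the destination an analyst is investigating.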
Tip #3: Stop east-west network-borne threats immediately
Firewalls can only see and stop threats coming in from the Internet; their specialty is north-south traffic. They typically don’t monitor east-west traffic within a network, and they don’t look inside trusted VPN tunnels running between sites or to a public cloud environment.
Endpoint security tools can only recognize threats once they land on a device, which means that they tend to miss many other forms of a breach, such as insider threats, compromised credentials, data leaks, data exfiltration, and more.
Good news: The same probes and intelligent network interface cards (NICs) that generated the metadata described above are already sitting in-line. They can be directed to intercept and stop threat conversations on the network as those conversations are identified by the SIEM security solution, as instructed by a SOC team, or through SOAR APIs. Stopping a specific threat conversation between two devices is a much better approach than taking critical devices or VMs off the network.
This provides a “surgical” means to stop threat conversations deeper within the network—covering east-west as well as north-south conversations. As a result, you’ll keep critical processes running safely by blocking potential threats and providing time to implement remediation action plans.
Tip #4: Review previously recorded network activities to locate impacted devices and identify exposed records
By integrating our nVoy Series Recorder with your SIEM security solutions, any recorded metadata can be immediately revisited for all of the impacted devices. Alternatively, you can select captured data feeds to be replayed (such as those recorded against important data assets that may contain PII or PHI).
This integration helps to identify the exact records that may have been exposed and provides historical information on all impacted devices to determine root cause and identify patient zero.
In summary, SIEMs are important security tools and should continue to be a core part of any company’s security infrastructure. By following these four tips, any company can significantly improve its SIEM security solution’s performance and overall value.
How do we go about doing this? Our ARIA Packet Intelligence application provides enhanced network security insights, so the SIEM and security teams can make better decisions, faster and more effectively.
Also, as an added measure of security, it makes sense to protect the data from the inside. CSPi delivers with an easy-to-deploy Key Management Server application that can generate thousands of encryption keys per minute to secure per-data and application transactions.
To learn more, visit www.cspi.com.
CSPi is a leading cybersecurity firm that has been solving security challenges since 1968. Our security solutions take a radically different approach to enterprise-wide data security by focusing on the data at its source, securing DevOps applications and leveraging network traffic for actionable insights. CSPi’s ARIA SDS platform uses a simple automated approach to protect any organization’s critical data, including PII/PHI, on-premises and in public clouds, whether it is in use, in transit, or at rest. Our Myricom® nVoy Series appliances provide compliance assurance, automated breach verification and network monitoring enabled by the 10G dropless packet capture capabilities of our Myricom® ARC intelligent adapters.