Who ya gonna call (to make the most of your SIEM data)?

· 4 MIN READ · DAVE JOHNSON AND TYLER ZITO · OCT 31, 2022 · TAGS: Cloud security / MDR

“Detectin’ makes us feel good!”

Are you troubled by strange alerts in the middle of the night?

Do you experience feelings of dread in your on-prem or cloud environment?

Have you or your security team ever seen a spook, specter, or ghost malware outbreak that you had trouble detecting quickly and remediating?

For some security professionals, even the briefest consideration that a SIEM might not be the centerpiece of their security stack is a spooky, Shyamalan-esque, jumpscare movie they’d only watch from behind the couch (with popcorn, of course).

But Expel ain’t afraid of no ghosts…

For the record, we aren’t The Gatekeeper of SIEM. We’re The Keymaster, helping generate additional security value from your environment directly without having to rely entirely on a SIEM. In addition, as a somewhat radical challenge to industry trends, we can cross the streams between SIEM and the rest of your technology. We work with the tech our customers have in place, including their existing SIEM alerts and custom notables, to tailor the service to their requirements. The result combines top-shelf 24×7 SOC and best-of-breed security technologies optimized for your technical and business context, improving visibility and mean time to detect and remediate (MTTD/MTTR).

Fundamentally, what is a SIEM, anyway? Traditionally, a SIEM is a grouping of rules and logic that extract interesting events from a large set of data which, up until recently, was the only choice many of us had in trying to make sense of all the spooky log stuff coming out of our environments. We’ve spent the past decade or so using SIEMs to solve a problem that other technologies are also solving (or as an add-on–agents, for example). Endpoint detection and response (EDR), intrusion detection systems (IDS), and intrusion prevention systems (IPS), cloud access security brokers (CASBs), privileged access management (PAM)–there are plenty of acronyms and abbreviations to choose from. This doesn’t mean SIEMs are no longer useful—they absolutely are—but the ecosystem of high-fidelity solutions is expanding and evolving to address the complexity of evolving attacker methodology.

But now a different problem rises from the grave: “how can we keep track of it all?” Should we try to scale by adding more rules and building a bigger SIEM? Or maybe elevate to a higher plane of existence where there is no SIEM, only ruuuuules! (and detections).

Let’s say you did decide to go the route of building a bigger SIEM. Consider a known constant, like the general size of a Twinkie. If we scale a standard SIEM to keep pace with the requirements of new telemetry and the massive, increasing complexity of data, we’ll end up with a SIEM Twinkie weighing in at several hundred pounds. You’re likely going to need even more people to lift that giant SIEM Twinkie than you currently have today.

Let’s talk about getting to that higher plane and making that giant SIEM Twinkie a more manageable size, shall we?

Historically in the cybersecurity service industry, when someone asks if your product is a SIEM, you say yes! (or something to that effect). Except here, because Expel isn’t a SIEM. We’re a security operations provider that incorporates SIEM alert data with all the other relevant sources of security information in your environment. The whole is greater than the sum of the parts, and this approach magnifies the detection and response impact of your security stack and team.

The Expel Workbench™ is the next step in the technical evolution of security monitoring. Ultimately, whether you believe in the existence of SIEM and its power to improve visibility in your cybersecurity environment, or not, we can help.

Now, when there’s something strange in your environment, the SIEM has to know what to look for, and if it doesn’t then it won’t know what to alert you about. An integrated platform (like Workbench) knows exactly what to watch for. What’s abnormal? What’s paranormal [fx: lightning flash, thunderclap, evil laughter]? A modern, sophisticated SOC, where your existing SIEM is a part of the set-up, boosts time to response and efficiency, improving triage and enhancing investigations.

For example, let’s say we get an alert for a host named “StayPuft” engaging in malicious-looking user behavior. Additionally we’ve noticed, user “Elvis” is doing something strange. Because of the way we use automation for in-depth initial triage and correlation, our analysts have the time they need to investigate the user in detail. Who is “Elvis” and when was the last time we saw them log in? Has there been any other strange behavior here? Is this the kind of behavior we expect from this user in this situation? Or is it completely harmless and would never ever possibly cause any sort of destruction?

Armed with a full complement of relevant information from different sources and defensive layers, analysts can report back to the customer, quickly and accurately, with insight into appropriate next steps.

Customers who import their finely honed SIEM into a tool like Workbench can translate all the human hours invested in development into customized rules for their special use cases. In other cases, they may realize they no longer need a SIEM, only rules—specifically, all the proprietary detection rules that come with Expel Workbench that have direct relevance to the security tools you have in your stack. Imagine firing a beam of high-energy positrons at the malicious entity to “Expel” their activity from your environment into a containment vessel. (See what I did there? Expel? Get it?)

Everything I’m describing also lowers your overhead management and time spent on your SIEM. You literally get the best of both dimensions.

There’s a better, less scary way to team up and make the challenge of fielding security alerts much easier and actually enjoyable. If you have questions about how we can help you do exactly that, we’d be happy to talk.

We hope you enjoyed the absolutely necessary original Ghostbusters movie references. Have a Happy Halloween and may nothing too spooky happen over the holiday.

But if it does…. Who ya gonna call?