Why SOCs want to break away from legacy SIEMs
COMMENTARY: A struggle has unfolded in the security operations center (SOC). For decades, security teams have balanced their financial needs against their security needs to determine which data they should use and keep to secure their organizations. However, as data volumes and storage costs continue to soar, this imperfect approach has led to one of the SOC’s biggest challenges: the data paradox.
The data paradox refers to the struggle between the need to collect and analyze vast amounts of data for security purposes, and the rising cost and complexity of managing that data. The evolving speed and sophistication of our adversaries has exacerbated the problem: The average breakout time observed in 2023 was down to 62 minutes, according to our recent research, and the fastest recorded attack was only 2 minutes and seven seconds.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
Adversaries are only getting faster, and it’s critical that SOC teams match their speed. However, as organizations migrate to the cloud and adopt SaaS and AI technologies, security teams struggle to detect, investigate and respond to threats because of the massive amounts of data that teams must ingest and analyze. As a result, many are losing the race against adversaries.
Why legacy SIEMs failed
One culprit responsible for the data paradox is the security information and event management (SIEM) tools that were originally designed 20 years ago to centralize data from disparate tools so teams could use it to secure their businesses. However, these SIEM tools were built for a time when log volumes and adversary speed were a fraction of what they are today. They have failed to evolve and scale alongside the exponential growth of data volumes and changing adversary sophistication.
Imagine the team needs to investigate an incident, and it wants quick access to all of the company’s data to gain a full picture of the incident and determine next steps. That is now impossible for many SOC teams because ingesting all of the critical data for a full investigation is too time-consuming and costly when using legacy SIEM tools. SOC teams are forced to make budget-conscious choices on which data to analyze, leading to an incomplete picture, inadequate investigation and response, and insufficient protection against breaches.
To gain the data and visibility they need, security teams have created patchwork architectures consisting of legacy SIEMs, multiple data lakes, and detection and response tools. This approach has become problematic because security analysts are relegated to “data wranglers” who spend their time navigating multiple consoles and manually correlating data. As a result, they are diverted from their core mission of protecting the business.
Break the data paradox with Next-Gen SIEM
A new generation of SIEM (Next-Gen SIEM) has emerged to help security teams scale and ingest every source of data they have without breaking the bank. These cloud-native tools are fundamentally changing how the SOC operates, allowing teams to finally break free of the data paradox problem.
Security teams no longer have to make tradeoffs on which data to use or discard based on budget considerations. With a Next-Gen SIEM’s scalable cloud architecture, there is no need for additional servers and manpower to handle growing data volumes. Additionally, with innovative compression technology, SOC teams can now retain data for months or even years at costs lower than those of legacy SIEMs.
These Next-Gen SIEM tools promise consolidation to help accelerate investigations and drive faster detection. Analysts no longer have to pivot between consoles and manually piece together data. There is no need to forward and periodically retrieve EDR, cloud workload or identity protection logs, and no worries about network latency or backlogs, because critical data is already in the platform and available for correlation, reducing the mean time to detect.
With rapid data growth and an evolving threat landscape, it’s critical that the SOC address the struggle between the desire to ingest and store all of its data and the need to control ingestion and storage costs. Placing SOC teams in a constant state of making critical decisions about data has far-reaching implications, such as security blind spots, slow investigation times and SOC analyst fatigue, all of which heighten the risk of a breach. It’s time that we move away from legacy SIEMs and embrace Next-Gen SIEMs to improve SOC performance.
Ajit Sancheti, general manager, Falcon Next-Gen SIEM, CrowdStrike
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.