Elastic
By James Spiteri - Solutions Architect, Cyber Security Specialist
Organisations face a deluge of daily threats today that a decade ago would have seemed almost unthinkable in volume and variety. While attack techniques continue to evolve, experts largely agree that the most pragmatic approach in SecOps is to assume you already have or will inevitably be breached, and to focus on responding as quickly as possible to mitigate that inherent risk. Fortunately, open source tools exist to enhance SIEM and make sense of the huge volumes of enterprise data that threaten to overwhelm IT security teams.
An attacker's ROI is much higher for a corporate attack, as it is likely to generate far greater revenue. There's also a wider attack surface to probe, given that most firms only protect their most critical assets and do the bare minimum to comply with regulations.
Attackers are also more familiar with the infrastructure, software, and tools used by enterprises; they know precisely where common security gaps lie. An incorrectly configured Amazon Web Services account could bring down an entire organisation.
These challenges are compounded by the fact that many organisations are still rooted in past practices, with security teams focused on defending the perimeter. This means many new cloud services are brought online without the necessary controls in place. But it also means that not enough attention is being paid to potentially suspicious activity inside the corporate firewall.
The truth is that a determined attacker will always be able to get past your defences. The key is proactively hunting them down to minimise the time they have inside your network.
On paper, SIEM solutions offer a decent way forward — centralising and aggregating alerts and data from disparate systems. The problem is that data volumes today are many orders of magnitude greater than these platforms were designed to handle. Even then, they may not cover a broad enough range of data sources to drive sufficient insight into the threat landscape.
The answer lies with open source search tools that can be added as extra analytical layers on atop existing SIEM platforms. In this way, these tools import all the data from your SIEM solution and supplement it with new datasets to drive broader insight. These new datasets might come from new security applications, endpoint logs, and the growing number of IoT and OT systems proliferating in modern organisations.
The value of search here is in analysing structured and unstructured data: everything from legacy logs (which may never have been structured for external use) to unstructured text such as powershell transcripts. A crucial ingredient is machine learning. Intelligent algorithms empower overstretched security teams by automating anomaly detection within datasets. Machine learning solutions enable teams to baseline normal behaviour and then train the system to search for specific anomalies and patterns that might represent an attack.
There's still plenty of work to do, but with open source search augmenting existing SIEM investments, effective incident detection and response is within reach for most organisations.