
Moving from “Big Rules” to “No Rules”

No two cybersecurity events are exactly alike, so it’s a fool’s errand to plan and protect solely against known threats. The need is greater now than ever for security teams to arm themselves with innovative SIEM technology with automatic threat detection and adaptive response.

When security information and event management (SIEM) technology burst onto the scene two decades ago, it promised to make life easier for security teams by aggregating, managing and analyzing log information from security infrastructure to facilitate meeting compliance requirements, provide forensics for security events and identify security incidents. But rather than become security’s silver bullet, SIEM solutions have grown into a well-known source of pain for security and compliance teams.

While SIEM has been somewhat successful at compliance and forensics, it has been woefully inadequate at security incident detection and response. The technology has become a major contributor to the security cost and complexity problem by requiring significant amounts of manual labor to digest logs from new data sources, classify them and then analyze the alerts the SIEM generates – the vast majority of which are typically false-positive or redundant. Put it all together, and SIEMs have earned the reputation of being reactive, passive, complex and expensive. Traditional SIEM’s fundamental failing is that its basic architecture might have been suitable for the threat landscape at the turn of the century, but it’s obsolete for today’s world, where organizations face:

  • Automated, machine-generated attacks that are constantly morphing and are increasingly multi-function, increasing attack velocity and effectively making every attack “brand new.”
  • A dramatic expansion of the enterprise attack surface, where traditional corporate “perimeters” no longer exist thanks to trends such as mobile, cloud and IoT.
  • A big data problem that prevents SIEMs from automatically consuming and operationalizing all of the content generated by machines and humans to provide situation awareness of the threat landscape.
  • Infrastructure bloat, caused by organizations’ reactive approach to security, where they respond to new threats and compliance requirements with new tools (each of which adds to the big data problem by generating its own streams of alerts and information).

Amid all these changes, SIEMs have remained largely unchanged: They continue to attempt to identify advanced attacks using human-written, static correlation rules – rules that require human security experts to develop, deploy, update and maintain. This approach just doesn’t work in today’s advanced cybersecurity landscape where there’s endless threat data that changes at the speed of light.

Not only do human-written rules require extensive manual labor to manage, driving up operations costs, but they also introduce significant security and compliance risks because: 1) Humans cannot write or update rules as fast as machines can change attacks, so cybercriminals will always have the upper hand; and 2) the number of rules required to cover all attack patterns has grown exponentially, causing a “Big Rules” problem that forces teams to be mired in mundane task work instead of focusing on priority issues that will strengthen the organization’s security posture and compliance efforts.

The reality is, rather than make security and compliance pros’ lives easier, the “Big Rules” problem has created more headaches for them by rendering SIEMs (even those claiming to be “next-generation”) too reactive (human-written rules can only be developed against known threats and patterns), too passive (designed for alerting, not responding), too complex (resulting in thousands of security correlation rules that are simply impossible to maintain) and too expensive (they require massive ongoing investment to cope with the “Big Rules” problem).

Does this mean that we should remove SIEMs from our security infrastructure? Absolutely not. But it does mean we need a new kind of SIEM: one that creates a “no rules” world.

Moving from “Big Rules” to “No Rules”

The “Big Rules” problem can be solved with a SIEM system that enables real-time detection, investigation, remediation and mitigation of both known and unknown threats, without rules or manual processes. But how do we get there? The answer lies in a “no rules” SIEM that relies on the power of artificial intelligence (AI) and behavioral analytics and is developed specifically for today’s sophisticated threat landscape.

A “no rules” SIEM is founded on a stack of intelligence layers. The first (and most fundamental) layer is responsible for automatically classifying logs and data feeds by security “intent” – that is, separating benign activity from activity demonstrating malicious intent – using AI technology, such as machine learning (ML) and natural language processing (NLP) algorithms. These algorithms emulate the actions of security analysts – reading logs and data feeds, seeking out relevant information from the logs and from third-party data sources outside the organization and identifying attack intent – but orders of magnitude faster and more effectively. Other important features of “no rules” SIEMs include:

  • Flexible data ingestion, where the SIEM is open for use with any database and has the ability to collect structured and unstructured data, including logs, network flows, intelligence feeds, user and account activities and more.
  • Auto-correlation, leveraging cause-and-effect analytics to automatically validate and prioritize attacks and reveal the complete “attack story,” without requiring static correlation rules.
  • Adaptive orchestration by using the capabilities of an organization’s existing security infrastructure to actively investigate and mitigate (block) attacks, without requiring scripts.

With these capabilities, SIEM technology transforms from a reactive and passive system into an active one that detects, confirms and stops attacks before they can cause harm. This dramatically improves incident detection and response, simplifies security and compliance management and, because there are no rules to manage, slashes SIEM total cost of ownership.

Perhaps most importantly, “no rules” SIEMs are designed to combat the sophisticated cybercriminals we face today. Attackers may reuse some of the same tools and techniques, but no two attack patterns will be exactly the same, rendering traditional SIEMs that protect against only known threats useless.

A new SIEM for a new world uses AI and analytics to create varied attack patterns that contain valid evidence of the adversary’s characteristics, without pigeonholing them into a specific pattern that likely won’t happen again. Instead, the technology helps organizations predict how attacks will occur, long before they happen. And, armed with the ability to detect known and unknown threats, organizations can flip the tables and finally gain the upper hand over the very adversaries that have reigned for years.


Avi Chesla

Avi Chesla is Founder and CTO at empow. Avi is a recognized leader in the internet security arena internationally, with expertise in product strategy, cybersecurity, network behavioral analysis, expert systems and software-defined networking. Prior to empow, Avi was CTO and VP of Security Products at Radware, where he was responsible for defining, leading and executing the company’s strategic technology roadmap and vision, including the foundation and management of Radware’s Security Division, a provider of cyberattack mitigation solutions. Avi’s views on industry trends and best practices have been featured in articles and white papers and on the conference speaking circuit. He has earned more than 25 patents in the arena of cybersecurity solutions.
