Let’s say I tell you that my daughter crawled today. However, you don’t know if my daughter is an infant or 30 years old. If you ask, and I tell you my daughter is an infant, you still don’t know if she’s already been crawling or today marks the first time. If this is the first time, that’s a notable event. If this does not mark the first time, you may wonder why I told you about a mundane, typical day. That’s what it’s like trying to manage security operations without the right context in your SIEM system.
What Can Data Security Tools Offer?
Trying to understand all that context without enough information isn’t the way to do effective work. You don’t want a team too tired and overwhelmed to do their jobs. In fact, 83% of cybersecurity experts report suffering from alert fatigue. IBM, as an example, monitors 150 billion events per day for clients worldwide to develop its Threat Intelligence Index. And, more than half of organizations report having to handle 1,000 security events per day, a task many are not equipped to manage.
Many organizations have moved to hybrid cloud architecture. Their data sprawls across a vast array of on-premises and cloud sources. In this case, legacy data security solutions often are the primary culprits in cluttering an otherwise efficient SIEM system. Those tools share each and every log with the SIEM. Sure, it is part of the noble effort of spotting data threats and stopping breaches, but this oversharing presents a range of problems. It brings increased SIEM and storage costs that come from the volume of logs being shared. It also makes it harder for your people to discern urgent risks from false positives.
SIEM is Not a Data Security Landfill
Often, in a quest to ensure that the SIEM is truly the eye in the sky to monitor all possible threat vectors, the other specialized security teams will share all logs with the SIEM system. While in theory it makes sense to toss every potential threat to the team tasked with running a response, in practice this creates a few issues.
Many SIEM solutions bill per number of events per second, so sending everything from the lowest priority risks on up ends up ballooning costs. Then you need to store this increased event volume somehow, presenting a second ballooning expense. Excess event noise buries actual threats beneath minor risks and false positives, increasing the time it takes to understand and respond to a potential data breach. Employee attrition spurred by alert fatigue — coupled with the overall cybersecurity skills gap — means holes in the workforce.
Context is King
So, what can you do to cut through all that noise? The answer is context.
If every event is sent over without context attached — the who, what, where and when, in most cases — the team managing the SIEM now must find the context themselves. They’ll sift through a sea of data that may not be relevant. That sea of event data can be reduced to a puddle through advanced analytics native to modern data security tools.
To illustrate, consider that a legacy data security solution looking at dozens or hundreds of data sources could be sending millions of events per day to a SIEM. With modern, contextual analytics, suddenly you can reduce these millions of events to thousands or hundreds of actionable, context-rich insights. That, in turn, allows security analysts to take action right away.
Suddenly, two critical pieces of a complete security program — database activity monitoring (DAM) and the SIEM — can work together to enhance security insight and teamwork across siloed teams, all while reducing costs and the time it takes to respond to threats.
Register for and watch the IBM Security Guardium and IBM Security QRadar Tech Day to learn more about how IBM Security supports the partnership of DAM and SIEM.
The post Turning Down the Noise: Adding Context to the SIEM With Modern Data Security appeared first on Security Intelligence.
This post appeared first on Security Intelligence
Author: Ryan Schwartz