After 15 years of growth and maturity, security information and event management (SIEM) sits at the top of the enterprise security ecosystem. With its breadth of log collection, real-time monitoring, heads-up SOC displays, alert triage, and workflow and compliance, SIEM is the go-to system for security teams to manage enterprise risk.
The reach of enterprise SIEM also makes it a terrific platform for organizations to productively introduce exciting new technologies that are designed to deal with the fast-changing attack environment.
Add Security Analytics
Think about preserving all the value and investment (which includes training, process, run books and reporting) in SIEM with a boost from a new type of solution. A solution that leverages big data technologies running—new attack detection analytics that operate on logs, network and other security data sources to enable enterprise security teams to detect attacks that have eluded real-time defenses while accelerating incident investigation and response.
Aruba IntroSpect provides user and entity behavioral analytics (UEBA)- machine learning analytics and integrated incident investigation support that takes advantage of the storage and compute scale of big data to deliver:
- The Right Data at Scale. Selected high value and often complementary data sources (i.e., Active Directory and VPN logs, flows, packets, files, alerts, and external threat feeds) are mined for suspicious signals and stored for long-term investigation and context.
- Advanced Analytics. Next-generation supervised and unsupervised machine learning algorithms utilize these "weak" signals to build up an activity baseline that highlights not just anomalous behaviors but also the malicious intent of an entity (i.e., user, host, or IoT).
- Integrated Forensics at Your Fingertips. Once an alert has been identified, analysts have one-click access to layered forensics – from events contributing to a user or system's risk score down to the packet level – avoiding the swivel-chair investigations required to find, analyze and summarize critical data that is either in multiple systems or no longer online and available. Because IntroSpect natively collects, analyzes and incorporates network packet and flow data in addition to logs, alerts, and other data, an analyst can intercept attacks in progress and, in seconds, validate the attack and make decisions regarding the severity of the incident and the appropriate response plan.
- Seamless Integration. UEBA machine learning leverages many of the same logs and alerts that a McAfee Enterprise Security Manager, Micro Focus ArcSight, Splunk or IBM QRadar system so handily collects—and often supplements that visibility with efficient and cost-effective aggregation of high volume sources, such as DNS, that typically are not collected in a SIEM. This means that the investment already made for IT operations and compliance can be easily extended to produce additional value in terms of precision attack detection and accelerated incident response. In fact, a growing best practice is to deploy a UEBA solution alongside a SIEM with bi-directional integration, so that the SOC team can continue using their existing consoles and benefit from the attack detection and advanced threat hunting capabilities that IntroSpect provides.
Like the NOC and other key IT operations centers, SIEM-based SOCs perform a critical role in protecting the enterprise and providing the workflow for efficient threat and attack remediation. Integrating IntroSpect with a SIEM is like turbocharging an engine – new analytics find subtle attacks before they do damage and the incident response is cut from hours and days to minutes.
Get a visual overview of Aruba IntroSpect can help you find threats faster. View the infographic.
Larry Lunetta is vice president of security product marketing at Aruba, a Hewlett Packard Enterprise company.
