Have you ever wondered how long it will take until the use cases and playbooks developed for security operations are ready and starts to prove value to your organization? In my past, I worked extensively with security information and event management (SIEM) systems; a focal point for many organizations’ security operations.
In my experience I’ve found that one of the key challenges facing security operations has been around the time to value. Questions like, How quickly can the investment prove any return-on-investment (ROI)? Why is it taking so long to implement? What log sources are we monitoring and are they giving us the right visibility? Is it a threat-oriented use case (insider threat, threat hunting…), control-oriented use cases (privileged access abuse…), asset-oriented use cases (crown jewel programs…) or compliance-oriented use cases (HIPAA, GDPR, PCI etc.…)? frequently come up during discussions with security operation teams.
Although a SIEM does have a fundamental place in a security operations team as a focal point or repository, have you ever considered how to accelerate the SIEM investment you already made to make it even better? Or how to accelerate and simplify the number of use cases in a SIEM, while reducing development and maintenance costs in the process?
To implement a new use case, an organization must go through several different steps. Confirm the monitoring tool you want to use (e.g. which log source to get the data from); determine the data source requirements; understand the context of the use case and data requirements; identify new or affected processes and operational procedures by the use case implementation; develop, test and execute content to production; test and review performance; and continuously tune use case over life time.
With all the tools and use cases, the SIEM often generates a lot of noise for the security operations team. This renderers into a conversation around skill shortage, siloed technologies not working well together, information overload and a high total cost of ownership with constant (re)hiring, training and enablement of security teams.
What if there is a way to accelerate time to value, augment the investments you have already made and simplify the notion of use cases?
In a recent customer engagement, the customer wanted to have 89 use cases developed by an external partner managing the SIEM. The average cost to develop a use case means a sticker price of $10,000 for the customer. The cost to maintain that one use case is $2,500/year, adding up to a total annual maintenance cost of $222,500 in this example (note, this is manpower cost to do continuous validations etc, not any technology cost).
By levering network detection and response (NDR) from Vectra to focus on attacker behavior detections, combining security research and data science, a lot of these SIEM use cases fall into Vectra detection families with the following result:
- Direct support for 66 out of 89 use-cases out of the box, equivalent to $590,000 in use cases development cost
- Great part of the technology investment in Vectra is immediately off set by the saving in use cases development (a never-ending work)
- Vectra simplifies from a use case approach based on technologies to attacker behaviors and further reduced the complexity by minimizing 59 use cases to 22 detection families, resulting in 37 less use cases to maintain—close to $100,000 in use case maintenance saving per year
- In addition, Vectra helps reduce security inefficiencies, ineffectiveness and noise in the security operations center (SOC), by leveraging alert prioritization and accelerating adherence to compliance needs
Example of how use cases are simplified into Vectra detection families:
In short, combining SIEM with Vectra quickly becomes a conversation around time to value, how to augment the value of existing technologies and improve the life for a security operations analyst and ultimately helps your SIEM installation become more successful.
More on the technical values of NDR in relation to endpoint detection and response (EDR) and SIEM can be found here.