Visibility, Detection and Response Using a SIEM-less Architecture

March 20, 2019
Vectra AI Security Research team
Visibility, Detection and Response Using a SIEM-less Architecture

A major challenge of a good incident response program is balancing the need for visibility, detection and response with the cost and complexity of building and maintaining a usable and effective security stack.

Historically, security information and event management (SIEM) has been at the center of many security operations to cover a broad set of use cases, including threat detection, compliance reporting, alert centralization as well as providing analyst processes and workflows. For some organizations, a SIEM is ideal as a central point of all things related to threat detection and logs. For others, the ability to manage an effective SIEM is determined by their ability to retain talent. There are those facing a lack of skilled staff for blue team roles.

Unfortunately, a SIEM commonly introduces additional layers of overhead, and not every investigation or incident-response workflow needs to be in a SIEM. What becomes critical is knowing what events provide the highest signal-to-noise ratio for threat detection. So what good is a SIEM in a resource-constrained environment?

To answer that question, we need to start by defining the needs of threat detection and incident response:

  1. Visibility across the organization’s assets wherever they might reside. This could include data center and cloud workloads, company owned laptops, as well as BYOD and IoT devices.
  2. Correlation of security events and the ability to identify relationships between workloads and devices.
  3. Context of what happened associated with an actionable response.
  4. Repeatable processes and workflows that allow early-career analysts to quickly scale security skills and senior analysts to perform fast, conclusive investigations.
  5. Threat detection and investigation that can start from any point.

While I believe the network is the easiest way to get the broadest visibility and is a great starting point for knowing where to hunt, other data sources can enrich context.

Threat detection needs network and endpoint context as well as logs. And each of these data sources should be supported by specialized tools built specifically for visibility, detection and response in their respective data types that are built from the ground up to work together.

There is a new breed of SIEM-less security architecture that allows companies to leverage intelligent people with general IT experience to become the next-generation of security analysts. These specialized detection-and-response platforms provide easy-to-understand, repeatable processes that are the building blocks of an effective investigation, regardless of the type of threat you’re facing.

The three key components of this dynamic architecture consist of (1) network and endpoint detection and response (NDR and EDR) combined with (2) security automation and orchestration to bring together (3) incident response case management. Investigations can start anywhere—network, endpoint or security automation and orchestration—because key components of the architecture communicate with one other. Additional case enrichment and response enforcement is often provided by the perimeter security tools you already have.

This architecture is often used in customer environments with integration between Vectra, CrowdStrike, Demisto, and Palo Alto Networks. For example, integration via orchestration enables informed actions to occur based on tagging from Cognito, which triggers events, and automation in Demisto, and delivers valuable insights that enable security teams to build very effective blue teams.

With a better data source like NDR from Vectra and EDR from CrowdStrike, security analysts can eliminate the cost and complexity of SIEMs and while still enjoying the benefits of faster incident response. The Vectra Cognito platform was purpose-built to integrate with endpoint protection, orchestration, firewall, cloud, and virtualized data center security to support existing incident response workflows in a way that complements your organization.

These integrations include VMware, Microsoft Azure, Amazon Web Services, CrowdStrike, Carbon Black, Demisto, Splunk, Juniper, Palo Alto Networks and more. This enables security analysts to easily pivot between any platform or tool while delivering rich context about compromised host devices and threat incidents.

And if you can’t part ways with your SIEM because you perceive it as the center of your threat investigation universe, Cognito works well there, too (QRadar, ArcSight and Splunk).