Have you ever wondered how long it will take until the use cases and playbooks developed for security operations are ready and start to prove value to your organization? In my past, I have worked extensively with security information and event management (SIEM) systems, a focal point for many organizations’ security operations. In my experience, one of the key challenges facing security operations has been time to value. Questions such as the following frequently come up in discussions with security operations teams: How quickly can the investment prove any return on investment (ROI)? Why is it taking so long to implement? Which log sources are we monitoring, and are they giving us the right visibility? Is a given use case threat-oriented (insider threat, threat hunting…), control-oriented (privileged access abuse…), asset-oriented (crown jewel programs…) or compliance-oriented (HIPAA, GDPR, PCI etc.…)?
Although a SIEM has a fundamental place in a security operations team as a focal point or repository, have you ever considered how to get more out of the SIEM investment you have already made? Or how to speed up and simplify use-case development in a SIEM, while reducing development and maintenance costs in the process?
To implement a new use case, an organization must go through several steps: confirm the monitoring tool to use (e.g. which log source the data will come from); determine the data source requirements; understand the context of the use case and its data requirements; identify the processes and operational procedures that are new or affected by the use case; develop and test the content and release it to production; test and review its performance; and continuously tune the use case over its lifetime.
With all these tools and use cases, the SIEM often generates a lot of noise for the security operations team. This turns into a conversation about skill shortages, siloed technologies that do not work well together, information overload and a high total cost of ownership from constant (re)hiring, training and enablement of security teams.
What if there were a way to accelerate time to value, augment the investments you have already made and simplify the notion of use cases? In a recent customer engagement, the customer wanted 89 use cases developed by an external partner managing the SIEM. The average cost to develop a use case meant a sticker price of $10,000 per use case for the customer ($890,000 for all 89). The cost to maintain one use case is $2,500/year, adding up to a total annual maintenance cost of $222,500 in this example (note that this is the manpower cost of continuous validation and similar work, not any technology cost).
By leveraging network detection and response (NDR) from Vectra to focus on attacker-behavior detections, combining security research and data science, many of these SIEM use cases fall into Vectra detection families, with the following result:
Example of how use cases are simplified into Vectra detection families:
In short, combining a SIEM with Vectra quickly becomes a conversation about time to value, about augmenting the value of existing technologies and about improving life for the security operations analyst, and it ultimately helps your SIEM installation become more successful.
Henrik Davidsson is director of sales business development at Vectra, where he is responsible for customer value creation and managed service providers. He has over 15 years’ experience working with large enterprises and service providers, always stays at the frontline of new security challenges, and coaches end customers and partners alike on how to augment their security posture and cyber resilience. Henrik has held leading positions at companies such as Cisco, Juniper Networks, VMware, FireEye and NTT Security.