If you believe deploying SIEM (Security Information and Event Management) with your perimeter security is an effective defense against the ever-growing threats facing your corporate network then read on, or you may learn the truth the hard way.
SIEM was born of SIM (Security Information Management). SIM was the result of a period of massive corporate malfeasance in the early days of the 21st century. Enron, Worldcom and others were the primary motivators of Sarbanes-Oxley, a new regulatory regime that drove compliance officers to deploy SIM as a means of providing evidence that their financial control policies were in place and enforced.
As with most accounting-focused initiatives, it was rearward facing. The compliance model driving SIM delivered on weekly, monthly, quarterly and annual reporting requirements, which ultimately captured past incidents.
As SIM became commonplace in publicly traded companies (think ArcSight), some people thought that there was a security play for SIM. And just like that, SIEM was invented as a new security product category.
The need to manage security logs wasn’t something new. In the early days of IDS (remember ISS RealSecure?), there was quite a bit of excitement. IDS systems were rapidly deployed. By the early 2000s, they were commonplace. But the IDS systems created a new problem: they generated enormous amounts of data in the form of logs/alerts. Unfortunately, in the real world of signature-based anomaly detection (the core brain of most IDS systems), there are a lot of false positives. IDS systems had real limitations in their ability to produce black and white results. They produce lots of gray. Gray is a problem. Gray is noise. And noise means extra work.
The response to this noise was to outsource IDS logs to a third party. Companies couldn’t justify having resources sift through the massive logs in search of threats. By this time, a market called Managed Security Service Providers (MSSP) was already in flight. This market was created because firewall management became quite difficult.
Firewalls like Check Point’s were powerful but required some skill to manage effectively. These skills were in short supply (just as security skill remains in short supply to this day). So MSSPs stepped up to concentrate the talent around a model that supported many corporate networks. It was valuable, and so the MSSP market grew. The IDS noise problem was something MSSPs were ready and willing to help solve. However, managing IDS logs/alerts requires a different approach than a change-control firewall policy service.
Moving the noise generated by IDS systems to “expert” MSSPs solved one problem (or at least gave the perception of solving one): “We have smart people looking for threats in our IDS logs.”
But the honest, often unheard truth is that ultimately, relying on logs leaves you incapable of taking the appropriate action because the noise can’t become a signal without better context.
No matter how long you stare at an IDS log event, it won’t become any more informative. The same is true for the vast majority of security log events. But let’s put that primary flaw in log-based security aside for a moment.
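As an added illustration of the point above (example code written for this edit, not from the original post or from eSentire): the same IDS alert is triaged twice, once with nothing but the alert line, and once with two pieces of context a log cannot supply on its own, an asset inventory (what actually listens on the targeted port) and endpoint process telemetry (what the web server did next). The alert fields, the `target_service` tag, the inventory records and the process events are all constructed sample data, and the service and process names used for matching are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    """One IDS alert, reduced to the fields that matter for triage."""
    signature: str
    target_service: str   # service the signature was written for (constructed tag)
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class Asset:
    """Inventory record for a host: port -> service actually listening."""
    ip: str
    services: Dict[int, str]


@dataclass(frozen=True)
class ProcessEvent:
    """Endpoint telemetry: a parent process spawned a child on a host."""
    host_ip: str
    parent: str
    child: str


# A web-server worker spawning a shell is a classic post-exploitation sign.
WEB_WORKERS = {"w3wp.exe", "httpd", "nginx"}
SHELLS = {"cmd.exe", "powershell.exe", "/bin/sh", "/bin/bash"}

# Constructed sample data: three identical alerts against three hosts.
SAMPLE_ALERTS = [
    Alert("WEB-IIS buffer overflow attempt", "iis", "203.0.113.9", "10.0.0.5", 80),
    Alert("WEB-IIS buffer overflow attempt", "iis", "203.0.113.9", "10.0.0.6", 80),
    Alert("WEB-IIS buffer overflow attempt", "iis", "203.0.113.9", "10.0.0.7", 80),
]
ASSETS = {
    "10.0.0.5": Asset("10.0.0.5", {80: "apache"}),   # signature cannot apply
    "10.0.0.6": Asset("10.0.0.6", {80: "iis"}),      # matching service
    "10.0.0.7": Asset("10.0.0.7", {80: "iis"}),      # matching service
}
PROCESS_EVENTS = [
    ProcessEvent("10.0.0.6", "w3wp.exe", "cmd.exe"),   # worker spawned a shell
    ProcessEvent("10.0.0.7", "w3wp.exe", "conhost.exe"),
]


def triage_without_context(alert: Alert) -> str:
    """Log-only view: every alert carries the same information, so it stays gray."""
    return "gray"


def triage_with_context(alert: Alert, assets: Dict[str, Asset],
                        events: List[ProcessEvent]) -> Tuple[str, List[str]]:
    """Return (verdict, reasons) by combining the alert with inventory and telemetry."""
    reasons: List[str] = []
    asset = assets.get(alert.dst_ip)
    if asset is None:
        reasons.append(f"{alert.dst_ip} is not in the inventory")
        return "investigate", reasons
    listening = asset.services.get(alert.dst_port)
    if listening is None:
        reasons.append(f"nothing listens on {alert.dst_ip}:{alert.dst_port}")
        return "noise", reasons
    if listening != alert.target_service:
        reasons.append(f"signature targets {alert.target_service}, host runs {listening}")
        return "noise", reasons
    reasons.append(f"host runs {listening} on {alert.dst_port}, matching the signature")
    spawned = [e for e in events
               if e.host_ip == alert.dst_ip and e.parent in WEB_WORKERS and e.child in SHELLS]
    if spawned:
        reasons.append(f"{spawned[0].parent} spawned {spawned[0].child} on the target")
        return "signal", reasons
    reasons.append("no suspicious child process seen on the target")
    return "investigate", reasons


def run_demo() -> Dict[str, str]:
    """Verdict per destination host for the constructed alerts."""
    return {a.dst_ip: triage_with_context(a, ASSETS, PROCESS_EVENTS)[0] for a in SAMPLE_ALERTS}


if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        verdict, why = triage_with_context(alert, ASSETS, PROCESS_EVENTS)
        print(f"{alert.dst_ip}: log-only={triage_without_context(alert)} "
              f"with-context={verdict} ({'; '.join(why)})")
```

The three alert lines are byte-for-byte identical, and the log-only path has no way to rank them. The inventory alone retires the first as noise (a signature for IIS fired against Apache), and the endpoint telemetry promotes the second to a signal worth acting on; the third is left as an investigation, which is the honest verdict when the context runs out.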
Today we have powerful security devices, like NGFW, IPS/IDS, endpoint and everything in-between deployed with watered-down policies that compromise the efficacy of the perimeter. And even using the word perimeter is a bit of a joke today with the mobility of endpoints.
I think Amit Yoran, the CEO of RSA Security, stated the problem beautifully in his 2015 RSA keynote titled “Escaping Security’s Dark Ages” when he said:
“Nonetheless, many security professionals base their programs on the futile aggregation of telemetry from these virtually blind IDSes, AV platforms, and firewall logs, implementing the glorious and increasingly useless money-pit, known as the SIEM. I know it didn’t surprise many of you when last year’s Verizon Data Breach Investigations Report asserted that less than one percent of successful advanced threat attacks were spotted by SIEM systems. Less than 1%. The terrain has changed but we’re still clinging to our old maps. It’s time to realize that things are different.”
Relying exclusively on a SIEM to identify and manage threats is reckless; it’s an accounting “rear-view mirror” perspective that can only inform you of known threats, based solely on the insights gleaned from perimeter defences, which are essentially useless when it comes to new and innovative attacks. And without additional context, you can’t distinguish an actual threat from a mundane false positive.
It’s only going to get harder to protect your networks. You have to embrace the reality that your perimeter and endpoint security products, no matter how powerful, will ultimately fail when dealing with anything other than yesterday’s attacks. The security game has shifted from prevention to detection. The new game plan demands not just an effective perimeter defence to block background radiation, but also requires continuous monitoring that doesn’t rely on a SIEM for its visibility into threats.
Security is hard. But it can be a lot easier if you focus on managing threats effectively and stop worrying about who’s pretending to deliver security by staring at your logs.
eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 1500+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services. For more information, visit www.esentire.com and follow @eSentire.