Blog — Nov 10, 2015

SIEMian monkey business

If you believe deploying SIEM (Security Information and Event Management) with your perimeter security is an effective defense against the ever-growing threats facing your corporate network then read on, or you may learn the truth the hard way.

SIEM was born of SIM (Security Information Management). SIM was the result of a period of massive corporate malfeasance in the early days of the 21st century. Enron, WorldCom and others were the primary motivators of Sarbanes-Oxley, a new regulatory regime that drove compliance officers to deploy SIM as a means of providing evidence that their financial control policies were in place and enforced.

As with most accounting-focused initiatives, it was rearward-facing. The compliance model driving SIM delivered on weekly, monthly, quarterly and annual reporting requirements, which ultimately captured past incidents.

As SIM became commonplace in publicly traded companies (think ArcSight), some people thought that there was a security play for SIM. And just like that, SIEM was invented as a new security product category.

The need to manage security logs wasn’t something new. In the early days of IDS (remember ISS RealSecure?), there was quite a bit of excitement. IDS systems were rapidly deployed. By the early 2000s, they were commonplace. But the IDS systems created a new problem: they generated enormous amounts of data in the form of logs/alerts. Unfortunately, in the real world of signature-based anomaly detection (the core brain of most IDS systems), there are a lot of false positives. IDS systems had real limitations in their ability to produce black and white results. They produce lots of gray. Gray is a problem. Gray is noise. And noise means extra work.

The response to this noise was to outsource IDS logs to a third party. Companies couldn’t justify having resources sift through the massive logs in search of threats. By this time, a market called Managed Security Service Providers (MSSP) was already in flight. This market was created because firewall management became quite difficult.

Firewalls like Check Point’s were powerful but required some skill to manage effectively. These skills were in short supply (just as security skill remains in short supply to this day). So MSSPs stepped up to concentrate the talent around a model that supported many corporate networks. It was valuable, and so the MSSP market grew. The IDS noise problem was something MSSPs were ready and willing to help solve. However, managing IDS logs/alerts requires a different approach than a change-control firewall policy service.

Moving the noise generated by IDS systems to “expert” MSSPs solved one problem (or at least gave the perception of solving one): “We have smart people looking for threats in our IDS logs.”

But the honest, often unheard truth is that relying on logs ultimately leaves you incapable of taking the appropriate action, because the noise can’t become a signal without better context.

No matter how long you stare at an IDS log event, it won’t become any more informative. The same is true for the vast majority of security log events. But let’s put that primary flaw in log-based security aside for a moment.

Today we have powerful security devices, like NGFW, IPS/IDS, endpoint and everything in between, deployed with watered-down policies that compromise the efficacy of the perimeter. And even using the word perimeter is a bit of a joke today, given the mobility of endpoints.

I think Amit Yoran, the CEO of RSA Security, stated the problem beautifully in his 2015 RSA keynote titled “Escaping Security’s Dark Ages” when he said:

“Nonetheless, many security professionals base their programs on the futile aggregation of telemetry from these virtually blind IDSes, AV platforms, and firewall logs, implementing the glorious and increasingly useless money-pit, known as the SIEM. I know it didn’t surprise many of you when last year’s Verizon Data Breach Investigations Report asserted that less than one percent of successful advanced threat attacks were spotted by SIEM systems. Less than 1%. The terrain has changed but we’re still clinging to our old maps. It’s time to realize that things are different.”

Relying exclusively on a SIEM to identify and manage threats is reckless; it’s an accounting “rear-view mirror” perspective that can only inform you of known threats, based on the insights gleaned from perimeter defences, which are essentially useless when it comes to new and innovative attacks. And without additional context, you can’t distinguish an actual threat from a mundane false positive.

It’s only going to get harder to protect your networks. You have to embrace the reality that your perimeter and endpoint security products, no matter how powerful, will ultimately fail when dealing with anything other than yesterday’s attacks. The security game has shifted from prevention to detection. The new game plan demands not just an effective perimeter defence to block background radiation, but also requires continuous monitoring that doesn’t rely on a SIEM for its visibility into threats.

Security is hard. But it can be a lot easier if you focus on managing threats effectively and stop worrying about who’s pretending to deliver security by staring at your logs.

Mark McArdle, Chief Technology Officer

As CTO at eSentire, Mark defines new products that keep the company on the leading edge of the security threatscape.