Blog — Nov 10, 2015

SIEMian monkey business

If you believe that deploying SIEM (Security Information and Event Management) alongside your perimeter security is an effective defense against the ever-growing threats facing your corporate network, then read on, or you may learn the truth the hard way.

SIEM was born of SIM (Security Information Management). SIM was the result of a period of massive corporate malfeasance in the early days of the 21st century. Enron, WorldCom and others were the primary motivators of Sarbanes-Oxley, a new regulatory regime that drove compliance officers to deploy SIM as a means of providing evidence that their financial control policies were in place and enforced.

As with most accounting-focused initiatives, it was rearward-facing. The compliance model driving SIM delivered on weekly, monthly, quarterly and annual reporting requirements, which ultimately captured only past incidents.

As SIM became commonplace in publicly traded companies (think ArcSight), some people thought that there was a security play for SIM. And just like that, SIEM was invented as a new security product category.

The need to manage security logs wasn’t something new. In the early days of IDS (remember ISS RealSecure?), there was quite a bit of excitement. IDS systems were rapidly deployed, and by the early 2000s they were commonplace. But the IDS systems created a new problem: they generated enormous amounts of data in the form of logs and alerts. Unfortunately, in the real world of signature-based detection (the core brain of most IDS systems), there are a lot of false positives. IDS systems had real limitations in their ability to produce black-and-white results. They produce lots of gray. Gray is a problem. Gray is noise. And noise means extra work.

The response to this noise was to outsource IDS logs to a third party. Companies couldn’t justify having their own resources sift through the massive logs in search of threats. By this time, a market called Managed Security Service Providers (MSSPs) was already in flight. This market was created because firewall management had become quite difficult.

Firewalls like Check Point’s were powerful but required some skill to manage effectively. These skills were in short supply (just as security skill remains in short supply to this day). So MSSPs stepped up to concentrate the talent around a model that supported many corporate networks. It was valuable, and so the MSSP market grew. The IDS noise problem was something MSSPs were ready and willing to help solve. However, managing IDS logs and alerts requires a different approach than a change-controlled firewall policy service.

Moving the noise generated by IDS systems to “expert” MSSPs solved one problem (or at least gave the perception of solving one): “We have smart people looking for threats in our IDS logs.”

But the honest, often unheard truth is that relying on logs alone ultimately leaves you incapable of taking the appropriate action, because the noise can’t become a signal without better context.

No matter how long you stare at an IDS log event, it won’t become any more informative. The same is true for the vast majority of security log events. But let’s put that primary flaw in log-based security aside for a moment.
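As an added illustration of the point above (this is example code written for this edit, not eSentire’s tooling or anything from the original post), the block below takes a handful of constructed IDS-style alert lines and shows that the alert text alone cannot be triaged, while joining each alert against a small asset inventory (what OS the destination runs, what actually listens on the targeted port) turns the same text into a clear “noise” or “actionable” verdict. The alert format, the asset table, and the “internal source” check are all assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample alerts (not real Snort/Suricata output): timestamp, signature name,
# the platform the signature targets, source address, destination host:port.
SAMPLE_ALERTS = """\
2015-11-10 09:01:12 | SIG:WEB-IIS cmd.exe access | target=windows | 198.51.100.7 -> 10.0.1.20:80
2015-11-10 09:01:15 | SIG:WEB-IIS cmd.exe access | target=windows | 198.51.100.7 -> 10.0.1.21:80
2015-11-10 09:02:40 | SIG:SMB remote code execution attempt | target=windows | 10.0.2.5 -> 10.0.1.21:445
2015-11-10 09:03:02 | SIG:SMB remote code execution attempt | target=windows | 10.0.2.5 -> 10.0.1.20:445
"""

# Constructed asset context the IDS never sees: OS and listening services per host.
ASSETS = {
    "10.0.1.20": {"os": "linux", "services": {80: "apache"}},
    "10.0.1.21": {"os": "windows", "services": {80: "iis", 445: "smb"}},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \| SIG:(?P<sig>[^|]+?) \| target=(?P<target>\w+) \| "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)


@dataclass
class Alert:
    ts: str
    signature: str
    target_os: str
    src: str
    dst: str
    port: int


def parse_alerts(text):
    """Parse the constructed alert format; lines that do not match are skipped, not guessed."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        alerts.append(Alert(m["ts"], m["sig"].strip(), m["target"],
                            m["src"], m["dst"], int(m["port"])))
    return alerts


def triage(alert, assets):
    """Return (verdict, reason). The alert text is identical across cases; only context differs."""
    asset = assets.get(alert.dst)
    if asset is None:
        return ("unknown", "destination not in asset inventory; cannot judge from the log alone")
    if alert.port not in asset["services"]:
        return ("noise", f"nothing listens on port {alert.port} at {alert.dst}")
    if asset["os"] != alert.target_os:
        return ("noise", f"signature targets {alert.target_os}, host runs {asset['os']}")
    # Assumption for this example: the 10.0.0.0/8 range is the internal network, so an
    # exploit attempt from inside it is a stronger signal (possible lateral movement).
    origin = "internal source" if alert.src.startswith("10.") else "external source"
    return ("actionable", f"{asset['services'][alert.port]} on {alert.dst} matches the "
                          f"signature's target ({origin})")


def triage_all(text, assets=ASSETS):
    """Triage every alert; returns (signature, destination, verdict, reason) tuples."""
    return [(a.signature, a.dst, *triage(a, assets)) for a in parse_alerts(text)]


def summarize(results):
    """Count verdicts so the noise reduction is visible at a glance."""
    return dict(Counter(verdict for _, _, verdict, _ in results))


if __name__ == "__main__":
    results = triage_all(SAMPLE_ALERTS)
    for sig, dst, verdict, reason in results:
        print(f"{verdict:10} {sig} -> {dst}: {reason}")
    print(summarize(results))
```

Two of the four alerts are word-for-word identical to the two that matter, yet only the inventory join separates them: an IIS signature firing against an Apache host and an SMB exploit aimed at a port with no listener are noise, while the same signatures against a Windows host with IIS and SMB listening are worth an analyst’s time, especially when the source is already inside the network. The verdict for a host missing from the inventory is deliberately “unknown”, because without context the log cannot say either way.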

Today we have powerful security devices, like NGFW, IPS/IDS, endpoint and everything in between, deployed with watered-down policies that compromise the efficacy of the perimeter. And even using the word “perimeter” is a bit of a joke today, given the mobility of endpoints.

I think Amit Yoran, the CEO of RSA Security, stated the problem beautifully in his 2015 RSA keynote titled “Escaping Security’s Dark Ages” when he said:

“Nonetheless, many security professionals base their programs on the futile aggregation of telemetry from these virtually blind IDSes, AV platforms, and firewall logs, implementing the glorious and increasingly useless money-pit, known as the SIEM. I know it didn’t surprise many of you when last year’s Verizon Data Breach Investigations Report asserted that less than one percent of successful advanced threat attacks were spotted by SIEM systems. Less than 1%. The terrain has changed but we’re still clinging to our old maps. It’s time to realize that things are different.”

Relying exclusively on a SIEM to identify and manage threats is reckless; it’s an accounting “rear-view mirror” perspective that can only inform you of known threats, based solely on the insights gleaned from perimeter defences, which are essentially useless when it comes to new and innovative attacks. And without additional context, you can’t distinguish an actual threat from a mundane false positive.

It’s only going to get harder to protect your networks. You have to embrace the reality that your perimeter and endpoint security products, no matter how powerful, will ultimately fail when dealing with anything other than yesterday’s attacks. The security game has shifted from prevention to detection. The new game plan demands not just an effective perimeter defence to block background radiation, but also requires continuous monitoring that doesn’t rely on a SIEM for its visibility into threats.

Security is hard. But it can be a lot easier if you focus on managing threats effectively and stop worrying about who’s pretending to deliver security by staring at your logs.

eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 1500+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services. For more information, visit www.esentire.com and follow @eSentire.