Managed SIEM vs. eSentire MDR - Amazon Web Services, Inc.


Managed SIEM vs. eSentire MDR

When security information and event management (SIEM) hit its stride as a security monitoring solution in the early 2000s, collecting security data logs, aggregating them in a central repository and conducting trend and correlative analysis was a natural evolution in response to overwhelming security sprawl.

While efficacy has increased, daily breach headlines still indicate the limitations of visibility achieved solely by SIEM technology. In addition, threat actors are achieving their objectives faster than ever. Managed SIEM and SIEM-reliant MDR service providers require clients to have internal capabilities to rapidly confirm and contain threats before adversarial objectives can be achieved. In recent studies, having adequate resources to contain a threat has proven more critical than ever, with 54 percent of threat actors indicating they can complete a breach in less than 15 hours. In contrast, data breach studies indicate organizations are struggling to keep pace, averaging 196 days to identify a breach and 70 days to contain it.

As digital transformation continues to create new vectors of attack, comprehensive protection requires visibility and signal fidelity with integrated response that exceeds what SIEM-reliant managed security service providers (MSSPs) and MDR vendors can deliver. While the value of a fully optimized SIEM cannot be denied, SIEMs are but one piece of the comprehensive solution required to minimize the critical detection-to-response time frame.
To visualize the strengths and weaknesses of a SIEM-reliant solution, the following chart highlights critical attributes aligned to detecting and disrupting threat actors across the Cyber Kill Chain. The chart's columns are Service, Overall depth of visibility, Containment capability, Core competency, and coverage of the kill chain phases External Recon, Internal Recon, Command and Control, Data Collection and Exfiltration.

SIEM: depth of visibility Low; containment capability No; core competency Breadth; coverage of Internal Recon, Command and Control, Data Collection and Exfiltration depends on configuration.
IDS / IPS: depth of visibility High; containment capability Yes; core competency Things in motion.
Endpoint Detection & Response: depth of visibility High; containment capability Yes; core competency Process visibility.
UEBA: depth of visibility Low; coverage of Internal Recon, Command and Control, Data Collection and Exfiltration depends on configuration (highly contextual to insider/APT).
Vulnerability: depth of visibility depends on installation.

As the above chart shows, SIEM-reliant solutions are a powerful component in providing breadth of visibility. However, limitations across depth and integrated response can lead to increased threat actor dwell times for organizations that do not have the complementary technologies, people and processes to adequately correlate and coordinate rapid detection and response.

To visually convey comprehensive threat coverage, all security service providers can be plotted against four axes: visibility, detection capability, signal fidelity and integrated response. On each axis the chart runs from Managed SIEM coverage (low) through an intermediate tier to eSentire coverage (high):

VISIBILITY: Singular telemetry source; Multiple telemetry sources (endpoint, network); Full visibility regardless of deployment model.
DETECTION CAPABILITY: Known, commodity, threat intelligence; Known, unknown, commodity, custom TI; Known, unknown, behavioral, commodity, custom TI.
SIGNAL FIDELITY: Low (e.g. log, NetFlow); Medium (e.g. full telemetry in some, limited in others); High (e.g. full endpoint, PCAP, log, vulnerability, etc.).
RESPONSE: Non-vetted alert forwarding (email or call); Threat validation with client-required threat containment; Threat validation with managed remote threat disruption and containment.

As organizations are faced with a growing vendor landscape, SIEM-reliant security providers can be enticing. However, their limitations should be recognized and the potential risk to your organization understood. To help your decision-making process, eSentire has compiled a comparison of eSentire's MDR services versus MSSPs and MDR providers that are solely or primarily reliant upon SIEM technologies.

Managed SIEM Comparison

Objective: Identify the gaps in Managed SIEM solutions in comparison to eSentire MDR. The comparison has two columns, eSentire and Managed SIEM; in the rows below the Managed SIEM entry is given where the original states one.

PLATFORM AND SERVICES

Visibility: Network (PCAP level); Endpoint (full telemetry); Log (on-premises and cloud); Vulnerability.
Technologies: eSentire: esNETWORK, esENDPOINT, esLOG, Managed Vulnerability Scanning. Managed SIEM: QRadar, Splunk, LogRhythm, InsightIDR, AlienVault, Exabeam.
Management: Platform and agent management (with caveats).
Monitoring: 24x7x365.

DETECTION OVERVIEW

Detection focus: eSentire: Detection and investigation of new/suspicious signals (not detected/triggered by traditional technologies, signatures, UBA, etc.) representing potential malicious activity that bypasses traditional security controls. Managed SIEM: Detection of potential events triggered by feeding technologies, integrated correlation rules and complementary machine learning processes.

CONTINUOUS TUNING

Merge and manage the signal set into a standard configuration that is deployed to all boxes. Managed SIEM: Possibly.
Refinements and updates to account for the client's specific environment are done continuously as the client's environment changes. Managed SIEM: Unlikely.

SITUATIONAL AWARENESS

Monitoring and investigation of signals generated from any source that do not currently have a known explanation for why they would be firing. Managed SIEM: Unlikely.
Investigate and determine a root cause for a detection event that does not have an existing known explanation, within a 20 minute SLO.

RESPONSE CAPABILITIES / FEATURES

Response focus: eSentire: Unlimited embedded end-to-end incident response capabilities included (no retainers, no extra fees), with a focus on minimizing the time frame from detection to containment (performed on the client's behalf) and on improving the client's overall security posture. Orchestration, playbooks and automations accelerate investigations. Managed SIEM: Managed SIEM solutions alert on possible intrusions based on the log information available and add context for client personnel. Responsibility falls on the client to further investigate, correlate with additional telemetry outside of logs, and confirm and contain threats.

PROACTIVE THREAT HUNTING

Hypothesis-driven investigation (knowledge of a new threat actor's campaign based on threat intelligence gleaned from a large pool of crowdsourced attack data). Managed SIEM: Possibly.
Investigations based on known IOCs (Indicators of Compromise).
Analytics-driven investigations (based on advanced analytics and machine learning). Managed SIEM: Possibly.

INCIDENT RESPONSE LIFE CYCLE: DELINEATION OF RESPONSIBILITY (CLIENT VS PROVIDER)

Forensic investigation: eSentire; Managed SIEM: Client / Provider.
Event management / false positive reduction: eSentire; Managed SIEM: Provider.
Guidance on network hardening post event: eSentire; Managed SIEM: Provider.
Tactical threat containment: eSentire; Managed SIEM: Client.
Confirmation of post event hardening: eSentire; Managed SIEM: Client.
Monitor for re-entry: eSentire; Managed SIEM: Client.

FORENSIC INVESTIGATION

eSentire: Full network, endpoint and log signal integration: can gather and interpret endpoint (full telemetry) and network data (packet level) as well as perform searches inside client logs to provide more information during an investigation.
Network: can gather and interpret forensic data (PCAPs, NetFlow, metadata) from network choke points relevant to the investigation.
Endpoint: can gather and interpret forensic data (process flows, execution chains, etc.) from affected hosts relevant to the investigation.
Managed SIEM: Logs: can perform searches inside client logs to provide more information during an investigation.

TACTICAL THREAT CONTAINMENT ON CLIENT'S BEHALF

Network: can implement client-wide TCP disruption at the chokepoint to stop an attacker from attempting against other targets.
Endpoint: can fully isolate compromised internal hosts as part of response so that lateral spread within the organization from an identified compromised endpoint is contained.

REMEDIATION

eSentire: Full remediation support after alert and investigation. Managed SIEM: Beyond scope of services.

INDIVIDUAL SERVICE BREAKDOWN: esNETWORK vs. Managed SIEM

Managed SIEM column: No capability outside of a potential IPS/IDS feeding the SIEM (the entries below assume a functioning IPS/IDS is feeding the SIEM).

NETWORK
Monitors ingress and egress chokepoints on your company network(s).
Monitors decrypted spans. Managed SIEM: Possibly.
Real-time inspection of every packet utilizing full packet capture.

DETECTION CAPABILITIES
Signatures.
Machine learning. Managed SIEM: Possibly.
Behavioral based. Managed SIEM: Possibly.
Anomaly based. Managed SIEM: Possibly.
Investigation of signals not seen in the client environment before.
Active threat hunting.
Event management / false positive reduction.
Tactical threat containment ("kill" TCP connections on the client's behalf).
Alerts.
Remediation guidance.
Full forensic investigation.
Co-managed remediation.

INDIVIDUAL SERVICE BREAKDOWN: esENDPOINT vs. Managed SIEM

Managed SIEM column: No capability outside of a potential EDR technology feeding the SIEM (the entries below assume a functioning EDR product is feeding the SIEM).

ENDPOINT
Monitors company assets at the endpoint level.
Provides host-level visibility.

DETECTION CAPABILITIES
Signatures.
Machine learning. Managed SIEM: Possibly.
Behavioral based. Managed SIEM: Possibly.
UBA. Managed SIEM: Possibly.
Anomaly based. Managed SIEM: Possibly.
Investigation of signals not seen in the client environment before.
Active threat hunting.
Event management / false positive reduction.
Tactical threat containment (host isolation on the client's behalf).
Alerts.
Remediation guidance.
Full forensic investigation.
Co-managed remediation.

INDIVIDUAL SERVICE BREAKDOWN: esLOG vs. Managed SIEM

LOGS
Fully managed. Managed SIEM: Depends on provider.
Co-managed. Managed SIEM: Depends on provider.
Cloud-based deployment. Managed SIEM: Depends on provider.
On-premises deployment. Managed SIEM: Depends on provider.

DETECTION CAPABILITIES
Custom rule sets.
Machine learning.
UBA.
Big data analytics.
Attacker behavior analytics.
Threat intelligence integration.

MONITORS, CAPTURES AND INSPECTS LOGS FROM THE FOLLOWING SOURCES:
Security events (IDS, endpoint, DLP, VPN, web filters, honeypots, firewalls, IAM, etc.)
Network logs (routers, switches, DNS servers, WAP, WAN, data transfers, VPC, etc.)
Applications and devices (application servers, databases, intranet applications, web applications, SaaS applications, cloud hosted servers, etc.)
AWS (CloudTrail, Config, Inspector, S3, etc.)
Google Cloud Platform
Microsoft Azure (Active Directory, Azure audit, Azure SQL, Office 365)
Database (Amazon DynamoDB, SQL Server, MongoDB, MySQL, Oracle, etc.)
Web server (Apache, Tomcat, IIS, Nginx)
DevOps (Docker, GitHub, Kubernetes, Jenkins, etc.)
IT infrastructure (configuration, locations, owners, network maps, vulnerability reports)
Operating system (host metrics, Linux, Windows, Windows performance)

Self-service querying. Managed SIEM: Depends on provider.
Self reporting. Managed SIEM: Depends on provider.
Portal with data visualizations.

INDIVIDUAL SERVICE BREAKDOWN: esRECON (Managed Vulnerability Service) vs. Managed SIEM

VULNERABILITY
Regular internal and external scans.
Ad hoc scanning.
Remediation guidance.
Comprehensive reporting.
Co-managed model.
Customer access to VM platform.
Customer access to create custom dashboards and reporting.
Web application scanning.
PCI Approved Scanning Vendor.
MDR integration.
Dedicated vulnerability management service team.
Monthly service calls.
Executive summaries.
Scanner maintenance.
Quarterly review of asset groups and configurations.

eSentire, the global leader in Managed Detection and Response (MDR), keeps organizations safe from constantly evolving cyber attacks that technology alone cannot prevent. Its 24x7 Security Operations Center (SOC), staffed by elite security analysts, hunts, investigates, and responds in real time to known and unknown threats before they become business-disrupting events. Protecting more than 5.7 trillion AUM in the financial sector alone, eSentire absorbs the complexity of cybersecurity, delivering enterprise-grade protection and the ability to comply with growing regulatory requirements. For more information, visit www.esentire.com and follow @eSentire.
