Security Information and Event Management (SIEM) Mid-Market Analysis


Security Information and Event Management (SIEM) Mid-Market Analysis
An Executive Brief Prepared for AlienVault
Christopher Kissel, Analyst, Threat Sensing Cybersecurity
February 2018
Excerpts K17D-011

Introduction

This Executive Brief is based on the Frost & Sullivan report, "Security Information and Event Management (SIEM)—Global Market Analysis, Forecast to 2021," published July 2017. This abbreviated brief focuses on the SIEM requirements of mid-market organizations and an analysis of the vendors who serve this market, including in-depth coverage of AlienVault. The Market Overview, The Last Word—Predictions, and The Last Word—Recommendations sections are excerpted wholly from the original Frost & Sullivan report.

Content from the original report has been updated to reflect pricing, features and product vision for AlienVault's cloud-based USM Anywhere platform; however, AlienVault's overall unified security management approach, which originated with its all-in-one physical appliance, remains unchanged. AlienVault's cloud-based platform is designed to address the needs of mid-market organizations, but also offers features that allow enterprises and managed security service providers (MSSPs) to centrally manage larger deployments.

Worth noting, but not presented in excerpt form here, is that AlienVault was cited as having the Point of Competitive Differentiation for Best Approach to SIEM for small-to-midsized business (SMB) in the original report.

Source: Frost & Sullivan

Market Overview

Market Overview

Traditionally, SIEM has served three important functions, and this remains true today:

1. SIEM is used to prove compliant practices (noting that there are numerous industry compliance standards).
2. SIEM is used as a way to formalize storage. Data is normalized and logged for recall.
3. The SIEM engine initiates the first part of a forensics investigation. In the event that a breach is uncovered, the SIEM is used to access all related directory groups, OS, applications, or other applicable similarities to determine how far a breach has spread.

SIEM vendors compete with other security analytics platforms such as vulnerability management (VM), network access control (NAC), intrusion detection systems, threat intelligence, and others for threat sensing.

The same approximate procedures that are used in a forensics investigation can be used to reduce incident mean-time-to-detect and mean-time-to-respond. Increasingly, SIEM is being used to coordinate an integrated, multi-level cyber defense posture.

When SIEM is integrated with firewall, advanced threat detection (ATD), vulnerability management (VM), network access control (NAC), mobile device management (MDM), intrusion detection systems (IDS), threat intelligence platforms, and other platforms, it improves the efficacy of both SIEM and the integrated platforms.

The bidirectional flow between platforms is inevitable. Pernicious attacks like zero-day threats evade detection by perimeter-based systems. However, at some point the signature ends up on the SIEM. Even barring that, each system can tell the other what to be on the lookout for. If a SIEM is detecting anomalous behavior, the SIEM can tell the intrusion detection/intrusion prevention system (IDS/IPS) about the signature type it is seeing.

Source: Frost & Sullivan
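Functions 2 and 3 above (normalize logs for recall, then correlate across sources) are, in miniature, what a SIEM rule engine does. The following is an added example written for this brief, not code from Frost & Sullivan or from any vendor discussed here: it normalizes constructed log lines from two sources (an sshd authentication log and an IDS alert line, both in made-up formats) into one schema, then raises an alarm when an IDS alert from a source address is followed within ten minutes by a successful login from the same address. Hostnames, addresses, usernames and signature IDs are all constructed.

```python
"""Added example (not from the Frost & Sullivan brief or any vendor): normalize
log lines from two constructed sources into one schema, then correlate an IDS
alert with a later successful login from the same source IP.
All log lines, addresses and signature IDs below are constructed."""
import re
from datetime import datetime, timedelta

# Constructed sample input: deliberately heterogeneous line formats.
RAW_EVENTS = [
    "2018-02-10T09:12:01Z sshd[1432]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "2018-02-10T09:12:05Z sshd[1432]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    '2018-02-10T09:13:10Z ids: ALERT sig_id=2001219 msg="SSH brute force attempt" src=203.0.113.7 dst=10.0.0.5',
    "2018-02-10T09:15:42Z sshd[1490]: Accepted password for admin from 203.0.113.7 port 51100 ssh2",
    "2018-02-10T09:16:00Z sshd[1491]: Accepted password for bob from 198.51.100.20 port 40000 ssh2",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)
IDS_RE = re.compile(
    r'^(?P<ts>\S+) ids: ALERT sig_id=(?P<sig>\d+) msg="(?P<msg>[^"]*)" '
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+) dst=(?P<dst>\d+\.\d+\.\d+\.\d+)"
)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(line):
    """Map one raw line to a common schema: ts, source, action, src_ip, user, detail.
    Returns None for lines no parser understands (a SIEM would keep them raw)."""
    m = SSHD_RE.match(line)
    if m:
        action = "auth_success" if m["outcome"] == "Accepted" else "auth_failure"
        return {"ts": _ts(m["ts"]), "source": "sshd", "action": action,
                "src_ip": m["src"], "user": m["user"], "detail": "password"}
    m = IDS_RE.match(line)
    if m:
        return {"ts": _ts(m["ts"]), "source": "ids", "action": "ids_alert",
                "src_ip": m["src"], "user": None,
                "detail": f"sig {m['sig']}: {m['msg']} -> {m['dst']}"}
    return None


def correlate(events, window=timedelta(minutes=10)):
    """Rule: an IDS alert from src_ip followed within `window` by a successful
    login from the same src_ip raises one alarm for that login."""
    alarms = []
    alerts = [e for e in events if e["action"] == "ids_alert"]
    for e in events:
        if e["action"] != "auth_success":
            continue
        for a in alerts:
            if a["src_ip"] == e["src_ip"] and timedelta(0) <= e["ts"] - a["ts"] <= window:
                alarms.append({"src_ip": e["src_ip"], "user": e["user"],
                               "alert": a["detail"], "login_ts": e["ts"]})
                break
    return alarms


def run(lines=RAW_EVENTS):
    """Normalize, order by time, correlate. Returns (events, alarms)."""
    events = [n for n in (normalize(l) for l in lines) if n is not None]
    events.sort(key=lambda e: e["ts"])
    return events, correlate(events)


if __name__ == "__main__":
    _, found = run()
    for a in found:
        print(f"ALARM {a['src_ip']} logged in as {a['user']} after '{a['alert']}'")
```

On the sample above, only the `admin` login from 203.0.113.7 fires; the login by `bob` from a different address does not, even though it is inside the window. The sort step matters: correlation windows are computed on event timestamps, not arrival order, because sources ship logs with different delays.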

Market Overview (continued)

With enterprises, the overlay of SIEM with other cyber defense technologies fortifies the network grid and creates a continuous security intelligence defense.

In smaller markets, compliance with regulatory mandates remains an imperative. Additionally, companies like AlienVault and SolarWinds gained an initial advantage by building all-in-one appliances.

However, IBM, HPE ArcSight, and McAfee have closed the gap in all-in-one platforms, and cloud-based SIEM tools often integrate multiple cyber defense technologies on the same platform.

The nerve center of SIEM is the central console. The large vendors claim almost infinite scalability, but for all intents and purposes a central console can view 500,000-1,000,000 events per second (EPS).

SIEM dashboards provide visibility of the network as well as agility within select fields such as end user, most used applications, most vulnerable endpoints, etc.

The best dashboards are truly interactive. Any number of events (device types, OS, applications, network mapping, etc.) can be isolated in the best SIEM with a mouse click.

Investigations can be recorded for future reference. The results of investigations can be incorporated into the establishment of new rules or alarm thresholds.

Source: Frost & Sullivan

Midsized Business Competitive Environment

Midsized SIEM Market: Competitive Structure, Global, 2017

Number of Companies in the Market: 24
Competitive Factors: Compliance reporting and auditing, threat prioritization, extensibility, access to tech support/customer service.
Key End-user Groups: IT directors, some SOCs or managed service providers.
Deployment Options: Cloud-based deployment, managed detection and response (MDR), SIEM-as-a-service, co-managed SIEM, and all-in-one appliance.
Major Market Participants: Retail, factories, municipalities, smaller government agencies.
Market Share of Top 3 Competitors: 52.1%
Other Notable Market Participants: Hospitals and other healthcare, regional banks.
Distribution Structure: Channel partners, system integrators, direct sales, VARs.

Note: Content added. Midsized Business Competitive Environment did not appear in the original report.
Source: Frost & Sullivan

Top Competitors (Midsized Markets)

SIEM Midsized Market: SWOT Analysis, Global, 2017

AlienVault
  Strengths: Integrated SIEM, VM, and threat detection over all platforms.
  Weaknesses: Relative newness to cloud (1 year).
  Opportunities: Strong pricing in consideration of its core technologies wins business.
  Threats: Companies trying to match USM Anywhere all-in-one capabilities.

SolarWinds
  Strengths: Affordable Log and Event Manager (LEM) deployed as a hardened appliance.
  Weaknesses: LEM does not have an as-a-service option.
  Opportunities: More than half of SolarWinds customers have multiple products.
  Threats: Managed detection and response services (MDR) option.

Alert Logic
  Strengths: First-mover Cloud Defender SIEM-as-a-service approach.
  Weaknesses: No on-premises appliance.
  Opportunities: Good approaches to cloud, hybrid cloud, and data center environments.
  Threats: Bigger SIEM vendors shifting focus to midsized markets.

Arctic Wolf
  Strengths: Early innovator in managed threat detection.
  Weaknesses: Lack of vertical-market-specific SIEM and compliance reporting.
  Opportunities: Products scale well as customers expand their businesses.
  Threats: Endpoint detection and response (EDR) and SIEM-as-a-service.

EventTracker
  Strengths: Offers SIEM, predictive threat analytics, and endpoint monitoring.
  Weaknesses: Co-managed SIEM approach sometimes difficult for IT teams.
  Opportunities: SIEMphonic MDR Edition is for businesses that do not have a heavy IT presence.
  Threats: Platforms handling big data requirements on the backend.

LogRhythm
  Strengths: Ground-up product development; intuitive, effective tools.
  Weaknesses: All-in-one XM appliance is expensive.
  Opportunities: Differentiates through UEBA, SIEM-specific features and customer service.
  Threats: Not a factor in managed SIEM or SaaS.

Note: Content added. Midsized market SWOT analysis did not appear in the original report.
Source: Frost & Sullivan

Analysis of AlienVault Technology Approach to SIEM

Analysis of AlienVault Technology Approach to SIEM
AlienVault Strategies and Approaches to Midsized Businesses (continued)

Native to the AlienVault USM Anywhere platform is an integrated security monitoring posture that includes asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, and SIEM to deliver threat detection, incident response, and compliance management capacity.

Network and host intrusion detection is standard to the AlienVault USM Anywhere platform. The tie-in between SIEM and intrusion detection is an important differentiator; AlienVault Labs Threat Intelligence applies appropriate event correlation rules against the raw event log data collected, as well as against the events triggered by the built-in intrusion detection software.

Another shared resource for the cloud-based appliance is shared threat intelligence from the AlienVault Open Threat Exchange (OTX). The AlienVault Labs Security Research Team leverages the data within OTX to analyze threat activity using a set of machine-learning analysis systems that look for trends and behaviors, and translates that activity into the threat intelligence that is delivered to USM Anywhere.

The AlienVault Threat Intelligence includes correlation rules, IDS signatures, vulnerability signatures, plugins, reports and dynamic incident response templates developed by the AlienVault Labs security research team.

These items are updated continuously to keep threat detection capabilities up to date with new and emerging threats, avoiding the need for resource-constrained security teams to spend time researching threats. Threat information from OTX and from AlienVault Labs Threat Intelligence is uploaded to the cloud platform 5-7 times a week.

Source: Frost & Sullivan Analysis

Analysis of AlienVault Technology Approach to SIEM (continued)
AlienVault Strategies and Approaches to Midsized Businesses

AlienVault built USM Anywhere from the ground up to monitor cloud environments as well as on-premises environments from one unified solution, rather than trying to kludge its successful on-premises appliance for cloud.

USM Anywhere is comprised of two components. The cloud-based USM Anywhere server is responsible for event correlation, event storage and event analysis, and provides the interface for the user to investigate, analyze, and respond to incidents. Sensors are deployed for data collection, asset scanning, vulnerability scanning, and environment awareness; they collect and share the resulting information with USM Anywhere for processing.

However, cybersecurity platforms, no matter how expansive, need to be developed for integration with other platforms to give SOC teams greater visibility and command over their environments:

o Plugins and AlienVault AlienApps. AlienVault has important all-in-one security features and AlienVault Labs Threat Intelligence, which collects more than 14 million threat indicators daily. For several SIEM vendors an API is the communication fabric between platforms; AlienVault calls these plugins. The AlienVault Labs Security Research Team regularly updates its plugin library to increase the extensibility of the USM platform; the plugins enable USM Anywhere to accept third-party data.

Source: Frost & Sullivan Analysis

Analysis of AlienVault Technology Approach to SIEM (continued)
AlienVault Strategies and Approaches to Midsized Businesses (continued)

o Even more than an API integration, AlienVault wanted to offer its customers greater security protections through platform integrations. Enter AlienApps. AlienApps are modular, extensible additions to USM Anywhere that allow AlienVault to collect data from API-based systems, analyze and visualize the data via pre-built dashboards, and provide orchestrated security response with third-party applications.

o Plugins and AlienApps (continued). Currently, AlienApp integrations with Cisco Umbrella and McAfee ePolicy Orchestrator are standard in a USM Anywhere deployment. In addition to McAfee ePO and Cisco Umbrella, USM Anywhere now also includes an AlienApp for Office 365, and one that monitors G Suite (a.k.a. Google Apps). AlienVault adds new AlienApps on a monthly basis. For the most current list of AlienApps, refer here: https://www.alienvault.com/products/alienapps

o The use of cloud for data collection through Amazon Web Services (AWS). AlienVault utilizes cloud-native log aggregation through integration with CloudTrail, CloudWatch, and S3. Elastic Load Balancing (ELB) access logs, which AWS delivers to an S3 bucket the customer designates, record information about each HTTP and TCP request the load balancer handled (client address, request line, user agent, status codes and timing). Once ELB access logging is configured, a client can use the platform for statistical analysis, diagnostics, and data retention.

o Data collection through Microsoft Azure. USM Anywhere logs and creates events associated with the specific Azure Storage Tables containing Windows Security Events, Internet Information Services (IIS) and SQL events that the user enables in the Azure Console using the Azure Diagnostics feature.

o Elasticsearch. AlienVault uses Elasticsearch, built specifically for clustering, to access data.

Source: Frost & Sullivan Analysis
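The ELB access logs mentioned under AWS collection illustrate what a sensor has to do with raw cloud logs before any correlation is possible. The following is an added example written for this brief, not AlienVault's or AWS's code: it parses Classic Load Balancer access log records (the documented field order: timestamp, ELB name, client:port, backend:port, three timing fields, ELB and backend status codes, received and sent bytes, quoted request, quoted user agent, SSL cipher, SSL protocol) and goes one step beyond the text by flagging a client that draws repeated 4xx responses in a short window, a common first signal of path scanning. The load balancer names, addresses, paths and user agents are constructed.

```python
"""Added example, not from the brief or from AlienVault or AWS: parse Classic
Load Balancer (ELB) access log lines into fields and flag a client that draws
repeated 4xx responses. The record layout is the documented Classic ELB
access-log format; the log lines themselves are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. The last line is a TCP-listener record, where the
# HTTP-only fields (status codes, request, user agent) are "-".
SAMPLE_LOG = """\
2018-02-10T10:00:01.123456Z web-elb 203.0.113.9:40001 10.0.1.5:80 0.00004 0.00210 0.00003 404 404 0 162 "GET http://app.example.test:80/wp-login.php HTTP/1.1" "python-requests/2.18.4" - -
2018-02-10T10:00:02.223456Z web-elb 203.0.113.9:40002 10.0.1.5:80 0.00004 0.00180 0.00003 404 404 0 162 "GET http://app.example.test:80/phpmyadmin/ HTTP/1.1" "python-requests/2.18.4" - -
2018-02-10T10:00:03.323456Z web-elb 203.0.113.9:40003 10.0.1.5:80 0.00004 0.00150 0.00003 403 403 0 150 "GET http://app.example.test:80/.env HTTP/1.1" "python-requests/2.18.4" - -
2018-02-10T10:00:04.423456Z web-elb 198.51.100.4:51000 10.0.1.6:443 0.00005 0.01200 0.00004 200 200 0 5120 "GET https://app.example.test:443/ HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2018-02-10T10:00:05.523456Z web-elb 203.0.113.9:40004 10.0.1.5:80 0.00004 0.00160 0.00003 404 404 0 162 "GET http://app.example.test:80/admin HTTP/1.1" "python-requests/2.18.4" - -
2018-02-10T10:00:06.623456Z tcp-elb 198.51.100.4:52000 10.0.1.7:5432 0.00100 0.00200 0.00005 - - 2000 1500 "- - - " "-" - -
"""

# One record per line; the two quoted fields may contain spaces, so they are
# matched as [^"]* rather than \S+.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<elb>\S+) (?P<client>\S+):(?P<cport>\d+) (?P<backend>\S+) '
    r'(?P<rpt>\S+) (?P<bpt>\S+) (?P<rspt>\S+) (?P<elb_status>\S+) (?P<be_status>\S+) '
    r'(?P<rx>\d+) (?P<tx>\d+) "(?P<request>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<cipher>\S+) (?P<proto>\S+)$'
)


def parse_line(line):
    """Parse one Classic ELB access log record; None if the line does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
    # Status codes are "-" on TCP listeners; keep them as None, not 0.
    for k in ("elb_status", "be_status"):
        d[k] = int(d[k]) if d[k].isdigit() else None
    parts = d["request"].split(" ", 2)
    d["method"], d["url"] = (parts[0], parts[1]) if len(parts) >= 2 else (None, None)
    return d


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def flag_scanners(records, threshold=3, window=timedelta(minutes=5)):
    """Flag any client that receives >= threshold 4xx responses within `window`.
    Returns {client_ip: [urls that drew 4xx]} for flagged clients only."""
    by_client = defaultdict(list)
    for r in records:
        if r["elb_status"] is not None and 400 <= r["elb_status"] < 500:
            by_client[r["client"]].append(r)
    flagged = {}
    for ip, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0  # sliding window over this client's sorted 4xx records
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = [r["url"] for r in recs]
                break
    return flagged


if __name__ == "__main__":
    for ip, urls in flag_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {len(urls)} 4xx responses, e.g. {urls[0]}")
```

The TCP-listener record is the edge case worth keeping in any test set: its status fields are `-`, and code that blindly calls `int()` on them will drop the whole line (or worse, treat the record as a status-0 success). Parsing it to `None` keeps the line, which still carries client address, byte counts and timing that matter for a TCP service.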

AlienVault for Enterprises and MSSPs

In the MSSP SOC, the analyst suffers from agent fatigue, alert fatigue, and the stress of trying to associate the meanings of alerts from multiple tools.

We mentioned the integration of SIEM, VM, IDS, and endpoint discovery on the same platform. This integrated approach saves the SOC analyst time by avoiding the need to reference multiple tools when researching alarms.

Additionally, threat intelligence from AlienVault Labs and the Open Threat Exchange (OTX) helps to enrich the log data from multiple sources to detect malicious activity, to correlate network traffic with known malware from external threat feeds, and then to initiate (or automate) threat response.

USM Anywhere is federation-ready, meaning it offers the ability to take multiple sensors and appliances and send alerts or perform analytics from one central, managed console. See the AlienVault USM Central Datasheet.

Federation allows enterprises and MSSPs to leverage the platform from a central SOC that can then oversee the administration, operations, and security monitoring functions of satellite offices or client environments.

USM Anywhere Sensors gather data, and USM Anywhere Secure Cloud encrypts data in storage and in transit.

The USM Anywhere platform includes additional features like integrated ticketing, automated response and security orchestration with key cybersecurity vendors to increase incident response efficiency.

Source: Frost & Sullivan Analysis

Midsized Business SIEM Pricing

Midsized Business SIEM Pricing—AlienVault

AlienVault customers are migrating to the cloud-based USM Anywhere platform for several important reasons:

o Scalability/extensibility. To add capacity, companies only need to add sensors and change the license. USM Anywhere has a tier-based pricing model based on customer consumption. The minimum contract is a one-year engagement; however, pricing is monthly. The minimum monthly subscription is 250 GB, and the largest standard engagement is 10 TB.

o The burden of hardware is borne by AlienVault. USM Anywhere is fully hosted in AlienVault's Secure Cloud, eliminating all the costs associated with having to drop a server into a data center environment (facility, cooling, power, and ongoing maintenance).

o A company's limited manpower is better served elsewhere than in SIEM management and analytics. SIEM is a terrific platform that is capable of compliance reporting, threat detection, and auditing of rule- and role-based access conditions. AlienVault hosts the threat analytics, allowing IT/security teams to deploy resources elsewhere in the network. AlienVault also has built-in, continuously updated correlation rules, avoiding the need for internal expertise and manpower to research threats and write correlation rules.

o Protected audit trail. Keeping critical security audit information in an off-site location helps ensure that the information is protected and not tampered with.

Note: This content is not as originally included in the full published report. The changes to the content reflect AlienVault product upgrades and tactical approaches as of February 2018.
Source: Frost & Sullivan Analysis

Midsized Business SIEM Pricing—AlienVault (continued)

o Security of the cloud. The security of the cloud infrastructure provider, combined with the added layer of security controls provided by the cloud vendor, ensures that customer data is secured and protected within the cloud solution.

o AlienVault takes care of the storage. All USM Anywhere tiers come with one sensor included, 90 days of hot storage and one year of cold storage. Hot storage is readily searchable. Added cold storage can be purchased to store raw logs and events longer, contingent upon the use cases.

Source: Frost & Sullivan Analysis

Midsized Business SIEM Pricing—AlienVault (continued)
USM Anywhere versus Building Your Own SOC

Naturally, AlienVault competes with other companies as a service provider for security-as-a-service business. The other alternative is for companies to build their own SOC.

When a company builds its own SOC, one of the benefits is that the company can customize its security posture. However, there are two major costs associated with building an internal SOC: the cost to acquire cybersecurity technology and the cost related to hosting cybersecurity technology (see the next two pages). The assumptions used in the next two tables are:

o The business has roughly 3,000 endpoints.
o The company has a "medium" Internet presence (it does not handle personally identifiable information (PII), nor does it regularly handle online transactions).
o The company requires one SOC analyst.

This important caveat should be made. The costs do vary based upon the type of business, the number of locations, the number of remote workers and how a company internally values cybersecurity. With most companies, cybersecurity budgets compete with IT and operational budgets. The degree to which a company values cybersecurity is subjective. Unfortunately, a commitment to cybersecurity often comes after a breach.

Source: Frost & Sullivan Analysis

Midsized Business SIEM Pricing—AlienVault (continued)
Estimated Cost to Acquire Cybersecurity Technology for Midsized Businesses

Each row gives: Type of Technology, Annual Costs: Explanation of Costs, Alternative, and Implementation.

Security Information and Event Management (SIEM), 25-40,000: The one-time hardware cost of an all-in-one appliance is 25,000. Additional collectors may be 5,000 a piece. When SIEM is used for incident detection and response, it does require a significant amount of tuning on the front end.

Vulnerability Management (VM), 17-25,000: VM is an essential tool toward prevention. Shoring up the network security surface and finding vulnerabilities before an intruder does is important.

Intrusion Detection System (IDS), 10-30,000: A unified threat management (UTM; an alternative to IDS) system can be obtained for as little as 3,000. The solution is ultimately not robust enough. IDS systems generally start at 30,000 annually.

Network Behavior Anomaly Detection (NBAD), 10-15,000: This would be the approximate price of analytics purchased for NBAD as a discrete software module. NBAD is often integrated into enterprise-grade SIEM.

User and Entity Behavioral Analytics (UEBA), 10-15,000: This would be the approximate price of analytics purchased for UEBA as a discrete software module. UEBA would include statistical baselines, which does save some time in what analysts have to do to tune a SIEM. UEBA is often integrated into enterprise-grade SIEM.

External threat feed service, 3,000: Many companies will use open-source software for this or join vendor communities. Other sources like VirusTotal have commercial versions.

SUM of Technology Acquisition, 75-128,000: The 75,000 is a hard-deck cost. Many factors can add to this: the number of offices, the number of remote workers, and the type of business (if credit-card centric, much more security is required) among other considerations. Self-evidently, each added end-user/device adds incremental costs.

Source: Frost & Sullivan.
