Since I started at Cybereason, one of the most common customer questions I’ve gotten is “how is what you do better than a SIEM”? As someone who spent far too long in the SIEM industry (I was an industry analyst in the early days of SIEM, and then spent eight years at a SIEM vendor) I thought it’d be good to compare and contrast what we do at Cybereason with a SIEM tool.
For those not familiar with the term, Security Information and Event Management (SIEM) is a technology that collects logs from across all your security devices (like firewalls and IDS), servers, and network devices. In theory, having all these logs in one place lets you correlate, identify threats, search and investigate, and happiness ensues.
The problem is that most SIEM deployments never really get to where they need to be. Organizations spend months, years, and thousands of employee hours trying to get these technologies to work, but they seldom do. Here’s why.
1. Organizations and IT move too fast for a SIEM
Getting data into a SIEM is not easy. Each flavor of every system has its own way of creating logs and shipping them off to a central location. Even a medium-sized organization can have hundreds of flavors of operating systems, applications, and network devices, creating a monumental task just to get all the data in one place. Also, the rate at which companies are expanding IT and the devices and applications they need to support means that SIEM teams just can’t keep up.
2. SIEMs just aren’t smart enough
Telling a SIEM what to look for is really hard - especially when you’re looking across hundreds of flavors of devices, each with its own way of telling you what is going on. Sure, you can set up a few rules, like “tell me when you see five failed log-ins followed by a successful log-in.” But even that is not an easy task, and it requires expertise in building SIEM queries. And correlating all of these disparate events across all these different platforms, and drawing any meaningful conclusions, is just beyond the capabilities of any SIEM.
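To make the “five failed log-ins followed by a successful log-in” rule concrete, here is an added example (not code from the original post or from Cybereason) of how such a correlation rule is typically implemented once the logs are normalized. It assumes a made-up log layout of the form “<timestamp> <host> sshd: <RESULT> user=<name> src=<ip>”, and it shows the two details that make even this simple rule non-trivial: events arrive out of order and must be sorted, and failures must age out of a time window or a handful of old typos will eventually trigger a false alert.

```python
"""Toy SIEM-style correlation rule: N failed log-ins followed by a success.

Added example, not Cybereason's or the post's own code. The log format,
field names and sample values below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines. Note they are deliberately NOT in time order:
# alice's and bob's events are interleaved, and carol's older events come last.
# carol's five failures are 90 minutes before her success, so with a 10-minute
# window they must not count.
SAMPLE_LOGS = """\
2024-01-01T10:00:01 srv1 sshd: FAILED user=alice src=203.0.113.7
2024-01-01T10:00:03 srv1 sshd: FAILED user=alice src=203.0.113.7
2024-01-01T10:00:02 srv1 sshd: FAILED user=bob src=198.51.100.9
2024-01-01T10:00:05 srv1 sshd: FAILED user=alice src=203.0.113.7
2024-01-01T10:00:06 srv1 sshd: FAILED user=bob src=198.51.100.9
2024-01-01T10:00:08 srv1 sshd: SUCCESS user=bob src=198.51.100.9
2024-01-01T10:00:07 srv1 sshd: FAILED user=alice src=203.0.113.7
2024-01-01T10:00:09 srv1 sshd: FAILED user=alice src=203.0.113.7
2024-01-01T10:00:12 srv1 sshd: SUCCESS user=alice src=203.0.113.7
2024-01-01T09:00:01 srv2 sshd: FAILED user=carol src=192.0.2.4
2024-01-01T09:00:02 srv2 sshd: FAILED user=carol src=192.0.2.4
2024-01-01T09:00:03 srv2 sshd: FAILED user=carol src=192.0.2.4
2024-01-01T09:00:04 srv2 sshd: FAILED user=carol src=192.0.2.4
2024-01-01T09:00:05 srv2 sshd: FAILED user=carol src=192.0.2.4
2024-01-01T10:30:00 srv2 sshd: SUCCESS user=carol src=192.0.2.4
"""


def parse_line(line):
    """Normalize one raw line into an event dict; None if it does not match the assumed format."""
    parts = line.split()
    if len(parts) != 6 or not parts[4].startswith("user=") or not parts[5].startswith("src="):
        return None
    return {
        "ts": datetime.fromisoformat(parts[0]),
        "host": parts[1],
        "result": parts[3],
        "user": parts[4][len("user="):],
        "src": parts[5][len("src="):],
    }


def parse_logs(text):
    """Parse all lines, drop unparseable ones, and sort by timestamp.

    Correlation rules assume time order, but collectors deliver events out of
    order all the time, so sorting (or buffering) is part of the job."""
    events = [e for e in (parse_line(line) for line in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def failed_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when at least `threshold` FAILED events for the same (user, src)
    are followed by a SUCCESS, with all counted failures inside `window`."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for e in events:
        key = (e["user"], e["src"])
        recent = failures[key]
        # Age out failures older than the window relative to the current event.
        while recent and e["ts"] - recent[0] > window:
            recent.popleft()
        if e["result"] == "FAILED":
            recent.append(e["ts"])
        elif e["result"] == "SUCCESS":
            if len(recent) >= threshold:
                alerts.append({
                    "user": e["user"], "src": e["src"], "host": e["host"],
                    "failures": len(recent), "success_at": e["ts"].isoformat(),
                })
            recent.clear()  # a success ends the sequence either way
    return alerts


if __name__ == "__main__":
    for alert in failed_then_success(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

Run as-is it reports exactly one alert, for alice from 203.0.113.7: bob only failed twice, and carol's failures are outside the window. Keying on (user, source) rather than user alone is a design choice: it keeps one user's genuine typos from being conflated with an unrelated source's guesses, at the cost of missing an attacker who rotates source addresses, which is the kind of trade-off every real rule has to make explicitly.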
3. SIEMs don’t scale
Collecting, normalizing, categorizing, analyzing, reporting, and archiving data across tens or even hundreds of thousands of events per second is processor intensive, memory intensive and I/O intensive. None of the SIEM players have come out with a technology that can analyze in real time and retrieve data quickly when needed as well as store it cost effectively.
4. SIEMs just don’t get the visibility you need
Nobody is using a SIEM to understand what is happening at endpoints - which is where hackers perform a majority of their work. Native endpoint OS logs aren’t great, but no SIEM can scale to handle the volume of logs you’d need to analyze endpoint data. So when an endpoint is off the corporate network - as they so often are these days with remote and traveling employees - you’re flying blind.
The upshot is that most SIEMs become expensive log reporting systems used for compliance purposes, rather than any useful threat analysis system. Sure, if you have nothing else to provide you with visibility into what’s happening in your environment, a SIEM is a quantum leap. But sooner or later most people start questioning how much value they’re getting given the money and effort they’re putting into SIEM deployments.
In contrast, Cybereason gives you:
- Visibility. Cybereason’s Endpoint Sensors monitor - in real time - every process, every connection, every user on every endpoint across the enterprise, whether it be a server at your corporate headquarters or a laptop in a Starbucks accessing Salesforce. This gives you an unparalleled understanding of everything that’s going on across your environment.
- True behavioral analysis. Cybereason’s Hunting Engine collects all the data from endpoint sensors, and uses a purpose-built, in-memory graph to identify threats. The Hunting Engine analyzes in real time, and uses machine learning and statistical and behavioral analytics to get unparalleled detection of all elements of an attack, especially those threats that have never been seen before.
- Ease of deployment. Cybereason is designed from the ground up to be easy to deploy. Cybereason’s Endpoint Sensor runs in user space, eliminating the risk of causing a “blue screen” and making rollout exponentially easier. Cybereason servers run in the cloud or on premises, depending on your preference, shrinking deployment planning time. Finally, Cybereason comes preconfigured with behavioral models so you can get value immediately when you roll out the sensor.
- Scalability. Cybereason is designed to scale. Cybereason has customers who have deployed to upwards of 500,000 machines. Even when deployed on that many machines, Cybereason still automatically pulls together and presents information about attacks from across the globe in a single, simple console.
- Automated response. Unlike a SIEM, with Cybereason, once you identify a threat you can automatically shut it down, prevent it from spreading elsewhere, isolate it, and perform full-blown remote forensics on the machine.
Our customers tell us they spend less money and less time and effort and get way more value from the Cybereason platform than any other tool they’ve deployed, including their SIEM.
Paul Stamp is Cybereason's Director of Product Marketing.