13 Dec 2012

We are not SIEM

Packetloop is not a Security Information and Event Management (SIEM) system. It's a (parser free) Big Data Security Analytics system and I just wanted to give you 10 ways they differ.
  1. Punishing us with Pie Charts - SIEMs have been punishing us with pie charts and meaningless alerts. Instead of quality analytics they generally throw up a pie chart (High, Medium, Low - Red, Orange, Green) and a spreadsheet (row and column) view of the world. They don't let you explore and explain your attack data. Packetloop specializes in security analytics, providing multiple ways to quickly visualize, interact with, explore and explain security events.
  2. Low fidelity input - SIEMs operate on, and are required to parse, device log data. They deal with a digest of the original incident as seen by a device, and as configured by the device administrator. Like a cryptographic hash, you can't get the original data back after a device has interpreted the traffic and produced a log. Packetloop operates on full packet captures and is able to analyse all information in the stream. This provides full-fidelity data that can be analysed, stored, searched and filtered repeatedly, and from different perspectives if required. Operating on full packet captures gives your organisation the widest range of options when it comes to detecting and managing a breach.
  3. You can't find incidents you don't log - SIEM is blink-and-you-miss-it technology. If you aren't logging the information, you don't see it. If you don't have a signature set to alert on the incident, it can't possibly reach the SIEM. You are faced with a problem of silent evidence: you never hear about the attacks that are being perpetrated against your network. Packetloop doesn't rely on parsers and includes multiple sensors to produce indicators and warnings. Packetloop continually scans all network data for zero-day attacks. Finding attacks in past data is exceptionally valuable for establishing a timeline related to a breach or to targeted attackers.
  4. Aggregation for scale removes precision - SIEMs aggregate data over time. Security events are grouped by hours, then by days, then weeks, then years. The details of the original incident are lost over time and are difficult to analyse. Packetloop stores terabytes of security event data and allows you to zoom from years to seconds with no loss of the original information. Any arbitrary time window can be analysed, allowing you to play, pause and rewind network data.
  5. Parsing, Parsing, Parsing - SIEMs are only as effective as the logs they are forwarded and can parse. The configuration of the device forwarding the log determines how much information the SIEM receives. If the log is not verbose enough, or contains information that cannot be parsed, the quality of the information is degraded. Packetloop operates on network packet captures taken from live network taps. It requires no parsers and has access to all security and protocol information through deep packet inspection. No configuration needs to be applied to devices: no parsers and no complex integration work.
  6. No ability to share metrics - SIEMs are not built for multi-tenancy and don't provide any way to share key metrics in terms of frequency, severity, attack life cycles and trends related to attacks. Within Packetloop almost every metric presented to you has the global version (all customers) presented beside it, so you can quickly determine whether you are targeted more heavily than, or in line with, other customers on the platform.
  7. More and more IT instead of Analysts - SIEMs require experts to deploy, configure and maintain. This generally equates to a number of full-time employees to manage the parsers, the flow of information, upgrades, downtime etc. Packetloop operates in the Cloud (and soon on-premises) as a turn-key service. Why have employees to maintain the infrastructure when you could instead have some really smart analysts to explore and report on your data? Simply capture your network traffic and upload it using the Web, SFTP, S3 bucket copy, or send us a disk. You can encrypt all data and provide a pass phrase before we process it.
  8. Made for the Cloud - Packetloop was made for the Cloud and for the express purpose of providing greater security to cloud-based assets. Normally customers sacrifice security controls when they deploy systems in the Cloud; by leveraging Packetloop, however, a customer can have greater analysis, detection and incident response capabilities than they currently have on-site using their SIEM.
  9. Bang for Buck - Packetloop is cost effective and will always provide overwhelming value for money. It's a stand against the expensive solutions we see rolled into customers every day: solutions that cost $100,000s but provide very little benefit. We only charge you for the data you process, and we will launch with a price that makes it an easy decision to upload.
  10. The future is bright - SIEM is a waning technology, and due to its low feature space (the quality of the input records) it's difficult for it to innovate. Sure, there will be a SIEM 2.0 that uses Big Data to scale, but new insights and analytics will be difficult to conjure. Packetloop can extract information from any part of the network communication, giving it an extremely dense feature space. The amount of interesting information is so vast that we are finding new ways to apply statistical analysis and machine learning every day.
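To make point 4 concrete, here is an added example (not Packetloop code) that contrasts an hourly SIEM-style rollup with a query over the retained raw events. The event list is constructed: a slow trickle from one host plus a 20-second burst from another, both inside the same hour, so the rollup reports one number while the raw data still shows the burst.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data (hypothetical hosts, not real captures):
# one event every 5 minutes from 10.0.0.5, plus 20 events in 20 seconds
# from 198.51.100.7 starting at 10:22:00. All fall in the 10:00 hour.
T0 = datetime(2012, 12, 13, 10, 0, tzinfo=timezone.utc)
EVENTS = [(T0 + timedelta(minutes=m), "10.0.0.5", "TCP_SYN") for m in range(0, 60, 5)]
EVENTS += [(T0 + timedelta(minutes=22, seconds=s), "198.51.100.7", "TCP_SYN")
           for s in range(20)]


def hourly_rollup(events):
    """SIEM-style aggregation: only a count per (hour, event type) survives.
    Source addresses and sub-hour timing are discarded by design."""
    counts = Counter()
    for ts, _src, kind in events:
        counts[(ts.replace(minute=0, second=0, microsecond=0), kind)] += 1
    return counts


def query_window(events, start, end):
    """Arbitrary time window over the raw events: zoom from hours to seconds."""
    return [e for e in events if start <= e[0] < end]


def burst_sources(events, window=timedelta(seconds=30), threshold=10):
    """Sources with at least `threshold` events inside any sliding `window`.
    This is only answerable from raw events, not from the rollup."""
    by_src = {}
    for ts, src, _kind in sorted(events):
        by_src.setdefault(src, []).append(ts)
    hits = set()
    for src, times in by_src.items():
        left = 0
        for right, t in enumerate(times):
            while t - times[left] >= window:   # shrink window from the left
                left += 1
            if right - left + 1 >= threshold:
                hits.add(src)
    return hits


if __name__ == "__main__":
    print(hourly_rollup(EVENTS))          # one bucket, 32 events, no sources
    burst = query_window(EVENTS, T0 + timedelta(minutes=22),
                         T0 + timedelta(minutes=22, seconds=30))
    print(len(burst), "events in a 30-second window")
    print(burst_sources(EVENTS))          # {'198.51.100.7'}
```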
