Comparing Detection Capabilities of SIEM Solutions with Their Costs

Ertugrul Akbas
10 min read · Apr 28, 2020


The proper use of SIEM supports multiple security purposes, including:

Scenario-based detection is the first step of successful detection. Most SIEM solutions have “if X is followed by Y then it’s a Z attack” type scenarios [1]. SIEM solutions have separate correlation engines to detect this type of attack.

As an example, SureLog has a separate correlation and detection engine. IBM QRadar mainly utilizes the EventGnosis Complex Event Processing product as its correlation engine. RSA uses Esper CEP for correlation. LogRhythm and McAfee are other SIEM solutions with a separate correlation engine [1].

Although that type of detection is required, it is not sufficient. Practical threat detection using lists and ‘simple’ indicators like threat intelligence (TI) is a must. List/watchlist management is a must for threat detection and behavior analysis. Lists are essentially tables of data, and you can think of them as an Excel-like table with multiple rows and columns. Lists are different in each of the SIEMs on the market. Some are simply a single column, which you can use for e.g. IP addresses, and others have up to 20 columns that can hold a significant amount of data. Log retention policies typically don’t apply to lists, so you can keep them for as long as needed.

Lists can also help simplify long and complicated queries. Instead of writing a single query, you can put the results of the first part of a query into a List, and then have the second query run against the values in the List.

As you can see, Lists can be very useful for SIEM end users. Overlooking List functionality during a SIEM design can have profound impacts.

Traditional SIEM correlations are not good at holding state for long periods.

Some SIEM solutions, like SureLog and IBM QRadar, have advanced list/watchlist management. ArcSight has “Active Lists”, Splunk has “Lookups” and Securonix has “Lookup Tables”, all with advanced management features.

Next-Gen SIEMs solve this list/watchlist management drawback of traditional SIEMs. SureLog adds, deletes, modifies, counts and sums list items dynamically or manually. Managing lists (simple lists, multi-dimensional lists, complex lists) with rules dynamically and concurrently is a must for modern SIEM solutions. ANET SureLog has additional list operators like count, sum, compare and case-sensitivity checks.

IBM Qradar Reference Data

SureLog List Management

LogRhythm, RSA NetWitness, McAfee and FortiSIEM also have a list management feature. Detection features of SIEM products differ from product to product [1]. While list functionality differs per SIEM, it’s important to understand how your SIEM works and ensure it meets your requirements. Do your research. Some examples of the list management capabilities of SIEM solutions are:

AlienVault:

Dynamic list usage in correlation rules is not supported in AlienVault. It is not possible to develop a rule like “If a VPN user connects after business hours and the user is not in the VPN whitelist, alert.”

The only way to implement simple Active Lists is to develop code:

https://www.alienvault.com/blogs/security-essentials/how-to-use-ossim-usm-active-lists-with-python-scripts

But even if you can develop Python scripts, there are no key: value, reference set, reference map or multi-dimensional types of lists. AlienVault SIEM does not support updating multiple lists (more than one list) at the same time by a single rule. Also, AlienVault does not support list operators like count, sum, compare and case-sensitivity checks.

FortiSIEM:

Dynamic list usage in correlation rules is limited to one dimension.

There are no key: value, reference set, reference map or multi-dimensional types of lists. The only available operators are “IN” and “NOT IN”. Also, the only way of removing items from a watchlist is time-based. FortiSIEM does not support updating multiple lists (more than one list) at the same time by a single rule, and it does not support list operators like count, sum, compare and case-sensitivity checks.

McAfee:

There are no key: value, reference set, reference map or multi-dimensional types of lists. McAfee SIEM does not support updating multiple lists (more than one list) at the same time by a single rule. Also, McAfee SIEM does not support list operators like count, sum, compare and case-sensitivity checks.

LogPoint:

LogPoint supports two kinds of lists: Static Lists and Dynamic Lists. LogPoint also supports tables, but there are no reference set, reference map or multi-dimensional types of lists.

Also, if you are looking for a GUI for list/watchlist management, LogPoint works over queries: dynamic list and table updates are query-based only. LogPoint SIEM does not support updating multiple lists (more than one list) at the same time by a query, and it does not support list operators like count, sum, compare and case-sensitivity checks.

RSA NetWitness Platform:

RSA has limited list management capability. There are no key: value, reference set, reference map or multi-dimensional types of lists. RSA SIEM does not support updating multiple lists (more than one list) at the same time by a single rule. Also, RSA SIEM does not support list operators like count, sum, compare and case-sensitivity checks.

There are many other correlation features to check [1]. But without advanced list/watchlist management, it is not possible to detect advanced attacks.
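As an added illustration, not code from the article or from any vendor’s product, here is the list-driven pattern described above in Python: the after-hours VPN rule that AlienVault cannot express, a case-insensitive whitelist check, a multi-column dynamic list that one rule fills and a second rule reads, and count/sum operators over that list. The sample events, the 07:00–19:00 business-hours window and the upload threshold are constructed assumptions.

```python
from datetime import datetime

# Constructed sample events (not from the article); timestamps are local time.
EVENTS = [
    {"ts": "2020-04-27T09:12:00", "type": "vpn_login", "user": "alice", "src_ip": "203.0.113.5", "bytes": 0},
    {"ts": "2020-04-27T21:30:00", "type": "vpn_login", "user": "Carol", "src_ip": "203.0.113.9", "bytes": 0},
    {"ts": "2020-04-27T22:40:00", "type": "vpn_login", "user": "bob", "src_ip": "198.51.100.7", "bytes": 0},
    {"ts": "2020-04-27T22:41:00", "type": "upload", "user": "bob", "src_ip": "198.51.100.7", "bytes": 524288},
    {"ts": "2020-04-27T23:05:00", "type": "upload", "user": "bob", "src_ip": "198.51.100.7", "bytes": 1048576},
]

def after_hours(ts: str) -> bool:
    """Assumed business hours are 07:00-19:00; anything else counts as after hours."""
    hour = datetime.fromisoformat(ts).hour
    return hour >= 19 or hour < 7

class Correlator:
    """Minimal list-driven correlation: lists outlive single events and are read
    and written by rules, which is the long-lived state the article asks for."""
    def __init__(self, vpn_whitelist, upload_threshold=1_000_000):
        # Simple one-column list, stored lower-cased so the check is case-insensitive.
        self.vpn_whitelist = {u.lower() for u in vpn_whitelist}
        # Multi-column (key: value) list filled dynamically by rule 1.
        self.after_hours_logins = {}  # user -> {"count": int, "src_ips": set, "bytes": int}
        self.upload_threshold = upload_threshold
        self.alerts = []

    def rule_vpn_after_hours(self, ev):
        """If a VPN user connects after business hours and is not whitelisted: alert
        and add the user to the dynamic list (count operator on the list entry)."""
        if ev["type"] != "vpn_login" or not after_hours(ev["ts"]):
            return
        if ev["user"].lower() in self.vpn_whitelist:
            return
        entry = self.after_hours_logins.setdefault(ev["user"], {"count": 0, "src_ips": set()})
        entry["count"] += 1
        entry["src_ips"].add(ev["src_ip"])
        self.alerts.append(("after_hours_vpn", ev["user"]))

    def rule_upload_by_listed_user(self, ev):
        """Second rule runs only against users in the list that rule 1 filled and
        keeps a running sum of their uploaded bytes (sum operator)."""
        entry = self.after_hours_logins.get(ev["user"])
        if ev["type"] != "upload" or entry is None:
            return
        entry["bytes"] = entry.get("bytes", 0) + ev["bytes"]
        if entry["bytes"] > self.upload_threshold:
            self.alerts.append(("after_hours_upload_volume", ev["user"]))

    def run(self, events):
        """Replay events in time order through both rules; returns the alerts raised."""
        for ev in sorted(events, key=lambda e: e["ts"]):
            self.rule_vpn_after_hours(ev)
            self.rule_upload_by_listed_user(ev)
        return self.alerts
```

Because the second rule reads the list the first rule writes, the upload alert fires only for users already flagged, which is the “first query fills a list, second query runs against it” chaining the article describes.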

Profiler

A profiler is a way of detecting deviations from normal or expected behavior. SureLog, IBM QRadar and LogRhythm have a profiler. Exabeam, Securonix and Micro Focus Interset also have a profiler as part of their UEBA solutions.

Example profiler use cases:

  • A user who has never used removable drives previously or worked overtime starts behaving uncharacteristically by logging in after office hours, using a removable drive and uploading data to wikileaks.org. He/she leaves the organization shortly after this.
  • A user begins searching for new employment opportunities by surfing job websites. Before leaving the organization, he/she steals confidential information using a thumb drive. The frequency of thumb drive usage is higher than what he/she used to do previously.
  • A user downloads a keylogger and obtains a list of passwords of different employees of the organization. Next, he/she uses a thumb drive to transfer this list of passwords to the supervisor’s machine and tries searching for the supervisor’s password. Once successful, he/she logs into the supervisor’s machine and broadcasts an alarming mass e-mail, creating panic in the organization. This type of malicious activity comes from system administrators when they become disgruntled with their supervisors.
  • The ratio of DNS traffic to HTTP traffic for each host
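An added example, not the article’s or any product’s code, of the last use case above: baseline the DNS-to-HTTP ratio per host from daily connection counts and flag a host whose ratio today deviates from its own baseline by more than a z-score threshold. The hosts, counts, seven-day window and threshold of 3 are constructed assumptions.

```python
import statistics

# Constructed sample (not from the article): per-host (dns_connections, http_connections)
# for each day of a seven-day baseline window, and the day under evaluation.
BASELINE = {
    "ws-01": [(120, 400), (110, 390), (130, 410), (125, 380), (115, 420), (118, 405), (122, 395)],
    "ws-02": [(300, 300), (320, 290), (280, 310), (310, 305), (295, 295), (305, 300), (290, 315)],
}
TODAY = {"ws-01": (1500, 400), "ws-02": (310, 298), "ws-03": (50, 10)}

def dns_http_ratio(dns: int, http: int) -> float:
    """Ratio of DNS to HTTP traffic; a host with no HTTP at all is treated as
    'all DNS' (infinite ratio) rather than raising ZeroDivisionError."""
    return float("inf") if http == 0 else dns / http

def build_profiles(history):
    """Per-host baseline: mean and population std-dev of the daily ratio."""
    profiles = {}
    for host, days in history.items():
        ratios = [dns_http_ratio(d, h) for d, h in days]
        profiles[host] = (statistics.mean(ratios), statistics.pstdev(ratios))
    return profiles

def deviations(profiles, today, z_threshold=3.0):
    """Flag hosts whose ratio today is more than z_threshold standard deviations
    above their own baseline. Hosts with no baseline are reported separately so
    they are not silently scored against nothing (a common profiler blind spot)."""
    findings = []
    for host, (dns, http) in today.items():
        if host not in profiles:
            findings.append((host, "no_baseline", None))
            continue
        mean, sd = profiles[host]
        ratio = dns_http_ratio(dns, http)
        if sd == 0:
            # A perfectly flat baseline: any change at all is a deviation.
            z = 0.0 if ratio == mean else float("inf")
        else:
            z = (ratio - mean) / sd
        if z > z_threshold:
            findings.append((host, "dns_ratio_high", round(z, 1)))
    return findings
```

As the article notes, a flagged host is anomalous, not necessarily malicious; the finding is a lead for an analyst, not a verdict.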

Machine Learning

SureLog, IBM QRadar, Micro Focus, LogRhythm, Exabeam, Securonix and NetWitness Platform have NLP/ML/AI modules like DGA detection, outlier detection, rarity detection and similarity detection. LogPoint uses the 3rd-party UEBA tool Fortscale (now RSA).

Both pure ML/AI/NLP-based UEBA solutions and SIEM solutions with UEBA modules need an ML model or an outlier definition for each scenario. They use unsupervised behavioral anomaly detection (outlier detection) techniques with the objective of finding anomalous or abnormal changes in user behavior over time. However, an anomalous activity is not necessarily a malicious one that leads to an insider threat scenario. So ML or AI is not a silver bullet. UEBA or an ML/AI module is meant to address the talent shortage but actually exacerbates it. So working on well-defined models or detection scenarios may give fewer false positives. Do your research and ask the right questions.

AlienVault, McAfee and FortiSIEM have no profiler/ML/AI feature, and LogPoint uses a 3rd-party UEBA component as an additional component at an additional price.

The co-founder of the UEBA tool Niara (now HP Aruba IntroSpect) says that:

SIEMs promised to aggregate disparate data sources and perform analytics on it and failed miserably. Therefore, the problem must be in looking at multiple data sources. We will focus on just network traffic, apply machine learning to it and detect breaches in real-time.

These claims are laughably incorrect, and even quite dangerous in selling a false bill of goods [4].

Most of the time UEBA is used interchangeably with security analytics and as a replacement for SIEM technology. But they are different [5].

Some of the UBA use cases are very rule-based and do not extend beyond “IF AND THEN” correlations [6].

Do your research, use the guidelines and factor out what is most important for you. A lot of what is sold as AI is simply marketing, says Eugene Kaspersky.

Some other details of selecting the right SIEM solutions can be found in this article [7].

Cost of Detection

Famous SIEM products can cost as much as 10 times a cost-effective solution with similar features. So do your research. You can find a cost-effective SIEM solution as well as the best one.

The procurement and roll-out of SIEM products (either proprietary or open-source) for organizations with a limited cyber-security budget are often seen as too costly.

Factors That Affect SIEM Cost

License costs vary greatly. The Elastic stack license is free, and there are products with license prices in the hundreds of thousands. There are cost-effective solutions like SureLog as well. When it comes to deployment and consulting costs, there are free solutions like the Elastic stack: you do not pay for consulting if you solve your problems yourself. SureLog deployment and consulting costs are also cost-effective. Hardware cost is the other factor that affects the total project budget. Storage costs, especially hot storage requirements, affect project costs. SureLog’s hardware requirements, especially the disk size requirement, are less than 1/10 of the closest rival’s [6].

When it comes to UEBA, Gartner says

“So, now, I am sitting here listening to UEBA / UBA clients gush about how great their UEBA is with application log analysis and application security monitoring. They bring up all sorts of esoteric applications (machine parts management, medical research support, financial transaction processing, etc) and then wax poetic about how great their UEBA tool is for revealing insights from the log data and how it saved them so much dough, despite the fact that they paid $1,000,000 for their UEBA.” [6]

There are cost-effective solutions. Prices start at a few thousand dollars. Some of them also have UEBA features at cost-effective prices. Do your research and ask the right questions. Otherwise, you may pay tens of thousands of dollars extra for only an additional 10–15% of the feature set.

Hardware Requirements & Costs

ArcSight:

Also, ArcSight requires an additional VM or physical machine for smart collectors and the logger.

Exabeam:

No public data are available. There is a complaint about this from potential customers [8].

Splunk:

Splunk runs on 80 machines with 32 cores and 128 GB RAM at a bank, for 2 TB/day, which is nearly 80K EPS. Additionally, 15 machines for test and 15 machines for dev.

LogRhythm:

Securonix:

For a deployment of the Securonix platform expecting 5,000 EPS, the following infrastructure would be required:

3 x Hadoop Master (56 CPU / 256 GB RAM per node)

2 x Compute/Storage (56 CPU / 256 GB RAM per node)

1 x Search (56 CPU / 768 GB RAM per node)

The storage requirement for 180 days of indexed data would be in the region of 22 TB, assuming an average raw event size of around 600 bytes. This valuable data was provided by Jamie Sarakinis, Senior Sales Engineer at Securonix.

SureLog:

For max 5,000 EPS, with a mean 2,500 EPS correlation rate, a single machine (All-in-One): 16 cores with 96 GB RAM and 5 TB disk.

License Costs

License costs start from a few thousand dollars and reach hundreds of thousands of dollars. Do your research and ask the right questions. Otherwise, you may pay tens of thousands of dollars extra for only an additional 10–15% of the feature set.

Storage Costs

Hot storage requirements vary. On-prem and cloud hot storage requirements are different. Each SIEM solution has specific hot storage requirements:

IBM QRadar:

1000 EPS for 180 days of hot storage, at a 1400-byte log size, requires 8 TB.

Rapid7 InsightIDR:

Rapid7 InsightIDR is a cloud solution. InsightIDR does not have any other limits on the amount of data that you can store. InsightIDR stores your logs for 13 months so they are available for log search, visualization and investigations. By default, you have 3 months of “hot” storage and 10 months of “cold” storage. Hot storage data is immediately available in log search. Rapid7 does not store your data past the 13-month retention period. If you do not upgrade your data retention plan, your log data will no longer be accessible. If you need a longer retention time, you have to pay more. There is no option for more than three months of hot storage.

SureLog:

1000 EPS for 180 days of hot storage requires 1 TB.

References

1- https://www.peerlyst.com/posts/what-really-matters-when-selecting-a-siem-and-how-to-choose-a-siem-looking-into-the-correlation-ertugrul-akbas

2- https://www.peerlyst.com/posts/domain-generational-algorithm-dga-detection-in-surelog-ertugrul-akbas

3- https://www.peerlyst.com/posts/ml-ai-is-a-feature-not-a-silver-bullet-and-ueba-questions-ertugrul-akbas

4- https://jaxenter.com/myths-and-realities-behind-security-analytics-122343.html

6- https://blogs.gartner.com/anton-chuvakin/2017/01/13/why-siems-fcked-up-application-log-analysis/

7- https://www.peerlyst.com/posts/how-to-select-the-right-siem-solution-ertugrul-akbas

8- https://www.reddit.com/r/AskNetsec/comments/b5b7od/exabeam_system_requirements/

Originally published at https://www.peerlyst.com on April 28, 2020.

Written by Ertugrul Akbas: Entrepreneur, Security Analyst, Research.