Recent cybersecurity breaches have impacted a range of sectors, from finance to professional services to the public sector, proving that early detection of cybersecurity threats and reducing overall risk are not simple tasks. As the data center continues to become software defined and workloads continue to flow across hybrid environments to take advantage of the lowest cost infrastructure, it becomes increasingly difficult to manage risks. From compliance to cybersecurity, agencies are leveraging Security Information Event Management (SIEM) software to avoid cyber breaches.

SIEM software provides an approach to cybersecurity that offers real-time data collection and analysis of recent events from a variety of sources. This single viewpoint makes it easier to spot abnormalities and detect possible threats. But even with a SIEM platform successfully deployed, there are still a number of difficulties that can arise. For example, 45 percent of IT leaders indicated that the high false-positive rate of SIEM software, caused by static correlation rules, is the biggest issue with the platform. Other potential difficulties include:

• Finite Data Retention Rates: Unfortunately for many agencies that have deployed a SIEM, the underlying platform is unable to scale to the volume or variety of information that is required in this fast-paced, hyper-connected world without running up against cost or technology constraints. Such pressures can force agencies to limit data retention time to months instead of years, inhibiting the ability of security operations centers to get complete contextual visibility across multiple years.

• Limited Flexibility for Analytics Capabilities: SIEMs offer a great platform for descriptive and diagnostic analytics across a subset of information for real-time dashboards. But search-based analytics can be limiting for analysts. Without the ability to leverage open source analytic innovation at scale, agencies can struggle to detect sophisticated unknown attacks within a SIEM’s rigid framework.

• SIEM Lock-In: As proprietary software, SIEMs require proprietary data storage and a specific SIEM data format. Such nuances make it extremely difficult to break away from this format, and once data is put into this format, only SIEM-certified applications can access and analyze that data.

How can agencies augment SIEM capabilities in a cost-effective way? Open source data analytics and machine learning platforms have offered security operations centers a path forward. By adopting a modern platform, organizations have a single place to store and analyze data that can run on-premises or in the cloud while providing secure and compliant enterprise visibility.

Increased and Cost-Effective Visibility

Off-loading data from a SIEM to a data analytics platform helps agencies reduce SIEM storage and indexing costs while also increasing the variety and volume of data accessible for analytics. Landing data on a robust data analytics platform and structuring it in an open data model defined by an open source community allows agencies to break vendor lock-in, store multiple years' worth of data at a lower cost, and open up data ingest for any type of data.
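The two points above, a common open data model that any source can be mapped into and the false-positive problem of static SIEM rules, can be shown together in a small script. The following is an added example written for this article, not code from the article or from any SIEM or analytics vendor: it normalizes two constructed log formats (sshd-style syslog and a JSON web-application record) into one assumed event schema, then runs a static threshold rule and a per-host baseline rule over the result. The schema field names, the sample lines, the history counts and the `bastion01`/`app02` hosts are all constructed for the example.

```python
"""Normalize heterogeneous auth logs into one common event model, then compare a
static threshold rule with a per-host baseline rule over the normalized events.
Added example; the schema field names are an assumption, not a published open data model."""
import json
import re
import statistics
from collections import Counter
from datetime import datetime, timezone

# The common schema every source is mapped to (assumed field names).
SCHEMA_FIELDS = ("event_time", "src_host", "user", "action", "outcome", "source")

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)
SYSLOG_YEAR = 2024  # syslog timestamps carry no year; the constructed sample is from 2024


def parse_syslog_auth(line):
    """sshd auth line -> common event, or None when the line is not an auth event."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "event_time": ts.replace(tzinfo=timezone.utc).isoformat(),
        "src_host": m["host"],
        "user": m["user"],
        "action": "auth",
        "outcome": "failure" if m["result"] == "Failed" else "success",
        "source": "sshd",
    }


def parse_json_event(line):
    """Web-app JSON record (constructed format) -> common event, or None for non-login events."""
    rec = json.loads(line)
    if rec.get("event") != "login":
        return None
    return {
        "event_time": rec["ts"],
        "src_host": rec["host"],
        "user": rec["user"],
        "action": "auth",
        "outcome": "failure" if rec["result"] == "fail" else "success",
        "source": "webapp",
    }


def normalize(lines):
    """Route each raw line to its parser and keep only events that fit the schema."""
    events = []
    for line in lines:
        parser = parse_json_event if line.lstrip().startswith("{") else parse_syslog_auth
        ev = parser(line)
        if ev is not None and tuple(ev) == SCHEMA_FIELDS:
            events.append(ev)
    return events


def failures_per_host(events):
    return Counter(ev["src_host"] for ev in events if ev["outcome"] == "failure")


def static_rule(events, threshold=3):
    """Classic static rule: alert on any host with >= threshold failures, regardless of history."""
    return sorted(h for h, n in failures_per_host(events).items() if n >= threshold)


def baseline_rule(events, history, k=3.0, min_stdev=1.0):
    """Alert when today's failure count exceeds the host's own mean + k*stdev over prior days.
    The stdev floor keeps a perfectly flat history from firing on one extra failure; hosts
    with too little history fall back to the static rule (both are design choices here)."""
    alerts = []
    for host, n in sorted(failures_per_host(events).items()):
        past = history.get(host, [])
        if len(past) < 2:
            if n >= 3:
                alerts.append(host)
            continue
        threshold = statistics.mean(past) + k * max(statistics.stdev(past), min_stdev)
        if n > threshold:
            alerts.append(host)
    return alerts


# Constructed sample lines: a bastion host that always sees scanner noise, and a normally
# quiet application host. 198.51.100.0/24 is a documentation address range.
RAW_LINES = [
    "Jan 10 08:00:01 bastion01 sshd[1001]: Failed password for root from 198.51.100.7 port 51000 ssh2",
    "Jan 10 08:00:02 bastion01 sshd[1002]: Failed password for admin from 198.51.100.7 port 51001 ssh2",
    "Jan 10 08:00:04 bastion01 sshd[1003]: Failed password for oracle from 198.51.100.7 port 51002 ssh2",
    "Jan 10 08:00:05 bastion01 sshd[1004]: Failed password for test from 198.51.100.7 port 51003 ssh2",
    "Jan 10 08:00:09 bastion01 sshd[1005]: Failed password for guest from 198.51.100.7 port 51004 ssh2",
    "Jan 10 08:01:00 bastion01 sshd[1006]: Accepted password for alice from 10.0.0.5 port 52000 ssh2",
    "Jan 10 08:01:30 bastion01 systemd[1]: Started Session 12 of user alice.",
    '{"ts": "2024-01-10T08:02:00Z", "host": "app02", "user": "bob", "event": "login", "result": "fail"}',
    '{"ts": "2024-01-10T08:02:05Z", "host": "app02", "user": "bob", "event": "login", "result": "fail"}',
    '{"ts": "2024-01-10T08:02:11Z", "host": "app02", "user": "bob", "event": "login", "result": "fail"}',
    '{"ts": "2024-01-10T08:02:20Z", "host": "app02", "user": "bob", "event": "login", "result": "fail"}',
    '{"ts": "2024-01-10T08:03:00Z", "host": "app02", "user": "carol", "event": "logout", "result": "ok"}',
]
# Constructed per-host daily failure counts for the previous seven days.
HISTORY = {"bastion01": [38, 41, 40, 39, 42, 40, 37], "app02": [0, 1, 0, 0, 1, 0, 0]}


def run_demo():
    events = normalize(RAW_LINES)
    return {"events": len(events), "static": static_rule(events), "baseline": baseline_rule(events, HISTORY)}


if __name__ == "__main__":
    print(run_demo())
```

Both sources end up in the same event shape, so a single rule covers sshd and the web application without either one knowing the other's raw format. The static rule fires on both hosts, including `bastion01`, whose five failures are far below its usual forty or so a day; the baseline rule fires only on `app02`, where four failures stand out against a history of nearly none. Keeping the history is exactly what multi-year retention on a data analytics platform makes affordable.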

Expanded Analytics Flexibility

Optimizing SIEM with a modern platform for machine learning and analytics grants agencies the opportunity to open up analytics flexibility. Executing these analytic techniques across larger volumes of diverse information allows agencies to significantly reduce IT and cybersecurity risk through earlier detection, investigation and response. And by deploying open source analytic libraries across a robust data analytics platform, agencies can continue to expand their analytic scope without having to change platforms for future advanced analytics use cases.

Improved Deployment Options

A strong data analytics platform can be deployed on-premises or across multiple clouds, thus affording agencies a multi-cloud strategy. Such a strategy avoids the potential for vendor lock-in and downtime, and gives agencies the ability to easily migrate workloads between clouds to take advantage of low-cost environments. Spinning up transient clusters for specific data processing needs or analytic use cases, while still being able to scale storage or compute independently, allows agencies to experiment quickly without having to invest in up-front infrastructure costs.

The cybersecurity threat landscape is ever-changing, and augmenting SIEM systems offers federal agencies much-needed agility to deliver 24/7 insight. Leveraging a next-generation advanced analytics and machine learning platform alongside a SIEM provides a strong, future-proofed infrastructure that can empower agencies as they work to beef up cybersecurity: optimizing SIEM deployments and opening up the possibilities for machine learning and analytic use cases. Significantly reducing the cost of storing and ingesting data with open source technology can allow agencies to expand their enterprise visibility, break vendor lock-in and provide the analytics they require to stay safe.