Add value to SIEM deployment
Why it matters
SIEM solutions have been around for over a decade and have become a standard tool for security operations. Despite this, several challenges may prevent users from getting full value out of the SIEM. The most prominent among them:
- How to get comprehensive coverage of data sources
- The volume of events leads to alert fatigue and increased operating cost
- An alert is just the first step; investigating alerts remains largely manual work
How we can help
The SensorFleet solution can help on multiple fronts:
- A core Instrument on the Sensor platform for adding value to SIEM is Log Forwarder. This local log target can ingest logs from multiple sources and pass them to the SIEM using SensorFleet native services, making it easy to gain coverage. Furthermore, Log Forwarder can pre-filter and buffer the logs, helping with data volume.
- Once the Sensor has been deployed, new detection Instruments can be added dynamically. How does adding new data sources help with the volume? Several SensorFleet Instruments provide discrete and actionable alerts, such as newly discovered network assets or services, optimizing quality over quantity.
- After a high-priority alert, the hard work of investigation begins. The SensorFleet platform supports a range of forensic data collection Instruments, such as Traffic Recorder, Netflow and PassiveDNS. When used together with Log Forwarder or detection Instruments, a wealth of data related to the alert is right at the responder's fingertips.
Bigger picture
Decoupling the data collection layer from analytics benefits the longer-term development of an organization's cybersecurity capabilities, providing the freedom to change SIEM or SOC operator solutions and services. The data collection layer itself, when implemented with the SensorFleet cyber capability fabric, can be independently augmented with new capabilities.