The Dirty Little SECRET OF SIEM: Fighting Today’s Overwhelming Digital Threats with Analog Tools

Posted by Avi Chesla on Jan 30, 2019 9:09:26 AM


Today’s cyber criminals are creating malware at a dizzying pace. It’s no longer humanly possible to keep up. AI is the only answer.

Imagine tens of millions of tiny drones the size of insects, with only some carrying a dirty bomb, attacking a city. What chance would we have of identifying the dangerous ones, in real time?

That’s an apt metaphor for the current state of cybersecurity, and for the way in which conventional SIEMs (and there are tens of thousands of them in SOCs around the world) fail to handle the realities of today’s threat landscape.

Here’s why.

Traditional SIEM vendors force security teams to analyze the data rushing into an organization, and identify attacks, in real time. It’s analog. It’s rules-based. It can’t work.

In ancient cyber-history, a decade or more ago, there was at least a likelihood of success. Back then, the security community knew each of the malware signatures that attacked our networks. But today, when attackers are generating new malware threats, new attack vectors and new tools every second, we’re sending our SOC teams out on an impossible mission. It’s what we call a fool’s errand: a blind search for something without knowing exactly what they’re looking for.

To be fair, the industry did not ignore the vast proliferation of threats. But its response was flawed. It attempted to deal with the deluge by imposing classifications: an effort to manually write rules that organize malware into attack types and intents, in a futile attempt to create categories and sub-categories that would identify the potentially harmful ones.

The rules, of course, have to come from security analysts. Which brings us, inevitably, to “The Big Rules Problem.” Today, new machine-generated malware appears every second, and each sample must be given a name (or a “file hash,” or for an intrusion a “network pattern”) that represents it. While most malware and intrusion types get created to serve the same or similar purpose, trying to classify them is truly Mission Impossible, even if Tom Cruise ran your SOC. It’s like playing whack-a-mole on steroids.

If we go back to our insect drone metaphor: imagine trying to identify 20 of them. How about a hundred buzzing, AI-powered critters? A million? A million a minute? Even if a CISO has an unlimited budget and can hire 100 security analysts (forget the impossibility of recruiting that many in today’s crazy market), it is impossible to identify the true intent of this tsunami of malware, attack tools and intrusion types, and then declare victory in the war of man against machine. In fact, declaring victory is something that needs to be done every second…and second…and second.

So where does that leave us? The conclusion is obvious. The only way to understand and triumph over the deluge is by creating a new paradigm that goes from classification to rules-free security. Traditional SIEM vendors can’t move there because they are locked into their outdated technologies.

The new paradigm that can enable SIEM to finally live up to its promises will be driven by the power and future of Natural Language Processing (NLP), a branch of Artificial Intelligence that has the capacity to classify huge amounts of data automatically. This technology makes it possible to analyze vast amounts of data automatically, uncovering attacker intent and effectively weeding out the potentially destructive malware, the “real” attacks, from the distracting noise.

This advanced NLP technology enables you to transcend the “natural” limits of any single security analyst, giving them so much power they actually become Security Superheroes. It’s the virtual equivalent of a one-person army of analysts.

NLP gives them the exponential ability to classify attacker intent; with this sophisticated new automatic weapon, we will finally be able to defeat the malware enemy. Henry Ford once said that if you give people what they want, it wouldn’t be an automobile; it would be a faster horse. Conventional SIEMs are nothing more than faster horses.


Photo by Ben White on Unsplash


Topics: cybersecurity, Artificial Intelligence, SIEM, NLP