Log analysis as a security tool has been around for a long time and has become a staple of good security architecture. For years, Security Information and Event Management (SIEM) tools have been required to discover security threats across applications, security tools, and operating systems in any environment. However, many professionals who have used these tools could likely attest to their lack of efficacy, and they often report resenting the time and resources they spend on them. In this blog post, we explore common reasons these tools fail to detect and respond to threats in your environment, as well as how ActZero MDR can help.
Logs Don't Capture Security Information
A SIEM captures logs and netflows, but for the most part, tracing these does not help with detecting attack behavior. Logs are written to debug programs and operating systems - not to report security attacks. To successfully detect an attack, we have to look beyond firewalls and antivirus for additional security information: who is connecting to systems on your network, what files are being changed (and how), and whether unauthorized changes are being made to your OS.
What this means for SIEM: Most SIEM projects list all applications and hope to warehouse all the data in case they need it, never asking if it can be used in a security context. The idea of using all collected data and logs in the hope of detecting anything is false logic - the collection itself won't detect or stop an active or potential attack.
What this means for MDR: MDR writes log files that matter for security purposes and collects relevant logs from firewall, IPS, and URL filters. Armed with the correct information, it acts to stop an attack using a built-in EDR.
It's Too Expensive To Log Everything
SIEM licensing has always been modeled around events per second, the number of log sources, and storage. This model forces you to be selective about what is being logged and typically avoids the endpoint altogether.
What this means for SIEM: You are forced to build your collections based on your licensing allowances.
What this means for MDR: MDR sensors log everything by default, with no configuration required. The information processed is not limited by licensing, allowing more comprehensive, timely, and accurate detection and response.
You Define the Use Cases
Every SIEM project requires you to define your own use cases. This is typically an expensive and lengthy project that never seems to end.
What this means for SIEM: A customer shouldn't have to define all kinds of attack behaviors - it is the job of the security vendor to tell them what an attack even looks like.
What this means for MDR: ActZero MDR provides rules based on machine learning and real-world attacks, and thereby automatically defends against such attacks.
Reporting Is Vague
The SIEM market has built a number of tools to aggregate data and visualize information. This is sometimes hard to see at scale using charts in familiar spreadsheet formats such as pie charts, bar charts, line charts, or table data.
What this means for SIEM: Trying to produce reports on "Top 10" events of a particular category won't provide you with information you can act on.
What this means for MDR: ActZero MDR offers a continuously refined dashboard and reporting structure to allow for actionable intelligence. An example of this is our monthly PPA report.
SIEMs Only Alert
SIEMs provide email alerts in response to their rules - sometimes thousands more emails a day than a human can read or monitor! This naturally impedes the recognition or detection of an attack.
What this means for SIEM: Filtering through emails and system alerts at high volume to provide incident response is an inefficient, laborious methodology prone to human error.
What this means for MDR: The ActZero MDR service offers automated responses based on intelligent rules that are not completely contingent on human triage. This automated MDR service offers quarantining, terminating, and file extraction without you having to get involved.
How Managed Detection and Response Helps
ActZero Managed Detection and Response provides logging from security tools at scale, with the ability to detect and respond to threats on both endpoints and the network. ActZero provides rules based on threat intelligence and machine learning, and a team of security experts reviewing incidents. This creates additional value from your security tools and monitors all activity from your endpoints, with the ability to react and inform for a more efficient security service. ActZero offers a much more effective platform to avoid the pitfalls of buying and maintaining a SIEM, or of having an MSS manage a SIEM. See how we can help by requesting a demo today!