Log Analysis as a security tool has been around for a long time and become a staple of good security architecture.  For years Security Information and Event Management (SIEM) tools have been required to discover security threats between applications, security tools, and operating systems in any environment.  However, many professionals who have used these tools could likely attest that their lack of efficacy, and often report resenting the time and resources they spend on them.  In this blog post, we explore common reasons these tools fail to detect and respond to threats in your environment, as well as how IntelliGO MDR can help.

Logs Don't Capture Security Information
A SIEM captures logs and netflows, but for the most part, tracing these don't help with detecting attack behavior. Logs are written to debug programs/operating systems - not to report security attacks. To successfully detect an attack, we have to look beyond firewalls and antivirus for additional security information like who is connecting to systems on your network, what files are being changed (and how), and for unauthorized changes to your OS.

What this means for SIEM: Most SIEM projects list all applications and hope to warehouse all the data in case they need it, never asking if it can be used in a security context.  The idea of using all this collected data and logs in the hopes of detecting anything is false logic - the collection itself won't detect or stop an active or potential attack.

What this means for MDR:  MDR writes log files that matter for security purposes and collect relevant logs from Firewall/IPS/URL filters. Armed with the correct information, it acts to stop an attack using a built-in EDR

It's Too Expensive To Log Everything 
SIEM licensing has always been modeled around events per second, the number of log sources and storage. This model forces you to be selective about what is being logged and typically avoids the endpoint altogether.  

What this means for SIEM: You are forced to build your collections based on your licensing allowances. 

What this means for MDR: MDR sensors log everything by default without configuration required. Information processed is not limited by licensing, allowing more comprehensive, timely, and accurate detection and response. 

You Define the Use Cases
Every SIEM project requires you to define your own use cases. This is typically an expensive and lengthy project that never seems to end. 

What this means for SIEM: A customer shouldn't have to define all kinds of attack behaviors - it is the job of the security vendor to tell them what an attack even looks like.

What this means for MDR: IntelliGO MDR provides rules based on machine-learning and real-world attacks and thereby automatically defends against such attacks.

Reporting Is Vague 
The SIEM market has built a number of tools to aggregate data and visualize information.  This is sometimes hard to see at scale using charts in familiar spreadsheet formats such as Pie Charts, Bar Charts, Line Charts, or Table data.  

What this means for SIEM: Trying to produce reports on "Top 10" events of a particular category won't provide you with information you can act on.

What this means for MDR: IntelliGO MDR offers a continuously refined dashboard and reporting structure to allow for actionable intelligence. An example of this is our monthly PPA report

SIEMs Only Alert
SIEMs provide email alerts in response to their rules - sometimes thousands more emails a day than a human can read or monitor! This naturally impedes the recognition or detection of an attack.

What this means for SIEM: Filtering through emails and systems alerts at a high volume to provide incident response in an inefficient, laborious methodology prone to human error.

What this means for MDR: IntelliGO MDR service offers automated responses based on intelligent rules that are not completely contingent on human triage. This automated MDR service offers quarantining, terminating and file extraction without you having to get involved.

How Managed Detection and Response Helps
IntelliGO Managed Detection and Response provides logging from security tools at scale with the ability to detect and respond to threats on both endpoints and the network.  IntelliGO provides rules based on Threat Intelligence and machine learning and a team of security experts reviewing incidents.  This creates additional value from your security tools and monitors all activity from your endpoints with the ability to react and inform for a more efficient security service.  IntelliGO offers a much more effective platform to avoid the pitfalls of buying and maintaining a SIEM or having an MSS manage a SIEM.  See how we can help by Requesting a Demo today!

See how IntelliGO can help You

New Call-to-action

Subscribe To Our Blog

New Call-to-action

Let us know what you thought about this post.

Please comment below.