Post by rabiakhatun on Nov 3, 2024 5:11:58 GMT -5
Do you know how Gartner has harmed the information security market? It has taught us to choose not the solution to our problems in information security, but abbreviations of protection classes (NGFW, WAF, VM, DLP, EDRM, SIEM, etc.). But this is not what we need - we need to prevent the implementation of unacceptable events or, for old-school apologists, to fight threats and violators that are relevant to us. It makes no sense to choose NGFW if we do not know what threats it fights. The fact that a vendor has assigned an abbreviation to its product does not mean that the product is capable of fighting the corresponding threat.
This is the paragraph I started the post on content writing service Telegram with, which gradually moved on to firewalls, which are often judged by what they are certified for rather than what they actually do. Now I'd like to talk about SIEM.
What is SIEM? A security event management system, you will answer and you will be... right. But everyone has their own right. Some really evaluate such solutions by their ability to collect security events... from their own products, of which there are only two or three. Some know how to work with different products from different vendors. And some focus on detecting incidents. Some require built-in integration with GosSOPKA, while others want integration with SOAR/IRP.
By the way, can you describe the differences between SOAR and IRP?
In 2020, Positive Technologies conducted a study and, among other things, found out what typical tasks SIEM users set for themselves.
List of popular tasks for pilot implementation of SIEM (using MaxPatrol SIEM as an example)
And it seems that if the SIEM you choose can collect, store and process information security events, then we solve all our problems. But, alas, this is not so. CardinalOps has given birth to the third annual study of the ability of SIEM to detect threats.
You remember that the task of protective equipment (make the unacceptable impossible) is to detect and reflect, no, not security events, but threats/attacks/information security incidents?
And here's what's interesting. The data collected by the analyzed SIEMs, which included Splunk, Microsoft Sentinel, IBM QRadar, Sumo Logic (MaxPatrol SIEM was not tested), allows us to cover 94% of MITRE ATT&CK techniques. Hooray, fanfares!.. But wait. They allow, but in reality they detect only 24% of the 196 techniques from the 13th version of the MITRE matrix selected for the study (why 196 and not 500, history is silent, but then the numbers would be even worse). That is, it's time for SIEM manufacturers to focus not on collecting more data, but on detecting more and faster in existing data.
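As an added example (not part of the post, and not code from any SIEM vendor), here is a small Python sketch of the distinction the CardinalOps figures rest on: the share of techniques that the ingested data could cover versus the share that a mapped rule actually detects. The technique-to-log-source mapping, the rule set and the deployment inventory are all constructed for illustration; only the ATT&CK technique ids are real.

```python
from dataclasses import dataclass

# Telemetry each technique needs before any detection is possible (constructed
# mapping for this example, not ATT&CK's official data-source list).
TECHNIQUE_SOURCES = {
    "T1059.001": {"process_creation", "powershell_script_block"},  # PowerShell
    "T1053.005": {"process_creation", "windows_security"},         # Scheduled Task
    "T1078": {"windows_security"},                                  # Valid Accounts
    "T1110": {"windows_security"},                                  # Brute Force
    "T1021.001": {"windows_security", "network_flow"},              # RDP
    "T1041": {"proxy", "network_flow"},                             # Exfil over C2
}

@dataclass
class SiemState:
    ingested: set   # log sources actually flowing into the SIEM
    rules: dict     # rule name -> set of technique ids it is mapped to

def data_coverable(state, techniques=TECHNIQUE_SOURCES):
    """Techniques whose required telemetry is fully ingested: the 'could cover' figure."""
    return {t for t, needed in techniques.items() if needed <= state.ingested}

def actually_detected(state, techniques=TECHNIQUE_SOURCES):
    """Techniques with the data AND at least one mapped rule: the 'really detects' figure."""
    ruled = set().union(*state.rules.values())
    return data_coverable(state, techniques) & ruled

def coverage_report(state, techniques=TECHNIQUE_SOURCES):
    """Summarise the gap between data coverage and detection coverage."""
    could, does = data_coverable(state, techniques), actually_detected(state, techniques)
    return {
        "could_cover_pct": round(100 * len(could) / len(techniques)),
        "detects_pct": round(100 * len(does) / len(techniques)),
        # cheapest place to add detections: the data is already there, no rule uses it
        "data_but_no_rule": sorted(could - does),
        # rules mapped only to techniques whose data is missing: they can never fire
        "dead_rules": sorted(n for n, t in state.rules.items() if not t & could),
    }

# Constructed inventory for a small deployment (not a real environment).
EXAMPLE = SiemState(
    ingested={"process_creation", "windows_security", "network_flow", "proxy"},
    rules={
        "brute_force_logons": {"T1110"},
        "schtasks_from_office": {"T1053.005"},
        "encoded_powershell": {"T1059.001"},  # needs script-block logs, not ingested
    },
)
```

On the constructed inventory the report shows 83% of techniques covered by data but only 33% actually detected, with the three "data but no rule" techniques being the cheapest place to close the gap.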