A SIEM explores log data to identify suspicious activity. A next-gen SIEM also draws on external data, pooling the experience of other organizations' systems so that new attack techniques can be recognized soon after they first appear.
Next-gen SIEMs use machine learning and other AI-based techniques to cut the time taken to detect malicious activity. The best-known of these is User and Entity Behavior Analytics (UEBA), which watches activity on a system to work out what counts as "normal behavior" for each user and device; deviations from that baseline raise alerts. A triage process then singles out the most likely threats for deeper tracking. Improvements in on-board detection speed up the first identification of a previously unseen attack, and the resulting indicators are uploaded to the vendor's threat intelligence pool and distributed to other instances of the same next-gen SIEM around the world for immediate use.
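To make the UEBA idea concrete, here is an added Python example (it is not code from the article or from any vendor named in it) that builds a per-user baseline from a constructed training set and then scores later events against it. The key=value log format, the field names, the 3-sigma volume threshold and the sample lines are all assumptions chosen for illustration.

```python
"""Minimal UEBA-style baseline and deviation scoring over constructed auth logs.

Added example; not the article's or any vendor's implementation. The log format,
field names, thresholds and sample data below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines (not real data): "<ISO timestamp> key=value key=value ...".
TRAINING_LOGS = [
    "2024-03-04T09:02:11Z user=alice src=10.0.1.5 action=login result=success",
    "2024-03-04T17:31:05Z user=alice src=10.0.1.5 action=logout result=success",
    "2024-03-05T08:58:40Z user=alice src=10.0.1.5 action=login result=success",
    "2024-03-05T17:40:12Z user=alice src=10.0.1.5 action=logout result=success",
    "2024-03-06T09:10:33Z user=alice src=10.0.1.5 action=login result=success",
    "2024-03-06T17:25:50Z user=alice src=10.0.1.5 action=logout result=success",
    "2024-03-04T08:45:01Z user=bob src=10.0.2.7 action=login result=success",
    "2024-03-05T08:50:22Z user=bob src=10.0.2.7 action=login result=success",
    "2024-03-06T08:47:13Z user=bob src=10.0.2.7 action=login result=success",
]
NEW_LOGS = [
    "2024-03-07T09:05:17Z user=alice src=10.0.1.5 action=login result=success",
    "2024-03-07T17:20:44Z user=alice src=10.0.1.5 action=logout result=success",
    "2024-03-07T08:49:03Z user=bob src=10.0.2.7 action=login result=success",
    "2024-03-08T02:14:09Z user=bob src=203.0.113.42 action=login result=success",
    "2024-03-08T02:15:31Z user=bob src=203.0.113.42 action=file_read result=success",
    "2024-03-08T02:16:02Z user=bob src=203.0.113.42 action=file_read result=success",
    "2024-03-08T02:16:40Z user=bob src=203.0.113.42 action=file_read result=success",
    "2024-03-08T02:17:11Z user=bob src=203.0.113.42 action=file_read result=success",
    "2024-03-08T02:17:55Z user=bob src=203.0.113.42 action=file_read result=success",
]


def parse(line):
    """Turn one key=value log line into a dict with a parsed 'ts' datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def build_baseline(lines):
    """Per-user baseline: hours of day seen, source IPs seen, daily event-count statistics."""
    hours, sources = defaultdict(set), defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))   # user -> day -> event count
    for ev in map(parse, lines):
        u = ev["user"]
        hours[u].add(ev["ts"].hour)
        sources[u].add(ev["src"])
        daily[u][ev["ts"].date()] += 1
    baseline = {}
    for u in hours:
        counts = list(daily[u].values())
        baseline[u] = {"hours": hours[u], "sources": sources[u],
                       "mean": mean(counts), "stdev": pstdev(counts)}
    return baseline


def score_events(lines, baseline, sigma=3.0):
    """Return sorted (user, day, reason_count, reasons) for each user-day that deviates."""
    daily = defaultdict(lambda: defaultdict(int))
    reasons = defaultdict(set)
    for ev in map(parse, lines):
        u, day = ev["user"], ev["ts"].date()
        daily[u][day] += 1
        b = baseline.get(u)
        if b is None:
            reasons[(u, day)].add("unknown user")   # never seen in the training window
            continue
        if ev["ts"].hour not in b["hours"]:
            reasons[(u, day)].add(f"off-hours activity ({ev['ts'].hour:02d}:00)")
        if ev["src"] not in b["sources"]:
            reasons[(u, day)].add(f"new source {ev['src']}")
    alerts = []
    for u, days in daily.items():
        for day, n in days.items():
            b = baseline.get(u)
            if b is not None:
                # Floor the spread at 1: a zero-variance baseline must not fire on a +1 change.
                spread = max(b["stdev"], 1.0)
                if n > b["mean"] + sigma * spread:
                    reasons[(u, day)].add(f"volume {n} vs baseline {b['mean']:.1f}")
            if reasons[(u, day)]:
                alerts.append((u, str(day), len(reasons[(u, day)]), sorted(reasons[(u, day)])))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in score_events(NEW_LOGS, build_baseline(TRAINING_LOGS)):
        print(alert)
```

Run as-is, the script flags only bob on 2024-03-08, for three independent reasons (a never-before-seen source address, activity at 02:00, and six events against a baseline of one per day), while alice's ordinary day produces nothing. The floor on the standard deviation is the caveat worth remembering: a short training window gives near-zero variance, and without a floor every user would alert the first time they did one extra thing.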
Here is our list of the six best Next-Gen SIEMs:
- Exabeam EDITOR'S CHOICE This market leader enhanced its SIEM with in-house developed UEBA and with the acquisition of SkyFormation, which collects security event data from third-party cloud platforms and builds a CTI feed from it. This is a cloud-based service.
- LogRhythm A leading SIEM since 2003, this system has moved to the cloud and gone Next-Gen. You can also get this SIEM as an appliance or as software for installation on Windows Server.
- Rapid7 Insight Platform Classed as an XDR, this cloud platform has all of the elements of a next-gen SIEM.
- LogPoint A cloud-based metered log processing SIEM with UEBA and a CTI feed.
- FireEye Helix A security operations platform that includes SIEM, UEBA, and threat intelligence. This is a cloud-based system.
- LogSentinel One of the smaller players in the market, this cloud-based next-gen SIEM is strong on standards compliance.
Given what it takes to develop and market a next-gen SIEM, it should be no surprise that the best examples all come from big-name cybersecurity brands. Cloud-based SIEMs offer the fastest distribution of threat intelligence and also include the server capacity needed to process large volumes of log data.
The Best Next-Gen SIEMs
Choosing a good next-gen SIEM is a time-consuming task. The key elements that make a SIEM "Next-Gen" are its threat intelligence pool and its UEBA. However, how do you know whether a given implementation is any good? Any software company can put together a central alerting system, but the value of its threat intelligence depends entirely on how accessible the service is and how large its contributing community is.
Although there are vendor-neutral open standards for cyber threat intelligence (CTI), such as STIX for describing indicators and TAXII for exchanging them, non-proprietary CTI databases find it difficult to get off the ground. The major SIEM providers make sure to supply a CTI feed for their next-gen tools and more or less hard-code access to it into the service. CTI selection is therefore a little tribal, which on balance gives the big players in the cybersecurity industry the edge.
If you don't have time to research the entire next-gen SIEM sector, go for the big names that evolved from rock-solid SIEMs. The well-established security software providers have invested very large budgets in the development of UEBA. Although great leaps forward in technology are often driven by innovative new entrants, UEBA took a great deal of cash to develop and only the major, established brands could afford that outlay.
1. Exabeam (FREE DEMO)
Exabeam has been producing SIEM systems since 2013, so it is not one of the longest-established businesses in the sector. However, that history was long enough to give it a substantial customer base by the time the next-gen movement arose, and the company's specialization in SIEM let it concentrate investment on emerging next-gen capabilities.
The Exabeam system is a cloud platform, like most of the other products on our list, which makes delivery a lot simpler than for on-premises systems. Customers don't need to worry about keeping the software up to date because upgrades happen automatically behind the scenes, performed by Exabeam technicians.
Although this is not, strictly speaking, a managed service, the combination of operations staff maintaining the software and the servers that it runs on, expert support advice on-demand, and automated processes within the software means that you don’t need any on-site expertise in order to get a fully operational SIEM system protecting your network.
As with any cloud-based SIEM, the main performance bottleneck you will experience with Exabeam is your internet connection. All of the log messages generated by your systems need to be uploaded to the Exabeam servers, which for large operations means heavy outbound throughput, so the capacity of your uplink needs to be planned for. However, most business operations these days are heavily reliant on internet connectivity, so keeping your connection up and with sufficient capacity is probably already a service priority for your IT team.
Data uploads are managed by an on-site collector agent and transmissions are protected by encryption. On the server, the Exabeam system receives, consolidates, and indexes all log messages, making throughput statistics available in the dashboard and compiling live threat data as log messages pass through the cloud-based log server.
Exabeam uses UEBA, so its assessment of baseline activity differs for each customer. It also aggregates its own database of warning signs by pooling the experiences of all of its customers. In 2019, Exabeam bought a company called SkyFormation, which collects threat detection data from 30 third-party cloud platforms and uses it to build a CTI database. The SkyFormation threat intelligence supplements the threat indicators collated by Exabeam itself, and this large pool of CTI makes Exabeam's threat hunting very powerful.
The fast processing power and large capacity of the Exabeam servers make searching large volumes of log data easy. The service applies triage in its threat hunting, comparing indicators of attack against the customer's established activity baseline, which is constantly adjusted through machine learning. When a likely starting point of an attack is identified, the incident is displayed in the dashboard and Exabeam's focused activity tracking kicks in, watching for the next known action of a typical attack that begins with the detected incident. If that subsequent step is detected, it is also shown in the threat identification screen and the estimated likelihood of an ongoing attack increases.
This staged feedback addresses one of the big weaknesses of the SIEM strategy: correlating related events notified through log messages is inherently a delayed response, because it works on historical data. Exabeam's threat hunting feature brings that detection method close to real time.
Exabeam also offers Security Orchestration, Automation, and Response (SOAR), which it calls Incident Responder. This interacts with Active Directory, email servers, and firewalls to suspend accounts that appear to have been compromised or to block communications from suspicious IP addresses. As with any automated response, test such lockout playbooks against false positives before enabling them, since a misfiring rule locks out legitimate users just as effectively as attackers.
Exabeam has all of the elements of a successful SIEM, but its exceptional threat intelligence feed pushes it to number one in our estimation.
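The staged approach described above, as an added example that is neither Exabeam's code nor the article's: a single-pass correlation that opens an incident on one indicator (a burst of failed logins followed by a success) and only escalates when the next expected step of a typical attack arrives within a time window. The stage definitions, the 30-minute window, the scores, the key=value log format and the event lines are all constructed assumptions for illustration.

```python
"""Staged attack-chain correlation over constructed log lines.

Added example; not Exabeam's or any vendor's implementation. Stages, window,
scores, field names and the sample events are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed: how long a chain may go quiet before we stop escalating
FAIL_THRESHOLD = 5               # assumed: failed logins needed before a success looks like a break-in

# Constructed sample events in time order (not real data).
EVENTS = [
    "2024-03-08T02:10:00Z user=bob host=ws-07 action=login result=failure",
    "2024-03-08T02:10:10Z user=bob host=ws-07 action=login result=failure",
    "2024-03-08T02:10:20Z user=bob host=ws-07 action=login result=failure",
    "2024-03-08T02:10:30Z user=bob host=ws-07 action=login result=failure",
    "2024-03-08T02:10:40Z user=bob host=ws-07 action=login result=failure",
    "2024-03-08T02:10:50Z user=bob host=ws-07 action=login result=failure",
    "2024-03-08T02:11:05Z user=bob host=ws-07 action=login result=success",
    "2024-03-08T02:12:40Z user=bob host=ws-07 action=process_start image=powershell.exe",
    "2024-03-08T02:20:15Z user=bob host=fs-01 action=login result=success",
    "2024-03-08T03:00:00Z user=dave host=ws-03 action=login result=failure",
    "2024-03-08T03:00:10Z user=dave host=ws-03 action=login result=failure",
    "2024-03-08T03:00:20Z user=dave host=ws-03 action=login result=failure",
    "2024-03-08T03:00:30Z user=dave host=ws-03 action=login result=failure",
    "2024-03-08T03:00:40Z user=dave host=ws-03 action=login result=failure",
    "2024-03-08T03:01:00Z user=dave host=ws-03 action=login result=success",
    "2024-03-08T04:00:00Z user=dave host=ws-03 action=process_start image=cmd.exe",
    "2024-03-08T10:00:00Z user=carol host=ws-12 action=login result=failure",
    "2024-03-08T10:00:30Z user=carol host=ws-12 action=login result=success",
]


def parse(line):
    """Turn one key=value log line into a dict with a parsed 'ts' datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def advance(inc, stage, points, t, note):
    """Move an open incident to the next stage and raise its confidence score."""
    inc["stage"], inc["last"] = stage, t
    inc["score"] += points
    inc["steps"].append(note)


def hunt(lines):
    """Walk the events once; return every incident opened, with the stage it reached."""
    failures = defaultdict(deque)   # user -> timestamps of failed logins inside WINDOW
    open_ = {}                      # user -> incident still being tracked
    incidents = []                  # every incident opened, in order of discovery
    for ev in map(parse, lines):
        u, t, action = ev["user"], ev["ts"], ev["action"]
        inc = open_.get(u)
        if inc and t - inc["last"] > WINDOW:
            open_.pop(u)            # chain went quiet: stop escalating, keep what was found
            inc = None
        if action == "login" and ev["result"] == "failure":
            q = failures[u]
            q.append(t)
            while t - q[0] > WINDOW:
                q.popleft()
        elif action == "login" and ev["result"] == "success":
            q = failures[u]
            while q and t - q[0] > WINDOW:
                q.popleft()
            if inc is None and len(q) >= FAIL_THRESHOLD:
                # Stage 1: a burst of failed logins that ended in a success.
                inc = {"user": u, "stage": 1, "score": 40, "host": ev["host"], "last": t,
                       "steps": [f"{len(q)} failed logins then success on {ev['host']}"]}
                open_[u] = inc
                incidents.append(inc)
                q.clear()
            elif inc and inc["stage"] == 2 and ev["host"] != inc["host"]:
                # Stage 3: the same account now logs in to a second host (lateral movement).
                advance(inc, 3, 30, t, f"lateral login to {ev['host']}")
        elif action == "process_start" and inc and inc["stage"] == 1 and ev["host"] == inc["host"]:
            # Stage 2: execution on the host that was just broken into.
            advance(inc, 2, 30, t, f"process {ev['image']} started on {ev['host']}")
    return incidents


if __name__ == "__main__":
    for inc in hunt(EVENTS):
        print(inc["user"], "stage", inc["stage"], "score", inc["score"], inc["steps"])
```

On the constructed data, bob's chain runs through all three stages and reaches a score of 100, dave's incident opens but stays at stage 1 because his process start arrives an hour later, and carol's single failed login never opens an incident at all. The point the code makes is that the first indicator alone is only worth a low score; confidence rises only when the next expected step actually appears within the window.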
EDITOR'S CHOICE
Exabeam is our top pick for a next-gen SIEM because it combines the experience of the Exabeam SIEM service with the innovative SkyFormation threat intelligence feed. Exabeam users benefit from the threat detection contributions of other Exabeam customers plus that of the user community of more than 30 other security platforms. Exabeam evolved its service from an on-premises SIEM system into a cloud-based security platform that gives its customers fast threat detection and automated responses.
Get access to a demo: exabeam.com/contact/get-a-demo/
OS: Cloud-based
2. LogRhythm
LogRhythm has been producing a SIEM since 2003, so the company has deep expertise in the field. Its system is now cloud-based, with the efficiencies that implies, and it has added UEBA, CTI, and SOAR to make it a next-gen SIEM.
LogRhythm includes its own network monitoring module that adds extra detection strategies to the log searches it conducts. In this service, which LogRhythm terms Network Detection and Response (NDR), the system applies machine learning to establish a baseline of expected traffic patterns, cutting down on false-positive reporting and reducing the volume of data that needs to be uploaded to the LogRhythm server for processing.
LogRhythm calls its platform the XDR Stack – XDR stands for extended detection and response. The layers in this stack are:
- AnalytiX – The log searching core of the SIEM.
- DetectX – The application of threat intelligence.
- RespondX – The SOAR element of the system that shuts down malicious activity.
As well as subscribing to this bundle, customers can choose from two add-ons to enhance performance. These are:
- User XDR – A UEBA module that pre-filters log messages for upload.
- MistNet – A network-based intrusion detection system.
The cutting edge of LogRhythm’s service lies in its SaaS platform. However, you can also get the system to run on your site. This is available as an appliance pre-loaded with the LogRhythm software or as a software package that loads onto Windows Server. You can request a live demo of the cloud service.
3. Rapid7 Insight Platform
Rapid7's Insight Platform is a cloud-based SIEM. Many labels are applied to this service, which highlights the confusion over categorizing cyberdefense products. Rapid7 calls its detection service InsightIDR, where IDR stands for Incident Detection and Response. It is also a form of XDR (Extended Detection and Response), a category that usually evolved out of EDR (Endpoint Detection and Response), itself an advance on antivirus. There is an EDR element in the InsightIDR package.
However, in the interests of simplicity, we will stick with the SIEM classification. In fact, the Insight platform is a Next-Generation SIEM because it includes UEBA and a threat intelligence feed. The Insight Platform includes a number of modules that fit together. However, you only need the InsightIDR service if you just want a NextGen SIEM. The second most interesting service in the Insight Platform that you should also consider is InsightVM, which is a vulnerability manager.
InsightIDR has all of the features you expect from a next-gen SIEM. As a cloud service, it includes fast processing power for log management and it also stores the log data for you. The log messages from your systems are uploaded to the Rapid7 servers, where a consolidator puts them into a common format and indexes them for rapid searches.
The threat hunting service in InsightIDR is modified by a UEBA feature. This cuts out false positives by adjusting detection for normal behavior. The threat intelligence feed in the tool contributes to an attacker behavior analytics service. This looks through all log messages for indications of compromise.
A really nice added service in InsightIDR that its main rivals don't offer is deception technology. The service can set up traps and honeypots for intruders that draw them towards fully monitored fake data stores, making them immediately easy to identify.
InsightIDR is a little pricey, with a list price starting at $2,157 per month. That makes the 30-day free trial of InsightIDR very much worth taking.
4. LogPoint
LogPoint isn't as widely used as the top three in our list. However, if the monthly subscription price of Rapid7 InsightIDR is out of your league, or if you are a small or medium-sized enterprise with relatively low log data volumes, then LogPoint's metered rate should interest you.
LogPoint recognizes that many businesses with low data processing volumes aren’t going to be interested in a blanket subscription rate for their Next Generation SIEM. Having said that, this SIEM system is deployed by some very large businesses, including Boeing and Airbus.
The LogPoint pricing structure is calculated on a combination of throughput indicators. These are the number of events per second (EPS) and the amount of data processed per day in gigabytes. The company doesn’t publish its rates for these factors. Instead, you need to contact them for a quote.
The LogPoint SIEM has integrated UEBA and its threat hunting is informed by threat intelligence gathered from incidents experienced by all of its customers. More than the other services on this list, LogPoint facilitates manual investigations as well as running automated detection processes.
There are automated responses built into the LogPoint system and the service includes “integrations” that enable it to interface with other security products both for data exchanges and for threat mitigation actions. You can book a demo to get a look at how LogPoint works.
5. FireEye Helix
FireEye is one of the leading cybersecurity solution providers and its SIEM service is called the Helix platform. Helix is a next-generation SIEM service that includes a threat intelligence feed which constantly adapts its threat hunting processes in response to evolving attack strategies. As well as UEBA, the service includes lateral movement detection, which tracks user accounts that move between systems in illogical or abnormal ways.
Like LogPoint, Helix allows a degree of manual intervention. This system gives you more ability to set up your own playbooks and specify precisely how detected incidents should be managed, so you can feed your own preferences into the automated responses performed by Helix. The dashboard screens are also customizable and it is possible to create your own report formats. The system includes automatic tailoring and report formats for standards compliance.
The Helix service includes integrations that allow you to plug in adaptations for data exchange and mitigation actions that coordinate with other security applications. You can take a self-guided tour of the Helix platform.
6. LogSentinel
If you want to know more about a newer, leaner SIEM provider that has taken a great leap forward in the next-gen field, then you should consider LogSentinel. This service excels at log management and rapid searches, which bring its SIEM service to the forefront of the market. The company specifically aims its services at mid-sized enterprises.
This SaaS system is hot on logfile integrity monitoring and it includes UEBA and a threat intelligence feed, which mark it out as a NextGen SIEM. Extra services in this plan are phishing scans of emails, VPN log file protection, and video conferencing security.
The LogSentinel service isn’t limited to gathering log files from your site. It also includes a web application and website monitoring system that detects script changes and injection attempts.
LogSentinel offers a free trial of its next-gen SIEM and you can ask them for a guided demo. There is also a version of this cloud-based SIEM for use by managed service providers.
The article 6 Best Next-Gen SIEM appeared first on Comparitech.