Proactive Security and Threat Detection – it’s not That SIEMple

Real-time threat detection is a critical element of maintaining operational integrity in a rapidly changing, mission-critical environment. Knowing quickly that a system has been compromised can make the difference between a controllable incident and a headline-grabbing, catastrophic data breach.

Most organizations cannot set aside the time needed to proactively monitor their environment. Investigating a potential incident is a manual, time-consuming process: someone has to collect, correlate and search through multiple, disparate logs to work out whether anything real has happened. It is looking for a needle in a haystack while more hay is piled on. To do this heavy lifting, most rely on Security Information and Event Management (SIEM) systems such as Splunk or IBM QRadar.

The truth is that a security strategy that relies on the SIEM alone is unsustainable. It creates a false sense of security, as if the SIEM were the ultimate authority on threat detection and alerting. In practice a SIEM can only alert on the data it receives and the device types it understands.

It’s all Just Too Much

Even when only the most basic, mandatory signatures and rules are applied, SIEMs alert on far too many events that are neither suspicious nor urgent. You do not want to be alerted on every conceivable incident: it would be impossible to investigate them all, and no progress would be made. You want to identify, in real time, security events driven by actual malicious activity.
Such volumes of raw activity also degrade the quality of what the SIEM produces. Without environmental and industry context, a SIEM cannot distinguish business as usual from unusual-but-acceptable activity, or either of those from a genuine threat. The resulting "alert overload" means security personnel eventually tune the alerts out, which makes it easy for malicious activity to slip by and turns the SIEM into a tool used only when "looking back" for analysis. By then you are too late.

The longer it takes to figure out what happened, the further ahead the attackers get and the more expensive the damage becomes.

SIEM Limitations
  • SIEM results are based on log data only.
  • SIEMs are not contextually aware of HPE NonStop servers and other non-commodity devices, their applications or their data.
  • Because they lack that context, SIEMs have a high false-positive rate and are very "noisy".
  • The SIEM market is fragmented and there is little standardization, which makes it difficult to correlate events of disparate types.
  • SIEMs rely on binary values or thresholds for alerting; they do not know what they do not know.

They've got you when it comes to fees!

To add to the complexity, most SIEM vendors base license fees on the volume of data ingested, which works firmly in their favor. The amount of data required to detect a breach keeps growing, and the more data you have on which to base your analysis, the better your results. Unfortunately for you, that means SIEM license fees will only go higher.

There’s a Better Way

Industry experts (and anyone responsible for running a SIEM) say that current SIEM technology has reached its limits: without additional investment in technology and personnel it is an inefficient way to deal with modern cybersecurity threats. Put that investment instead into solutions that automate real-time detection. Automating the investigation of "in flight" activity, with real correlation and proper contextualization, can free up nearly 80% of the resources currently spent on it.

Financial Analysis/Cost Savings¹

Benefit                        Year 1      Year 2      Year 3      TOTAL
Compliance                     $172,800    $177,984    $183,324    $534,108
Risk Reduction                 $215,338    $215,338    $215,338    $646,014
Security Ops Improvements      $66,560     $68,557     $70,614     $205,731
Threat Intelligence Savings    $47,600     $49,028     $50,499     $147,127
Total Benefits                 $502,298    $510,907    $519,775    $1,532,980

Let's Make it all More Efficient

XYPRO’s XYGATE SecurityOne (XS1) is a security intelligence and analytics solution that automates the activity necessary to actively detect threats by combing through data in real-time and intelligently highlighting the actionable incidents that need immediate attention.

Not only does XYPRO have unique expertise in this area, but our contextualization technology is patented. XS1 consumes data not only from logs but also from a variety of agents and other sources unique to XYPRO and specific to the NonStop server.

For example, the XS1 File Integrity Monitoring (FIM) module monitors key files and system configurations and alerts when they are viewed, deleted or modified, or when their ownership changes. It can identify who made the change and whether the change put the system at risk or violated a policy. This intelligent, real-time form of integrity monitoring simplifies the monitoring workload and helps meet the strictest compliance requirements.
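The mechanics behind integrity monitoring of that kind, as an added example in Python that is not XYPRO's or XS1's code and runs on any POSIX host: take a baseline of content hash, owner and mode for a set of files, diff a later snapshot against it, join the differences to a host audit trail to name the actor, and flag changes that violate a policy. The file names, user names, audit records and policy table are all constructed for the example.

```python
"""File integrity monitoring: baseline, compare, attribute, check policy.

Added example (not XYPRO's or XS1's code). Paths, user names, audit
records and the POLICY table are constructed for illustration.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path):
    """The attributes the monitor tracks for one file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "owner": st.st_uid,
            "mode": stat.S_IMODE(st.st_mode)}


def snapshot(root, names):
    """Fingerprint the named files under root; missing files are omitted,
    which is how a deletion shows up in the diff."""
    root = Path(root)
    return {n: fingerprint(root / n) for n in names if (root / n).is_file()}


def compare(baseline, current):
    """Return (file, kind) for every difference between two snapshots."""
    changes = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            changes.append((name, "deleted"))
        elif name not in baseline:
            changes.append((name, "added"))
        else:
            old, new = baseline[name], current[name]
            if old["sha256"] != new["sha256"]:
                changes.append((name, "modified"))
            if old["owner"] != new["owner"]:
                changes.append((name, "owner_changed"))
            if old["mode"] != new["mode"]:
                changes.append((name, "mode_changed"))
    return changes


# Constructed policy: which users may legitimately change each protected file.
POLICY = {"users.cfg": {"SUPER.SUPER"}, "app.cfg": {"APP.OWNER"}}


def attribute(changes, audit):
    """Join each change to the most recent audit record naming that file.

    `audit` is a list of (file, user, action) records, oldest first, as a
    host audit trail would supply them (constructed in demo())."""
    last_actor = {}
    for name, user, _action in audit:
        last_actor[name] = user
    report = []
    for name, kind in changes:
        who = last_actor.get(name, "unknown")
        allowed = POLICY.get(name)
        report.append({"file": name, "change": kind, "by": who,
                       "policy_violation": allowed is not None and who not in allowed})
    return report


def demo():
    """Baseline three files, simulate activity, and return the attributed report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        names = ["users.cfg", "app.cfg", "old.cfg"]
        for n, text in zip(names, ["admin:x\n", "port=8080\n", "legacy\n"]):
            (root / n).write_text(text)
            os.chmod(root / n, 0o640)
        baseline = snapshot(root, names)
        # Activity after the baseline: a content change, a permission
        # change and a deletion, plus the (constructed) audit trail for them.
        (root / "app.cfg").write_text("port=8080\ndebug=true\n")
        os.chmod(root / "users.cfg", 0o666)
        (root / "old.cfg").unlink()
        audit = [("app.cfg", "DEV.JOE", "MODIFY"),
                 ("users.cfg", "SUPER.SUPER", "SECURE"),
                 ("old.cfg", "DEV.JOE", "PURGE")]
        return attribute(compare(baseline, snapshot(root, names)), audit)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Two caveats a practitioner will recognise: hashing a file cannot tell you it was viewed, so read access (and the identity of the actor for any change) has to come from the audit trail, which is why `attribute()` exists; and a periodic snapshot is only as "real-time" as its polling interval, so a production monitor hooks the host's audit or file-event source rather than re-hashing on a timer.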

Let’s Make it Worth it

XS1 does not use a consumption-based licensing model; it is licensed per connected server.

The cost of each XS1 module is the same regardless of the volume of data it consumes. For example, when 10 HPE NonStop events are forwarded directly to the SIEM, all 10 count toward the SIEM's volume-based license. With XS1, those same 10 events are sent to XS1 instead, correlated there, and forwarded to the SIEM as a single contextualized incident.

The SIEM therefore receives one incident rather than 10 raw events. In this example that is a 90% reduction in the NonStop data it ingests, and a corresponding saving on the license fees that volume drives.
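The ten-events-to-one-incident flow described above, as an added example in Python that is not XYPRO's or XS1's code: a burst of raw audit events from one user on one node is grouped into a single incident, enriched with context the raw lines lack (a severity per action and a list of sensitive objects), and emitted as the one JSON record the SIEM would ingest. The line format, node and user names, severity table and sensitive-object list are constructed for the example.

```python
"""Collapse a burst of raw host events into one contextualized incident.

Added example (not XYPRO's or XS1's code). The event format, names,
SEVERITY table and SENSITIVE set are constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ten raw audit events from one user on one node in
# under a minute. Assumed line format: timestamp|node|user|action|object
RAW_EVENTS = [
    r"2024-03-04T10:15:01|\NODE1|SUPER.ADMIN|LOGON_FAIL|$SYSTEM",
    r"2024-03-04T10:15:03|\NODE1|SUPER.ADMIN|LOGON_FAIL|$SYSTEM",
    r"2024-03-04T10:15:05|\NODE1|SUPER.ADMIN|LOGON_FAIL|$SYSTEM",
    r"2024-03-04T10:15:08|\NODE1|SUPER.ADMIN|LOGON_OK|$SYSTEM",
    r"2024-03-04T10:15:12|\NODE1|SUPER.ADMIN|READ|$SYSTEM.SYSTEM.USERID",
    r"2024-03-04T10:15:20|\NODE1|SUPER.ADMIN|MODIFY|$SYSTEM.SYSTEM.USERID",
    r"2024-03-04T10:15:25|\NODE1|SUPER.ADMIN|CHOWN|$DATA.APP.CONFIG",
    r"2024-03-04T10:15:30|\NODE1|SUPER.ADMIN|MODIFY|$DATA.APP.CONFIG",
    r"2024-03-04T10:15:41|\NODE1|SUPER.ADMIN|DELETE|$DATA.APP.OLDCFG",
    r"2024-03-04T10:15:50|\NODE1|SUPER.ADMIN|LOGOFF|$SYSTEM",
]

# The context the raw lines lack: how serious each action is, and which
# objects matter. Both tables are constructed for the example.
SEVERITY = {"LOGON_FAIL": 1, "LOGON_OK": 0, "LOGOFF": 0, "READ": 1,
            "MODIFY": 3, "CHOWN": 3, "DELETE": 3}
SENSITIVE = {"$SYSTEM.SYSTEM.USERID"}


def parse_event(line):
    ts, node, user, action, obj = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "node": node, "user": user,
            "action": action, "object": obj}


def summarize(node, user, evs):
    """Build one incident record from a run of related events."""
    counts = defaultdict(int)
    for e in evs:
        counts[e["action"]] += 1
    severity = max(SEVERITY.get(e["action"], 0) for e in evs)
    flags = []
    if counts["LOGON_FAIL"] >= 3 and counts["LOGON_OK"] > 0:
        flags.append("repeated-logon-failure-then-success")
    if any(e["object"] in SENSITIVE and SEVERITY.get(e["action"], 0) >= 3
           for e in evs):
        flags.append("sensitive-object-changed")
        severity += 1
    return {"node": node, "user": user,
            "start": evs[0]["ts"].isoformat(), "end": evs[-1]["ts"].isoformat(),
            "raw_event_count": len(evs), "actions": dict(counts),
            "objects": sorted({e["object"] for e in evs}),
            "severity": severity, "flags": flags}


def correlate(events, window=timedelta(minutes=5)):
    """Group events by (node, user); a gap longer than `window` between
    consecutive events starts a new incident."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_key[(e["node"], e["user"])].append(e)
    incidents = []
    for (node, user), evs in by_key.items():
        run = [evs[0]]
        for e in evs[1:]:
            if e["ts"] - run[-1]["ts"] > window:
                incidents.append(summarize(node, user, run))
                run = []
            run.append(e)
        incidents.append(summarize(node, user, run))
    return incidents


def siem_payload(incidents):
    """One JSON line per incident: the records the SIEM ingests and bills for."""
    return [json.dumps(i, sort_keys=True) for i in incidents]


def volume_reduction_pct(raw_count, forwarded_count):
    """Percentage of SIEM-ingested records saved by forwarding incidents."""
    return round(100 * (1 - forwarded_count / raw_count))


if __name__ == "__main__":
    evs = [parse_event(line) for line in RAW_EVENTS]
    incidents = correlate(evs)
    for line in siem_payload(incidents):
        print(line)
    print(f"{len(evs)} raw events -> {len(incidents)} incident(s), "
          f"{volume_reduction_pct(len(evs), len(incidents))}% fewer records")
```

The reduction figure depends entirely on how the window and grouping key are chosen: the same ten events with a one-minute window, or a key that includes the object name, would produce several incidents and a smaller saving, so the ratio is a property of the correlation rules, not of the data.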

XYGATE SecurityOne identifies and tracks changes across your NonStop environment far more efficiently than SIEM technology alone. By sending contextualized XS1 data to your SIEM, you incorporate enriched NonStop data, with its meaning attached, alongside data from your other platforms and applications, giving an overall risk profile of your IT environment. You become nimble enough to address real threats as they happen and BEFORE they do damage.

¹ Projected ROI over a three-year period for a large US-based financial institution with a multi-node NonStop environment.