Correlation, Causation, or Checking Boxes

“I need a SIEM. I need a SOAR.” These are requests we field every day from MSPs. Our first question is always, “What are you looking to accomplish?” Unfortunately, the vast majority of the time the answer is, “I’m filling out an insurance form, and it says that in order to be eligible for cyber insurance, I need to be utilizing a SIEM and/or a SOAR.” This response makes my heart sink every time. Sure, checking the boxes on an insurance form is an important step to actually getting coverage (which is increasingly difficult to utilize should there be a need, but more on that later). However, making a decision simply by direction of an insurance form is not in the best interest of your clients, yourself, and most importantly, your cybersecurity posture.

Log Ingestion isn’t Enough

Why? There’s a problem in the SIEM/SOAR industry today. SIEM vendors are a dime a dozen. Most classify themselves as a SIEM simply because they can ingest logs. They’re not wrong: ingestion is the primary function of a SIEM. However, ingestion is really only one part of the story. Can they read the logs? Parse the logs? Turn the logs into actionable alerts?

Stopping at log ingestion is like taking the entire contents of your refrigerator, dumping them into a pot, and calling it a gourmet nine-course meal. You’re going to end up with a disgusting, inedible, unidentifiable pile of sludge. On the other hand, if a chef takes inventory of that same refrigerator, parses the ingredients into nine distinct dishes, and then prepares them, you end up with a culinary delight. In order to effectively utilize a SIEM, your follow-up tools have to be able to complete the process – ingest, read, parse, alert.

So, what’s the real job of a SIEM, beyond checking the box on insurance compliance? It’s the first building block in strong XDR (incident detection and response on devices across the entire network). Now, XDR is not the end-all, be-all solution for cybersecurity protection. We still believe prevention is 100% possible and the best approach forward; but added telemetry, visibility, and correlation between potential threats is crucial to maintaining a posture of prevention.

Complete Visibility

Complete visibility is the first tenet of the BLOKWORX Blueprint for Prevention. In short, you can’t manage/remediate what you can’t see. If a breach occurs, the culprit is usually some rogue system that is not being monitored or somehow otherwise unidentified on the network. XDR adds additional visibility to the devices on your network, as well as what is happening on them. For example, many of our Partners see what threats were prevented on a MAED report monthly, but they’re left wondering what exactly was prevented, and on which machine. XDR fixes that by providing extra layers of data contributing to complete visibility.

Outside of endpoints, in the past, we haven’t been able to work with some firewall vendors because we were unable to do anything with the logs we ingested, and we were unwilling to be a silo for unusable data (AKA claim visibility without truly offering visibility). Our new platform opens up XDR capability to significantly more devices because now the data is not only ingestible, but readable and actionable.

Correlation + Causation = Better Remediation

With added log data, our networks are better connected. Endpoints, cloud, and firewalls all tell a story through log data; and now, we’re able to put those pieces together like a puzzle. Think of it this way. A person walks into Walmart and is captured on the in-store camera. They purchase a ski mask. Then, they walk to the hardware store and purchase bolt cutters and a lock-picking kit. Linear ingestion of these events, or capturing them on multiple separate devices, doesn’t trip any alerts for suspicious activity.

With XDR running across the network, these exact events within a short timeframe trigger alerts that something needs further investigation. Now, XDR doesn’t operate on in-store security systems, but the analogy holds for correlating data. Something could be innocuous on one device or another on your network, but threat-worthy when the events tie together. This type of information allows us to better prevent threats, as well as remediate more efficiently if there’s a need. Log ingestion data just gained significantly more value for our organization and our partners.
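The two ideas in this post (the ingest, read, parse, alert pipeline from “Log Ingestion isn’t Enough”, and correlating events from several devices inside a short time window from this section) can be shown together in one small detection. The Python below is an added illustration written for this page; it is not BLOKWORX code, not any vendor’s SIEM or XDR logic, and the log formats, hostnames, IP addresses, inventory mapping and the four-step rule are all constructed for the example. Each individual event (an allowed RDP session, a remote logon, a software install, an outbound HTTPS connection) is ordinary on its own; the alert fires only when all four line up on the same host within the window, and the second host shows how the same events spread out over hours stay quiet.

```python
import re
from datetime import datetime, timedelta
from typing import NamedTuple, Optional


class Event(NamedTuple):
    """A log line after parsing: normalized so feeds can be compared."""
    ts: datetime
    source: str   # which feed produced it (firewall / endpoint)
    host: str     # the device the event concerns
    kind: str     # normalized event type used by the correlation rule


# --- Constructed sample input (hypothetical formats, not a real vendor's) ---
FIREWALL_LINES = [
    "2024-03-01T09:00:05Z fw01 ALLOW src=203.0.113.9 dst=10.0.0.25 dport=3389",
    "2024-03-01T09:41:00Z fw01 ALLOW src=10.0.0.25 dst=198.51.100.7 dport=443",
    "2024-03-01T11:15:00Z fw01 ALLOW src=203.0.113.9 dst=10.0.0.31 dport=3389",
]
ENDPOINT_LINES = [
    "2024-03-01T09:03:12Z host=ws-025 user=svc-backup event=LOGON type=remote",
    "2024-03-01T09:10:44Z host=ws-025 user=svc-backup event=TOOL_INSTALL name=archiver",
    "2024-03-01T14:20:00Z host=ws-031 user=jdoe event=LOGON type=remote",
]
# Constructed asset inventory: firewall sees IPs, endpoint agent sees hostnames.
IP_TO_HOST = {"10.0.0.25": "ws-025", "10.0.0.31": "ws-031"}

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>ALLOW|DENY) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
EP_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                   r"event=(?P<event>\S+)(?: (?P<rest>.*))?$")


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_firewall(line: str) -> Optional[Event]:
    """Read a firewall line and map it onto a host and a normalized kind."""
    m = FW_RE.match(line)
    if not m or m["action"] != "ALLOW":
        return None
    ts = parse_ts(m["ts"])
    if m["dport"] == "3389" and m["dst"] in IP_TO_HOST:
        return Event(ts, "firewall", IP_TO_HOST[m["dst"]], "inbound_rdp_allowed")
    if m["src"] in IP_TO_HOST and m["dst"] not in IP_TO_HOST:
        return Event(ts, "firewall", IP_TO_HOST[m["src"]], "outbound_https")
    return None


def parse_endpoint(line: str) -> Optional[Event]:
    """Read an endpoint-agent line into the same Event shape."""
    m = EP_RE.match(line)
    if not m:
        return None
    ts = parse_ts(m["ts"])
    rest = m["rest"] or ""
    if m["event"] == "LOGON" and "type=remote" in rest:
        return Event(ts, "endpoint", m["host"], "remote_logon")
    if m["event"] == "TOOL_INSTALL":
        return Event(ts, "endpoint", m["host"], "tool_install")
    return None


def ingest_all() -> list:
    """Ingest + parse both feeds; unparseable or uninteresting lines are dropped."""
    events = [parse_firewall(l) for l in FIREWALL_LINES]
    events += [parse_endpoint(l) for l in ENDPOINT_LINES]
    return [e for e in events if e is not None]


# Constructed rule: this ordered chain on one host inside WINDOW is worth a look.
CHAIN = ("inbound_rdp_allowed", "remote_logon", "tool_install", "outbound_https")
WINDOW = timedelta(minutes=60)


def correlate(events: list, chain=CHAIN, window=WINDOW) -> list:
    """Alert when every step of `chain` occurs in order on one host within `window`."""
    by_host: dict = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)
    alerts = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if start.kind != chain[0]:
                continue
            needed = list(chain[1:])
            matched = [start]
            for e in evs[i + 1:]:
                if e.ts - start.ts > window:   # outside the window: stop scanning
                    break
                if needed and e.kind == needed[0]:
                    matched.append(e)
                    needed.pop(0)
            if not needed:   # every step seen, in order, inside the window
                alerts.append({"host": host, "start": start.ts, "end": matched[-1].ts,
                               "sources": sorted({e.source for e in matched})})
    return alerts


def run() -> list:
    return correlate(ingest_all())


if __name__ == "__main__":
    for a in run():
        print(f"ALERT {a['host']}: chain completed {a['start']} -> {a['end']} "
              f"using feeds {', '.join(a['sources'])}")
```

Running it prints one alert for ws-025, built from both the firewall and endpoint feeds, and nothing for ws-031, whose RDP session and remote logon are more than three hours apart. The parsing step is what makes the correlation possible: the firewall only knows IP addresses and the endpoint agent only knows hostnames, so without the inventory lookup in `parse_firewall` the two feeds could never be joined on the same device.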

Don’t Just Check a Box on SIEM/SOAR

When looking for a SIEM/SOAR provider, whether to attain insurance compliance or to actually benefit your cybersecurity posture, dig in. Determine what the organization is able to do with the data, how they’re going to help you in the event of an attack, and what they’re going to do to prevent one. Getting log data may seem like a pretty simple thing. At the end of the day, though, in the name of defending livelihoods, this type of data can be the difference between a thwarted attack and a lost client. Check out our recent XDR webinar to learn more.