Don’t call it a SIEM – How USM Anywhere does threat detection and response differently

August 10, 2020 | Rakesh Shah

Security Information and Event Management (SIEM) solutions have been the foundation of enterprises’ security operations and threat detection and response. Even though USM Anywhere has many key SIEM features, it is much more than a SIEM.

Why? To perform threat detection, SIEMs and purpose-built threat consoles collect data from security devices. These range from network firewalls, endpoint devices and vulnerability managers to data pulled directly from the cloud. However, all too often, they collect disparate data sources without an organizing principle. Instead, SIEMs build bigger (and exponentially growing) data lakes of unnormalized log data without a quick and easy way to truly understand the data.

Of course, this may work for the world’s largest security operations teams, which have the resources to find the proverbial needles in the haystack — or to deploy complex analytics engines to help find those needles. They are now even offering orchestration solutions to automate the ever-increasing workload of alert triage and to help manual investigation of potential incidents. However, this does not solve the underlying problem.

In the end, they are building more and bigger haystacks and then delivering increasingly complex and expensive technology to help security professionals sift through those stacks. But the underlying challenge of finding and responding to threats quickly has not been solved; in other words, security teams can’t easily and quickly find the proverbial needles in the haystack.

The legacy and big data SIEMs require that an enterprise customer has an informed security team with the experience, expertise, and resources to sift through massive volumes of data and find the needles. This is unlikely to succeed. First, even the most well-funded security teams simply do not have the resources to keep up with the threats, and the legacy and big data SIEMs require this.

Second, these solutions help enterprises get the data in one place so that security teams can broadly query the data to find the threats. They do not actually help security professionals sift through the data intelligently and quickly. As the SIEMs add even more assets to be monitored, they have to dynamically query against the asset data. Try doing this at scale against endpoint, network, asset, and other data — all from disparate sources. They simply cannot do this in real time.

What is AT&T Cybersecurity’s approach and why is it different from others?

A solution is only as good as its smarts

USM Anywhere starts with being a threat intelligence delivery vehicle. What does that mean? First, our solution centralizes all visibility in a single place like other solutions, but there is a key difference. It is designed for looking at the right data. By correlating data from virtually anywhere, we can use common methods to make the data consistent and to pull out key metadata. For example, USM Anywhere can get data from diverse network devices, such as firewalls, web gateways and cloud services, or from endpoints’ network connections.

That’s the first step. Then, by focusing on the threat actors and their tactics, techniques and procedures (TTPs), the data to be collected is really focused on the threats. Building on the network data example, USM Anywhere can look for the network traffic indicative of connections to a command-and-control server even if the traffic is originating from different sources. But it’s not looking at all the traffic. USM Anywhere focuses only on the traffic that will help detect that threat.

Rather than collecting massive amounts of log data and somehow finding an actionable threat, our solution surgically detects the threats that really matter. This is done by collecting only the data needed to detect threats based on AT&T Alien Labs’ continuously updated threat intelligence, which powers USM Anywhere’s data collection and threat detection. Furthermore, USM Anywhere, coupled with the threat intelligence context, categorizes the threat based on popular methodologies like the Cyber Kill Chain and MITRE ATT&CK so the threat can be quickly understood. Threat intelligence, as a result, is not an afterthought - it is the starting point, the middle, even the end.

Intelligence is better when it’s sunny

Early on, USM Anywhere added visibility for AWS™ and Azure™ and recently added Google Cloud Platform™. This is built on top of the existing platform sensors for on-premises environments. With visibility into endpoints and SaaS via our agent and Alien Apps respectively, we arguably provide the broadest visibility anywhere, but more importantly the visibility is tied completely to our threat intelligence. Alien Labs builds its surgical detection rules based on understanding the potential data sources tied to the threat.

Our approach, combining broad visibility and threat intelligence, means we only collect the data that really matters based on the threats detected by Alien Labs.

Be selfish: What really matters is how a threat impacts you

The enterprise needs an evolving view of its environment. What does normal look like? What are the weak spots? What is the impact of the threat to your environment?

USM Anywhere understands which assets and users constitute what is normal. It also identifies the vulnerabilities in your environment and adds the context needed to understand how easily each vulnerability can be exploited, which in turn provides the information needed to understand how to mitigate. When a threat is surgically detected using the threat intelligence from Alien Labs, it can immediately tie the threat to an asset or a user. Detecting the threat after collecting the right data is the first step. From there, the impact of the threat really matters - otherwise security teams may be chasing after too many issues.

This becomes even more important as assets change dynamically. As more enterprises depend on transient microservices that only live for a short period, the machine that the threat was on may be gone. So, we added sensors intentionally to understand the asset, and now we have the concrete record tying the asset to the threat. USM Anywhere can help effectively drive resiliency in threat detection even as your IT systems change and threats evolve.
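To make the pipeline described in the two passages above concrete (normalize connection records from different collectors into one schema, keep only the traffic that matches command-and-control intelligence, tag the hit with its Kill Chain phase and ATT&CK technique, and bind it to the asset record captured at collection time so the evidence survives a transient workload), here is an added illustration in Python. It is not USM Anywhere code and makes no claim about the product's internals; the indicator, asset inventory and event formats are all constructed placeholders.

```python
from typing import Optional, NamedTuple

# Constructed threat-intelligence entries (placeholders, not real indicators).
# The detection rule fires only on connections to these destinations.
C2_INDICATORS = {
    "203.0.113.45": {"name": "Example C2 beacon",
                     "kill_chain": "Command and Control",
                     "attack": "T1071 Application Layer Protocol"},
}

# Constructed asset inventory snapshot taken by the sensor at collection time,
# so the asset/user binding persists even if the workload has since disappeared.
ASSETS = {"10.0.5.12": {"name": "web-pod-7f3a", "owner": "alice"}}

class Connection(NamedTuple):
    src: str
    dst: str
    dport: int
    source: str

def normalize(raw: dict) -> Optional[Connection]:
    """Map heterogeneous records to one schema, keeping only the metadata
    the C2 rule needs: who talked to whom, on which port, seen by which sensor."""
    kind = raw.get("source")
    if kind == "firewall":      # constructed syslog-style key/value fields
        return Connection(raw["src_ip"], raw["dst_ip"], int(raw["dst_port"]), kind)
    if kind == "endpoint":      # constructed agent network-connection telemetry
        return Connection(raw["local_addr"], raw["remote_addr"], int(raw["remote_port"]), kind)
    if kind == "cloud_flow":    # constructed VPC-flow-log-like record
        return Connection(raw["srcaddr"], raw["dstaddr"], int(raw["dstport"]), kind)
    return None                 # unknown source: not collected at all

def detect_c2(raw_events: list) -> list:
    """Return one alarm per connection that matches a C2 indicator, enriched
    with asset, user and threat categorization; everything else is dropped."""
    alarms = []
    for raw in raw_events:
        conn = normalize(raw)
        if conn is None or conn.dst not in C2_INDICATORS:
            continue            # not threat-relevant: never lands in a data lake
        intel = C2_INDICATORS[conn.dst]
        asset = ASSETS.get(conn.src, {"name": "unknown", "owner": None})
        alarms.append({"threat": intel["name"], "kill_chain": intel["kill_chain"],
                       "attack": intel["attack"], "asset": asset["name"],
                       "user": asset["owner"],
                       "evidence": f"{conn.source}: {conn.src}->{conn.dst}:{conn.dport}"})
    return alarms

# Constructed sample events from three different collectors; only two match.
SAMPLE = [
    {"source": "firewall", "src_ip": "10.0.5.12", "dst_ip": "203.0.113.45", "dst_port": "443"},
    {"source": "endpoint", "local_addr": "10.0.5.12", "remote_addr": "198.51.100.7", "remote_port": "443"},
    {"source": "cloud_flow", "srcaddr": "10.0.5.12", "dstaddr": "203.0.113.45", "dstport": "8443"},
]
```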

SIEMs can’t do this, as they only possess the ability to process alerts. For example, with containers, the ability to gather the logs is great, but the ability to understand the context is just as important.

You have to do something about it

Security orchestration, automation, and response (SOAR) functions are buzzy nowadays. These capabilities really center on what to do about a threat after detecting it. This starts with the capabilities in our AlienApps ecosystem, which offers deep integrations with leading security and issue tracking/IT ticketing tools to help enable the most efficient response actions using the existing tools that an organization is already comfortable using. These integrations use the Orchestration rules in USM Anywhere, which can be executed automatically or manually. From there, USM Anywhere provides a single pane to track an incident response with the Investigation pane.

Does AT&T Cybersecurity’s different approach really matter when resources and time are really what is needed?

First, USM Anywhere was designed to be affordable, fast to deploy, and easy to use, unlike many other SIEM solutions. It strives to eliminate the need to deploy, integrate, and maintain multiple point solutions in your data center. Also, as a cloud-hosted platform delivered as a service, USM Anywhere offers a low total cost of ownership (TCO) and flexible, scalable deployment options.

If you don’t have the bandwidth to manage a solution like this, check out AT&T Managed Threat Detection and Response (MTDR). It builds on AT&T’s decades of expertise in managed security services and is based on the USM platform. With critical features like 24 x 7 proactive security monitoring, security orchestration, and automation in a turnkey solution, you can quickly establish or scale your security program without the cost and complexity of building it yourself.

About the Author: Rakesh Shah

Rakesh Shah leads product management for the USM products in AT&T Cybersecurity. Previously, he led product management for insider threat, behavioral analytics, and security orchestration products at Forcepoint, a Raytheon company, and he also spent over 15 years at Arbor Networks in a variety of product management, marketing, and engineering leadership roles. He holds an M.Eng. degree from Cornell University and a B.S. degree from the University of Illinois at Urbana-Champaign, both in Electrical and Computer Engineering.
