What's the difference between SIEM and Compromise Assessment?
There are very few documents available on the web on this topic, so we thought we should put something together to help people understand how log collection, SIEM and Compromise Assessment tie together while being fundamentally different.
Importance of Log Collection:
From a cybersecurity standpoint, logs are often the first indicator that something is not right. Regular log analysis can surface suspicious activity on a network; however, given the volume of log data a network generates, reviewing every log manually on a regular basis is impractical.
Log monitoring software (a SIEM) takes over that task by applying rules (we will come back to these) to the incoming logs, so that only events matching a known-suspicious pattern are raised for review.
SIEM solutions aim to do this in near real time, as the events arrive.
So companies collect logs and want to analyse them as efficiently as possible, so that they can quickly identify new threats using a SIEM, and this is where Compromise Assessment enters the picture.
When companies implement a SIEM they need to give it a set of rules that direct its attention to the parts of the network most at risk. Where a SIEM also relies on machine learning or behavioural baselining, it needs several months of data to learn what is normal for the network it is protecting, and that learning phase has a blind spot: what if adversaries are already on the network, using compromised user accounts that look perfectly legitimate? Their activity simply becomes part of the baseline, so how will the SIEM ever see it as a threat?
Because a SIEM evaluates events as they arrive, its correlation rules work over a narrow window of the logs in play (minutes or hours, not months).
Another drawback is that not all SIEMs can read and parse binary artefacts such as browser history databases, prefetch files or registry hives, which narrows the scope of their analysis further.
GuardYoo's Compromise Assessment helps IT Teams shorten the implementation period of a SIEM by providing a "map" of the company's attack surface.
Because GuardYoo delivers a retrospective analysis of log data up to 9 months old, it takes a much wider and deeper look (not real-time) at what has been happening on the network.
Using proprietary machine learning algorithms, GuardYoo identifies patterns, anomalies, threats and weaknesses that can be turned into rules, getting a SIEM to its full capability in a much shorter period of time.
This brings a real cost saving, because it reduces the time and effort the IT team has to spend tuning the SIEM itself.
GuardYoo can test multiple models on the same data because the data has already been collected and isolated (the analysis is not done in real time). What is significant is that ALL data is ingested in its raw format (not filtered, not aggregated), so GuardYoo can digest more data in a shorter period and analyse it from multiple aspects (user activity, processes, devices).
Once complete, GuardYoo ties everything together into one complete picture that can be used to design SIEM rules more efficiently.
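As an added illustration of the workflow just described (this is example code written for this page, not GuardYoo's tooling, whose algorithms are proprietary and not shown here), the Python below takes a constructed set of logon records spanning nine months, splits it at a cut-off date, builds a per-account baseline of which hosts and logon types each account used before the cut-off, turns that baseline into allowlist rules of the kind a SIEM can enforce, and then replays the recent window through those rules. It also handles the case the text raises, an account that only appears after the baseline was built. The record format, the cut-off date, the `svc_` naming convention for service accounts and the rule shape are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of nine months of logon records (oldest first), in the
# form timestamp|account|host|logon_type. Made up for this example; not the
# output of any real system.
HISTORICAL_LOGONS = """\
2023-01-09T08:02:00|alice|WS-ALICE|interactive
2023-03-01T01:00:00|svc_backup|FILESRV01|service
2023-04-03T01:00:00|svc_backup|FILESRV01|service
2023-05-22T08:40:00|bob|WS-BOB|interactive
2023-07-05T09:05:00|alice|WS-ALICE|interactive
2023-08-01T01:00:00|svc_backup|FILESRV01|service
2023-09-18T14:30:00|alice|WS-BOB|interactive
2023-09-18T14:45:00|svc_backup|WS-BOB|interactive
2023-09-19T03:10:00|svc_backup|DC01|network
2023-09-20T02:00:00|mallory|DC01|network
""".splitlines()

BASELINE_CUTOFF = datetime(2023, 9, 1)  # history before this builds the baseline
SERVICE_ACCOUNT_PREFIX = "svc_"        # assumed naming convention for the example


def parse_logon(line):
    """Split one record into a dict with a parsed timestamp."""
    ts, account, host, logon_type = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "host": host, "logon_type": logon_type}


def build_baseline(records):
    """Per account, the set of (host, logon_type) pairs seen before the cutoff.
    A plain frequency baseline stands in for whatever model a real assessment
    would use; the point is that it is built from the whole history."""
    baseline = defaultdict(set)
    for r in records:
        if r["ts"] < BASELINE_CUTOFF:
            baseline[r["account"]].add((r["host"], r["logon_type"]))
    return dict(baseline)


def rules_from_baseline(baseline):
    """Turn the baseline into per-account rules a SIEM could enforce.
    Service accounts get a strict allowlist: any (host, logon_type) pair not in
    the history is an alert. Human accounts only alert on a logon type they have
    never used, because a person using a new host is routine and would be noisy."""
    rules = []
    for account, pairs in sorted(baseline.items()):
        if account.startswith(SERVICE_ACCOUNT_PREFIX):
            rules.append({"account": account, "kind": "allowlist",
                          "allowed": set(pairs)})
        else:
            rules.append({"account": account, "kind": "logon_type",
                          "allowed_types": {t for _, t in pairs}})
    return rules


def rule_matches(rule, r):
    """True when the record should raise an alert under this rule."""
    if rule["account"] != r["account"]:
        return False
    if rule["kind"] == "allowlist":
        return (r["host"], r["logon_type"]) not in rule["allowed"]
    return r["logon_type"] not in rule["allowed_types"]


def replay(records, rules):
    """Run the post-cutoff records through the rules, as a SIEM would.
    An account with no baseline at all is also reported: something that first
    appears after the learning window is exactly what a review should question."""
    by_account = {rule["account"]: rule for rule in rules}
    alerts = []
    for r in records:
        if r["ts"] < BASELINE_CUTOFF:
            continue
        rule = by_account.get(r["account"])
        if rule is None:
            reason = "no baseline for account"
        elif rule_matches(rule, r):
            reason = f"outside {rule['kind']} baseline"
        else:
            continue
        alerts.append({**r, "reason": reason})
    return alerts


def analyse(lines=HISTORICAL_LOGONS):
    """Full pipeline: baseline, rules, then replay of the recent window."""
    records = [parse_logon(line) for line in lines]
    baseline = build_baseline(records)
    rules = rules_from_baseline(baseline)
    return baseline, rules, replay(records, rules)


if __name__ == "__main__":
    _, rules, alerts = analyse()
    for rule in rules:
        print("RULE", rule["account"], rule["kind"])
    for a in alerts:
        print("ALERT", a["ts"].isoformat(), a["account"], a["host"],
              a["logon_type"], "->", a["reason"])
```

On the sample data the replay raises three alerts: the backup service account logging on interactively to a workstation, the same account making a network logon to a domain controller, and an account with no history at all. The one thing it deliberately does not raise is alice using a colleague's workstation, which is the kind of noise a rule derived from a single month of data would not know to suppress.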
The difference between SIEM and Compromise Assessment is GuardYoo's ability to merge different types of artefacts (registry hives, WMI queries, prefetch files and others) into one chain of action.
A Compromise Assessment helps IT teams understand their infrastructure better and design more precise SIEM rules, which lets them direct the SIEM at the most vulnerable parts of the infrastructure.
It is essential to understand every aspect of the network: every local account, every violation of the password policy, every service account in use and every device that communicates directly with the external internet.
- Compromise Assessment helps teams understand every aspect of their infrastructure by analysing what some have previously considered unusable data.
- Compromise Assessment delivers ready-to-use rules for SIEM solutions by identifying the weak points within an infrastructure.
- A GuardYoo Compromise Assessment can provide an inventory of all local user and service accounts within an infrastructure.
In our experience, companies trying to monitor every device in an infrastructure spend large amounts of time, money and resources maintaining many different cybersecurity solutions, and much of that time is wasted protecting areas that are not under threat. In other words, they try to protect everything, which is impossible and exhausting.
By carrying out regular Compromise Assessments (twice per year at minimum), companies learn where to direct their resources for maximum effect, which is a far more effective approach.
GuardYoo's Compromise Assessment is not an alternative to SIEM; GuardYoo is an advocate of SIEM.
The key takeaway from this article is:
Do not compare Compromise Assessment and SIEM. They are two different approaches to cybersecurity that can, and should, be deployed together as part of a coherent cybersecurity strategy.
To learn more about how GuardYoo is helping other companies with their SIEM deployment, please contact us at info@GuardYoo.com