Threat Hunting vs. SIEM

Introduction

To reduce attack surfaces and improve one’s cybersecurity posture, organizations can adopt two stances: a reactive approach and a proactive approach. The reactive approach involves traditional methods of detection (e.g., IDS and IPS) and prevention (e.g., firewalls and SIEM), whereas the proactive approach uses offensive tactics, such as those found in a threat-hunting program.

Threat hunting is the act of aggressively tracking and eliminating adversaries from your corporate network as soon as possible. Threat hunting discovers attacks, reduces the detection delta (the time between compromise and detection) and stops adversaries from compromising your critical systems. Many organizations prefer to rely on measures such as SIEM to protect themselves; however, according to a TechBeacon survey, less than 25% of organizations are getting the full value from their SIEMs and only 32% are getting more than 80% of the value they expected. Given advanced persistent threats (APTs) and breaches, SIEM solutions alone do not ensure reliable protection.

Therefore, both a reactive approach (such as SIEM) and a proactive approach (such as threat hunting) are indispensable and should be implemented in parallel to enhance the security posture of organizations. In this article, you will learn how a SIEM plan and a threat-hunting program complement each other to widen a company's security coverage.

What Do I Need to Know About a SIEM System?

A SIEM — Security Information and Event Management — is a security solution that enables security professionals to discover, monitor, record and assess security incidents in real time across an IT environment and to centralize all of the relevant data. A SIEM system offers various features, including security alerts, log interpretation, advanced analytics, profiling, threat intelligence feeds, forensics, dashboards and data aggregation. SIEM is the combination of two closely-related tools, namely:

  1. Security Information Management (SIM)
  2. Security Event Management

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Chris Sienko. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/0mbJ27YeThA/