SIEM Cannot Detect (and Ignores) Zero-Day Attacks

The following is an excerpt from our recent whitepaper, “Why Traditional Cybersecurity Tools Cannot Defend Against Zero-Day and No Signature Attacks,” in which we dive into how traditional cybersecurity tools work, why this fundamentally limits them from being able to detect zero-day or previously unknown attacks, why the industry standard for breach detection is around six to eight months and how modern, contextually-aware AI overcomes the limitations of traditional cybersecurity solutions.

But I Have a Great (Expensive) SIEM Solution in Place…

SIEM has historically been referenced as an ideal, modern solution, but even the more robust market offerings are fundamentally limited. Here’s why.

SIEM works by installing heavy forwarders on multiple locations to the system of record that is then sent in raw data format that is time-series dependent to a middle tier. When someone writes a query or a rule against that data, even in the best case scenarios, the SIEM performs data normalization. Then, it structures and organizes based on the information in that system to produce a result based on the specified questions.

Organizations are exclusively depending on selective information forwarded to the SIEM. The information that inevitably exists outside the system of record — information relevant for zero-day attacks — is ignored.

But What About My Next-generation Firewall?

Vendors promote the newest generation of firewall technology by focusing on a 30-second response time when it comes to identifying signatures. Many of these solutions can, indeed, manage this limited capability, but fall short in a fundamentally important way. They don’t tell organizations anything about coordinated or no-signature attacks. The only attacks visible are those based on minor modifications to existing signatures.

Vendors clarify this function by claiming that most attacks fall into this modified signature category. But do they?

There is a new generation of attack techniques and coordinated attack techniques, including adversarial AI specifically designed to negate and undermine the entire message being sold by these next generation firewalls and cybersecurity platforms. Attackers are well aware that organizations are expecting modified signature attacks, so they have moved away from them to new methods outside the scope of traditional solutions.

State-sponsored and adversarial AI attacks are prevalent, using never-before-seen signature-based detections or attacks that circumvent next generation firewalls, end points, and cybersecurity systems as a whole. “State sponsored hackers are well equipped, well funded, and know how legacy, rules-based systems operate,” Coulehan says. “There is now significant, demonstrable evidence that coordinated attacks can and will compromise a cybersecurity system’s rule set, a baseline, or thresholds within the tools themselves.” The approach has proven more effective, and far less detectable, than simple modification of existing signatures.

Download the whitepaper:

Why Traditional Cybersecurity Tools Cannot Defend Against Zero-Day and No Signature Attacks

MixMode Articles You Might Like:

Cybersecurity Spend for Data Retention and Analysis is Out of Control and Largely Unnecessary

The Aggregation Model is Falling Short

Log Data is Not Effective as a Foundation for Prevention, Detection, Remediation or Analytics

Why Traditional Cybersecurity Tools Cannot Defend Against Zero-Day and No Signature Attacks

How AI is Contributing to Global Warming and What it Can Learn from Bitcoin

Incremental Stacking of Correlative Analysis Platforms Will Ultimately Prove Ineffective and Costly

*** This is a Security Bloggers Network syndicated blog from MixMode authored by Christian Wiens. Read the original post at: