At Cybriant, we are big fans of Jim Collins’s book, Good to Great. This is a classic book for business leaders that describes how Mr. Collins and his team researched 1,435 established companies to find common traits of those businesses that made a leap from average to great results. The principles that are discussed in the book include lessons on eggs, flywheels, hedgehogs, and other essentials of business.
Let’s talk Hedgehogs
In his famous essay “The Hedgehog and the Fox,” Isaiah Berlin divided the world into hedgehogs and foxes, based upon an ancient Greek parable: “The fox knows many things, but the hedgehog knows one big thing.” Mr. Collins asks in his book, ” Are you a hedgehog or a fox?”
Cybriant understands that when it comes to managed SIEM, we are hedgehogs. According to the book Good to Great, a hedgehog concept is a simple, crystalline concept that flows from deep understanding about the intersection of three circles: 1) what you are deeply passionate about, 2) what you can be the best in the world at, and 3) what best drives your resource engine.
We are hedgehogs because we are deeply passionate about understanding SIEMs – how they work, how to get the proper data out of them, and what to do with that data. We are the best in the world at this because we have the top talent on staff, of course! What drives our resource engine is SIEM, SIEM, SIEM. SIEM implementations, training, monitoring, and so much more. We live and breath SIEM.
So, why do you need a Hedgehog for your SIEM?
One of our partners, AlienVault, was included in the recent Gartner Magic Quadrant for SIEM. This is awesome news! If you already use AlienVault, you know that you are working with the best. But, not every company has the resources to make it (or whichever SIEM you chose) work properly for them.
According to Gartner, there are four “cautions” when it comes to AlienVault. Here’s how a hedgehog, like Cybriant, can help assist with those potential weaknesses when it comes to your SIEM:
Caution #1: USM provides NetFlow capture, basic statistics, and context for assets, but cannot generate alerts from NetFlow.
With the recent 5.4.x AlienVault release the ability to generate alerts from NetFlow has been addressed, but we would always recommend using the right tool for the job.
AlienVault is a phenomenal correlation engine that can take a lot of data from disparate sources and discover threats from seemingly innocuous information. It does this by taking data from Active Directory, antivirus engines, firewalls, intrusion detection, and/or anything that can produce a log message for analysis. Each of these sources is simply a single slice of the pie just like NetFlow. Additionally, there are technologies that specialize in analyzing nothing but NetFlow to discover behavioral events and how they may be a threat. AlienVault will take those kinds of specialized tools and create a holistic threat analysis so that you get the whole pie and not just a single slice.
Caution #2: Integration of unsupported data sources is cumbersome compared with competing products. Alternatively, users can request AlienVault develop a plug-in to enable the integration.
The fact of the matter is that there is no data analysis engine that can parse and integrate every technology on the market without some sort of expertise, understanding of the data, and ability to create an integration.
Cybriant Engineers regularly write plugins and integrations for the AlienVault platform. For simple products that are “unsupported” by AlienVault, it may take an hour to write a plugin. For very complex products with hundreds (or more) of rule variations on messages in logs, it will take longer. Through literally thousands of implementations, the Cybriant team has yet to find a product that cannot be integrated (or have a plugin created) as long as it outputs data.
Caution #3: Although identity activity can be linked with assets, USM provides only basic enrichment of event data with user context; and identity and access management (IAM) integration is limited to Active Directory and LDAP.
There are many tools that can integrate with AlienVault to provide enriched user data, and out of the box, AlienVault has some built-in IAM capabilities. Additionally, the USM Anywhere product has advanced user enrichment functionality with lAM and IDM software. However, when we encounter cases where a user had a problem with their SIEM we typically discover that one of a couple of things has occurred:
- The necessary data isn’t being fed into the SIEM (either by lack of logging verbosity or other configuration issues).
- The Security Analyst (or is more often the case: Overworked Systems Administrator) performing the analysis doesn’t have the experience necessary to do a data deep dive.
Think of it this way, if you have a musical instrument and don’t correctly tune it then it will sound terrible. Similarly, if the data isn’t correct being sent to the SIEM and the system isn’t tuned to excel at processing the data then a Security Analyst will get poor results. Additionally, like a musical instrument, you could have the best-made instrument in the world, but if the musician doesn’t know how to play it then it will sound terrible. With a SIEM, if the Analyst (Administrator/etc.) doesn’t have the experience and dedicated training required to be successful then the results will be poor.
At Cybriant our SIEM Analysts have a deep understanding of both how the SIEM should be configured and how to discover threats using the SIEM. These are two distinctly different skills. Additionally, our SIEM Analysts have direct and instant access to the rest of our team members who specialize in different fields (such as Implementations, Malware Analysis, Forensic Analysis, etc.). This means that instead of a single Security Analyst who is hunting down alarms, Cybriant has an entire Security Task Force who is actively monitoring your infrastructure.
Caution #4: AlienVault’s workflow capabilities do not include integrations with external ticketing systems or role-based workflow assignments.
The traditional AlienVault USM does not have integrations with external ticketing systems, and so the Cybriant Security Operations Center solves this issue by having rigorous Processes and Procedures in place. Without Processes and Procedures, workflows and integrations are typically handled in a hodgepodge manner instead of a hedgehog manner.
Additionally, with USM Anywhere USM, AlienVault now has integrations with external ticketing systems. And so Cybriant can simply utilize our already existing great Processes and Procedures along with the automation to keep costs low for our customers.