Blog post

SIEM/ DLP Add-on Brain?

By Anton Chuvakin | February 27, 2015 | 4 Comments

SIEMsecuritynetwork forensicsmonitoringloggingfutureanalyticsData and Analytics Strategies

Initially I wanted to call this post SIEM has no brains”, but then questioned such harshness towards the technology I’ve been continuously loving for 13 years 🙂 In any case, my long-time readers may recall this post called “Pathetic Analytics Epiphany!” (from 5 years ago) [and this one from 8] where I whine incessantly about the lack of actual analytic capability in our log analysis tools such as SIEM and log management (“search and rules? that’s it?! WTH!”). Well, I didn’t just whine, I tried to do something about it.

Now in 2015, the situation has started to change … but sadly not much in SIEM tools themselves. The good news is that we now a decent number of vendors that offer, essentially, an add-on brain for your SIEM. Some can also add a brain to your DLP, since it turned out that DLP is pretty brainless as well…

These new vendors (whether they are classified by us as UBA or not) essentially focus on 2 problems:

  • Reduce/refine/prioritize alerts coming from other tools (SIEM, DLP) by applying algorithms to the SIEM output i.e. alert flow (e.g. this is a rare type, this is not common for this source, this has never triggered at night, etc)
  • Detect better and/or detect new, difficult threats by applying algorithms to the SIEM input and/or fusing the SIEM data with other data

On the detection side, they may be effective with things like:

  1. One example – many people’s favorite! – is finding compromised user accounts. You can read about it here – to compare “the SIEM way” and “the analytic way” (UBA way, in this case)
  2. Another is malicious domain detection (DGA-cooked domains detection, in particular) – sure, you can rely on threat intelligence feeds of “bad domains”, or you can ML the sucker like these folks do here (sure, “the known bad way” is easier, but guess how helpful it would be for finding freshly created bad domains?)
  3. Exfiltration detection via interesting channels (DNS for exfil, anybody?) has been on the target list for those “add-on brains”; after all, humans tend to burn out after looking for outbound firewall logs non-stop for a weak or two :–)

[note that the above 3 items are devilishly hard to do with just SIEM alone – and impossible with a SIEM NOT crewed by a skilled and motivated SIEM team!]

So, why isn’t this in all SIEM tools?! [A short answer is: beats me …]

Longer answer: There are political and economical reasons, but there are also performance engineering reasons. Remember the old days of SIEM when a SQL query hitting the database to run a report “Top User Logins by Count For Last 7 Days” took 3 hours? [“Stop complaining, its Oracle, man!” was the typical response.] Now try something more 2015-style, such as “match a set of 3000 threat indicators [such as IPs or domains] vs historical log data over the last 60 days” (we call it “TI retro-matching” and it is useful a long list of reasons) – BOOM! down goes your SIEM. And this was trivial matching – not analytics, really. A lot of SIEM deployments are spec’d out to run close to maximum performance (more useful discussion here); you can think of this as sort of SIEM coffin corner: go faster – airframe breaks, go slower – become a big drag on the budget and crash. If I want to use your SIEM for any unsupervised learning, as I did back in the day, you will need to dramatically increase hardware – or wait a looooooooooooooooooooong time for results.

Finally and to be fair, some SIEM vendors (very few!) are starting to think about it, but – seriously, guys – you could have totally owned this 5 years ago! BTW, I’ve been asking many of those emerging analytics-focused vendors (whether UBA or not) on “why don’t you think that SIEM vendors will crush you?” and received many exciting answers …

Blog posts on the security analytics topic:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • David Casey says:

    Anton, you’ve been out of the trenches too long 🙂

    Please get in a room with real world Cyber Security Operations Analysts and Cyber Security Incident Responders…. NOT the CISO, or CIO, or anyone from management. Just the guys and gals fighting the actual battles. Talk off the record with them. You will discover that there are far, far more impactful issues that prevent them from using their SIEMs effectively.

    To be even more cryptic, you could put a fully functioning AI in today’s SIEMs (as opposed to ML) and it will not change the issues plaguing Cyber Security Operations. Hint: Its not the technology.

    And for the record, what you described above is already in at least one MQ leading SIEM product. Email me if you want to learn more.

    • @David Thanks for the comment. Of course, the majority of SIEM failures is NOT the technology, and I spent quite a bit of time getting this message out to people, both at and before Gartner. Way too many lack good people to run their SIEMs and don’t think about the operational processes. I’d take an inferior SIEM and a good team over a market leading SIEM and poor/insufficient team any day…

      I will definitely email you re: SIEM MQ leader having this; I just went thru the conversations with [some] of them and I see nothing even remotely similar – well, not in reality [they “all have it” in marketing :-)]

    • And, to set the record straight: I very rarely (almost never) speak with CIOs, occasionally with CSOs, but in most cases with people who “do stuff”, operate, run, execute, etc.

  • David Casey says:

    LOL. All good Anton. I just wanted to make sure that the majority of source material comes from us boots-on-the-ground folks. No marketing spin from us. Just the hard reality of secops.