Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

Why SIEMs F*cked Up Application Log Analysis?


This is going to be a short one: why do you think the SIEM vendors f*cked up application log analysis so badly?

Think about it, SIEM technology started roughly in 1997, so 20 years ago. 20 years is like 2 gazillion years in “IT years.” But even today I see a lot of people who equate SIEM with “IT infrastructure monitoring” (i.e. routers, servers, security applicances) or, worse, think that “SIEM is a network security technology.” I’ve long fought this view, but I essentially lost this battle …

So, now, I am sitting here listening toUEBA / UBAclients gush about how great their UEBA is with application log analysis and application security monitoring . They bring up all sorts of esoteric applications (machine parts management, medical research support, financial transaction processing, etc) and then wax poetic about how great their UEBA tool is for revealing insights from the log data and how it saved them so much dough, despite the fact that they paid $1,000,000 for their UEBA.

Why is that? What do UEBA tools know that SIEMs miss?

If you think, “ but wait, UEBA has ML andmagic AI stuff ”, think again. Well, it does, but some of theuse cases are very rule-based and do not extend beyond the “IF <this> AND <that> THEN <whatever>” correlations.

So, what is to blame here? Perhaps, some of these …

SIEM historical association with IT infrastructure, not business application, monitoring Lack of schema support for business application log data The very requirement to shove the data into a standard schema Obvious lack of out-of-the-box content (rules, alerts, dashboards, etc) for custom application security monitoring Heavy role of identity and entitlement data in application monitoring Requirements for inclusuion of non-IT data in analysis Or even … customers never pushing SIEM vendors to “do applications”?

… or even something completely different. All in all, it feels like the SIEM guys blew this one as well… and now need to catch up with the UEBAs.

Related blog posts about security analytics:

On UEBA / UBA Use Cases UEBA Clearly Defined, Again? Comparing UEBA Solutions (byAugusto) What Should Your UEBA Show: Indications or Conclusions? UEBA Shines Where SIEM Whines? The Coming UBA / UEBA SIEM War! Next Research: Back to Security Analytics and UBA/UEBA Sad Hilarity of Predictive Analytics in Security? Security Analytics Webinar Questions Answered On Unknown Operational Effectiveness of Security Analytics Tooling My “Demystifying Security Analytics: Sources, Methods and Use Cases” Paper Publishes Now That We Have All That Data What Do We Do, Revisited Killed by AI Much? A Rise of Non-deterministic Security! Those Pesky Users: How To Catch Bad Usage of Good Accounts Security Analytics Lessons Learned ― and Ignored! Security Analytics: Projects vs Boxes (Build vs Buy)? Do You Want “Security Analytics” Or Do You Just Hate Your SIEM? Security Analytics Finally Emerging For Real? Why No Security Analytics Market? <- important read for VCs and investors! More On Big Data Security Analytics Readiness 9 Reasons Why Building A Big Data Security Analytics Tool Is Like Building a Flying Car “Big Analytics” for Security: A Harbinger or An Outlier?

Category: application monitoring security siem ueba

Viewing all articles
Browse latest Browse all 12749