Securonix Next-Generation SIEM - SPECTRAMI (document collection posted 17-Jun-2020)

Page 1: Securonix Next-Generation SIEM - SPECTRAMI...Built on big data, Securonix Next-Generation SIEM combines log management, user and entity behavior analytics (UEBA), and security incident

DATASHEET

Securonix Next-Generation SIEM

Harness the Power of Big Data Using Machine Learning

The cybersecurity landscape is getting more complex. Hackers continue to innovate, and business technologies generate increasing amounts of data. This is making legacy security monitoring solutions obsolete as they struggle with an inability to scale and weak rule-based threat detection techniques.

Built on big data, Securonix Next-Generation SIEM combines log management, user and entity behavior analytics (UEBA), and security incident response into a complete, end-to-end security operations platform. It collects massive volumes of data in real-time, uses patented machine learning algorithms to detect advanced threats, and provides artificial intelligence-based security incident response capabilities for fast remediation.

Collect, Detect, and Respond to Advanced Threats

[Figure: platform overview on an open Hadoop platform. COLLECT any data (connector framework, context enrichment, real-time enrichment); DETECT unknown threats (machine learning, threat chains & risk scoring; use-case areas: insider threat, cloud security, cyber threat, fraud); RESPOND with automated action (automated playbook, response bot, case management, incident response); SEARCH AND INVESTIGATE (link analysis, dashboards & reports, search & threat hunting).]


LEARN MORE: www.securonix.com | LET'S TALK: +1 (310) 641-1000 | 14665 Midway Rd. Suite #100, Addison, TX 75001 | ©2018 Securonix 0619

Product Features

Big Data Architecture

• Powered by Hadoop, a massively scalable, fault-tolerant open data platform that ingests hundreds of terabytes per day and supports economical long-term data retention.

• An open data model means you can maintain a single copy of your data in an open data format and make it available to other applications as needed.

• Unlimited long-term retention with over 90% compression.

• 100% native Hadoop components certified on Cloudera and Hortonworks.

• Cost is based primarily on identity instead of by events per second or gigabytes, so costs are predictable, even as your data requirements increase.

Built-In User and Entity Behavior Analytics

[Figure: daily activity time series for a sample user (Jan 1 to Jan 7, 2013) showing the learned baseline and an outlier day; scores from Behavior Analysis, Peer Analysis and Event Rarity Analysis; and the peer-group attributes used for comparison (Division, Job Key, Dept, Manager, Title).]

• Built-in UEBA with patented machine learning algorithms accurately detects advanced and insider threats.

• Stitch together a series of events over time using threat chain models in order to surface the highest risk events.

• Securonix comes with out-of-the-box applications delivered in the form of threat models and built-in connectors that enable rapid deployment and quick time to value.

• Continuously refresh use case content through the Threat Library and Threat Exchange.

Threat Hunting and Investigation

• Securonix Spotter enables blazing-fast threat hunting using natural language search.

• Searching for threat actors or indicators of compromise is simplified with visual pivoting available on any entity in order to develop valuable threat context.

• Visualized data can be saved as dashboards or exported in standard data formats.

Intelligent Incident Response

• Securonix Investigation Workbench allows you to rapidly investigate incidents by pivoting on anomalous entities and tracing associated activities and events.

• Built-in incident playbooks include configurable automated remediation actions to shorten time to respond.

• Comprehensive incident management and workflow capabilities allow multiple teams to collaborate on an investigation.

• Securonix Response Bot is an artificial intelligence-based recommendation engine that suggests remediation actions based on previous behavior patterns of Tier 3 analysts.

For more information about Securonix Next Generation SIEM visit www.securonix.com/products/securonix-next-generation-siem/

[Figure: platform stack: Securonix UI over Hive/Impala, Spark Streaming, Spark, Kafka, Zookeeper, YARN, HBase, HDFS and SOLR Cloud.]


DATASHEET

Securonix User and Entity Behavior Analytics

Detect Unknown Threats Using Behavior Analytics and Machine Learning

Product Features

Use cases by category:

• Insider Threat: Data Exfiltration; Privileged Account Misuse; Patient Data Snooping; IP Theft; Access Anomalies

• Cyber Threat: Pass-The-Hash; Lateral Movement; Ransomware; Beaconing, DGA; Phishing

• Cloud Security: Anomalous Data Sharing; Privilege Misuse; Data Exfiltration; Unauthorized Login & Access; External Attacks

• Fraud: Payment Fraud; Retail Fraud; Customer Fraud; Internal Fraud; Trade Surveillance

Today’s cyber threats are more sophisticated, executed on a larger scale, and have the ability to spread rapidly. For example, in 2017 WannaCry infected 45,000 systems across 74 countries within 24 hours. Traditional correlation-based security monitoring tools are not capable of detecting advanced threats like these because they lack the ability to scale, lack a broader context, and have weak analytic capabilities.

Securonix User and Entity Behavior Analytics (UEBA) leverages patented machine learning and behavior analytics to analyze and correlate interactions between users, systems, applications, IP addresses, and data. The solution learns what normal behavior patterns are and creates baselines in order to identify outliers. Light, nimble, and quick to deploy, Securonix UEBA comes with pre-packaged use case content to detect advanced insider threats, cyber threats, fraud, cloud data compromise, and non-compliance. Built-in link analysis, automated response playbooks, and case management workflows allow you to investigate and respond to threats quickly, accurately, and efficiently.
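The three analyses the datasheet's figure names (behavior, peer and event rarity) can be sketched in a few dozen lines. The following is an added example, not Securonix code and not how the product implements them: it scores a constructed seven-day event log with a median/MAD baseline per user, runs the same comparison against departmental peers, computes a rarity score for event types, and folds the three into one risk number. The thresholds, weights and the scoring rule itself are assumptions.

```python
"""Behavior, peer and event-rarity analytics over a constructed event log.
Added illustration, not Securonix code. The median/MAD scoring rule, thresholds
and weights are assumptions; the page names the three signals, not the math."""
from collections import defaultdict
from statistics import median

def _series(user, dept, event, counts):
    # Expand daily counts into (day, user, dept, event, count) records.
    return [(d, user, dept, event, c) for d, c in enumerate(counts, start=1)]

# Constructed sample: seven days of per-user daily counts. Not real data.
RECORDS = (
    _series("jane", "finance", "file_download", [38, 41, 40, 44, 39, 42, 320])  # spike on day 7
    + [(7, "jane", "finance", "db_export", 3)]                                   # first time for jane
    + _series("bob", "finance", "file_download", [35, 37, 33, 36, 38, 34, 36])
    + _series("ann", "finance", "file_download", [40, 45, 42, 41, 43, 44, 42])
    + _series("dan", "eng", "file_download", [200, 210, 190, 205, 215, 198, 207])  # high but stable
    + _series("dan", "eng", "db_export", [2] * 7)                                  # routine for dan
)

def robust_z(history, value, mad_floor=1.0):
    """Modified z-score: distance from the median of history in units of median
    absolute deviation. The floor (an assumption) keeps a flat history from turning
    any deviation into an infinite score."""
    med = median(history)
    mad = max(median(abs(h - med) for h in history), mad_floor)
    return 0.6745 * (value - med) / mad

def behavior_outliers(records, threshold=3.5, min_history=3):
    """Behavior analysis: each (user, event, day) is scored against that user's own
    earlier days. Returns (user, event, day, count, score) above threshold."""
    series = defaultdict(list)
    for day, user, _dept, event, count in records:
        series[(user, event)].append((day, count))
    hits = []
    for (user, event), points in series.items():
        points.sort()
        for i, (day, count) in enumerate(points):
            history = [c for _, c in points[:i]]
            if len(history) < min_history:
                continue
            z = robust_z(history, count)
            if z > threshold:
                hits.append((user, event, day, count, round(z, 1)))
    return hits

def peer_outliers(records, threshold=3.5, min_peers=2):
    """Peer analysis: the same count scored against same-department colleagues on
    the same day, which also covers users with no usable history of their own."""
    groups = defaultdict(dict)
    for day, user, dept, event, count in records:
        groups[(dept, day, event)][user] = count
    hits = []
    for (_dept, day, event), counts in sorted(groups.items()):
        for user, count in counts.items():
            peers = [c for u, c in counts.items() if u != user]
            if len(peers) < min_peers:
                continue
            z = robust_z(peers, count)
            if z > threshold:
                hits.append((user, event, day, count, round(z, 1)))
    return hits

def rarity_scores(records, day):
    """Event rarity: for each (user, event) active on `day`, the share of the
    population that had never performed the event before, and whether this is
    the first time this particular user did."""
    users = {r[1] for r in records}
    seen_before, today = defaultdict(set), set()
    for d, user, _dept, event, _count in records:
        if d < day:
            seen_before[event].add(user)
        elif d == day:
            today.add((user, event))
    return {(user, event): (round(1 - len(seen_before[event]) / len(users), 2),
                            user not in seen_before[event])
            for user, event in sorted(today)}

def risk_report(records, day, weights=(30, 30, 20), rare_cutoff=0.7):
    """Fold the three signals into one per-user risk score for `day`."""
    w_behavior, w_peer, w_rare = weights
    score = defaultdict(int)
    for user, _event, d, _count, _z in behavior_outliers(records):
        if d == day:
            score[user] += w_behavior
    for user, _event, d, _count, _z in peer_outliers(records):
        if d == day:
            score[user] += w_peer
    for (user, _event), (rarity, first_for_user) in rarity_scores(records, day).items():
        if rarity >= rare_cutoff and first_for_user:
            score[user] += w_rare
    return dict(score)

if __name__ == "__main__":
    print(behavior_outliers(RECORDS))  # jane's 320 downloads on day 7
    print(peer_outliers(RECORDS))      # the same spike, seen against bob and ann
    print(rarity_scores(RECORDS, 7))   # db_export: rare in the population, first time for jane
    print(risk_report(RECORDS, 7))     # {'jane': 80}
```

The two outlier functions agree on jane's day-7 spike, but only the rarity check separates her first-ever db_export from dan, for whom the same rare event is routine. That is the difference between "rare in the population" and "rare for this entity", and it is why a per-entity baseline (rather than a global rule) is what keeps the rare-event signal from becoming noise.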

Address a Wide Range of Use Cases

[Figure: capability wheel: Cloud & App Security; Search & Link Analysis; Incident Response & Case Management; Extensible to SIEM; Entity Context; Machine Learning & Packaged Apps.]

Entity Context Enrichment

• Build a comprehensive profile of every entity in your environment: users, IP addresses, and hosts.

• Real-time enrichment of events with entity context including identity, asset, geolocation, threat intelligence and data from lookup tables.

• Point in time IP attribution ties dynamic IP addresses to entities.
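An added example (not Securonix code) of what the enrichment bullets above and the connector-library bullets later in this document describe: a regex parser for one constructed firewall line format, followed by point-in-time IP attribution against a constructed DHCP lease table and lookups in constructed identity, asset, geolocation and threat-intelligence tables. The log format, the regex and every table are assumptions.

```python
"""Real-time context enrichment with point-in-time IP attribution.
Added illustration, not Securonix code. The log format, the regex, and all
lookup tables (DHCP leases, asset inventory, identity, geolocation, threat
intel) are constructed stand-ins for the feeds the datasheet lists."""
import ipaddress
import re
from datetime import datetime

# Constructed DHCP lease history: the same address goes to two workstations on
# the same day, which is exactly why attribution needs the event timestamp.
LEASES = [
    ("10.1.4.23", "2019-03-01 08:00", "2019-03-01 12:00", "ws-017"),
    ("10.1.4.23", "2019-03-01 13:30", "2019-03-01 18:00", "ws-042"),
]
ASSETS = {  # asset inventory (constructed)
    "ws-017": {"owner": "jane.doe", "criticality": "medium"},
    "ws-042": {"owner": "bob.roe", "criticality": "low"},
}
IDENTITY = {  # HR / identity feed (constructed): the attributes peer analysis groups on
    "jane.doe": {"dept": "Finance", "title": "Analyst", "manager": "ann.lee"},
    "bob.roe": {"dept": "Finance", "title": "Controller", "manager": "ann.lee"},
}
GEO = {"198.51.100.0/24": "Frankfurt, DE", "192.0.2.0/24": "Reston, US"}  # constructed
THREAT_INTEL = {"198.51.100.77": "scanner infrastructure (constructed entry)"}

# Constructed firewall line format: "<ts> fw01 action=<a> src=<ip> dst=<ip> dport=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) fw01 action=(?P<action>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)
RAW = [
    "2019-03-01 09:15:02 fw01 action=allow src=10.1.4.23 dst=198.51.100.77 dport=443",
    "2019-03-01 14:02:11 fw01 action=allow src=10.1.4.23 dst=198.51.100.77 dport=443",
    "2019-03-01 20:00:00 fw01 action=deny src=10.1.4.23 dst=192.0.2.9 dport=22",  # no lease
]

def _t(s, fmt="%Y-%m-%d %H:%M"):
    return datetime.strptime(s, fmt)

def attribute_ip(ip, ts, leases=LEASES):
    """Point-in-time attribution: which host held `ip` at `ts`, or None."""
    for lease_ip, start, end, host in leases:
        if lease_ip == ip and _t(start) <= ts <= _t(end):
            return host
    return None

def geolocate(ip, table=GEO):
    addr = ipaddress.ip_address(ip)
    for cidr, place in table.items():
        if addr in ipaddress.ip_network(cidr):
            return place
    return None

def enrich(line):
    """Parse one raw line and attach host, owner, identity, geo and intel context.
    Returns None for lines the regex does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = _t(m["ts"], "%Y-%m-%d %H:%M:%S")
    host = attribute_ip(m["src"], ts)
    asset = ASSETS.get(host, {}) if host else {}
    owner = asset.get("owner")
    return {
        "ts": ts, "action": m["action"], "src": m["src"], "dst": m["dst"],
        "dport": int(m["dport"]),
        "host": host,
        "asset_criticality": asset.get("criticality"),
        "user": owner,
        "identity": IDENTITY.get(owner) if owner else None,
        "dst_geo": geolocate(m["dst"]),
        "dst_intel": THREAT_INTEL.get(m["dst"]),
    }

if __name__ == "__main__":
    for line in RAW:
        e = enrich(line)
        print(e["ts"], e["src"], "->", e["host"], e["user"], e["dst_geo"], e["dst_intel"])
```

Point-in-time attribution is the step that matters: the same 10.1.4.23 resolves to ws-017 and jane.doe at 09:15, to ws-042 and bob.roe at 14:02, and to nothing at 20:00 when no lease covers the address. Enriching against the current lease instead of the lease in force at event time would pin both connections on whichever user holds the address when the analyst looks.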



Behavior Analytics and Machine Learning

[Figure: the same baseline/outlier chart as in the Next-Generation SIEM datasheet above: daily activity for a sample user (Jan 1 to Jan 7, 2013) with baseline and outlier; scores from Behavior Analysis, Peer Analysis and Event Rarity Analysis; peer-group attributes Division, Job Key, Dept, Manager, Title.]

• Apply sophisticated, patented machine learning algorithms to event data in real time to accurately detect advanced and insider threats.

• Stitch together a series of events over time using threat chain models in order to surface the highest risk events.

• Securonix comes with out-of-the-box use cases delivered in the form of threat models and built-in connectors that enable rapid deployment and quick time to value.

Investigation and Intelligent Incident Response

• Securonix Investigation Workbench allows you to rapidly investigate incidents by pivoting on anomalous entities and tracing associated activities and events.

• Built-in incident playbooks include configurable automated remediation actions to shorten time to respond.

• Comprehensive incident management and workflow capabilities allow multiple teams to collaborate on an investigation.

• Securonix Response Bot is an artificial intelligence-based recommendation engine that suggests remediation actions based on previous behavior patterns of Tier 3 analysts.

Data Privacy

• Robust role-based access controls mean that different user groups will only see the data they are entitled to.

• Data masking protects an individual's data and privacy and prevents users from accessing sensitive data unless they have a specific need to.

• A full audit trail means that you will be able to track and investigate all activity in the solution.

• Privacy capabilities approved and certified by more than 15 works councils across Europe and Asia Pacific.
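An added example, not Securonix code, of the three controls listed above working together: sensitive fields are replaced by a keyed pseudonym so that baselines and peer groups still work on masked data, the token can be reversed only by a role holding an unmask privilege, and every reveal attempt, allowed or denied, lands in an audit trail. How the product itself masks is not described on the page; the HMAC construction, the role table and the audit record layout are assumptions.

```python
"""Field-level data masking with role-gated unmasking and an audit trail.
Added illustration, not Securonix code. The HMAC pseudonym, the role table and
the audit record layout are assumptions."""
import hashlib
import hmac
from datetime import datetime, timezone

MASK_KEY = b"constructed-demo-key"  # assumption: in production this lives in a secrets store
SENSITIVE_FIELDS = ("user", "email", "manager")
ROLES = {"analyst": set(), "investigator": {"unmask"}}  # privilege sets per role (constructed)

def pseudonym(value, key=MASK_KEY):
    """Keyed, deterministic token: one real identity always maps to one token, so
    analytics still group events by user, but the token cannot be reversed without
    the key or the directory."""
    return "u_" + hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()[:16]

def mask_event(event, directory):
    """Replace sensitive fields with tokens; record token -> value in `directory`,
    the only reversal path, which is kept apart from the event store."""
    masked = {}
    for field, value in event.items():
        if field in SENSITIVE_FIELDS and value:
            token = pseudonym(value)
            directory[token] = value
            masked[field] = token
        else:
            masked[field] = value
    return masked

def reveal(token, actor, role, justification, directory, audit):
    """Unmask a token only for a role holding 'unmask' and only with a stated
    reason; every attempt is appended to `audit` with who asked and why."""
    allowed = "unmask" in ROLES.get(role, set()) and bool(justification.strip())
    audit.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "role": role, "token": token,
        "justification": justification, "allowed": allowed,
    })
    if not allowed:
        raise PermissionError(f"{actor} ({role}) may not unmask {token}")
    return directory[token]

def demo():
    """Mask one constructed event, have an analyst fail to unmask it and an
    investigator succeed; returns what each step produced."""
    directory, audit = {}, []
    event = {"ts": "2019-03-01T09:15:02Z", "user": "jane.doe", "email": "jane.doe@example.com",
             "manager": "ann.lee", "event": "file_download", "count": 320}
    masked = mask_event(event, directory)
    try:
        reveal(masked["user"], "alice", "analyst", "curious", directory, audit)
        denied = False
    except PermissionError:
        denied = True
    real = reveal(masked["user"], "carol", "investigator",
                  "insider case INC-0001 (constructed reference)", directory, audit)
    return masked, denied, real, audit

if __name__ == "__main__":
    masked, denied, real, audit = demo()
    print(masked)
    print("analyst denied:", denied, "| investigator got:", real)
    for entry in audit:
        print(entry["actor"], entry["role"], "allowed" if entry["allowed"] else "DENIED",
              entry["justification"])
```

Keep the directory (token to identity) and the key outside the analytics data store; the event store then holds only tokens, and the audit list is the record the works councils mentioned above would expect to see when asking who looked at whom and why.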

For more information about Securonix UEBA visit www.securonix.com/ueba

[Figure: privacy controls: Data Masking, Audit Trail, Role Based Access, Security Hardening.]


DATASHEET

SNYPR Cloud Platform

Align Your Security Monitoring With Your Cloud Strategy

As cloud usage has grown, the need to secure your cloud applications and data has also grown. Legacy on-premises solutions often struggle to gain adequate visibility into the cloud, while the capabilities of cloud-based solutions often haven’t caught up to their on-premises versions. The SNYPR Cloud Platform gives you complete cloud security visibility while benefiting from the reduced cost and overhead that comes with deploying in the cloud.

Product Features

Flexible Multi-Tenant Architecture

[Figure: Securonix Cloud Platform.]

• A multi-tenant architecture lets you use as many resources as your organization needs now.

• Individual tenant IDs and dedicated tenants are used to maintain complete data segregation.

• Use on-premises or cloud-based remote ingesters for data collection.

• Instant deployment with quick time to value.

• Automated content updates give you instant access to the latest use case content from Securonix.



Secure by Design

• SOC 2 Type 2 certified.

• Data is kept encrypted while it is in transit, and data at rest can be encrypted if you choose to.

• Limit access to your data using granular, role-based access control.

• Detailed logging capabilities ensure a full audit trail of all activities within the solution.

Benefit from Cloud to Cloud Security

• Extend seamless security monitoring across your cloud environment without needing to rely on on-premises solutions that were not designed for the cloud.

• Analyze user entitlements and events to look for malicious activity using built-in APIs for all major cloud infrastructure and application technologies.

• Eliminate blind spots when you can correlate between on-premises data and cloud data to analyze end-to-end activities and detect actionable threat patterns.

• Take advantage of a strong cloud security ecosystem to collect cloud logs and support automated response.

Simplified Operations and Management

• SnyprEye enables simplified deployment and configuration for both tenants and Hadoop components.

• Monitor nodes, clusters, and all application jobs, including imports, analytics, and storage.

• Receive alerts and notifications for node issues, cluster issues, and application issues.

For more information about the SNYPR Cloud Platform visit www.securonix.com/platforms/snypr-cloud/



DATASHEET

Securonix SOAR

Fastest Mean Time to Resolve Advanced Threats

The approach of sending alerts directly from legacy security information and event management (SIEM) to security orchestration, automation, and response (SOAR) creates an overload in the SOAR solution with too many false positives that are not actionable. By adding a best-in-class user and entity behavior analytics (UEBA) layer in between, Securonix is able to prioritize high risk threats and reduce the alerts into SOAR by over 90 percent.

Securonix SOAR Benefits

• Improve operational efficiency when automation and orchestration are applied to prioritized, high-risk threats instead of low-value SIEM alerts.

• Reduce mean time to resolution (MTTR) using robust automation capabilities with 275+ connectors and 3000+ playbook actions delivered by CyberSponse.

• Extend advanced analytics to incident response using an artificial intelligence-driven recommendation engine that learns the actions analysts take in response to threats and uses what it learns to recommend or automate future response actions.

• Speed up investigation with built-in real-time user and entity context.

Prioritize Advanced Threats and Reduce Noise Using Advanced Analytics

[Figure: Legacy SIEM approach: SIEM → too many low-value alerts → SOAR → too many low-value incidents. Securonix approach: SIEM alerts & log events → behavior analytics (user/entity attribution, threat chains) → fewer high-risk alerts with entity context → SOAR → fast, efficient response.]

Securonix SOAR, combined with Securonix SIEM and UEBA, balances automation and orchestration with behavioral analytics for a more prioritized and streamlined incident response.



Rapid Time to Value With Wide-Ranging Integrations

Security incidents, if not acted upon in a timely manner, can cause a lot of damage in a very short time. Securonix SOAR provides automated incident orchestration and response with 275+ connectors and 3000+ playbook actions.

Automate Response With Built-In Playbook Actions

Securonix automated incident response playbooks are provided out-of-the-box and are fully customizable. They provide you the means to automate or partially automate the actions you take in response to an incident.
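The malware-beaconing playbook shown in the figure on this page, as an added example (not Securonix code or playbook content): constructed proxy log lines are parsed with a regex, each host/domain pair is checked for call-home regularity, a generated-looking domain and a rare user agent, a local table stands in for the external reputation lookups (VirusTotal, AbuseIPDB, PassiveTotal), and the result is the stage the playbook would advance to. The log format, the thresholds and the threat-intel table are assumptions.

```python
"""The malware-beaconing playbook from the figure, run over constructed proxy
log lines. Added illustration, not Securonix code. The log format, the threat-intel
table (a stand-in for VirusTotal/AbuseIPDB/PassiveTotal lookups), and the
thresholds for "beaconing", "generated-looking domain" and "rare user agent"
are assumptions."""
import math
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log: "<epoch> <host> <domain> <dst_ip> <user-agent>"
LOG = """\
1000 ws-017 xk3j9qzp2w.info 203.0.113.7 Mozilla/4.0 (compatible; MSIE 6.0)
1301 ws-017 xk3j9qzp2w.info 203.0.113.7 Mozilla/4.0 (compatible; MSIE 6.0)
1599 ws-017 xk3j9qzp2w.info 203.0.113.7 Mozilla/4.0 (compatible; MSIE 6.0)
1900 ws-017 xk3j9qzp2w.info 203.0.113.7 Mozilla/4.0 (compatible; MSIE 6.0)
2202 ws-017 xk3j9qzp2w.info 203.0.113.7 Mozilla/4.0 (compatible; MSIE 6.0)
2499 ws-017 xk3j9qzp2w.info 203.0.113.7 Mozilla/4.0 (compatible; MSIE 6.0)
1000 ws-020 cdn.example-update.com 203.0.113.40 Mozilla/5.0 (Windows NT 10.0) Chrome/72.0
1045 ws-020 cdn.example-update.com 203.0.113.40 Mozilla/5.0 (Windows NT 10.0) Chrome/72.0
1500 ws-020 cdn.example-update.com 203.0.113.40 Mozilla/5.0 (Windows NT 10.0) Chrome/72.0
1510 ws-020 cdn.example-update.com 203.0.113.40 Mozilla/5.0 (Windows NT 10.0) Chrome/72.0
2400 ws-020 cdn.example-update.com 203.0.113.40 Mozilla/5.0 (Windows NT 10.0) Chrome/72.0
1000 ws-031 bad.example.net 203.0.113.99 Mozilla/5.0 (Windows NT 10.0) Chrome/72.0
1100 ws-031 bad.example.net 203.0.113.99 Mozilla/5.0 (Windows NT 10.0) Chrome/72.0
5000 ws-031 bad.example.net 203.0.113.99 Mozilla/5.0 (Windows NT 10.0) Chrome/72.0
"""
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<host>\S+) (?P<domain>\S+) (?P<ip>\S+) (?P<ua>.+)$")

# Local stand-in for the external reputation lookups in the figure (constructed).
THREAT_INTEL = {"domains": {"bad.example.net"}, "ips": {"203.0.113.99"}}

def parse(text):
    return [dict(m.groupdict(), ts=int(m["ts"]))
            for m in (LINE_RE.match(line) for line in text.splitlines()) if m]

def is_beaconing(timestamps, min_hits=5, max_cv=0.1):
    """Regular call-home: inter-arrival times with a small coefficient of variation."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return pstdev(gaps) / mean(gaps) < max_cv

def looks_generated(domain, min_len=8):
    """Crude DGA heuristic on the registered label (second-to-last label; an
    assumption that ignores public suffixes): high entropy, few vowels or many digits."""
    parts = domain.lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if len(label) < min_len:
        return False
    freq = defaultdict(int)
    for ch in label:
        freq[ch] += 1
    entropy = -sum(n / len(label) * math.log2(n / len(label)) for n in freq.values())
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    digits = sum(ch.isdigit() for ch in label) / len(label)
    return entropy > 3.5 or vowels < 0.2 or digits > 0.3

def run_playbook(text, intel=THREAT_INTEL):
    """Walk each (host, domain) pair through the figure's decision points and
    return the stage the playbook stops at plus the findings behind it."""
    events = parse(text)
    n_hosts = len({e["host"] for e in events})
    ua_hosts = defaultdict(set)
    for e in events:
        ua_hosts[e["ua"]].add(e["host"])
    pairs = defaultdict(list)
    for e in events:
        pairs[(e["host"], e["domain"], e["ip"])].append(e)
    decisions = {}
    for (host, domain, ip), evs in pairs.items():
        findings = {
            "known_bad": domain in intel["domains"] or ip in intel["ips"],
            "beaconing": is_beaconing([e["ts"] for e in evs]),
            "dga_like": looks_generated(domain),
            "rare_ua": n_hosts > 1 and any(len(ua_hosts[e["ua"]]) == 1 for e in evs),
        }
        if findings["known_bad"]:
            stage = "CONTAIN"   # block the IP / lock down the host, open an incident
        elif findings["beaconing"] and (findings["dga_like"] or findings["rare_ua"]):
            stage = "TRIAGE"    # pull endpoint process anomalies for the host, analyst review
        elif findings["beaconing"]:
            stage = "MONITOR"   # periodic but otherwise clean traffic: watch, do not act
        else:
            stage = "NONE"
        decisions[(host, domain)] = (stage, findings)
    return decisions

if __name__ == "__main__":
    for (host, domain), (stage, findings) in run_playbook(LOG).items():
        print(f"{host:7} {domain:24} -> {stage:8} {findings}")
```

The ordering of the branches is the point of the playbook: a confirmed reputation hit goes straight to containment, whereas a beacon on its own is only a reason to gather more context (the endpoint anomalies and rarity scores the figure lists) before anyone acts. The constructed ws-020 traffic is irregular and to an ordinary-looking domain, so it never advances past ingest.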

Extend Analytics to Incident Response With Response Bot

Response Bot is an artificial intelligence-driven recommendation engine. It uses supervised machine learning to study patterns of analyst actions and based on that recommend or automate future actions.

For more information about Securonix SOAR visit www.securonix.com/products/security-orchestration-automation-and-response/.

[Figure: Playbook Steps for a Malware Beaconing playbook. INGEST: beaconing traffic alert. ENRICH: access threat intel enrichments and external reputation lookups (VirusTotal, PassiveTotal, AbuseIPDB, WHOIS); known bad domain? randomly generated domain? rare user agent? domain rarity score? TRIAGE: triage Securonix endpoint anomalies; rare file hash? IDS/IPS alert? parent/child process anomaly? rare process on machine? INVESTIGATE: verify Securonix traffic anomalies; potential suspicious traffic? vulnerability scan (Nessus, Qualys), initiate scan on connected hosts; known vulnerability found? CONTAIN: system lock down, block IP action (Tanium, Carbon Black, Palo Alto). REMEDIATE: deploy patch. Yes/no branches at each decision point.]


DATASHEET

Securonix Network Traffic Analysis

Advanced Threat Monitoring Combining Network Traffic, Security Logs, and Entity Context

Customers today struggle to detect the sophisticated slow and low attacks which require monitoring a blend of network traffic activity, user actions, and system behavior patterns. Stand-alone network traffic analysis tools can monitor traffic and detect network traffic anomalies, however, such anomalies without user and system context are less actionable and just add to the noise.

Securonix provides you with a single platform that monitors and correlates network traffic events, security events, and user activities to detect the most advanced threats.

Securonix NTA Benefits

• Identify advanced threats that standalone NTA or security information and event management (SIEM) solutions are not able to detect.

• Improve efficiency and lower the operational overhead related to training and enablement when you only need to use a single console and database for all events.

• Rapid investigation and response using text-based search and link analysis on context enriched events and built-in security orchestration, automation, and response (SOAR) capabilities.

• Reduce false positives by over 90% by prioritizing threats using Securonix threat chains that span across network and security events.

Combine Network Traffic, Security Logs, and Entity Context to Detect Advanced Threats

[Figure: network sensors capture raw network traffic → enriched network events (add context) → threat chain analysis → advanced threat detection, threat hunting, network traffic dashboards/reports and SOAR.]

With Securonix Network Traffic Analysis (NTA), Securonix Next-Gen SIEM can provide customers with a single platform that monitors and correlates network traffic events, security events, and user activities, using built-in user and entity behavior analytics (UEBA) to detect the most advanced threats.



Detect and Prioritize Advanced Threats with Network Traffic Analysis

Advanced cyberattacks are usually slow and low and involve multiple steps. Detecting such threats requires monitoring and correlating indicators of compromise (IOC) across event sources.

Securonix uses threat chain analytics to stitch together IOCs across network traffic, security events, and user actions to detect advanced threats. Securonix threat chains are based on industry standard kill chain models such as the MITRE ATT&CK framework.
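Threat chain scoring as described here and in the "Stitch together a series of events over time" bullet of the UEBA section, as an added example (not Securonix code): the figure's Phishing Alert, New Service, Network Scanning and Hidden C2 Communication stages are credited per entity only when they occur in order and within a time window, and the chain's accumulated weight is the risk used to prioritize. The ATT&CK tactic mapping, the stage weights and the 30-day window are assumptions.

```python
"""Threat-chain scoring for the figure's Phishing/Malware chain over constructed
alerts from e-mail, Windows and NTA sources. Added illustration, not Securonix
code. The ATT&CK tactic mapping, stage weights and 30-day window are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage name, ATT&CK tactic it maps to (assumption), score weight (assumption).
# Stages must be observed in this order for one entity; unseen stages may be skipped.
CHAIN = [
    ("phishing_alert", "Initial Access", 10),
    ("new_service", "Persistence", 20),
    ("network_scanning", "Discovery", 30),
    ("hidden_c2", "Command and Control", 40),
]

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed alerts: (time, source, entity, stage).
ALERTS = [
    (_t("2019-03-01 09:12"), "email-gw", "ws-017", "phishing_alert"),
    (_t("2019-03-03 02:40"), "windows", "ws-017", "new_service"),
    (_t("2019-03-10 11:05"), "nta-east-west", "ws-017", "network_scanning"),
    (_t("2019-03-20 23:58"), "nta-north-south", "ws-017", "hidden_c2"),
    (_t("2019-03-05 14:00"), "nta-east-west", "ws-042", "network_scanning"),  # precedes its phish
    (_t("2019-03-08 08:30"), "email-gw", "ws-042", "phishing_alert"),
    (_t("2019-01-02 10:00"), "email-gw", "srv-db1", "phishing_alert"),
    (_t("2019-03-25 03:00"), "nta-north-south", "srv-db1", "hidden_c2"),      # 82 days later
]

def score_chains(alerts, chain=CHAIN, window=timedelta(days=30)):
    """Per entity: walk the chain in order, crediting a stage only if it occurs
    after the previously credited stage and within `window` of the first one."""
    by_entity = defaultdict(list)
    for alert in alerts:
        by_entity[alert[2]].append(alert)
    results = {}
    for entity, events in by_entity.items():
        events.sort()
        matched, sources, start, last = [], set(), None, None
        for stage, tactic, weight in chain:
            for when, source, _entity, seen in events:
                if seen != stage:
                    continue
                if last is not None and when <= last:
                    continue                      # out of order: not part of this chain
                if start is not None and when - start > window:
                    continue                      # too late: not part of this chain
                matched.append((stage, tactic, weight))
                sources.add(source)
                start = start or when
                last = when
                break
        results[entity] = {
            "risk": sum(w for _, _, w in matched),
            "complete": len(matched) == len(chain),
            "stages": [s for s, _, _ in matched],
            "tactics": [t for _, t, _ in matched],
            "sources": sorted(sources),
        }
    return results

def prioritized(results, min_risk=1):
    """Entities ordered by risk, highest first: the list an analyst works from."""
    return sorted(((e, r["risk"]) for e, r in results.items() if r["risk"] >= min_risk),
                  key=lambda er: -er[1])

if __name__ == "__main__":
    res = score_chains(ALERTS)
    for entity, risk in prioritized(res):
        print(entity, risk, res[entity]["stages"], res[entity]["sources"])
```

ws-017 completes the chain across four sources and scores 100; ws-042's network scan is not credited because it happened before its phishing alert, and srv-db1's C2 alert arrives 82 days after its phish, outside the window, so both stay at a single-stage score. The window length is the knob that trades catching slow attacks against chaining unrelated alerts on a busy host.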

Straightforward Threat Hunting

Securonix Spotter enables blazing-fast threat hunting using natural language search.

The Securonix Investigation Workbench allows you to search for threat actors or indicators of compromise with visual pivoting available on any entity in order to develop valuable threat context.

Visualized data can be saved as dashboards or exported in a standard data format.

Data insights include reports on network traffic with built-in, shareable dashboards. Securonix also includes out of the box reports and the ability to create custom visualizations and reports as needed.

For more information about Securonix NTA visit www.securonix.com/products/network-traffic-analysis/.

Improve Network Traffic Visibility

[Figure: Securonix threat chain over time (days/weeks). Example: Phishing/Malware (Cyber) threat: Phishing Alert → New Service → Network Scanning → Hidden C2 Communication. Inputs: SIEM and UEBA alerts, network traffic alerts, threat intelligence. User/host monitoring by SIEM/UEBA (email/Windows/host); network traffic monitoring by NTA (east-west traffic, dpd.log, north-south traffic).]


DATASHEET

Securonix Security Data Lake

Unlimited Scalability with Rapid Search

Today’s digital world generates a vast amount of data. The three Vs of big data — volume, velocity, and variety — have made security log management a big data problem. Securonix Security Data Lake, powered by Hadoop, is a highly scalable, fault tolerant, open data platform that ingests massive amounts of data and supports reliable and economical long-term data retention.

At the time it is collected, data is super enriched with contextual information including user, asset, IP address, geolocation, and network intelligence. This transforms raw log data into meaningful security insights that can be accessed using Securonix Spotter’s blazing-fast search. Additionally, the open data format lets you keep a single source of log data and make it available for visualization, analysis, and reporting by other applications.

Massively Scalable Security Log Management

[Figure: data sources (Identity, Host, Perimeter, Malware, Network, Cloud, Enterprise Apps, Threat Intelligence) feed the Connector Library; events pass through Super Enrichment into Indexed Data (Apache Solr) and Long Term Storage (Hadoop HDFS); the Open Data Model lets the data be shared with external applications. Stages: Collect & Retain, Enrich & Correlate, Search & Investigate, Data Insights, Report.]

Product Features

Scalable Big Data Architecture

[Figure: platform stack: Securonix UI over Hive/Impala, Spark Streaming, Spark, Kafka, Zookeeper, YARN, HBase, HDFS and SOLR Cloud.]

• Powered by Hadoop, a massively scalable, fault-tolerant open data platform that ingests hundreds of terabytes per day and supports economical long-term data retention.

• An open data model means you can maintain a single copy of your data in an open data format and make it available to other applications as needed.

• Unlimited long-term retention with over 90% compression.

• 100% native Hadoop components certified on Cloudera and Hortonworks.



Threat Hunting and Search

• Securonix Spotter enables blazing-fast threat hunting using natural language search.

• Searching for threat actors and IOCs is simplified with visual pivoting on any entity to develop valuable threat context.

• Visualized data can be saved as dashboards or exported in a standard data format.

Data Insights and Reporting

• Data insights with built-in shareable dashboards.

• Use out-of-the-box reports or create ad-hoc reports as needed.

• Includes compliance management reports with built-in packages that cover all major mandates, including PCI DSS, SOX, HIPAA, FISMA, and ISO 27001.

Connector Library and Context Enrichment

[Figure: data sources feeding the connector library: HRMS/identity, SIEM/security events, perimeter/proxy, enterprise apps, threat intel, cloud apps, endpoint, non-tech feeds.]

• Built-in connector framework with support for cloud applications, cloud infrastructure, enterprise applications, identity and HR data, and non-technical data feeds.

• Unstructured data parsing with REGEX.

• Simple parsing rules defined through UI.

• Real-time enrichment of data with identity, asset, geolocation, threat intelligence and data from lookup tables.

Predictable Identity-Based Pricing

[Figure: cost versus time (years 1 to 5), comparing volume-based traditional SIEM pricing with Securonix pricing.]

• Cost is based primarily on identity instead of by events per second or gigabytes, so costs are predictable, even as your data requirements increase.

• Deploy on commodity hardware, which is much more cost efficient compared to legacy log management products with proprietary hardware requirements.

• With optional Securonix Threat Monitoring Services, Securonix will also manage your threat monitoring for you, giving you time back to focus on your core business.

For more information about Securonix Security Data Lake visit www.securonix.com/security-data-lake/


2018 Gartner Magic Quadrant for Security Information and Event Management (SIEM)

The Securonix SNYPR Security Analytics Platform provides SIEM capabilities via an on-premises solution or as a SaaS-delivered option. SNYPR leverages a Hadoop platform to provide event and data collection and management, analytics that include rule-based and advanced analytics (also sold stand-alone as its UEBA solution), and operational functions such as dashboards, incident management and response, and reporting. Premium apps (and app bundles) provide prepackaged behavior models, rules, reports and dashboards across a variety of security monitoring use cases related to privileged accounts, data security, access, cyberthreats, patient data, fraud and trade surveillance. Incident investigation and threat hunting activities are supported by Securonix’s Spotter feature. Securonix licenses are term-based, priced on the number of identities in an organization (per EPS pricing is also offered) for SNYPR.

Over the past 12 months, Securonix has focused on delivering two updates to the Security Analytics Platform (6.1 and 6.2). The emphasis has been on adding features to improve incident management and response via recommendations for response actions and automated plays, and enhancements to threat detection analytics focused on network traffic analysis.

Large enterprises seeking flexible deployment options and a range of security monitoring use cases with optional analytics add-ons oriented to specific vertical needs should consider Securonix.

Strengths

• Licensing options are decoupled from data volumes by using the number of identities as the metric for all elements of the solution — for Security Analytics Platform and individual and bundled apps. Securonix can license based on EPS as required, but it is not an option that Gartner clients are adopting.

• Securonix’s data management tier is flexible and can ingest an extensive set of data sources and formats that are applied to both streaming and batch analytics. Support for archiving data to AWS S3 is available.

• The use cases supported out of the box and via premium content are extensive and support a variety of monitoring scenarios across security and risk management (e.g., insider threat, fraud analytics, medical apps and technologies).

• Securonix has flexible delivery models, including a SaaS option that removes the need to deploy and manage a Hadoop platform, as well as support organizations where a majority of its data is being generated within IaaS or PaaS.

• Customer feedback for Securonix is positive overall.


Gartner 2017: A Comparison of UEBA Technologies and Solutions

Securonix, the oldest and most mature of the UEBA vendors (founded in 2008), offers UEBA solutions, structured as two platforms and multiple modules. Predating the definition of UEBA/UBA markets, Securonix started as a set of tools for event and risk analysis, user profiling, and identity matching, ultimately becoming a flagship UEBA vendor.

Relevant products include:

• Securonix UEBA: A UEBA tool

• Securonix SNYPR: A Hadoop-based platform for security data collection and analysis with modular log management, SIEM and UEBA capabilities in a single platform

Securonix addresses all top UEBA use cases covered in this document. Clients report successes with using the tool for:

• Finding malicious and accidental insider threats

• Performing deep custom application monitoring and analytics

• Data theft detection

• Identifying account compromise

Clients report that the vendor was able to address vertical or company-specific analytics problems well by using Securonix's consulting services.

Securonix uses a combination of statistical methods, unsupervised machine learning (in the field for many tasks), supervised machine learning (both in the lab and in customer environments, such as for malicious domain detection and malicious user agent detection), fuzzy logic, user-written rules and other methods.

Securonix has recently made forays into broader security monitoring use cases (Securonix SNYPR can operate without and sometimes instead of a SIEM) and into deeper vertical and industry- specific applications (such as for healthcare application monitoring and financial fraud detection). Securonix also retains some focus on IdM and access management use cases, but these are not discussed in this document.

Gartner research indicates that customers praise the tool for flexibility, ability to address deep vertical analytics uses cases and support for custom application data. On the other hand, customers report that professional services and customizations are highly advisable (if not truly mandatory) for a successful deployment. Securonix reports having more than 150 production customers as of early 2017.

Technical Professional Advice