Introduction
A breach is announced, details are released, and everyone wonders: does my organization have, or has it had, activity associated with the people or methods connected to this breach? Many organizations today cannot answer this question, because they cannot efficiently search months or years of past events. Anomali Enterprise provides this ability, with no impact on the SIEM.
Anomali Enterprise enhances SIEM technologies by extracting the most crucial information from SIEM data and allowing historical searches of that data in a fraction of the time the same search would take on the SIEM itself. While most SIEM solutions perform a critical role in an organization's security infrastructure, they are generally not built for deep retrospective analysis.
SIEM technologies generally do well with:
Collection of raw log data for store-of-record purposes (NIST SP 800-53)
Selective storage and indexing of data for near real-time analysis (often with cold storage for older data)
Parsing of data into fields for near real-time analysis, whether by human analysts, correlation rules, anomaly or behavior analysis, pattern discovery, or some other form of near real-time detection
Matching of logged activity against a limited set of basic threat intelligence indicator types, such as IP addresses or domains
Anomali Enterprise, on the other hand:
Only processes and stores the fields that are relevant to a deep (months or years) historical search
Stores and indexes all of that relevant data for fast and efficient historical searches
Links back to the original raw logs when they are available
Matches all current and historical log activity against all known relevant indicators, including contextual threat model data such as threat bulletins, incidents, actor profiles, campaigns, TTPs, and vulnerabilities
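The list above describes a two-stage pattern: reduce each raw log to the few fields worth keeping for a long horizon, index those fields with a pointer back to the raw record, and then sweep the whole index against an indicator list that carries its own context. The following is an added illustrative model of that pattern, not Anomali Enterprise code and not a description of its internals; the log lines, indicator values and bulletin names are constructed for the example, and the field names kept (`src`, `dst`, `client`, `answer`, `host`, `query`) are an assumption about which key/value pairs matter.

```python
"""Toy model of a reduced log store with retrospective indicator matching.

Added example, not Anomali code. Shows: field reduction, indexing with a
back-pointer to the raw log, and a sweep of months of stored events against
indicators that carry threat context.
"""
import re
from collections import defaultdict

# Constructed sample logs (not from a real environment): proxy and DNS events
# in key=value form. Addresses are from documentation ranges (RFC 5737).
RAW_LOGS = [
    "2023-03-01T10:00:01Z proxy src=10.1.2.3 dst=203.0.113.10 host=update.example.net action=allow",
    "2023-03-01T10:00:05Z dns client=10.1.2.7 query=cdn.example.org answer=198.51.100.5",
    "2023-03-02T11:15:22Z proxy src=10.1.2.9 dst=203.0.113.10 host=update.example.net action=block",
    "2023-03-03T09:45:00Z dns client=10.1.2.3 query=login.example.com answer=192.0.2.44",
]

KV = re.compile(r"(\w+)=(\S+)")

# Assumed set of fields worth keeping for a months-or-years search, mapped to
# an observable type. Everything else (action, verbose message text) is dropped
# from the long-term store and only reachable through the raw-log pointer.
KEEP = {
    "src": "ip", "dst": "ip", "client": "ip", "answer": "ip",
    "host": "domain", "query": "domain",
}


def reduce_log(line):
    """Return (timestamp, [(type, value), ...]) for one raw log line."""
    ts = line.split(" ", 1)[0]
    observables = [(KEEP[k], v.lower()) for k, v in KV.findall(line) if k in KEEP]
    return ts, observables


def build_index(raw_logs):
    """Map (type, value) -> list of (timestamp, raw line number).

    The line number is the back-pointer: the index stores only observables,
    but any hit can be expanded to its original raw record.
    """
    index = defaultdict(list)
    for n, line in enumerate(raw_logs):
        ts, observables = reduce_log(line)
        for key in observables:
            index[key].append((ts, n))
    return index


def reduction_ratio(raw_logs, index):
    """Rough size of the reduced store versus the raw logs, for illustration."""
    raw_bytes = sum(len(l) for l in raw_logs)
    idx_bytes = sum(len(v) for (_, v) in index) + sum(len(hits) * 24 for hits in index.values())
    return idx_bytes / raw_bytes


# Constructed indicators with the kind of context a bulletin would carry.
# Bulletin identifiers and actor/campaign names are placeholders.
INDICATORS = {
    ("ip", "203.0.113.10"): {"source": "Bulletin constructed-001", "actor": "ExampleActor"},
    ("domain", "login.example.com"): {"source": "Bulletin constructed-002", "campaign": "ExampleCampaign"},
    ("domain", "nomatch.example"): {"source": "Bulletin constructed-003"},
}


def retro_match(index, indicators, raw_logs):
    """Sweep every indicator against the whole historical index.

    Returns hits ordered by time, each carrying the indicator's context and
    the original raw log line recovered through the back-pointer.
    """
    hits = []
    for key, ctx in indicators.items():
        for ts, n in index.get(key, []):
            hits.append({"type": key[0], "value": key[1], "timestamp": ts,
                         "raw": raw_logs[n], **ctx})
    return sorted(hits, key=lambda h: h["timestamp"])


if __name__ == "__main__":
    idx = build_index(RAW_LOGS)
    for hit in retro_match(idx, INDICATORS, RAW_LOGS):
        print(f"{hit['timestamp']} {hit['type']}={hit['value']} <- {hit['source']}: {hit['raw']}")
```

The point the toy makes is the cost model: a new bulletin is answered by a lookup in the reduced index, not by re-parsing every archived log, and the raw record is only fetched for the handful of hits. A real deployment would also need normalisation the toy skips (IPv6 canonical form, trailing dots and IDNA for domains, CIDR indicators) and would have to treat a no-hit result as "no hit on the fields we kept", since anything outside the retained field set is invisible to the sweep.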
Why this matters
Do we have this? That’s often the fir ..