SIEM is dead! Long live C.I.A.
For years, I have heard the benefits of log forwarding and collection. Send all your data to a SIEM and your security program will be better and more mature. In reality, every CISO I have spoken to for the last 5 years complains about SIEM and outside of compliance purposes, their SIEM provides little value. Some folks in the infosec community are claiming, much like anti-virus (AV) 10 years ago, SIEM is dead! Frankly in its current state, I agree.
Some of you will ask, “If SIEM is dead, what are we supposed to do?” That is the million-dollar question. My response is Open XDR. What does Open XDR have to do with the blog title? Well, normally you would think C.I.A. equals Confidentiality, Integrity, and Availability (not the Central Intelligence Agency). In this case, think Correlation, Integration, and Automation (if I could have found a place for V (visibility) I would have. Open XDR will give you that and more!
Open XDR, by definition, is all data sources (X) Detection and Response. Think about the App Store you use on your iPhone. When you first bought that phone (think platform), it came with a few apps preinstalled, and then you went and added a few apps to run on that platform. The pictures you took and sent via text, or uploaded to Facebook, all used a common platform underneath. Open XDR is the same concept.
Stellar Cyber has developed the first App Store for information security. What does this mean for you? A Correlated, Integrated, and Automated platform that gives you visibility across your security tool sets. The platform, in this case Starlight, allows you to plug your apps (think endpoint, AV, firewall, proxy, etc.) into it alongside the apps we provide (SIEM, SOAR, machine learning driven (ML)-IDS, Malware, deception, etc.). Underneath the covers we normalize, enrich, correlate, provide detections, and ultimately active and automated responses to mitigate those risks.
What makes Starlight open? First, through RESTful APIs, we can integrate with your existing endpoint tools, firewalls and CASB tools and extend their value to you. The value of the tightly-integrated App Store is to enable your ecosystem of vendors to work better together, which means Starlight can help you see more relevant events after integration and create your own tailored solution. Starlight ties both innate and integrated Apps into our Interflow™ technology, which streamlines anomaly detection and investigation by creating context among events. Interflow normalizes security data shared between integrated applications and third-party applications, driving single-pane-of-glass visibility and control across security toolsets.
In addition, Stellar Cyber provides the means for our user community to write their own apps, write their own parsers, write their own ML-IDS signatures, and share everything with the community. This community approach helps everyone improve the security posture and maturity of their respective companies.
Imagine a single pane of glass that allows you to see (visibility) all of your security controls, correlate across them all, and respond to those threats. This will lead to less security tool sprawl, fewer alerts, and better response times. That correlation and automation, fueled with accurate, actionable events, ultimately reduces the number of analysts you need to monitor and manage your security operations. SIEM is dead! Long live C.I.A.
Author: Dave Barton, CISO at Stellar Cyber