Securonix SIEM as a service has behavior analytics baked in

Organizations that want to concentrate on finding and removing threats using advanced techniques like user and device analytics would find a perfect match in the Securonix SIEM.


Securonix began as a maker of traditional security information and event management (SIEM) devices way back in 2007. Then around 2009, the company started to branch out into user and entity analytics, where it made quite a name for itself. Now, Securonix is combining those two areas of expertise into a cloud SIEM that is offered as a service.

Unlike most SIEMs, users don’t need to connect other cybersecurity programs or devices to the Securonix service before it becomes useful. It comes with its own identity modeling engine, behavioral analytics and traffic analysis capabilities, and can uncover threats and suspicious activity with very little setup. The Securonix SIEM works by observing user and device behavior and then applying machine learning and threat intelligence to rank both known threats and anomalous events that could be indicators of compromise. It is also adept at grouping incidents into threat chains that link seemingly disparate actions into threat campaigns, much as an advanced threat hunter would.

Currently the Securonix SIEM only works with Amazon Web Services. Technically, the SIEM’s code is also available for installation in other clouds or on-prem, but set up that way it loses all of its instant updates and other support, so it’s probably best to use it exclusively with AWS for now.

Setting up the SIEM is very quick. AWS cloud assets can immediately be tied with the SIEM, while physical assets require a small collector. The collector, which can be deployed as a virtual machine, collects data, compresses it, encrypts it and then sends it to the SIEM for analysis. While Securonix doesn’t actually monitor the threats that the SIEM uncovers, it does ensure that it has the most recent threat intelligence and that its machine learning engine is operating efficiently.

To access the SIEM, users log into a secure portal that provides access to their company’s threat data. The main dashboard can be configured based on a user’s role, so the CSO might get an overview of threats and corrective actions while a threat hunter might see grouped indicators of compromise. Most members of the security team will probably want to initially come to the main window where the top threats, violations and violators are ranked.

Figure: Securonix SIEM main dashboard (image credit: CSO)

The main dashboard for the Securonix SIEM can be configured based on the role of the person using it. Here, both the top threats and the top anomalies on the protected network are ranked for security personnel.

The SIEM differentiates between known threats and potential indicators of attack or compromise. A known threat, like a Carbanak attack or a Zeus malware variant infecting a system, is listed in its own area, since such threats are already defined and security teams will want to remediate them right away.

Anything anomalous, or any activity that trips the Securonix behavior analytics engine, is grouped as a so-called violation. That could include child processes behaving suspiciously, someone or something tampering with an audit log, a machine making connections to a known malicious host, or anything else that might indicate an attack. The same logic is applied to the violators window, which lists the users and devices that might be under attack or performing malicious activity themselves. Both violators and violations could turn out to be innocent or authorized activity, but the more nefarious-seeming the actions are, the higher they will rank.

Figure: Securonix SIEM threat overview (image credit: CSO)

In addition to ranking threats and anomalies, Securonix can visually show the kind of attacks that are assaulting a network as well as where they originate. This can all be exported into a report suitable for high-level meetings or company officials.

One of the most impressive aspects of the Securonix SIEM is its ability to group seemingly unconnected events and show how they are related. This process can uncover advanced attacks and even potentially unmask threat campaigns.

Figure: Securonix SIEM threat chain view (image credit: CSO)

One of the impressive features of the Securonix SIEM is its ability to create threat chains by linking seemingly disparate events into campaigns. This threat-hunting-style process is fully automatic and can include relevant events that occurred months or even years ago.

For example, during the testing the SIEM was able to group a phishing incident with the fact that the machine where it came in began to exhibit suspicious behavior a few minutes later. It then showed that there was an unpatched vulnerability on that same machine that was enabling the nefarious activity to take place. It also identified the user on that machine and any IP addresses that were being utilized. Finally, it was able to show us other machines with the same vulnerability and whether or not the phishing mail had also arrived on them.

Figure: Securonix SIEM preloaded reports (image credit: CSO)

The platform comes preloaded with various reports or actions that administrators can take, like sorting users according to their managers or checking to see if there is any activity from terminated employees. Administrators can modify those default actions or create their own.

And it’s not just current attacks and suspicious actions that the Securonix SIEM can uncover and link together. One of the advantages to being based in the cloud is the unlimited space to store event data. In another instance, we were able to connect nefarious activity happening in real time to a breach that occurred on a demo network over nine months ago. Because of that, low and slow attacks won't be able to avoid detection from the Securonix SIEM.
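The two correlation examples above, the phishing chain built on one machine and the present-day activity tied to a nine-month-old breach, both come down to linking violations that share a host inside a long lookback window and then ranking the resulting chains. The following added example is not Securonix's code and does not reflect its scoring model; it is a small, self-contained illustration of that idea. The violation kinds, the severity weights, the hosts, users, documentation-range IP addresses and the vulnerability identifier `VULN-PLACEHOLDER-1` are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str         # violation type emitted by an upstream detection
    user: str = ""    # account involved, if any
    detail: str = ""  # remote IP, vulnerability id, process lineage, ...


# Heuristic severity weights per violation kind. Constructed for this
# example; they are not Securonix's scoring model.
WEIGHTS = {
    "phish_delivered": 10,
    "vuln_unpatched": 15,
    "suspicious_child_process": 30,
    "audit_log_tamper": 40,
    "c2_connection": 50,
}


@dataclass
class Chain:
    host: str
    events: List[Event]

    def score(self) -> int:
        # Sum of per-event severity plus a breadth bonus: several different
        # kinds of violation on one host look more like a campaign than
        # repeats of a single alert do.
        kinds = {e.kind for e in self.events}
        return sum(WEIGHTS.get(e.kind, 5) for e in self.events) + 10 * (len(kinds) - 1)

    @property
    def users(self) -> List[str]:
        return sorted({e.user for e in self.events if e.user})

    @property
    def remote_ips(self) -> List[str]:
        return sorted(e.detail for e in self.events if e.kind == "c2_connection")


def build_chains(events: List[Event], lookback: timedelta) -> List[Chain]:
    """Link every violation on a host that falls within `lookback` of the
    newest one into a chain, and rank chains by score. A host with a single
    violation is just a violation, not a chain, and is skipped."""
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    chains = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        newest = evs[-1].ts
        linked = [e for e in evs if newest - e.ts <= lookback]
        if len(linked) < 2:
            continue
        chains.append(Chain(host, linked))
    return sorted(chains, key=Chain.score, reverse=True)


def hosts_sharing_vuln(events: List[Event], vuln_id: str) -> Dict[str, bool]:
    """Other machines with the same unpatched vulnerability, and whether the
    phishing mail reached them too."""
    exposed = {e.host for e in events if e.kind == "vuln_unpatched" and e.detail == vuln_id}
    phished = {e.host for e in events if e.kind == "phish_delivered"}
    return {h: h in phished for h in sorted(exposed)}


# Constructed sample telemetry: a phishing chain on ws-01, the same mail on a
# second exposed host, an unexposed-to-phishing third host, and a server whose
# present-day beaconing only links up with a log-tampering event 280 days old.
T0 = datetime(2020, 6, 1, 9, 0)
EVENTS = [
    Event(T0, "ws-01", "phish_delivered", "alice", "constructed-mail-1"),
    Event(T0 + timedelta(minutes=3), "ws-01", "suspicious_child_process", "alice", "winword -> powershell"),
    Event(T0 + timedelta(minutes=5), "ws-01", "c2_connection", "alice", "203.0.113.7"),
    Event(T0 - timedelta(days=2), "ws-01", "vuln_unpatched", "", "VULN-PLACEHOLDER-1"),
    Event(T0 - timedelta(days=1), "ws-07", "vuln_unpatched", "", "VULN-PLACEHOLDER-1"),
    Event(T0 + timedelta(minutes=1), "ws-07", "phish_delivered", "bob", "constructed-mail-1"),
    Event(T0 - timedelta(days=3), "ws-09", "vuln_unpatched", "", "VULN-PLACEHOLDER-1"),
    Event(T0 - timedelta(days=280), "srv-02", "audit_log_tamper", "svc_backup", ""),
    Event(T0, "srv-02", "c2_connection", "svc_backup", "203.0.113.9"),
]

if __name__ == "__main__":
    for chain in build_chains(EVENTS, timedelta(days=365)):
        print(f"{chain.host}: score={chain.score()} users={chain.users} ips={chain.remote_ips}")
        for e in chain.events:
            print(f"    {e.ts:%Y-%m-%d %H:%M} {e.kind} {e.detail}")
    print("hosts with VULN-PLACEHOLDER-1:", hosts_sharing_vuln(EVENTS, "VULN-PLACEHOLDER-1"))
```

Run it with a 365-day lookback and `srv-02` appears as a chain because the old audit-log tampering is still in the window; shrink the lookback to 30 days and that host drops to a lone violation, which is the retention trade-off the pricing discussion below is about.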

Of course, users will need to pay a larger hosting fee to store massive amounts of threat data.

Pricing for the Securonix SIEM is based on two factors. The number of users being protected is used to determine the main price. (This is based on actual users, not how many devices they use.) And there is a hosting fee that rises as more data is stored. That way, customers can do a cost benefit analysis to decide how far back they need the Securonix SIEM to go when looking at historical anomalies and threat data.

Once a threat is uncovered, there are several playbooks that can be run to automatically remediate the problem. Descriptions of the threat and the recommended ways to remove it in order to protect a network from future incursions are also given.

Figure: Securonix SIEM event drill-down (image credit: CSO)

The top level Securonix SIEM dashboard is easy to use, and advanced users can drill down to find mountains of metadata surrounding each event if needed.

The Securonix SIEM is a great tool for busy enterprises that might have enough security personnel to respond to threats, but don’t want to get bogged down in the support and management of their cybersecurity infrastructure. And unlike SIEMs that need to be connected to other platforms and programs to begin collecting and logging security events, the Securonix SIEM starts working almost immediately within the AWS cloud, with only a small collector employed to protect on-prem assets.

Organizations that want to concentrate on finding and removing threats using advanced techniques like user and device analytics would find a perfect match in the Securonix SIEM. This is especially true if they don’t want to get into the business of managing and maintaining cybersecurity tools. The Securonix SIEM as a service is one of the best ways to ramp up their protection without a lot of hassle, and with almost no overhead required.

Copyright © 2020 IDG Communications, Inc.
