• United States



Review: Seceon soups up standard SIEM

Jun 05, 20187 mins
Network SecuritySecurity

The Open Threat Management Platform essentially acts as both an SIEM and a frontline security appliance. Thrifty firms may want to consider eliminating some of their other cybersecurity programs if they duplicate what the OTM is doing, especially if the OTM is consistently catching what they miss.

Security alert for incoming threats.
Credit: Thinkstock

Security Information and Event Management (SIEM) systems have become cornerstones of most cybersecurity deployments, especially in larger environments where many disparate programs need somewhere to report alerts. Rather than tasking security analysts to watch over dozens of programs, the idea is to have them all report to a central, constantly monitored location.

The problem with standard SIEMs are twofold. First, on their own, they don’t do very much good. Some advanced platforms have their own monitoring abilities, but most simply collect information from whatever else is defending the network. Second, on the other end of the spectrum are organizations that have invested in potentially hundreds of security programs, or that are trying to protect hundreds of thousands of assets. For them, the SIEM gets easily overloaded, hiding some of the most important warnings in a sea of millions of other alerts.

The Open Threat Management Platform (OTM) from Seceon aims to simplify SIEM deployment, and potentially a lot of other security programs, for organizations at both ends of that spectrum. We tested OTM as both a standalone security product, and as an integrated part of a network of programs.

Seceon Dash John Breeden II

The top-level dashboard is clean and informative, but users can quickly drill down into specific concerns or alerts in just a few clicks.

Seceon can run completely on premises, in the cloud or in any hybrid environment. Once in place, it can collect information from a variety of sources. However, it also collects its own data and even has its own threat feed, which it uses to correlate with events occurring within a protected network. It reads all of the system and log files being generated by routers, firewalls and other communications equipment, and provides collector programs as agents for every Windows or Linux box. The collectors pull log and system files and send them into the pile of other data to be analyzed. If an organization wants to keep the full text of those logs, they can be copied and saved almost anywhere, even to slow tape drives for example, for full archiving.

Seceon Backup John Breeden II

It might seem like an odd extra in a SIEM to include a fully-automated backup tool, but it’s included so that organizations that are subject to cybersecurity audits can have a full and complete record of everything that was done regarding any and all incidents.

The Seceon OTM consists of two main components: the control and collection engine (CCE), and the analytics and policy engine (APE). Both work closely together, which is part of the secret sauce that makes everything work so well. In general, the CCE collects everything, and then extracts relevant pieces of information for processing by the APE. However, if the APE has already identified a specific threat or type of threat, then the CCE is able to recognize this in future data streams that it collects. It won’t send that information back to the APE to be processed again. And if automation, which will be described later, is activated, the CCE can go ahead and remediate the threat without bothering either the APE or human analysts.

Although the CCE is powerful enough to take some actions, the brains of the program is the APE. Data sent to the APE is broken down in several ways, including using threat modeling, behavior analysis, threat correlation with its threat feed, and analytics.In general, it uses a proactive threat detection model with machine learning to comprehend previous context. And it correlates data with its threat feed, which consists of over 70 open source threat feeds, consolidated into a single stream.

Seceon Dash2 John Breeden II

Not every alert is an indication of compromise, but even at the top level, the Seceon platform does a good job of describing the nature of each problem.

The APE, and to a lesser extent the CCE, can fulfill the roles of other security programs. For example, we were able to detect a piece of stealthy malware on a test system because the platform saw the threat beaconing out to a host, and correlated that with other collected data such as the number of new connections happening on the host and the number of bytes transferred. It also looked at historical data, such as how an authorized user traditionally used that machine, which didn’t match the usage pattern of the malware. Thus, Seceon was able to flag the program as malicious, even though the local antivirus program had not yet discovered it.

When we went to fix the problem, we allowed the Seceon OTM to watch and learn. Thereafter, if we wanted, it could automatically take the same actions against similar threats or the same virus landing elsewhere in the network. The level of automation allowed by the SIEM is completely configurable. We could set it to respond automatically to critical alerts, for example, or against threats made to specific assets. Or, we could tell it to automatically act against specific threat types, such as viruses, which may not require much human intervention or analysis. It even allowed granular control over things like automation time windows — so that we could set it to act independently over the weekend or at times when humans would not be around.

Seceon Automation Control John Breeden II

The Seceon Open Threat Management Platform allows for any level of automation, from fully automatic, to automatic responses based on time, assets, severity, threat type, or almost any other classification.

In addition to enabling automatic remediation of many threats, the interface allows for deep dives into suspicious events in what would be akin to threat hunting. It took no more than about three clicks to go from any top-level alert down to highly specific event traffic analysis. The OTM was even able to show us cross-communications within the network, the dreaded horizontal movement, by correlating the log files between assets and visually mapping those paths for easy analysis. The interface was so easy to use that administrators will probably obtain proficiency after only a few hours of training, at most.

Seceon Overlay Threats John Breeden

In addition to showing important information via text, the Seceon platform can visually show important threat hunting data, such as which systems are talking to one another within a protected network.

Pricing for the Seceon OTM is also surprisingly fair. Instead of charging based on the amount of data being processed, which might force some customers to hold back important information to try and save money, it’s based on the number of active devices being protected. This is further broken down into critical and non-critical assets, with the goal of encouraging firms to share every bit of their data with the platform to improve overall coverage and enable intelligent security automation much more quickly.

Because the Open Threat Management Platform is essentially acting as both an SIEM and a frontline security appliance, thrifty firms may want to consider eliminating some of their other cybersecurity programs if they duplicate what the Seceon OTM is doing, especially if the OTM is consistently catching what they miss. And organizations that are just starting to improve their cybersecurity posture could install the Seceon OTM and get an advanced SIEM, plus a lot of other defensive tools bundled into the same easy-to-use package.