Review: Seceon soups up standard SIEM

Security Information and Event Management (SIEM) systems have become cornerstones of most cybersecurity deployments, especially in larger environments where many disparate programs need somewhere to report alerts. Rather than tasking security analysts to watch over dozens of programs, the idea is to have them all report to a central, constantly monitored location.

The problem with standard SIEMs are twofold. First, on their own, they don’t do very much good. Some advanced platforms have their own monitoring abilities, but most simply collect information from whatever else is defending the network. Second, on the other end of the spectrum are organizations that have invested in potentially hundreds of security programs, or that are trying to protect hundreds of thousands of assets. For them, the SIEM gets easily overloaded, hiding some of the most important warnings in a sea of millions of other alerts.

The Open Threat Management Platform (OTM) from Seceon aims to simplify SIEM deployment, and potentially a lot of other security programs, for organizations at both ends of that spectrum. We tested OTM as both a standalone security product, and as an integrated part of a network of programs.

John Breeden II

Seceon can run completely on premises, in the cloud or in any hybrid environment. Once in place, it can collect information from a variety of sources. However, it also collects its own data and even has its own threat feed, which it uses to correlate with events occurring within a protected network. It reads all of the system and log files being generated by routers, firewalls and other communications equipment, and provides collector programs as agents for every Windows or Linux box. The collectors pull log and system files and send them into the pile of other data to be analyzed. If an organization wants to keep the full text of those logs, they can be copied and saved almost anywhere, even to slow tape drives for example, for full archiving.

John Breeden II

The Seceon OTM consists of two main components: the control and collection engine (CCE), and the analytics and policy engine (APE). Both work closely together, which is part of the secret sauce that makes everything work so well. In general, the CCE collects everything, and then extracts relevant pieces of information for processing by the APE. However, if the APE has already identified a specific threat or type of threat, then the CCE is able to recognize this in future data streams that it collects. It won’t send that information back to the APE to be processed again. And if automation, which will be described later, is activated, the CCE can go ahead and remediate the threat without bothering either the APE or human analysts.

Although the CCE is powerful enough to take some actions, the brains of the program is the APE. Data sent to the APE is broken down in several ways, including using threat modeling, behavior analysis, threat correlation with its threat feed, and analytics.In general, it uses a proactive threat detection model with machine learning to comprehend previous context. And it correlates data with its threat feed, which consists of over 70 open source threat feeds, consolidated into a single stream.

John Breeden II

The APE, and to a lesser extent the CCE, can fulfill the roles of other security programs. For example, we were able to detect a piece of stealthy malware on a test system because the platform saw the threat beaconing out to a host, and correlated that with other collected data such as the number of new connections happening on the host and the number of bytes transferred. It also looked at historical data, such as how an authorized user traditionally used that machine, which didn’t match the usage pattern of the malware. Thus, Seceon was able to flag the program as malicious, even though the local antivirus program had not yet discovered it.

When we went to fix the problem, we allowed the Seceon OTM to watch and learn. Thereafter, if we wanted, it could automatically take the same actions against similar threats or the same virus landing elsewhere in the network. The level of automation allowed by the SIEM is completely configurable. We could set it to respond automatically to critical alerts, for example, or against threats made to specific assets. Or, we could tell it to automatically act against specific threat types, such as viruses, which may not require much human intervention or analysis. It even allowed granular control over things like automation time windows — so that we could set it to act independently over the weekend or at times when humans would not be around.

John Breeden II

In addition to enabling automatic remediation of many threats, the interface allows for deep dives into suspicious events in what would be akin to threat hunting. It took no more than about three clicks to go from any top-level alert down to highly specific event traffic analysis. The OTM was even able to show us cross-communications within the network, the dreaded horizontal movement, by correlating the log files between assets and visually mapping those paths for easy analysis. The interface was so easy to use that administrators will probably obtain proficiency after only a few hours of training, at most.

John Breeden

Pricing for the Seceon OTM is also surprisingly fair. Instead of charging based on the amount of data being processed, which might force some customers to hold back important information to try and save money, it’s based on the number of active devices being protected. This is further broken down into critical and non-critical assets, with the goal of encouraging firms to share every bit of their data with the platform to improve overall coverage and enable intelligent security automation much more quickly.

Because the Open Threat Management Platform is essentially acting as both an SIEM and a frontline security appliance, thrifty firms may want to consider eliminating some of their other cybersecurity programs if they duplicate what the Seceon OTM is doing, especially if the OTM is consistently catching what they miss. And organizations that are just starting to improve their cybersecurity posture could install the Seceon OTM and get an advanced SIEM, plus a lot of other defensive tools bundled into the same easy-to-use package.