Security information and event management (SIEM) tools represent a rapidly growing industry set to be valued at almost $4 billion by 2024. These solutions collect, normalize, aggregate, and analyze data from various sources to discover and detect threats.
SIEM technology also helps teams pinpoint breaches and investigate intruders. Even so, fewer than one quarter of companies report seeing value in their SIEM, citing high cost and resource intensity as major obstacles to benefitting from more operationalized solutions.
A recent addition to this field is Elastic SIEM, part of a broader Elastic Security solution. With its technical capabilities, alternative pricing strategy, and open-source philosophy, Elastic SIEM is a compelling addition to this market.
Elastic Stack Overview
Elastic SIEM was developed by Elastic, the creator of several open-source projects, including Elasticsearch, Beats, Logstash, and Kibana. Each of these tools can operate standalone or in combination with third-party solutions. When used together, the combined solution is referred to as the Elastic Stack. This group of products is used to ingest, search, analyze, and visualize data in any format, from any source, in real time, with each tool playing a specific role.
Elasticsearch acts as a search and analytics engine. It’s based on the Apache Lucene library and can quickly analyze huge amounts of data. Logstash is a data processing pipeline that collects and transforms data on the fly before sending it to the desired destination. Beats is a collection of data shippers that sit on servers or with containers and centralize data in Elasticsearch. Lastly, Kibana is a front end for this suite, serving as a dashboard for visualizing data and complex queries.
Elastic SIEM Features
The SIEM app is at the heart of Elastic SIEM. As an interactive workspace, it allows teams to analyze host-related and network-related security events. The Hosts view provides key metrics and interaction with the Timeline Event Viewer. Users gain deeper insights into hosts, events, user authentications, unique IPs, and uncommon processes. The Network view shows key activity metrics and event tables. Analysts get insights on parameters such as top DNS domains, users, destination IPs, and more. The Timeline Event Viewer enables users to drag objects of interest in Kibana for further investigation. They can store evidence of an attack and share findings.
The SIEM app also features machine learning (ML) capabilities that improve anomaly detection operations. Elastic offers 13 anomaly detection jobs, including anomalous PowerShell script and anomalous path activity. These detection rules are aligned with the MITRE ATT&CK™ framework. As an example, Elastic SIEM can discover brute force attacks by identifying log messages from access rights management systems. To reduce false positives, the app deploys user and entity behavior analysis (UEBA).
An Alternative Pricing Model
Elastic SIEM can be deployed in the cloud, on premises, or in a virtual or containerized environment. Users can select several commercial extensions, including ML-based anomaly detection and external alert notifications. Integrations are also available with third-party SOAR platforms, incident response systems, and case management platforms.
Another advantage of Elastic SIEM is its resource-based pricing model. Traditional SIEM vendors usually charge based on data ingestion rate, such as daily indexed volume or average events per second. Under this model, companies are disincentivized to collect data for fear of spiraling costs. In contrast, Elastic charges users only for the resources used to support their security operations. They can choose how much data to ingest and retain, as well as what security workflows are enabled on that data.
Benefits of Elastic SIEM Being an Open Tool
Elastic boasts a thriving and supportive community through its SIEM Discuss Forum and #siem Slack channel. They’ve also embraced open development practices, with public GitHub issues where users can upvote requests and file new ones.
Elastic Stack uses an open JSON data model with no proprietary formats. Schema assumptions are documented in the Elastic Common Schema (ECS), which means there is no vendor lock-in. There is also no limitation on exporting data or adding data sources.
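To make the ECS data model and the brute-force use case mentioned earlier concrete, here is an added example (not Elastic's code or one of its detection rules): it maps sshd-style log lines to ECS-shaped JSON documents and flags source IPs with repeated failed logins. The log format, sample lines, threshold, and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd-style lines (not from the page or a real system).
SAMPLE_LINES = [
    f"2024-01-01T10:00:{s:02d}+00:00 web01 sshd[411]: Failed password for "
    f"invalid user admin{s} from 203.0.113.10 port 50{s:02d} ssh2"
    for s in range(0, 60, 10)
] + [
    "2024-01-01T10:00:05+00:00 web01 sshd[412]: Failed password for alice from 198.51.100.7 port 40112 ssh2",
    "2024-01-01T10:07:30+00:00 web01 sshd[412]: Failed password for alice from 198.51.100.7 port 40113 ssh2",
    "2024-01-01T10:07:41+00:00 web01 sshd[412]: Accepted password for alice from 198.51.100.7 port 40114 ssh2",
    "2024-01-01T10:08:00+00:00 web01 cron[99]: session opened for user root",
]

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def to_ecs(line):
    """Map one raw line to an ECS-shaped document, or None if it is not an auth event."""
    m = AUTH_RE.match(line)
    if m is None:
        return None
    return {
        "@timestamp": m["ts"],
        "event": {"category": ["authentication"],
                  "outcome": "failure" if m["result"] == "Failed" else "success"},
        "host": {"name": m["host"]},
        "user": {"name": m["user"]},
        "source": {"ip": m["ip"]},
    }

def brute_force_alerts(docs, threshold=5, window=timedelta(seconds=60)):
    """Return {source.ip: alert} for IPs reaching `threshold` failures inside `window`."""
    recent, alerts = defaultdict(list), {}
    for doc in sorted(docs, key=lambda d: datetime.fromisoformat(d["@timestamp"])):
        if doc["event"]["outcome"] != "failure":
            continue
        ip, now = doc["source"]["ip"], datetime.fromisoformat(doc["@timestamp"])
        # Slide the window: keep only failures still within `window` of this one.
        recent[ip] = [(t, u) for t, u in recent[ip] if now - t <= window]
        recent[ip].append((now, doc["user"]["name"]))
        if len(recent[ip]) >= threshold and ip not in alerts:
            alerts[ip] = {"failures": len(recent[ip]), "first_seen": recent[ip][0][0].isoformat(),
                          "users": sorted({u for _, u in recent[ip]})}
    return alerts

def detect(lines=SAMPLE_LINES):
    docs = [d for d in map(to_ecs, lines) if d is not None]
    return brute_force_alerts(docs)
```

Because every source is normalized to the same field names (`event.outcome`, `source.ip`, `user.name`), the detection function does not need to know which product emitted the original log line.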
Elevate Your SIEM Game
Security teams face the daunting task of protecting ever-expanding attack surfaces. There are more data, notifications, and alerts than ever before. Elastic SIEM offers a number of features designed to help teams perform better amidst this complexity.
To help analysts get ahead of new threats, RangeForce offers Elastic SIEM Basics, a hands-on training module and practice environment where your team can experience Elastic SIEM in motion. See an overview of Elastic SIEM and different Kibana features while resolving a customer ticket.