MORE RULES DOESN’T EQUAL BETTER SECURITY
The marketing for just about every SIEM-type solution touts the huge number of “built-in” or “out-of-the-box” rules it ships with, as if 700 built-in rules were self-evidently superior to 600. That assumption rests on a common misconception: more rules = more security.
For starters, we already discussed the mathematical impossibility of securing a network with a rules-based approach: there is no winning the “If we add this rule, we can detect this new type of threat” game. Whether you have 600, 700, or 10,000 rules, there will always be a new rule to write.
Furthermore, on a large network, how many alerts will 600 rules trigger in a given day, or a given hour? If an alert is worth having, it had better be worth investigating, and without a large, dedicated team of talented professionals methodically working through the queue, who is going to investigate all of them?
Finally, because most rules are based only on log data, they lack the context needed to be accurate indicators of a problem. Instead of investigating and remediating real issues, security professionals spend their time chasing false positives. This creates a boy-who-cried-wolf situation that weighs on morale and raises the risk that an important alert slips through the cracks.
SIEMs are valuable IT tools, and having the proper rules in place can provide real value to a security team. Problems occur when an organization bolts on a rules-based solution and relies on it as the primary means of detecting malicious insiders, APTs, and other advanced threats. Seven hundred log-based rules cannot stand in for the accurate anomaly detection and alerting made possible by a solution that collects, links, and analyzes data from all data sources.
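To make the last two paragraphs concrete, here is an added example (written for this edit; it is not code from this page, from AristotleInsight, or from any SIEM vendor, and it does not represent the UDAPE model). It runs a typical out-of-the-box rule, “five or more failed logins in ten minutes”, over a handful of constructed authentication events, then runs the same count judged against a per-user baseline and the set of source addresses previously seen for that user. The threshold of 5, the 10-minute window, the 3-sigma margin, and every log line are assumptions made up for the illustration.

```python
"""Log-only threshold rule vs. a baseline-aware check, over constructed auth events.

Example code added for illustration; the events, users, IPs and thresholds are invented.
Event format (constructed, not a real log schema): "<ISO timestamp> <user> <src_ip> <OK|FAIL>"
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Prior week (constructed): svc_backup fails six logins every night because a cron job
# carries a stale credential; alice logs in cleanly from the office network every morning.
HISTORY = [
    f"2024-03-0{d}T02:00:0{s}Z svc_backup 10.0.0.5 FAIL" for d in range(1, 8) for s in range(6)
] + [
    f"2024-03-0{d}T09:00:00Z alice 10.0.1.20 OK" for d in range(1, 8)
]

# Today (constructed): the same nightly noise, plus eight failures against alice from an
# address never seen for her, followed by a success, i.e. the one event worth a look.
TODAY = [
    *[f"2024-03-08T02:00:0{s}Z svc_backup 10.0.0.5 FAIL" for s in range(6)],
    *[f"2024-03-08T11:30:{s:02d}Z alice 203.0.113.9 FAIL" for s in range(0, 40, 5)],
    "2024-03-08T11:31:00Z alice 203.0.113.9 OK",
]

WINDOW_MINUTES = 10  # assumed rule window


def parse(line):
    ts, user, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def failures_per_window(lines):
    """Count FAIL events per (user, 10-minute bucket) and collect each user's source IPs."""
    counts = defaultdict(int)
    ips = defaultdict(set)
    for line in lines:
        ts, user, ip, result = parse(line)
        ips[user].add(ip)
        if result == "FAIL":
            bucket = ts.replace(minute=(ts.minute // WINDOW_MINUTES) * WINDOW_MINUTES, second=0)
            counts[(user, bucket)] += 1
    return counts, ips


def log_only_rule(lines, threshold=5):
    """The 'built-in' rule: alert on any user with >= threshold failures in one window.

    It has no idea what is normal for the user, so the nightly cron noise fires every day.
    """
    counts, _ = failures_per_window(lines)
    return sorted({user for (user, _), n in counts.items() if n >= threshold})


def build_baseline(history):
    """Per-user (mean, stdev) of failures per window, plus the source IPs seen before."""
    counts, ips = failures_per_window(history)
    per_user = defaultdict(list)
    for (user, _), n in counts.items():
        per_user[user].append(n)
    return {user: (mean(per_user.get(user, [0])), pstdev(per_user.get(user, [0])), ips[user])
            for user in ips}


def baseline_rule(lines, baseline, threshold=5, sigmas=3.0):
    """Same count, but judged against the user's own history and known source addresses.

    Returns (user, failures, new_source_ips) for each window that is abnormal for that user.
    """
    counts, ips = failures_per_window(lines)
    alerts = []
    for (user, _), n in counts.items():
        mu, sigma, known_ips = baseline.get(user, (0.0, 0.0, set()))
        abnormal_volume = n >= threshold and n > mu + sigmas * sigma
        new_source = not ips[user] <= known_ips
        if abnormal_volume or (new_source and n >= threshold):
            alerts.append((user, n, sorted(ips[user] - known_ips)))
    return sorted(alerts)


if __name__ == "__main__":
    print("log-only rule fires on:", log_only_rule(TODAY))
    print("baseline-aware rule fires on:", baseline_rule(TODAY, build_baseline(HISTORY)))
```

The log-only rule flags both users, so an analyst opens two tickets and closes one as the same cron noise they closed yesterday; the baseline-aware check flags only alice, and carries the piece of context (a source address never seen for her) that makes the alert worth a human's time. The example is deliberately small: a real baseline needs far more than seven samples, a floor on the standard deviation so a perfectly regular user is not flagged by a single extra failure, and context beyond source addresses (asset criticality, working hours, peer-group behaviour), which is exactly the linking of data sources the paragraph above is arguing for.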
AristotleInsight is a big data security analytics solution implementing the UDAPE model. The solution collects, links, and organizes security data in order to establish baselines, conduct user behavior analysis, recognize anomalies, and detect advanced persistent threats.