February 2018
Excerpts K17D-01

Security Information and Event Management (SIEM) Mid-Market Analysis

An Executive Brief Prepared for AlienVault®

Christopher Kissel
Analyst, Threat Sensing
Cybersecurity


Source: Frost & Sullivan

Introduction

• This Executive Brief is based on the Frost & Sullivan report, “Security Information and Event Management (SIEM)—Global Market Analysis, Forecast to 2021,” published July 2017.

• This abbreviated brief focuses on the SIEM requirements of mid-market organizations and an analysis of the vendors who serve this market, including in-depth coverage of AlienVault®.

• The Market Overview, The Last Word—Predictions, and The Last Word—Recommendations sections are excerpted wholly from the original Frost & Sullivan report.

• Content from the original report has been updated to reflect pricing, features and product vision for AlienVault’s cloud-based USM Anywhere™ platform; however, AlienVault’s overall unified security management approach, which originated with their all-in-one physical appliance, remains unchanged.

• AlienVault’s cloud-based platform is designed to address the needs of mid-market organizations, but also offers features that allow enterprises and managed security service providers (MSSPs) to centrally manage larger deployments.

• Worth noting, but not presented in excerpt form here, is that AlienVault was cited as having the Point of Competitive Differentiation for Best Approach to SIEM for small-to-midsized businesses (SMB) in the original report.


Market Overview


Source: Frost & Sullivan

Market Overview

• Traditionally, SIEM has served three important functions, and this remains true today:

1. SIEM is used to prove compliant practices (noting that there are numerous industry compliance standards).

2. SIEM is used as a way to formalize storage. Data is normalized and logged for recall.

3. The SIEM engine initiates the first part of a forensics investigation. In the event that a breach is uncovered, the SIEM is used to access all related directory groups, OS, applications, or other applicable similarities to determine how far a breach has spread.

• SIEM vendors compete with other security analytics platforms such as vulnerability management (VM), network access control (NAC), intrusion detection systems, threat intelligence, and others for threat sensing.

• The same approximate procedures that are used in a forensics investigation can be used to reduce incident mean-time-to-detect and mean-time-to-respond. Increasingly, SIEM is being used to coordinate an integrated, multi-level cyber defense posture.

• When SIEM is integrated with firewalls, advanced threat detection (ATD), vulnerability management (VM), network access control (NAC), mobile device management (MDM), intrusion detection systems (IDS), threat intelligence platforms, and other platforms, it improves the efficacy of both the SIEM and the integrated platforms.

• The bidirectional flow between platforms is inevitable. Pernicious attacks like zero day threats evade detection from perimeter-based systems. However, at some point the signature ends up on the SIEM.

• Even barring that, each system can tell the other what to be on the lookout for. If a SIEM is detecting anomalous behavior, the SIEM can tell the intrusion detection/intrusion protection system (IDS/IPS) about the signature type it is seeing.


Source: Frost & Sullivan

Market Overview (continued)

• With enterprises, the overlay of SIEM with other cyber defense technologies fortifies the network grid and creates a continuous security intelligence defense.

• In smaller markets, compliance with regulatory mandates remains an imperative. Additionally, companies like AlienVault® and SolarWinds gained an initial advantage by building all-in-one appliances.

• However, IBM, HPE ArcSight, and McAfee have closed the gap in all-in-one platforms and cloud-based SIEM tools often integrate multiple cyber defense technologies on the same platform.

• The nerve center of SIEM is the central console. The large vendors claim almost infinite scalability—but for all intents and purposes a central console can view 500,000–1,000,000 EPS.

• SIEM dashboards provide visibility of the network as well as agility within select fields such as end user, most used applications, most vulnerable endpoints, etc.

• The best dashboards are truly interactive. Any number of events (device types, OS, applications, network mapping, etc.) can be isolated in the best SIEM with a mouse click.

• Investigations can be recorded for future reference. The results of investigations can be incorporated into the establishment of new rules or alarm thresholds.


Source: Frost & Sullivan

Midsized Business Competitive Environment

Midsized SIEM Market: Competitive Structure, Global, 2017

Number of Companies in the Market: 24

Competitive Factors: Compliance reporting and auditing, threat prioritization, extensibility, access to tech support/customer service.

Key End-user Groups: IT directors, some SOCs or managed service providers.

Deployment Options: Cloud-based deployment, managed detection and response (MDR), SIEM-as-a-service, co-managed SIEM, and all-in-one appliance.

Major Market Participants: Retail, factories, municipalities, smaller government agencies.

Market Share of Top 3 Competitors: 52.1%

Other Notable Market Participants: Hospitals and other healthcare, regional banks.

Distribution Structure: Channel partners, system integrators, direct sales, VARs.

Note: Content added. Midsized Business Competitive Environment did not appear in the original report


Source: Frost & Sullivan

Top Competitors (Midsized Markets)

SIEM Midsized Market: SWOT Analysis, Global, 2017

AlienVault®
  Strengths: Integrated SIEM, VM, threat detection over all platforms
  Weaknesses: Relative newness to Cloud (1+ years)
  Opportunities: Strong pricing in consideration of its core technologies wins business
  Threats: Companies trying to match USM Anywhere™ all-in-one capabilities

SolarWinds
  Strengths: Affordable Log and Event Manager (LEM) deployed as a hardened appliance
  Weaknesses: LEM does not have an as-a-Service option
  Opportunities: More than half of SolarWinds customers have multiple products
  Threats: Managed detection and response services (MDR)

Alert Logic
  Strengths: First-mover Cloud Defender SIEM-as-a-service approach
  Weaknesses: No on-premises appliance option
  Opportunities: Good approaches to cloud, hybrid cloud, and data center environments
  Threats: Bigger SIEM vendors shifting focus to midsized markets

Arctic Wolf
  Strengths: Early innovator in managed threat detection
  Weaknesses: Lack of vertical-market-specific SIEM and compliance reporting
  Opportunities: Products scale well as customers expand their businesses
  Threats: Endpoint detection and response (EDR) and SIEM-as-a-Service

EventTracker
  Strengths: Offers SIEM, predictive threat analytics, and endpoint monitoring
  Weaknesses: Co-managed SIEM approach sometimes difficult for IT teams
  Opportunities: SIEMphonic MDR Edition is for businesses that do not have a heavy IT presence
  Threats: Platforms handling big data requirements on backend

LogRhythm
  Strengths: Ground-up product development; intuitive, effective tools
  Weaknesses: All-in-one XM appliance is expensive
  Opportunities: Differentiates through UEBA, SIEM-specific features and customer service
  Threats: Not a factor in managed SIEM or SaaS

Note: Content added. Midsized market SWOT analysis did not appear in the original report


Analysis of AlienVault® Technology Approach to SIEM


Analysis of AlienVault® Technology Approach to SIEM

Source: Frost & Sullivan Analysis

AlienVault Strategies and Approaches to Midsized Businesses (continued)

• Native to the AlienVault® USM Anywhere™ platform is an integrated security monitoring posture that includes asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, and SIEM to deliver threat detection, incident response, and compliance management capacity.

• Network and host intrusion detection is standard on the AlienVault USM Anywhere™ platform. The tie-in between SIEM and intrusion detection is an important differentiator; AlienVault Labs Threat Intelligence applies appropriate event correlation rules against the raw event log data collected, as well as against the events triggered by the built-in intrusion detection software.

• Another shared resource for the cloud-based appliance is threat intelligence from the AlienVault Open Threat Exchange® (OTX™). The AlienVault Labs Security Research Team leverages the data within OTX to analyze threat activity, using a set of machine-learning analysis systems to look for trends and behaviors, and translates that activity into the threat intelligence that is delivered to USM Anywhere.

• The AlienVault Threat Intelligence includes correlation rules, IDS signatures, vulnerability signatures, plugins, reports and dynamic incident response templates developed by the AlienVault Labs security research team.

• These items are updated continuously to keep threat detection capabilities up to date with new and emerging threats, avoiding the need for resource-constrained security teams to spend time researching threats.

• Threat information from OTX and from AlienVault Labs Threat Intelligence is uploaded to the cloud platform 5‒7 times a week.


Analysis of AlienVault® Technology Approach to SIEM (continued)

Source: Frost & Sullivan Analysis

AlienVault Strategies and Approaches to Midsized Businesses

• AlienVault built USM Anywhere™ from the ground up to monitor cloud environments as well as on-premises environments from one unified solution, rather than trying to kludge its successful on-premises appliance for the cloud.

• USM Anywhere consists of two components. The cloud-based USM Anywhere server is responsible for event correlation, event storage, and event analysis, and provides the interface for the user to investigate, analyze, and respond to incidents. Sensors are deployed for data collection, asset scanning, vulnerability scanning, and environment awareness; they collect and share the resulting information with USM Anywhere for processing.

• However, cybersecurity platforms, no matter how expansive, need to be developed for integration with other platforms to give SOC teams greater visibility and command over their environments:

o Plugins and AlienVault® AlienApps™. AlienVault has important all-in-one security features and AlienVault Labs Threat Intelligence, which collects more than 14 million threat indicators daily. For several SIEM vendors an API is the communication fabric between platforms; AlienVault calls these plugins. The AlienVault Labs Security Research Team regularly updates its plugin library to increase the extensibility of the USM platform; the plugins enable USM Anywhere to accept third-party data.


Analysis of AlienVault® Technology Approach to SIEM (continued)

Source: Frost & Sullivan Analysis

AlienVault Strategies and Approaches to Midsized Businesses (continued)

o Even more than an API integration, AlienVault wanted to offer its customers greater security protections through platform integrations. Enter AlienApps™—AlienApps are modular, extensible additions to USM Anywhere™ that allow AlienVault to collect data from API-based systems, analyze and visualize the data via pre-built dashboards, and provide orchestrated security response with third-party applications.

o Plugins and AlienApps (continued). Currently, AlienApp integrations with Cisco Umbrella and McAfee ePolicy Orchestrator are standard in a USM Anywhere deployment. In addition to McAfee ePO and Cisco Umbrella, USM Anywhere now also includes an AlienApp for Office 365, and one that monitors G Suite (a.k.a. Google Apps). AlienVault adds new AlienApps on a monthly basis. For the most current list of AlienApps, refer to https://www.alienvault.com/products/alienapps

o The use of the cloud for data collection through Amazon Web Services (AWS). AlienVault uses cloud-native log aggregation through integration with CloudTrail, CloudWatch, and S3. An AWS S3 bucket receives Elastic Load Balancing (ELB) access logs, which contain header information about each HTTP and TCP request. Once ELB logging is configured, a client can use the platform for statistical analysis, diagnostics, and data retention.

o Data collection through Microsoft Azure. USM Anywhere logs and creates events associated with the specific Azure Storage Tables containing Windows Security Events, Internet Information Services (IIS) events, and SQL events that the user enables in the Azure Console using the Azure Diagnostics feature.

o Elasticsearch. AlienVault uses an Elasticsearch deployment built specifically for clustering to access data.


AlienVault® for Enterprises and MSSPs

Source: Frost & Sullivan Analysis

AlienVault for Enterprises and MSSPs

• In the MSSP SOC, the analyst suffers from agent fatigue, alert fatigue, and the stress of trying to associate the meanings of alerts from multiple tools.

• We mentioned the integration of SIEM, VM, IDS, and endpoint discovery on the same platform. This integrated approach saves the SOC analyst time by avoiding the need to reference multiple tools when researching alarms.

• Additionally, threat intelligence from AlienVault Labs and the Open Threat Exchange® (OTX™) helps to enrich the log data from multiple sources to detect malicious activity, to correlate network traffic with known malware from external threat feeds, and then to initiate (or automate) threat response.

• USM Anywhere™ is federation-ready, meaning it offers the ability to take multiple sensors and appliances and send alerts or perform analytics from one central, managed console. See AlienVault® USM Central™ Datasheet.

• Federation allows enterprises and MSSPs to leverage the platform from a central SOC that can then oversee the administration, operations, and security monitoring functions of satellite offices or client environments.

• USM Anywhere Sensors gather data, and USM Anywhere Secure Cloud encrypts data in storage and in transit.

• The USM Anywhere platform includes additional features like integrated ticketing, automated response and security orchestration with key cybersecurity vendors to increase incident response efficiency.


Midsized Business SIEM Pricing


Midsized Business SIEM Pricing—AlienVault®

Source: Frost & Sullivan Analysis

• AlienVault customers are migrating to the cloud-based USM Anywhere™ platform for several important reasons:

o Scalability/extensibility. To add capacity, companies only need to add sensors and change the license. USM Anywhere has a tier-based pricing model based on customer consumption. The minimum contract is a one-year engagement; however, pricing is monthly. The minimum monthly subscription is 250 GB, and the largest standard engagement is 10 TB.

o The burden of hardware is borne by AlienVault. USM Anywhere is fully hosted in AlienVault’s Secure Cloud, eliminating all the costs associated with having to drop a server into a data center environment (facility, cooling, power, and ongoing maintenance).

o A company’s limited manpower is better served elsewhere than in SIEM management and analytics. SIEM is a terrific platform that is capable of compliance, threat detection, and the enforcement of rule- and role-based access conditions. AlienVault hosts the threat analytics, allowing IT/sec teams to deploy resources elsewhere in the network. AlienVault also has built-in, continuously updated correlation rules, avoiding the need for internal expertise and manpower to research threats and write correlation rules.

o Protected audit trail. Keeping critical security audit information in an off-site location helps ensure that the information is protected and not tampered with.

Note: This content is not as originally included in the full published report. The changes to the content reflect AlienVault product upgrades and tactical approaches as of February 2018.


Midsized Business SIEM Pricing—AlienVault® (continued)

Source: Frost & Sullivan Analysis

o Security of the cloud. The security of the cloud infrastructure provider, combined with the added layer of security controls provided by the cloud vendor, ensures that customer data is secured and protected within the cloud solution.

o AlienVault takes care of the storage. All USM Anywhere™ tiers come with one sensor included, 90 days of hot storage and one year of cold storage. Hot storage is readily searchable. Added cold storage can be purchased to store raw logs and events longer contingent upon the use cases.

Note: This content is not as originally included in the full published report. The changes to the content reflect AlienVault product upgrades and tactical approaches as of February 2018.


Midsized Business SIEM Pricing—AlienVault® (continued)

Source: Frost & Sullivan Analysis

USM Anywhere™ versus Building Your Own SOC

• Naturally, AlienVault competes with other companies as a service provider for security-as-a-service business. The other alternative is for companies to build their own SOC.

• When a company builds its own SOC, one of the benefits is that the company can customize its security posture. However, there are two major costs associated with building an internal SOC: the cost to acquire cybersecurity technology and the cost related to hosting cybersecurity technology (see the next two pages).

• The assumptions used in the next two tables are:

o The business has roughly 3,000 endpoints.

o The company has a “medium” Internet presence (it does not handle personally identifiable information (PII), nor does it regularly handle online transactions).

o The company requires one SOC analyst.

One important caveat should be made: the costs do vary based upon the type of business, the number of locations, the number of remote workers, and how a company internally values cybersecurity. With most companies, cybersecurity budgets compete with IT and operational budgets. The degree to which a company values cybersecurity is subjective. Unfortunately, a commitment to cybersecurity often comes after a breach.

Note: This content is not as originally included in the full published report. The changes to the content reflect AlienVault product upgrades and tactical approaches as of February 2018.


Midsized Business SIEM Pricing—AlienVault® (continued)

Source: Frost & Sullivan Analysis

Estimated Cost to Acquire Cybersecurity Technology for Midsized Businesses

Note: This content is not as originally included in the full published report. The changes to the content reflect AlienVault product upgrades and tactical approaches as of February 2018.

Security Information and Event Management (SIEM)
  Annual Costs: $25,000-$40,000
  Explanation of Costs, Alternative, and Implementation: The one-time hardware cost of an all-in-one appliance is $25,000. Additional collectors may be $5,000 apiece. When SIEM is used for incident detection and response, it does require a significant amount of tuning on the front end.

Vulnerability Management (VM)
  Annual Costs: $17,000-$25,000
  Explanation: VM is an essential tool toward prevention. Shoring up the network security surface and finding vulnerabilities before an intruder does is important.

Intrusion Detection System (IDS)
  Annual Costs: $10,000-$30,000
  Explanation: A unified threat management (UTM; an alternative to IDS) system can be obtained for as little as $3,000, but that solution is ultimately not robust enough. IDS systems generally start at $30,000 annually.

Network Behavior Analytics Detection (NBAD)
  Annual Costs: $10,000-$15,000
  Explanation: This would be the approximate price of analytics purchased for NBAD as a discrete software module. NBAD is often integrated into enterprise-grade SIEM.

User and Entity Behavioral Analytics (UEBA)
  Annual Costs: $10,000-$15,000
  Explanation: This would be the approximate price of analytics purchased for UEBA as a discrete software module. UEBA would include statistical baselines, which saves analysts some of the time spent tuning a SIEM. UEBA is often integrated into enterprise-grade SIEM.

External threat feed service
  Annual Costs: $3,000
  Explanation: Many companies will use open-source software for this or join vendor communities. Other sources like VirusTotal have commercial versions.

SUM of Technology Acquisition
  Annual Costs: $75,000-$128,000
  Explanation: The $75,000 is a hard-deck cost. Many factors can add to this: the number of offices, the number of remote workers, and the type of business (if credit-card centric, much more security is required), among other considerations. Self-evidently, each added end-user/device adds incremental costs.

Source: Frost & Sullivan.


Midsized Business SIEM Pricing—AlienVault® (continued)

Source: Frost & Sullivan Analysis

Estimated Costs Related to Hosting Cybersecurity Technology for Midsized Businesses

Note: This content is not as originally included in the full published report. The changes to the content reflect AlienVault product upgrades and tactical approaches as of February 2018.

Dedicated SOC Analyst
  Annual Costs: $110,000-$135,000
  Explanation of Costs, Alternative, and Implementation: Security analyst jobs start at $75,000 a year and go up. We can assume that if a company has a dedicated SOC analyst, that person would need to have at a minimum Tier 2 threat hunting abilities, and likely purchases or advises on the purchasing of tools; the estimate here combines salary and $15k in benefits.

Hardware Hosting Costs
  Annual Costs: $5,000-$10,000
  Explanation: The rough cost of hosting a server in a datacenter for a year is $1,450 in power consumption. In the previously mentioned technology table, we can establish two premise-built servers for security (VM and SIEM all-in-ones). This is an average cost; in some cases, the software can be spun up as a virtual machine. However, in other instances, new routing equipment or load balancing equipment may be required. A company may need to obtain more bandwidth to match security and operations needs, and this too has a cost.

Related Hardware/Personnel
  Annual Costs: $113,000-$141,000
  Explanation: The deck charge and other likely pricing scenarios.

SUM of Technology Acquisition
  Annual Costs: $75,000-$128,000
  Explanation: Shown earlier.

First Year Cost of Building a SOC
  Annual Costs: $188,000-$269,000
  Explanation: Maintaining a SOC would be roughly 70-80% of the cost of a new SOC. However, maintaining a SOC is not an easy proposition either.

Source: Frost & Sullivan.

Subscription fees vary depending on the size of business, but most midsized businesses begin at $1,575 Standard Monthly Pricing.


Midsized Business SIEM Pricing—AlienVault® (continued)

Source: Frost & Sullivan Analysis

USM Anywhere™ versus Building Your Own SOC—Main Takeaways

• With USM Anywhere, AlienVault shoulders the costs of infrastructure and storage.

• The soft costs of a do-it-yourself approach are problematic. The time to acquire and maintain new cybersecurity technology is an ongoing pursuit.

• With USM Anywhere, adapting cybersecurity for a growing business is a relatively easy proposition; a company can simply add sensors.

• The AlienVault Labs Security Research Team upgrades the analytics on USM Anywhere and integrates external threat feed data to create and maintain a strong cybersecurity posture.

• The first table lists SIEM, VM, NBAD, IDS, UEBA, and external threat feed data as defense technologies, all of which are natively integrated on USM Anywhere. Worth noting is that AlienVault is improving each separate technology dynamically—not just in purchasing intervals.

• As importantly, the point about the depth of analytics is not limited to the discrete acquisition of these cybersecurity technologies. Rather, the way the technologies are coordinated to gain visibility and create a multilayered threat detection platform is a major part of the mix.

Note: This content is not as originally included in the full published report. The changes to the content reflect AlienVault product upgrades and tactical approaches as of February 2018.


Source: Frost & Sullivan

The Last Word—Predictions

1. While SIEM has historically been associated with big data rate consumption, intuitive user interfaces (UI), strong contextual analysis tools, and multiple platform integrations (and other features supporting extensibility) are increasingly becoming a part of the buying decision.

2. The looming General Data Protection Regulation (GDPR) is a short-term driver of new SIEM deployments in Europe, as regulators and IT/SecOps teams know that, at the very least, properly implemented SIEM tools prove compliant data handling practices.

3. Mid-market and cloud-based SIEM tools outpace other SIEM product deployments.


Source: Frost & Sullivan

The Last Word—Recommendations

1. SIEM vendors are correct in identifying their platforms as threat-sensing tools. However, SIEM vendors need to provide visibility over multiple environments (public/private cloud, mobile, virtual, and on-premises).

2. Beyond the level of open API, SIEM vendors will need to have real-time visibility over applications such as Salesforce, and integrations with IT ticketing systems such as ServiceNow.

3. Any investment in cloud in terms of data centers, faster collectors/parsers, and greater central management capacity is a competitive advantage.


Source: Frost & Sullivan

AlienVault®—Final Thoughts

AlienVault SIEM Value Proposition

Frost & Sullivan identifies four value propositions offered by AlienVault:

1. Specifically made for midsized enterprises and businesses with limited resources—people, skills, budget. In SIEM, many vendors are attempting to retrofit products into an all-in-one platform, but AlienVault initially designed USM Anywhere™ for this very need.

2. Integrated security. Out-of-the-box security capabilities in AlienVault Unified Security Management® (USM) platforms include SIEM and log management, asset management, behavioral monitoring, vulnerability assessment, file integrity management, and intrusion prevention/detection. In combination, the end user achieves meaningful context for threat detection and incident response.

3. Integrated threat intelligence. Customers need information about threat actors, their methods, infrastructure, and the tools that are used to leverage vulnerabilities in their efforts to compromise and control—again, all capabilities on AlienVault’s USM platform.

4. Life cycle management. The long card in SIEM is search and storage efficiency. The AlienVault SIEM manages the full discovery and re-discovery life cycle of critical assets within the customer’s infrastructure. By having SIEM and threat detection capabilities, the AlienVault USM platform has historical visibility in the event that an asset or threat vector is rediscovered.