Optimizing Security Monitoring and Response Solutions using PacketRanger

Introduction

Cyber threats lurk around every corner of the IT infrastructure.  Consequently, organizations face a formidable challenge in effectively managing their security risk. The complexity and diversity of modern cybersecurity require robust solutions that can provide context to security data, provide real-time visibility, automate threat detection, and prioritize incident response. 

Traditional SIEM, SOAR and EDR solutions are commonly used as part of an organization’s security strategy to provide greater visibility across the security landscape.  These tools help mitigate threats through correlation of security data to provide better detection and incident response capabilities.  While SIEM, SOAR and EDR are critical components of any security strategy, they aren’t without their shortcomings.  With today’s evolving threats these solutions can become inefficient, outdated, and complex. Alert fatigue, chasing false positives, slow response times, siloed processes, and complexity in adapting to new threats are common issues facing many organizations.

More organizations are looking to solutions such as Extended Detection and Response (XDR) and Managed Detection and Response (MDR), deployed alongside traditional security solutions, to further reduce the risk of cyberattacks.  XDR, as the name would imply, extends the capability of SIEM/SOAR/EDR by streamlining data analysis and workflows across an organization’s security infrastructure.  This provides better visibility into hidden and advanced threats that traditional SIEM/SOAR/EDR solutions struggle to identify.

As good as XDR and other similar solutions can be, there comes a time when using security services to augment an organization’s capabilities is beneficial.  Highly skilled security professionals can be difficult for any organization to find and keep.  As-a-service solutions like MDR help organizations with complex tasks such as threat intelligence, threat hunting, threat/alert prioritization, mitigation, and remediation.  These services can dramatically improve an organization’s security posture, freeing up resources to focus on security management, compliance, audit, and other high value information security campaigns.

Regardless of which solutions an organization implements, whether on-prem, cloud, or as-a-service, it is imperative to move only the necessary data to the appropriate applications.  As bolt-on solutions become more prevalent, the ability to direct data to specific applications becomes a necessity. For SIEM, SOAR, XDR, and MDR solutions to be effective, the ability to filter and forward log and telemetry data to these applications will reduce license costs and the compute resources required to process the volumes of data generated from disparate sources.  

The Problem

It sounds simple.  Move log and telemetry data from event sources to the appropriate management and monitoring application, while simultaneously optimizing the data pipeline and removing extraneous data. However, in practice, moving and optimizing security event data can be a frustrating, complicated, and expensive process.  


Rather than deal with the complexity of optimizing data pipelines, many organizations simply forward all event data to their management and monitoring applications, regardless of the usability of the data.  While this may sound like a simple alternative to optimizing the data pipeline, it can have a similar impact to an organization’s resources and utilization.  Let’s explore the issues for each method, as well as the common issues they share. 

When an organization chooses to simply send every bit of data (pun intended):

  • Increasing cost of licenses.  It’s a simple equation.  License costs rise as more data is pushed into an organization’s monitoring and management applications environment.  SIEM, SOAR, XDR, and EDR are commonly licensed using volume-based (GB of data per day or events per second) or infrastructure-based (vCPU) metrics.  License spend can become problematic if an organization chooses to send all log and telemetry data to these applications.
  • Increase in compute resources.  The more data that is pushed into these applications the more compute resources are necessary to move, process and store the data.  Whether the workload is hosted on bare-metal, virtual machines, or in the cloud, an organization’s IT infrastructure will be excessively large to accommodate unfiltered data pipelines.  This is not limited to the compute resources dedicated to processing and storing the data, but includes the overhead on the network to move the data from the event sources to its intended destinations.
  • Increase in human resources (cost of administration).  More infrastructure requires more people to manage and monitor it.  This can mean using high value labor to focus on low value tasks.
  • Reduced application performance.  Regardless of how well an organization can scale to manage their data pipelines, application performance will suffer.  Search query times will become slower as data volumes increase.
  • Impact on performance metrics.  Slower query times will result in delayed event notifications.  This will have an impact on an organization’s performance metrics, such as an increase in Mean-Time-To-Respond/Repair/Resolve (MTTR).

When an organization takes on the daunting task of optimizing their security related data pipelines:

  • Determining what security data is unneeded.  This is where many organizations get tripped up from the start.  There is a legitimate concern that filtering data will result in lost or missed events. While filtering informational log events might seem innocuous, the correlation of these events with other events throughout the environment might detect a real issue or threat.  Knowing which data to filter is a principal function that many organizations get wrong.
  • Complexity of filtering from disparate data sources.  Should an organization filter at the source or destination?  Filtering at the data source would seem logical, as this would reduce the overhead of sending unwanted data across the network.  This is problematic for several reasons.  For environments that have thousands of event sources, defining and implementing filters on the event source is administratively challenging.  Likewise, implementing filters at the management application layer (SIEM, SOAR, XDR, MDR) is equally problematic.  This does nothing to alleviate the network overhead caused by the excessive log and telemetry data. Managing filters across distinct and unrelated applications is equally problematic to managing filters on discrete event sources.  And, moreover, the application’s data pipeline can still become saturated.  Almost all organizations use a combination of source and destination filters, which has its own set of challenges.
  • Impediments to implementing changes.  Change management is already a complicated process.  When filters are implemented across disparate sources and destinations, the number of individuals involved in the change management process is numerous, spreading across multiple siloed organizations.  The propensity for human error and misconfiguration is exacerbated.
  • Troubleshooting the security data pipeline.  When events are missed, where does one begin to troubleshoot?  Implementing filters across disparate sources and destinations is a maddening practice when an organization is troubleshooting issues with their data pipelines. 

Common issues across both methods:

    1. Increase in netops and secops workloads.  Whether one chooses to filter security event data or not, the result in either case is an increase in network and security operations workloads due to a poorly optimized data pipeline.
    2. Managing growth and poor event distribution.  All organizations go through expansion and contraction, which has a direct impact on the size of their data pipelines.  This creates an imbalance in the distribution of events across the security application environment.  It’s critical for the functioning of security monitoring and response applications that event distribution be managed properly so that data indexing and searches perform optimally.
    3. Lack of visibility.  Organizations lack visibility into their security data pipelines.  Each data pipeline destined for a discrete application, whether SIEM, SOAR, XDR, or MDR, is observed and managed independently. It becomes difficult to benchmark and build baselines for various data pipelines, which can become an obstruction when critical decisions are being evaluated and made.
    4. Vendor lock-in.  The effort to move to another security vendor’s application or an alternative managed service provider is tremendous.  This typically involves reconfiguring source devices to send data to a new destination(s), as well as the associated changes to firewalls and other network devices.  Many secops teams are performing sub-optimally, using outdated monitoring and response tools, or struggling with a poorly performing MSP, due to the overwhelming effort that would be needed to reconfigure their environment to implement such a change.

Tavve’s Solutions 

Tavve’s PacketRanger is a simple, affordable, high-availability solution to aggregate telemetry and log data, allowing security organizations to control the security data that is ingested by each of their security monitoring and response applications.  Advanced filtering and forwarding capabilities provide the necessary flexibility to eliminate unneeded events, reducing data pipeline congestion.  PacketRanger’s statistical analysis offers visibility into data pipelines, which drives better decision making on managing the data pipeline and simplifies efforts related to troubleshooting and performance tuning.  


The benefits of using PacketRanger to aggregate and filter security data are numerous.

    1. Simplify network and device configurations.  Source devices have a single configuration to send their log and telemetry data to PacketRanger, regardless of the number of applications ingesting the data.  This also streamlines the network configuration to move the data from source to destination.
    2. Centralized and robust filtering capabilities. Advanced filtering and forwarding capabilities provide the necessary flexibility to eliminate unneeded events, reducing data pipeline congestion.  Filters can be configured to exclude or include events that match filter conditions. PacketRanger makes it easy to validate data passing through a filter.  This greatly simplifies troubleshooting, audit, and compliance initiatives.
    3. Flexible data forwarding.  Using advanced filters and routing criteria allows organizations the flexibility to send data to any destination, whether that be to a workload in the cloud, on premise or to a managed service provider.  If an organization chooses to migrate to a new application or MSP, flexible data forwarding means the process is immensely easier.  Flexible data forwarding is also used for better event distribution across your security application environment.  
    4. Better visibility into data pipelines.  PacketRanger’s statistical analysis and reporting provide visibility into the data pipeline.  It presents critical analytics to help drive better decisions.  Greater visibility helps security operations teams manage the data pipeline and simplifies efforts related to filtering, troubleshooting and performance tuning.
    5. Benchmarks and thresholds. Thresholds can be defined in PacketRanger to alert on conditions that could saturate the data pipeline in your security monitoring and response tools.  Thresholds can be set on specific data types and pipelines to alert when an individual device or a specific data pipeline is sending unusual amounts of data.
    6. Reduction in resource utilization.  Optimizing security data pipelines will reduce the compute resources and infrastructure footprint across an organization’s various security workloads, which frees up resources to be dedicated to other high value security campaigns.
    7. Improve application performance.  Using PacketRanger to filter out the noise will improve the performance of security monitoring and management applications.  Removing the noise from security data pipelines will reduce long-running queries, which will improve response times to critical security events.  
    8. Reduction in license and/or service costs.  Simply put, PacketRanger filters low value data from being consumed by costly security applications and services.
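The filtering, forwarding and threshold behaviour described in items 2, 3 and 5 above, shown as an added illustration: this is hypothetical Python written for this page, not PacketRanger’s own code, and the regex-based rules, sample events and per-device thresholds are constructed for the example.

```python
"""Toy centralized log router: include/exclude filters, multi-destination
forwarding and per-source volume thresholds. Hypothetical, not PacketRanger code."""
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Route:
    """One forwarding destination. An event is forwarded when it matches no
    exclude pattern and matches at least one include pattern (or none exist)."""
    destination: str
    include: list = field(default_factory=list)
    exclude: list = field(default_factory=list)

    def accepts(self, message: str) -> bool:
        if any(re.search(p, message) for p in self.exclude):
            return False
        return not self.include or any(re.search(p, message) for p in self.include)


def route_events(events, routes, thresholds, default_threshold):
    """Forward (source, message) pairs to every route that accepts them.
    Returns messages per destination, the count of events that reached no
    destination (noise removed), and sources whose batch count exceeded their threshold."""
    forwarded = {r.destination: [] for r in routes}
    per_source = Counter()
    dropped = 0
    for source, message in events:
        per_source[source] += 1
        hits = [r for r in routes if r.accepts(message)]
        for route in hits:
            forwarded[route.destination].append(message)
        if not hits:
            dropped += 1
    alerts = sorted(s for s, n in per_source.items()
                    if n > thresholds.get(s, default_threshold))
    return forwarded, dropped, alerts


# Constructed sample events (source device, syslog-style message); not real logs.
SAMPLE_EVENTS = [
    ("fw01", "fw01 kernel: ACCEPT src=10.0.0.5 dst=10.0.0.9 proto=tcp dpt=443"),
    ("fw01", "fw01 kernel: DROP src=203.0.113.7 dst=10.0.0.9 proto=tcp dpt=22"),
    ("ad01", "ad01 Security: EventID=4624 LogonType=3 user=alice"),
    ("ad01", "ad01 Security: EventID=4625 LogonType=3 user=bob"),
    ("web01", "web01 nginx: POST /login 401"),
] + [("web01", "web01 nginx: GET /healthz 200")] * 3

ROUTES = [
    Route("siem", exclude=[r"GET /healthz"]),                     # everything but health checks
    Route("mdr", include=[r"EventID=462[45]", r"kernel: DROP"]),  # auth events and firewall drops only
]
THRESHOLDS = {"web01": 3}   # constructed per-device limits; other devices use the default
DEFAULT_THRESHOLD = 100
```

Running `route_events(SAMPLE_EVENTS, ROUTES, THRESHOLDS, DEFAULT_THRESHOLD)` shows the three health-check events reaching no destination, the MDR feed receiving only the three events it asked for, and web01 tripping its volume threshold.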

Conclusion

Security information and event management has come a long way since its introduction in the early 2000s. Simple data aggregation, correlation and alerting are undoubtedly ordinary by today’s standards.  While still beneficial, using SOAR with playbooks for automation and orchestration seems outdated when compared to present solutions that provide more data context and analysis using machine learning and artificial intelligence.  

The persistent problem with SIEM, SOAR, EDR and newer solutions, dating back to the first SIEM, is reducing noisy, meaningless data.  Today’s solutions are indisputably more capable at processing, analyzing, and alerting against larger volumes of data.  Even so, ingesting every bit of data without concern for its relevance imposes a tremendous cost.  Likewise, organizations spend countless resources attempting to optimize their data pipelines with disparate source and destination filters.

Tavve’s PacketRanger is a robust log and telemetry data aggregation solution that helps reduce the size of the security data pipeline before ingesting into security monitoring and response solutions.  

This reduces an organization’s total cost of ownership, improves application performance, and optimizes event distribution.  Infosec teams gain visibility into their data pipelines, which empowers better decision making and improves response/remediation times. With reduced operations workloads, Infosec teams have more resources to focus on higher value security functions that improve an organization’s security posture. To learn more about Tavve’s PacketRanger, contact us either via www.tavve.com or email at sales@tavve.com.