Researchers Add Profile-Based Anomaly Detection to SIEM

To help manage the vast amounts of data typically generated by security information and event management (SIEM) systems, researchers at Germany’s Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE) are exploring the potential of profile-based anomaly detection software for SIEM systems (PA-SIEM).

“Instead of relying only on predefined rules to detect cyber attacks, PA-SIEM calculates typical attack patterns from incomplete or weak indicators,” FKIE scientist Rafael Uetz said in a statement. “This enables us to detect cyber attacks considerably more quickly and effectively.”

The point is that while many organizations currently leverage SIEM systems, the amount of data they generate is overwhelming. “It is simply not feasible for computer experts to fish out the alerts indicating a potential attack from this endless sea of data,” the institute said in a statement. “In reality, SIEM systems often resemble data graveyards.”

In the process being developed at FKIE, the SIEM software collects logs from PCs and servers, then algorithms scan the logs for for anomalies or known threat indicators. “But it’s essentially the third stage that makes the difference: we combine the indicators, which allows us to greatly reduce the error rate,” Uetz said.

For example, if two indicators that indicate an attack 90 percent of the time (a 10 percent false positive rate) occur soon after each other, combining them can reduce the false positive rate to one percent. Add a third incident to the mix, and the false positive rate is reduced to 0.1 percent.

Overwhelmed by Data

In the meantime, a recent Osterman Research survey of SIEM users in 130 U.S. enterprises, sponsored by Cyphort, found that less than 40 percent of respondents are satisfied with the volume of data and the level of endpoint visibility in their SIEM systems.

More than half of respondents experience at least five security events a day, and 56 percent of those experience more than 10 events per day. As a result, in 65 percent of organizations, at least five people are needed to resolve security incidents. In 17 percent of organizations, are least 15 people are needed.

Almost of third of respondents using traditional SIEMs take at least two hours to gather and correlate the data needed for the next level of incident response. For 70 percent of respondents, collecting, analyzing and communicating the appropriate information to stakeholders is the most time-consuming part of the escalation process.

“I think it’s generally accepted that many SIEMs have not performed well in terms of proactive threat detection and analytics capabilities, and the new data confirms that,” Osterman Research principal analyst Michael Osterman said in a statement.

“Unfortunately, these shortcomings, along with the inherent complexities involved in using a SIEM effectively, have also put a significant burden on security analysts and incident response teams in terms of their productivity,” Osterman added.

Jeff Goldman
Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Top Products

Related articles