Earlier this month, secure access service edge (SASE) vendor Cato announced a way for mid-size companies to deploy SIEM at a fraction of the cost of traditional vendors. Cato has added SIEM capabilities to its SASE platform, which converges wide-area network edge and network security into a cloud-based service. With this option, companies can move away from expensive on-premise software toward analytics in the cloud supplied by a vendor.
SIEMs are well established but often fail to live up to expectations. Security information and event management (SIEM) systems have been around for years, but customers have had mixed success as the effectiveness of them is only as good as the data fed into them. Retrieving the necessary data from networking and security appliances can be a challenge as data formats can be inconsistent. Also, creating a single view of the network is an expensive process, which typically requires running on-premise software and hiring experts with the skills to manage it..
Go here to see a listing of eWEEK's Top SIEM Companies.
Different vendors have attempted to address this challenge with SIEM tools and services to give enterprises a holistic view of what’s happening within their IT environment. Although I have mixed opinions on the value of SIEMs, most companies see them as an important component of cybersecurity, since it can detect threats that an existing security platform might not. SIEMs work by collecting data from multiple sources within a network, scanning it for threats, and then cataloging it as part of compliance reporting.
SIEM effectiveness depends on data quality
Like all tools, SIEMs do have some weaknesses, and choosing the right solution is not straightforward. Larger enterprises tend to generate a high volume of logs and need to invest in such software. SIEM collects logs into a common repository, enabling automated reporting for compliance. But most smaller companies cannot justify the cost. Also, the volume of data can often bring poor performing systems to their knees, forcing security pros to pick and choose the data imported.
SIEMs rely on correlating rules written by expensive experts. Those rules may not always change with the demands of the network. SIEMs require constant monitoring. They must be updated and customized regularly to detect actual breaches instead of false positives. Managing SIEM is complicated.
Cato Instant*Insight brings SIEM capabilities to the network
Using Cato’s new Instant*Insight tool, IT teams can filter a massive amount of networking and security events tracked by Cato to identify threats and resolve network problems. Cato maintains a data warehouse of all networking and security events, so companies don’t have to.
A big plus for smaller IT teams searching for that “needle in a haystack” data is having a single view of all the events that occur and being able to filter through them. For example, IT teams can set parameters and select data to create queries with a few clicks on the computer screen. Instant*Insight has a built-in interface for data mining that correlates all events into a single timeline. Cato claims that IT managers can analyze a million events in one second with the new tool.
Companies are being flooded with various devices on their networks, creating new threats, which traditional SIEM isn’t designed to manage at scale. The benefits of combining SIEM with branch location connectivity technology like SASE is the ability to reach every edge of a distributed enterprise. So, even the most vulnerable endpoint devices are protected.
Instant*Insight finds problems faster
Instant*Insight can diagnose the root cause of network problems, such as intermittent loss of connectivity using the SASE single-pass, cloud-based architecture. Existing edge routers don’t have the ability to resolve issues through extensive event logging. SASE, on the other hand, supports all types of edges—such as WAN, mobile, cloud and edge computing. It connects and secures any enterprise resource regardless of their location.
All this is good news for companies that cannot invest in integration and forensic tools but need the functionalities of a Security Operations Center (SOC).
SASE options are expanding, because vendors add event management and other advanced capabilities to their platforms. These new capabilities—which can mine enormous repositories of security and networking data—support the notion that the WAN edge and network security markets will converge into a single market over the next several years.
Zeus Kerravala is an eWEEK regular contributor and the founder and principal analyst with ZK Research. He spent 10 years at Yankee Group and prior to that held a number of corporate IT positions.