While many organizations now rely on Security Information and Event Management (SIEM) solutions to help monitor and manage cybersecurity incidents, many are asking more of the technologies. Today, they expect SIEM capabilities to expand beyond incident monitoring to include more threat detection and response.
In response, data analytics company Devo Technology has introduced a SIEM that it says reinvents the category by combining advanced data analytics with automated incident workflow in a central hub. Devo Security Operations automates the detection, triage and investigation steps associated with threat hunting, threat detection and digital forensics. It is built on top of the Devo Data Analytics Platform.
A built-in workflow guides analysts from detection all the way through response, replacing the traditionally manual process in which analysts must piece together the data and workflow required to triage, investigate and respond to threats and incidents.
With this combination of technologies, the company says it can more reliably identify and investigate high-impact threats by classifying, modeling and associating entities. With that foundation, analysts can gain a deeper understanding of the organization's environment and behaviors, accelerate investigations and simplify workflow. It also helps reduce false positives.
"Historically, security teams have had to use several different security tools, combined with manual work," said Jason Mical, Devo's cyber security evangelist. "Devo Security Operations combines the capabilities typically found in a SIEM, threat intelligence platforms, case management solutions and UEBA (User and Entity Behavior Analytics) products in one solution, with an integrated and auto-enriched analyst workflow."
Combining these capabilities into one platform has merit, said Gorka Sadowski, a research director for security and risk management at Gartner.
"When you're talking about tackling threat detection and response, you need to have better and faster detection, but you also need better and faster response," he said. "When your information and point products are ringing alerts left and right, it's not conducive to having fast response. It's much easier to have fast response when everything is centralized and you have a unified view of everything happening in your organization."
Devo's approach also reduces the time between detection and response from hours to minutes, according to the company. The workflow built into Devo Security Operations provides analysts with a path from detection to investigation and response, and makes alerts, context, threat intelligence and forensic artifacts readily accessible. The integration and automation are what significantly reduce the time between detection and response, Mical said.
More comprehensive and faster response is critical, Sadowski said.
"Companies are asking the SIEM to do more than telling them they are under attack; they want help in responding. You get that with more automation, more orchestration and baking some analytics into the process."
Sadowski said that traditional SIEM vendors are pursuing similar paths to what Devo is doing.
"Little by little, either organically or through acquisition, they are working toward better analytics detection and better orchestration and automation for response," he said.