Can You Derive Good Cyber Threat Intelligence from Logs?

Just about every enterprise security team has some sort of data collection facility for detecting security events. This can range from a modest log management function in smaller companies to more extensive SIEM deployments in larger companies. But in all cases, optimizing the data management and analysis task to detect cyber attacks quickly and respond to them before they can produce consequences is a difficult defensive task for an enterprise. It becomes even more difficult when the desire emerges to use real-time threat intelligence as a basis for making security decisions. As part of the research for my 2017 TAG Cyber Security Annual (you can download the three PDF volumes at, I had the opportunity to speak with an expert in this field, Mike Reagan from LogRhythm. He shared some useful insights.

EA: Mike, do you think that many of the prominent cyber attacks over the past few years might have been prevented through more proactive log management and analysis methods?

MR: It’s easy to play Monday morning quarterback and claim that “if they had only been using our technology, they never would have been breached.” But the reality is that preventing major breaches requires a combination of people, process, and technology. Given what we all have now learned about these prominent breaches, there’s no doubt that effective use of security intelligence and machine analytics could have provided earlier visibility to the indicators that threat actors were afoot in the enterprise, and this probably would have helped to avoid a material breach or service disruption.

EA: What are the ways in which intelligence, analytics, and SIEM functions can come together in a common platform and solution?

MR: We continuously hear from our customers that they place a high value on having a truly integrated platform. It starts with having all the data, so comprehensive log management is important, as well as adding endpoint, network and user activity data to the mix. But collecting it isn’t enough. The data needs to be normalized and processed so that advanced machine analytics can be applied to it, and so analysts and investigators can perform highly efficient searches and investigations against the data. Once that’s in place, an intuitive and optimized user interface is required to surface the intelligence to the right people at the right time so they can respond quickly enough to neutralize threats before they can have a material impact. The latter requires integrated incident response orchestration. Essentially, a full end-to-end threat lifecycle management solution comprises all of these components, and that’s precisely what LogRhythm is delivering to our customers through our Security Intelligence and Analytics Platform.

EA: Much has been made of threat intelligence as a major component in cyber defense recently. Is there sufficient access to good intelligence for enterprise security teams?

MR: There are hundreds of threat intelligence feeds that are available, ranging from general commercial and open source feeds, to industry-specific data sources. In fact, there’s an overwhelming amount of threat information being disseminated, and much of it becomes outdated very quickly. To make the most of the myriad threat intelligence sources, organizations require a central security intelligence platform that can automate the consumption, corroboration and evaluation of this information with internally generated threat intelligence.

EA: Many enterprise teams have their SIEM in place and have built processes around that tool. Is this sufficient in many contexts, or do CISOs really have to augment the SIEM with more advanced capabilities?

MR: There are thousands of SIEM deployments in place around the globe, but most are first generation SIEMs that were originally designed to collect and store log data or to cull actionable events from basic security devices such as IDS systems and firewalls. Most users of these legacy platforms are overwhelmed by the sheer volume of events they need to evaluate, and are burdened by the complexity and cost of managing the underlying platform. They are also acknowledging that they are blind to many of today’s threats because they lack the automated, machine analytics to evaluate the millions or even billions of logs being generated every day. They also realize that simply relying on manual hunting for threats to keep their enterprises secure is not the answer. To achieve comprehensive threat lifecycle management, CISOs are deploying unified platforms that combine SIEM with log management, network and endpoint forensics, and advanced security analytics.

EA: What sort of trends do you see in the cyber security industry today? Are the hackers just growing at a faster rate than the defenders?

MR: We’re seeing a rapidly expanding cyber-crime supply chain that’s acting as a force multiplier for online crime and cyber terrorism. This supply chain is fueling innovation at a pace well ahead of the development of technologies designed to keep the bad guys out. In light of this reality, organizations are accepting the fact that cyber adversaries will breach their defenses, if they haven’t already. However, forward-leaning CISOs realize that a breach of perimeter defenses doesn’t have to result in a material data breach or service disruption. They are evaluating their own organization’s security intelligence maturity and focusing on continuous reduction of their mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR) to cyber threats by employing and honing comprehensive end-to-end threat lifecycle management.
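As an added illustration of two points raised in the interview (threat-intelligence indicators going stale quickly, and tracking mean-time-to-detect and mean-time-to-respond), the Python sketch below is not part of the original interview and is not LogRhythm's code. It normalizes two constructed log formats into one record, matches records against a constructed indicator feed while discarding indicators older than a freshness window, and computes a mean interval between paired timestamps; all IPs, feed names and timestamps are made up.

```python
from datetime import datetime, timedelta, timezone
import re

# Constructed sample data: two log sources in different formats and a small
# indicator feed keyed by IP. Every value here is made up for the example.
LOGS = [
    "2017-03-01T10:00:05Z fw1 DENY src=203.0.113.7 dst=10.0.0.5 dport=445",
    "Mar  1 10:02:11 proxy1 ALLOW 10.0.0.22 -> 198.51.100.9:443",
    "2017-03-01T10:03:40Z fw1 DENY src=192.0.2.44 dst=10.0.0.9 dport=22",
]
FEED = {  # indicator -> (source, last_seen); "internal" marks in-house intel
    "203.0.113.7":  ("feed_a",   datetime(2017, 2, 27, tzinfo=timezone.utc)),
    "198.51.100.9": ("feed_b",   datetime(2016, 11, 1, tzinfo=timezone.utc)),  # stale
    "192.0.2.44":   ("internal", datetime(2017, 3, 1, tzinfo=timezone.utc)),
}
FW = re.compile(r"^(\S+) \S+ (\w+) src=(\S+) dst=(\S+)")
PROXY = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\w+) (\S+) -> (\S+):\d+")

def normalize(line, year=2017):
    """Map either raw format onto one record: ts, action, src, dst (or None)."""
    m = FW.match(line)
    if m:
        ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return {"ts": ts, "action": m[2], "src": m[3], "dst": m[4]}
    m = PROXY.match(line)
    if m:  # syslog-style timestamp has no year; the caller supplies it
        ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
        return {"ts": ts.replace(tzinfo=timezone.utc), "action": m[2],
                "src": m[3], "dst": m[4]}
    return None

def match_intel(records, feed, max_age=timedelta(days=30)):
    """Return (ts, indicator, source) for records touching a still-fresh indicator.

    An indicator whose last_seen is older than max_age at event time is
    treated as outdated and ignored, so stale feed entries do not raise alerts.
    """
    hits = []
    for r in records:
        for ip in (r["src"], r["dst"]):
            if ip in feed:
                source, last_seen = feed[ip]
                if r["ts"] - last_seen <= max_age:
                    hits.append((r["ts"], ip, source))
    return hits

def mean_minutes(pairs):
    """Mean gap in minutes over (start, end) pairs, e.g. (first_event, detected)
    for MTTD or (detected, contained) for MTTR."""
    return sum((b - a).total_seconds() for a, b in pairs) / len(pairs) / 60
```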