SIEM Time-to-Value from Copenhagen

First, an exercise: With paper and pencil, please draw a high-level sketch of the enterprise security architecture most applicable to your work. This assignment presumes, of course, that you are an information security professional protecting resources and data from cyber threats. If this is not true, then perhaps you might just sit briefly, while we wait to collect the sketches from other readers. (This is where we hum the theme from Jeopardy.)

Let’s collect the drawings and review. Hmmm – several of the drawings are organized around big circles, which I presume are perimeters. Several other drawings show cloudy-looking blobs connected together with lines – which look like hybrid set-ups. All of the drawings, however, depict a prominent box located in the middle of the paper, with tentacles reaching across the architecture. Inside these boxes is written a common label: SIEM.

The results of our drawing exercise should not surprise anyone tasked with the responsibility to reduce cyber risk in an enterprise. The security information and event management (SIEM) tool has now evolved into the beating heart of the modern organizational security scheme, and without effective log aggregation, correlation, and management, it seems inconceivable that today’s advanced threats can be detected – much less mitigated.

With this evolution in mind, Katie Teitler and I spent time this past week with Copenhagen-based SIEM solution provider LogPoint. Søren Laustrup, who serves as Founder and Managing Director of the LogPoint Americas operation based in Boston, was our tour guide. He offered a succinct but thorough overview of the LogPoint SIEM platform and its related user and entity behavior analytics (UEBA) functionality. Here is what I learned:

“We focus on providing rapid time-to-value for our customers,” Laustrup explained. “Our SIEM is easy to install with many pre-configured capabilities, so installation of the LogPoint platform is a relatively simple exercise. But unlike many of the more basic SIEM solutions, we provide a feature-rich platform at LogPoint that can compete with the most expensive platform available. UEBA, for example, is fully integrated into the processing environment.”

Like most SIEM platforms, LogPoint offers familiar features that any enterprise team would likely consider table stakes: LogPoint Collectors ingest relevant telemetry from applicable log sources across the enterprise. The company offers hundreds of plug-ins that work out of the box. The company also offers a LogPoint Agent that ensures secure, encrypted transmission of log data across the network.

The LogPoint Backend is a flat-file-based storage capability that serves as the repository for collected log information. A rich set of policies can be implemented for retention, automatic deletion, and other types of secure handling. Access controls are integrated into the repository architecture so that security analysts can gain proper access to what they need, without exposing sensitive data to the entire enterprise.

Finally, the LogPoint Search Head supports advanced analytics of the collected raw and normalized log data. LogPoint helps security teams with many pre-configured analytic support environments. Triggers can be set based on events or incidents, which can be assigned risk levels. A full collaboration system is in place to support work activities by multiple analysts working a case or responding to an incident.

“We understand that many SIEM solutions exist in the marketplace,” Laustrup said, “but we believe that we truly provide world-class customer support, which helps ensure this rapid time-to-value mission that we are so passionate about.” This emphasis on customer support makes perfect sense, especially for smaller and mid-sized companies. Laustrup related many cases of friendly and supportive interactions with customers.

With regard to its licensing model, LogPoint has chosen a different path from the rest of the SIEM industry. Whereas most other vendors price their solutions based on data volume or events per second (EPS), LogPoint charges per node in the network sending data to the SIEM. This means that LogPoint SIEM cost is predictable and immune to the inevitable growth in data volume that makes it difficult for SIEM customers to budget cost accurately.

From an analyst perspective, one must acknowledge the large field of SIEM – and now UEBA – solutions in the market. Each has strengths and weaknesses, so as LogPoint begins to grow in the Americas, it will need to differentiate. Great customer service from a friendly LogPoint team in Boston or in Copenhagen, Denmark sure seems like a good idea in this regard. (Denmark is the third happiest country on Earth. The US is eighteenth.)

Another challenge for LogPoint and other SIEM or UEBA providers is the emerging market saturation amongst enterprise teams, including the mid-market. This non-greenfield situation implies that it will be no easy lay-up for LogPoint to capture share. But I would not bet against Laustrup and his fine team. After our time together, I felt like I’d been sipping coffee with a friend from Denmark. (OK, we were on a conference bridge, but you get the idea.)

If you’re in the market to upgrade, change, or install a SIEM or UEBA solution, then you’d be doing yourself a favor to be in touch with Søren Laustrup and his team from LogPoint. Ask to see their demo, and watch for how the SIEM and UEBA components are integrated into the platform for ease of use – and rapid time-to-value. As always, after you meet, please share with all of us what you learn.