New-Scale SIEM: Architecture, Components and Capabilities | Exabeam

Traditional SIEM systems suffer from problems such as difficulty scaling and high cost, which get in the way of effective threat detection and response. New-Scale SIEM from Exabeam takes a different approach, offering a scalable, high-performance and flexible platform for modern security operations. The limits of traditional SIEMs with respect to data volume and configuration complexity are covered in the article Exabeam – SIEM Limitations.

New-Scale SIEM Architecture: The Foundation of a New Approach to Security

The architecture of New-Scale SIEM fundamentally differs from traditional solutions. Instead of a monolithic architecture, where all components are tightly coupled and operate on a limited set of servers, Exabeam uses a distributed, horizontally scalable platform. This allows the system to handle huge volumes of data and complex analytical tasks while ensuring high availability and fault tolerance. You can learn more about the New-Scale SIEM architecture on the Exabeam website: Exabeam – New-Scale SIEM.

A key element of the architecture is the separation of functions for data collection, storage, processing, and analysis. Each of these components can be scaled independently, allowing you to optimize resources and adapt to the changing needs of the organization.

Key Differences from Traditional SIEM:

  • Scalability: New-Scale SIEM scales horizontally, adding computing resources as needed. This allows it to process rapidly growing volumes of data without degrading performance, unlike traditional SIEMs, where scaling often requires re-architecting the deployment.
  • Performance: The distributed architecture and optimized processing pipeline provide high-speed ingestion and analysis, so threats can be identified in near real time rather than only after the fact.
  • Flexibility: The platform supports various data sources and types of analysis, allowing you to adapt the system to the specific needs of the organization.
  • Cost-Effectiveness: Thanks to efficient resource utilization and a flexible licensing model, New-Scale SIEM reduces the total cost of ownership.

Architecture Components:

Although the specific implementation details may vary depending on the deployment (cloud, on-premises infrastructure, hybrid model), the main components remain the same:

  • Data Ingestion Layer: Responsible for collecting data from various sources. Supports a wide range of sources, including logs, network traffic, endpoint data, cloud services, and applications. Uses various protocols and collection methods, such as Syslog, API, agents, and connectors.
  • Data Lake: A centralized repository for all collected data in its original format. Provides long-term data storage for investigation and regulatory compliance purposes. Uses scalable and cost-effective storage technologies such as Hadoop or cloud storage. You can read more about Data Lake from Exabeam here.
  • Processing Engine: Responsible for normalizing, enriching, and analyzing data. Performs complex analytical tasks such as UEBA (User and Entity Behavior Analytics), event correlation, and threat detection.
  • Analytics and Detection Layer: Contains the algorithms and models for detecting anomalies, suspicious activity, and known threats. Uses threat intelligence to match events against known-bad indicators such as IP addresses, domains, and file hashes.
  • SOAR (Security Orchestration, Automation and Response) Engine: Provides automation of incident response processes. Allows you to automate routine tasks such as blocking IP addresses, isolating hosts, and sending notifications. More information about SOAR can be found on the Exabeam website: Exabeam – SOAR.
  • User Interface: Provides a centralized interface for monitoring, analyzing, and managing the system. Provides data visualization, report creation, and incident management.

Key Components and Functionality of New-Scale SIEM

New-Scale SIEM offers a wide range of functions and capabilities to ensure the security of the organization.

Data Collection (Log Management)

Data collection is the foundation of any SIEM system. New-Scale SIEM supports data collection from a wide range of sources, including:

  • Operating system logs: Windows, Linux, macOS
  • Network equipment logs: Routers, switches, firewalls
  • Application logs: Web servers, databases, mail servers
  • Endpoint and detection-tool data: Antivirus/EDR agents, intrusion detection systems
  • Cloud services: AWS, Azure, Google Cloud
  • Threat Intelligence: Feeds, IP address and domain reputations

Data Collection Mechanisms:

  • Syslog: A standard protocol for transmitting logs.
  • API: Application Programming Interfaces for integration with various systems.
  • Agents: Software agents installed on endpoints for data collection.
  • Connectors: Ready-made integrations with popular applications and services.


Data Normalization and Enrichment

Collected data arrives in many different formats and structures. Data normalization transforms it into a single schema so that events from different sources can be searched and correlated together. Data enrichment adds context to each event, such as the geographic location of an IP address, the reputation of a domain, or known vulnerabilities of the affected host.

The normalization and enrichment process includes:

  • Parsing: Extracting fields from raw log lines.
  • Standardization: Mapping the extracted fields onto a single common schema (consistent field names, timestamp format, and time zone).
  • Cross-referencing: Joining events with other sources of information, for example asset inventory or identity directory data.
  • Geolocation: Determining the geographic location of IP addresses.
  • Reputation lookup: Determining the reputation of IP addresses and domains from threat data.
  • Vulnerability identification: Mapping events to known vulnerabilities on the affected asset.
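The pipeline above, as an added example rather than Exabeam's own parser or schema: it parses two constructed log formats (Linux sshd syslog lines and a key=value line from a hypothetical VPN gateway), standardizes them onto one schema, and enriches each event with an internal/external flag, a country, and a reputation verdict. The GeoIP and reputation tables are small inline stand-ins for a real database and feed, and the syslog year is supplied by the caller because the syslog format does not carry one.

```python
import re
import ipaddress
from datetime import datetime, timezone

# Constructed sample log lines (made up for this example, not from any real system):
# two Linux sshd syslog lines, one key=value line from a hypothetical VPN gateway,
# and one line in no recognised format.
SAMPLE_LOGS = [
    "Mar 12 08:14:02 bastion01 sshd[2231]: Accepted publickey for alice from 203.0.113.45 port 52114 ssh2",
    "Mar 12 08:15:37 bastion01 sshd[2240]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2",
    "ts=2024-03-12T08:16:01Z dev=vpn-gw1 user=bob src=10.20.30.40 action=login result=success",
    "this line is not in a recognised format and is counted as unparsed",
]

# Constructed enrichment tables standing in for a GeoIP database and a reputation feed.
GEO_TABLE = {"203.0.113.0/24": "NL", "198.51.100.0/24": "BR"}
REPUTATION_TABLE = {"198.51.100.7": "known-bruteforcer"}

# RFC 1918 ranges are checked explicitly: ipaddress's is_private also flags the
# documentation ranges (TEST-NET) used in the samples above, which is not what we want.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line, year=2024):
    """Parsing + standardization: map a raw line onto one common schema, or None if unknown.
    Syslog lines carry no year, so the caller supplies it (assumption for this example)."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        return {"ts": ts, "host": m["host"], "user": m["user"], "src_ip": m["src"],
                "action": "login",
                "outcome": "success" if m["outcome"] == "Accepted" else "failure",
                "source": "sshd"}
    kv = dict(KV_RE.findall(line))
    if {"ts", "dev", "user", "src", "result"} <= set(kv):
        ts = datetime.strptime(kv["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return {"ts": ts, "host": kv["dev"], "user": kv["user"], "src_ip": kv["src"],
                "action": kv.get("action", "unknown"),
                "outcome": "success" if kv["result"] == "success" else "failure",
                "source": "kv"}
    return None


def enrich(event):
    """Enrichment: add internal/external flag, country and reputation to a normalized event."""
    ip = ipaddress.ip_address(event["src_ip"])
    event["src_internal"] = any(ip in net for net in RFC1918)
    event["src_country"] = next(
        (cc for cidr, cc in GEO_TABLE.items() if ip in ipaddress.ip_network(cidr)), None)
    event["src_reputation"] = REPUTATION_TABLE.get(event["src_ip"], "none")
    return event


def process(lines):
    """Run the pipeline over raw lines; returns (normalized + enriched events, unparsed count)."""
    events, unparsed = [], 0
    for line in lines:
        ev = parse(line)
        if ev is None:
            unparsed += 1      # unparsed lines must be counted, never silently dropped
            continue
        events.append(enrich(ev))
    return events, unparsed


if __name__ == "__main__":
    evs, bad = process(SAMPLE_LOGS)
    for ev in evs:
        print(ev)
    print("unparsed lines:", bad)
```

The unparsed counter is the part worth keeping an eye on in production: a parser that silently drops lines it does not understand creates a blind spot that looks like a quiet log source.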

Data Processing and Analysis

After normalization and enrichment, the data is ready for processing and analysis. Data Processing includes filtering, aggregation, and other operations necessary to prepare the data for analysis. Data Analysis includes identifying anomalies, suspicious activity, and known threats.

UEBA (User and Entity Behavior Analytics)

UEBA is a technology that allows you to analyze the behavior of users and entities (e.g., servers, applications) to detect anomalies and suspicious activity. New-Scale SIEM uses UEBA to detect insider threats, compromised accounts, and other types of attacks. You can read more about UEBA in Exabeam here.

UEBA analyzes many parameters, such as:

  • Login time: What time does the user usually log in to the system?
  • Location: Where does the user usually log in from?
  • Applications used: What applications does the user usually use?
  • Data access: What data does the user usually access?

If a user's behavior deviates from their own baseline, the system generates an alert. That baseline must first be learned over a period of normal activity; until enough history exists for a user, deviations cannot be judged reliably. For example, if a user suddenly starts logging in at an unusual time or from an unusual location, this may be a sign that the account has been compromised.

Event Correlation

Event Correlation is the process of linking events from different sources to identify complex threats that are invisible when each event is analyzed in isolation. New-Scale SIEM uses sophisticated correlation logic to detect such threats.

For example, if a user downloads an unusually large amount of data from a file server and shortly afterwards connects to a suspicious website, the two events together suggest possible data exfiltration, even though each one alone might look benign. A correlation hit is a lead for investigation, not proof of intent.
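A small sequence-correlation rule for the scenario above, added here as an example and not Exabeam's correlation engine: events from two hypothetical sources (a file server audit log and a web proxy) are already normalized, and a rule is an ordered list of predicates that must all match for the same user within a time window. The byte threshold, the window, the domain names and the events themselves are constructed for this example. The second user in the sample data performs the same two actions three hours apart, which shows the window doing its job.

```python
from datetime import datetime, timedelta, timezone

# Constructed, already-normalized events (not real telemetry) from a hypothetical file
# server audit log (action=download with byte counts) and a web proxy (action=web_request).
T0 = datetime(2024, 3, 12, 14, 0, tzinfo=timezone.utc)
EVENTS = [
    {"ts": T0, "user": "alice", "src": "fileserver", "action": "download",
     "bytes": 3_500_000_000, "domain": None},
    {"ts": T0 + timedelta(minutes=12), "user": "alice", "src": "proxy", "action": "web_request",
     "bytes": 0, "domain": "paste-drop.example", "reputation": "suspicious"},
    {"ts": T0, "user": "bob", "src": "fileserver", "action": "download",
     "bytes": 4_000_000_000, "domain": None},
    {"ts": T0 + timedelta(hours=3), "user": "bob", "src": "proxy", "action": "web_request",
     "bytes": 0, "domain": "paste-drop.example", "reputation": "suspicious"},
    {"ts": T0 + timedelta(minutes=5), "user": "carol", "src": "proxy", "action": "web_request",
     "bytes": 0, "domain": "intranet.example", "reputation": "clean"},
]

LARGE_DOWNLOAD_BYTES = 1_000_000_000   # 1 GB; threshold is an assumption for this example

# A rule is an ordered list of step predicates plus a window: every step must match, in
# order, for the same user, within `window` of the event that matched the first step.
EXFIL_RULE = {
    "name": "large download followed by suspicious web access",
    "window": timedelta(minutes=30),
    "steps": [
        lambda e: e["action"] == "download" and e["bytes"] >= LARGE_DOWNLOAD_BYTES,
        lambda e: e["action"] == "web_request" and e.get("reputation") == "suspicious",
    ],
}


def correlate(events, rule):
    """Sequence correlation keyed on user: returns one finding per completed sequence."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            if not rule["steps"][0](first):
                continue
            chain, step = [first], 1
            deadline = first["ts"] + rule["window"]
            for later in evs[i + 1:]:
                if later["ts"] > deadline:        # window expired: this chain is dead
                    break
                if rule["steps"][step](later):
                    chain.append(later)
                    step += 1
                    if step == len(rule["steps"]):
                        break
            if step == len(rule["steps"]):
                findings.append({"rule": rule["name"], "user": user,
                                 "start": chain[0]["ts"], "end": chain[-1]["ts"],
                                 "evidence": chain})
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS, EXFIL_RULE):
        print(finding["user"], finding["rule"], finding["start"], "->", finding["end"])
```

Keying the sequence on the user is what makes the rule meaningful; the same two events from two different users are unrelated. The finding carries the evidence chain so an analyst can see exactly which events fired, which is what distinguishes a correlation alert from a bare "risk went up".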

Threat Intelligence

Threat Intelligence is information about known threats that is used to identify and prevent attacks. New-Scale SIEM uses threat intelligence from various sources, including:

  • Commercial feeds: Subscriptions to threat information from specialized companies.
  • Free feeds: Publicly available sources of threat information.
  • Internal Data: Threat information collected within the organization.

Threat Intelligence is used to identify known threats such as malware, phishing sites, and botnets.

Incident Management and Automation (SOAR)

Incident Management is the process of identifying, analyzing, containing, eradicating, and recovering from security incidents. SOAR (Security Orchestration, Automation and Response) is a technology that allows you to automate incident response processes.

New-Scale SIEM provides a wide range of functions for incident management and automation, including:

  • Automatic Incident Detection: The system automatically detects incidents based on data analysis.
  • Automatic Incident Classification: The system automatically classifies incidents by severity.
  • Automatic Incident Escalation: The system automatically escalates incidents to responsible persons.
  • Automatic Incident Response: The system takes response actions such as blocking IP addresses, isolating hosts, and deleting files. Irreversible actions are normally gated behind analyst approval rather than run fully automatically.

Examples of automated actions:

  • Blocking IP Addresses: If an address is seen attacking the environment, it can be blocked automatically at the perimeter. Internal ranges and allowlisted addresses must be excluded, otherwise a spoofed or mislabeled source turns the playbook into a denial of service against your own infrastructure.
  • Host Isolation: A host judged to be compromised can be isolated from the network automatically.
  • Deleting Files: A file identified as malicious can be quarantined or deleted; because deletion is irreversible, this step is usually gated behind analyst approval.
  • Sending Notifications: The system can send notifications to responsible persons about the occurrence of an incident.

For example (an illustrative figure, not a measured case study), a company that automates its triage and containment steps with SOAR might reduce incident response time by 60%. Implementation examples of Exabeam SOAR can be found on the page Exabeam – Customers.
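A dry-run playbook planner for the automated actions listed above, added as an example and not Exabeam's SOAR implementation: each requested action is marked executed, pending_approval or skipped according to guardrails (a never-block list covering RFC 1918 space and a hypothetical monitoring probe, approval gating for irreversible actions, and a severity check before host isolation). The incident, its identifier and the never-block entries are constructed; the points where a real firewall, EDR or ticketing API would be called are marked in comments.

```python
import ipaddress

# Constructed never-block list: RFC 1918 space plus a hypothetical monitoring probe.
# Blocking any of these automatically would be a self-inflicted outage.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "203.0.113.10/32",
)]
REQUIRES_APPROVAL = {"delete_file", "disable_account"}   # irreversible actions
AUTO_ISOLATE_SEVERITIES = {"high", "critical"}           # isolate hosts only at these levels


def block_ip_guard(ip_str):
    """Decide whether an automatic block of ip_str is safe: returns (allowed, reason)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False, f"{ip_str!r} is not an IP address"
    for net in NEVER_BLOCK:
        if ip in net:
            return False, f"{ip_str} is inside never-block range {net}"
    return True, "ok"


def plan_response(incident, approved=False):
    """Dry-run planner: map each requested action to executed / pending_approval / skipped.
    A real firewall, EDR or ticketing call would go wherever status becomes 'executed'."""
    plan = []
    for action in incident["actions"]:
        kind, target = action["type"], action["target"]
        if kind == "block_ip":
            ok, why = block_ip_guard(target)
            status = "executed" if ok else "skipped"
        elif kind in REQUIRES_APPROVAL:
            if approved:
                status, why = "executed", "approved by analyst"
            else:
                status, why = "pending_approval", "irreversible action"
        elif kind == "isolate_host":
            if incident["severity"] in AUTO_ISOLATE_SEVERITIES:
                status, why = "executed", "severity permits auto-isolation"
            else:
                status, why = "pending_approval", "severity too low for auto-isolation"
        elif kind == "notify":
            status, why = "executed", "ok"
        else:
            status, why = "skipped", f"unknown action type {kind}"
        plan.append({"type": kind, "target": target, "status": status, "reason": why})
    return plan


# Constructed incident; the identifier, hosts and paths are made up for this example.
INCIDENT = {
    "id": "INC-0001",
    "severity": "high",
    "actions": [
        {"type": "block_ip", "target": "198.51.100.7"},
        {"type": "block_ip", "target": "10.20.30.40"},
        {"type": "isolate_host", "target": "ws-0421"},
        {"type": "delete_file", "target": "C:\\Users\\bob\\Downloads\\invoice.exe"},
        {"type": "notify", "target": "soc-oncall"},
    ],
}

if __name__ == "__main__":
    for step in plan_response(INCIDENT):
        print(step)
```

The second block_ip request is skipped because 10.20.30.40 is internal, and the file deletion waits for approval; the plan records the reason for every decision so that the incident timeline shows not only what the playbook did but what it declined to do and why.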

Scalability and Performance

Scalability and performance are critical for SIEM systems, especially in the face of rapid growth in data volumes. New-Scale SIEM provides both through its distributed architecture and optimized processing pipeline.

The platform uses horizontal scaling, which allows you to add computing resources as needed. This allows the system to handle huge volumes of data without degrading performance.

Centralized Monitoring and Reporting

New-Scale SIEM provides a centralized interface for monitoring, analyzing, and managing the system. The interface provides data visualization, report creation, and incident management.

Users can create their own dashboards to display the most important information. The system also provides a wide range of ready-made security status reports.

Conclusion

New-Scale SIEM from Exabeam represents a next-generation SIEM that solves the main problems of traditional SIEM systems. Thanks to its scalable architecture, high performance, wide range of functions and capabilities, New-Scale SIEM allows organizations to effectively detect and respond to security threats. The platform provides centralized monitoring, analysis, and management of the security system, which allows organizations to improve the effectiveness of protecting their assets.

Frequently Asked Questions about New-Scale SIEM from Exabeam

What is New-Scale SIEM and how does it differ from traditional SIEM systems?

New-Scale SIEM from Exabeam offers a scalable, high-performance, and flexible platform for modern security, unlike traditional SIEMs that face limitations in data volume and complex configuration.

What is the key advantage of the New-Scale SIEM architecture?

The key advantage is a distributed, horizontally scalable platform, allowing the system to handle huge volumes of data, complex analytical tasks, and ensure high availability.

What are the main components of the New-Scale SIEM architecture?

The main components are: Data Ingestion Layer, Data Lake, Processing Engine, Analytics and Detection Layer, SOAR Engine, and User Interface.

What data sources does New-Scale SIEM support for gathering information?

New-Scale SIEM supports data collection from a wide range of sources, including operating system logs, network equipment, applications, endpoint data, cloud services, and threat intelligence.

What is UEBA and how is it used in New-Scale SIEM?

UEBA (User and Entity Behavior Analytics) is a technology that analyzes the behavior of users and entities to identify anomalies and suspicious activity. New-Scale SIEM uses UEBA to identify insider threats and compromised accounts.

What role does Threat Intelligence play in New-Scale SIEM?

Threat Intelligence is information about known threats that is used to identify and prevent attacks. New-Scale SIEM uses Threat Intelligence from various sources, such as commercial and free feeds, as well as internal data.

What is SOAR and how is it integrated into New-Scale SIEM?

SOAR (Security Orchestration, Automation and Response) is a technology that allows you to automate incident response processes. New-Scale SIEM provides a wide range of functions for incident management and automation, such as automatic detection, classification, escalation, and incident response.

How does New-Scale SIEM ensure scalability and performance?

New-Scale SIEM provides scalability and performance through its distributed architecture and optimized algorithms. The platform uses horizontal scaling, which allows you to add computing resources as needed.