Most companies don’t lack for security products—and that’s become a problem. Firewalls, IDS/IPSs, AV, and a host of other systems generate tons of logs and alerts, forcing security operators and admins to sift through piles of notifications to find relevant information during investigations.
Security Information and Event Management (SIEM) products came to market around 15 years ago to help with information overload by correlating events among disparate security devices, but they haven’t always delivered on their promise of greater visibility.
The startup Siemplify aims to pick up where correlation products leave off with threat analysis software that adds more context and visualization to speed response. In fact, the startup’s initial target market is companies that already have SIEM or log analysis tools in place.
“We are trying to make sense of security information and provide security ops with a platform to analyze data from all the sensors and systems, pinpoint threats, and quickly understand and respond to threats,” said founder and CEO Amos Stern in an interview.
Stern says that while a SIEM aggregates alerts, his software provides context to help operations and analyst teams decide which alerts to respond to.
Siemplify is deployed as a virtual appliance and can run on premises or in the cloud. It combines large-scale data analysis with machine learning to sort incoming alerts and to refine its prioritization as it sees more data, and it is built on Couchbase's NoSQL database.
It uses APIs to integrate with other security products, including SIEMs, vulnerability management tools, and threat intelligence feeds. It also integrates with Active Directory.
As disparate alerts are fed into Siemplify, it groups related alerts into what the company calls cases. It then uses graph-based analysis to visually link the alerts in a case into an attack chain, or what the company calls a "storyline." The goal of a storyline is to make it easier for analysts to understand how a security event progresses through the organization, from the first alert to the latest one.
Siemplify put me in touch with Partner Telecom, a large ISP in Israel that’s using the software. Arieh Shalem, CISO at Partner Telecom, said the storyline lets security analysts see event relationships quickly, particularly compared with a SIEM.
“SIEMs represent alerts as rows and rows of data not that different from what you might see in an Excel sheet,” he wrote in an email interview.
“The security analyst has to decipher those rows, identify the significant alerts, and then spot the relationship between them. By contrast, the analyst sees their relationship immediately [in Siemplify].”
The software also assigns a threat-level score to each case to help analysts and administrators decide where to focus investigation and response effort. Cases with a higher threat level are worked first.
Shalem said the analytics engine has reduced the security team’s workload by up to 90 percent by reducing the volume of security alerts, eliminating irrelevant alerts, and grouping relevant ones into cases.
He noted the organization went “from 300 alerts in one day to just 25 cases.”
This threat-level score incorporates the severity ratings assigned by the other security tools feeding the platform, and Siemplify uses machine learning to normalize those ratings, since a "high" from one tool rarely means the same thing as a "high" from another. Based on how each tool's ratings have held up in past data, Siemplify may downgrade a "high severity" rating from system X to "medium severity" while accepting a "high severity" rating from system Y at face value.
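The two mechanisms described above, grouping alerts into cases with a time-ordered storyline and scoring cases with per-tool calibrated severity, can be sketched in a few functions. What follows is an added example written for this article, not Siemplify's code; the article does not say how the product actually links alerts or trains its model, so this stands in with the simplest plausible techniques: union-find over shared entities (host, user, IP) for case building, and an empirical per-(tool, label) true-positive rate for calibration. The alerts, the history table, the level thresholds, and the corroboration bonus are all constructed assumptions.

```python
"""Group alerts into cases, order each case into a storyline, and score
cases with per-source calibrated severity. Added example, not vendor code."""
from collections import defaultdict

# Constructed sample alerts (not real data). Each alert carries the tool that
# raised it, that tool's own severity label, a timestamp, and the entities
# it involves. a1..a3 and a5 chain together through shared entities; a4 is alone.
ALERTS = [
    {"id": "a1", "source": "ids", "severity": "high",   "ts": 100, "entities": {"host:ws-17", "ip:203.0.113.5"}},
    {"id": "a2", "source": "edr", "severity": "medium", "ts": 130, "entities": {"host:ws-17", "user:jdoe"}},
    {"id": "a3", "source": "edr", "severity": "high",   "ts": 160, "entities": {"user:jdoe", "host:srv-db01"}},
    {"id": "a4", "source": "av",  "severity": "high",   "ts": 150, "entities": {"host:ws-42"}},
    {"id": "a5", "source": "ids", "severity": "low",    "ts": 200, "entities": {"ip:203.0.113.5", "host:ws-09"}},
]

# Constructed history: (source, label) -> (confirmed true positives, total seen).
# This is the "past data" the calibration is based on; in practice it would be
# fed by analyst dispositions of closed cases.
HISTORY = {
    ("ids", "high"):   (12, 40),   # IDS "high" is right about 30% of the time
    ("ids", "low"):    (1, 50),
    ("edr", "medium"): (9, 20),
    ("edr", "high"):   (28, 30),   # EDR "high" is right ~93% of the time
    ("av", "high"):    (5, 35),
}


def calibrate(history, source, severity, thresholds=(0.6, 0.25)):
    """Map a tool's own label to a normalized level (3=high, 2=medium, 1=low)
    from how often that label from that tool was a confirmed true positive.
    Laplace smoothing keeps an unseen (tool, label) pair at a neutral 0.5
    instead of dividing by zero."""
    tp, total = history.get((source, severity), (0, 0))
    precision = (tp + 1) / (total + 2)
    if precision >= thresholds[0]:
        return 3
    if precision >= thresholds[1]:
        return 2
    return 1


def build_cases(alerts):
    """Group alerts that share at least one entity into cases. Union-find over
    entities makes the link transitive: a1-a2 via a host and a2-a3 via a user
    puts all three in one case. Each case is returned ordered by time."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # entity -> id of the first alert that mentioned it
    for a in alerts:
        for ent in a["entities"]:
            if ent in first_seen:
                parent[find(a["id"])] = find(first_seen[ent])
            else:
                first_seen[ent] = a["id"]

    groups = defaultdict(list)
    for a in alerts:
        groups[find(a["id"])].append(a)
    return [sorted(g, key=lambda a: a["ts"]) for g in groups.values()]


def storyline(case):
    """Render a case as the chain an analyst reads top to bottom: for each
    alert, which already-seen entities tie it to the earlier ones."""
    lines, seen = [], set()
    for a in case:
        link = sorted(a["entities"] & seen)
        lines.append(f"t={a['ts']} {a['source']}:{a['id']} via {link or 'start'}")
        seen |= a["entities"]
    return lines


def score_case(case, history):
    """Threat level = strongest calibrated alert in the case, plus 1 for each
    additional independent tool that corroborates it (assumed bonus)."""
    levels = [calibrate(history, a["source"], a["severity"]) for a in case]
    sources = {a["source"] for a in case}
    return max(levels) + (len(sources) - 1)


def triage(alerts, history):
    """Return (score, [alert ids in storyline order]) for each case, highest first."""
    scored = [(score_case(c, history), [a["id"] for a in c]) for c in build_cases(alerts, )]
    scored.sort(key=lambda s: -s[0])
    return scored


if __name__ == "__main__":
    for case in build_cases(ALERTS):
        print("\n".join(storyline(case)), "\n")
    print(triage(ALERTS, HISTORY))  # 5 alerts collapse into 2 cases, scored 4 and 1
```

Note what the calibration does with the two "high" labels: the IDS "high" lands at medium because only 12 of 40 such alerts were ever confirmed, while the EDR "high" stays high. The lone AV "high" drops to low and its single-alert case scores 1, which is the kind of alert a team would expect the platform to push to the bottom of the queue. The bonus for corroborating tools is a deliberate design choice here, not something the article attributes to Siemplify.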
Partner Telecom’s Shalem also noted that the platform helps with operations tasks, including case management, escalation, and best practices documentation.
“I needed a view into the KPIs of the security operation — the number of cases closed, case load per analyst, improvement in threat remediation times, etc. Siemplify provided us with all of that.”
I’m all for more clarity in security operations, but I also worry that terms like ‘big data’ and ‘machine learning’ are invoked like magic words. Siemplify is tackling a hard problem, so I’m curious to know how much this product can do out of the box, and whether a considerable amount of tuning and ongoing effort is required to squeeze value out of it.
If this software sounds like it could help, you’ll want to get a test version in your environment to prove out the startup’s claims.