I’ve worked in cybersecurity for the last 12 years, of which the last 8 years have been with SOCs at MSSPs, so I can understand that the SIEM is a charged topic. There are many misconceptions. Contrary to what some people will tell you, SIEMs are not universally hated by security practitioners. Some are very loyal to their SIEM. It’s also a tool that varies greatly between vendors and how MSSPs provide it as a service. It forms a core part of most security operations, and so, begs the question: What is the best way to use Lumu with your SIEM?
Lumu and SIEM: The Key Question
When customers ask me about integrating Lumu with their SIEM, my first reaction is to ask them what exactly they are trying to achieve. The best course of action depends on their answer:
Answer 1: That’s Just How Things Are Done
Sometimes this answer surprises me. This kind of answer normally comes from SOC teams that are accustomed to adding everything to the SIEM as a knee-jerk reaction: That’s simply the way things are done and have always been done.
SIEMs take a lot of work to get right. Deployment typically takes 90 days or longer. Further work is required to maintain use cases and interconnections with various tools and systems across hybrid environments while fulfilling compliance-related due diligence. It’s understandable that some teams are loyal to their SIEM—some blindly so.
Cybersecurity and the threat landscape it addresses are continuously evolving and these organizations have to ask themselves if their procedures have evolved accordingly. They will find that their day-to-day work can be much more efficient.
Answer 2: They’re Automating Their Threat Response.
Organizations with mature SIEM-based operations can use Lumu’s confirmed compromise incidents to trigger automated responses. For these teams, it makes absolute sense to ingest Lumu’s alerts into their systems.
Some SOC teams have told us that they consider an incident to be a false positive if it is already being blocked, which is a dangerous policy. For example, adding an incident to a block list does not eradicate the compromise from a laptop. If a user takes that laptop home, it won’t have the protections of the network and the threat actor will advance their attack. Teams must always ensure that they mitigate as well as remediate threats.
Answer 3: They want to trigger Forensic Analysis Based on Confirmed Compromises Provided by Lumu
Mature SIEM users could reasonably inject Lumu’s data for forensic purposes. Lumu’s incident telemetry can help with post-mortem efforts or root-cause analysis, especially as Lumu detects incidents that aren’t identified by other tools. Furthermore, forensic activities are more efficient when all relevant information is already gathered in a single place. Additional time savings come with having full traceability across the entire kill chain. Forensic investigations are typically carried out by 3rd parties that charge by the hour, so improving the efficiency of these processes can result in significant savings.
Lumu’s differentiation is that it detects new confirmed compromise incidents, not just regular threats. These incidents demand that prompt action be taken. To this end, in cases where incidents are pushed from Lumu to a SIEM, you will still need a SOC team or a SOC-as-a-service to investigate that incident and take action against the ongoing attack. We’ve seen that incidents from Lumu can sometimes be drowned among anomalies reported by a SIEM.
Answer 4: They want a ‘Single Pane’
If your answer to my earlier question is that you are just interested in seeing active threats in a ‘single pane’, then you might be wasting your time. Using Lumu to monitor those threats will help you to focus on incidents that truly matter, and also make you deal with them more efficiently.
We understand that portal fatigue is real but it’s unrealistic to expect that all the various tasks that make up a cybersecurity operation can be managed from one place. In trying to be a jack of all trades, the SIEM can feel like it has become the master of none. With so much going on, it’s easy to get overwhelmed.
Because Lumu only looks at high-efficacy network metadata, it can function faster than a platform that tries to collect everything. For example, Lumu does not need to collect application logs. By being more focused, we can provide a better, faster user experience and the highest efficacy telemetry for detection and response.
SIEMs come with storage, licensing, and processing limitations. To take advantage of the information being injected, you generally need to buy additional storage and licenses. If you wanted to achieve some of the same functionality as Lumu with a SIEM, you would have to acquire multiple licenses and ensure that your SIEM was capable of understanding all those signals, while injecting a lot of external threat intelligence. Additionally, Lumu doesn’t limit incident processing to any number of events or events per second.
The Lumu Portal is designed to help teams take action against detected threats. You can see the threat’s behavior over time at an endpoint and organizational level. The automated MITRE ATT&CK Matrix will let you understand the TTPs used by the attacker and the current stage of the attack. You can find playbooks and third-party resources on dealing with the attack in question. In conjunction with other attacks, SOC teams can form a picture of what attackers are trying to achieve inside their networks. All this detail is lost when only the basic facts about an attack are passed to a SIEM.
Conclusion
SIEMs are generally not built with first response in mind and teams that aren’t using their SIEM as it was intended can feel like they are getting stuck. SOC teams that proactively use the Lumu Portal to both mitigate and remediate ongoing attacks will find themselves in a better position to operate cybersecurity proficiently