One per cent. That whopping statistic represents the number of times a victim has learned about a breach from their logs. Definitely not a statistic a SIEM vendor wants you to hear.
The reality is that a log centric approach to detection just isn’t working. Obviously something has to change. Here’s the problem. Perimeter controls - regardless of the size of investment - create far too much noise. This problem is compounded by the fact that most organizations haven't invested in advanced detection. Alarmingly, those who have invested in solutions like an IPS have them so horribly configured that their SIEM or MSSP is drowning in false alerts."
The news from the MSSP front isn’t that great either with more organizations reporting alert fatigue due to receiving too many alerts from their MSSP. Larger organizations reported receiving 200-300 alerts per month from their MSSP with no way to confirm if alerts are incidents, reporting that it is time consuming and costly to investigate incidents while their security teams lack skills to respond to advanced threats. The result is that high-risk events go unnoticed while attackers roam freely on the network
At LMNTRIX, we don’t rely on logs and nor do we rely on the customer owned security controls to detect threats. We do however expect the customers’ existing perimeter security controls to keep most of the threats (bad guys) out while we focus on the more advanced adversaries that get through. Our platform integrates and automates a combination of commercial, proprietary and open source tools that are deployed at customer premises and consumed from the cloud. We also don’t send customers alerts – but when we do communicate it is to only report validated breaches. Our analysts leverage system and network forensics on live systems to investigate, classify, and analyze the risk in real time. Detailed reports on exactly what happened and recommendations on how to contain the threat are immediately provided. When data theft or lateral movement is imminent, containment feature makes it possible to react immediately by blocking or quarantining affected hosts, whether they are on or off your corporate network, significantly reducing or eliminating the consequences of a breach.