CDS VS SIEM
How is StreamScan's CDS technology different from an SIEM?
First of all, let's start with SIEM technology.
How does SIEM work?
SIEM is basically a tool for aggregating security data. A SIEM collects and stores logs from various network sources, such as servers, databases, telecommunications equipment, firewalls and other security systems. Each action that an organization wishes to track must be identified, configured and activated on the system in question by a technician. From the SIEM it is then possible to consult the aggregated data or correlate it in order to detect, for example, computer attacks.
Most SIEMs offer a dashboard in which the collected data is organized and presented to the user for analysis, correlation and decision-making. SIEMs also store data for a period of time defined by the organization (e.g., 1 year), allowing security teams to dive into the data collected for investigation purposes, if necessary.
What is the CDS?
CDS is the abbreviation for Cyberthreats Detection System.
The CDS is software specially developed to detect several types of computer attacks (intrusion attempts, ransomware and viruses, etc.). From a single point in the network, it can monitor the security of the organization's entire IT estate.
The CDS is composed of two modules that can detect a variety of cyber threats without additional configuration.
Module 1 - Artificial Intelligence Detection
- Detection of abnormal or suspicious behaviour in the network
- Detection of unknown malicious tools (ransomware, viruses, etc.)
- Data exfiltration detection (based on new methods)
- Detection of security breaches
- Detection of lateral movement (north-south and east-west traffic) in the network
- Continuous adaptation to the network through periodic retraining of the artificial intelligence engine
Module 2 - Signatures
- Detection of known intrusions
- Detection of known malicious tools
- Detection of known ransomware
- Detection of security policy violations
- Detection of attacks from millions of sources
- Data exfiltration detection (based on known methods)
Together, the two modules provide comprehensive and centralized protection against cyber threats that affect organizations.
The CDS also has a complete 360-degree view of network traffic, which gives it two advantages:
- For each security alert or event, the CDS can provide all the network communications involved (the communication history) in a usable format (a PCAP file). This file greatly speeds up investigations.
- No blind spots for cyber threats in the network.
CDS VS SIEM
As you will have noticed, setting up an SIEM and managing it day to day requires a lot of effort. A specific configuration must be set up on each system that you wish to monitor. If you forget to activate logging on a system, its security will not be monitored by the SIEM. In addition, the organization must constantly define new scenarios that it wants to monitor (also called "use cases"), which can be very time-consuming. With the explosion in the number of cyber threats, it is unrealistic today to define all the attack scenarios that an organization may face. Finally, an SIEM is also a passive tool insofar as it has no functionality to block cyberthreats.
As for the CDS, it only takes an hour to set up. No use cases or attack scenarios need to be created to manage the tool. The CDS is ready to detect cyber threats as soon as it is activated in the network. The CDS is constantly trained via its artificial intelligence engine, which allows it to detect new suspicious or abnormal cases on a continuous basis. At the same time, its signature analysis engine detects known cyber threats.
The CDS has a 360-degree view of network security and can be used in active mode, enabling it to block cyber threats.
Can the CDS replace an SIEM?
Very often the implementation of an SIEM is required by a legal, regulatory or contractual obligation (e.g. the payment card industry standard PCI DSS). Apart from these considerations, and if one thinks solely in terms of cyber security, an organization that implements the CDS does not need to deploy an SIEM. Indeed, the CDS can detect all the attack scenarios that the SIEM can detect. It goes even further by being able to detect unknown or new cases, unlike an SIEM.
However, if you have already implemented an SIEM and wish to close the gap by adding the functionality offered by the CDS, you should know that the CDS is interoperable with all SIEMs on the market (ArcSight, Splunk, AlienVault, QRadar, etc.). Indeed, security events and alerts generated by the CDS can be sent to an SIEM natively (via syslog).
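The syslog hand-off described above, as an added example that is not StreamScan's code: a CDS-style alert (a constructed sample; the field names are assumed, not the real CDS schema) is formatted as an RFC 5424 message carrying the alert details as structured data, and a collector-side parser recovers the fields a SIEM would index. The hostname, application name and structured-data ID are assumptions.

```python
# Added example, not StreamScan's code. Formats an alert as RFC 5424 syslog
# (the format SIEM collectors ingest) and parses it back on the receiving side.
import re
from datetime import datetime, timezone

FACILITY_LOCAL0 = 16                       # facility often used for local security tooling
SEVERITY = {"critical": 2, "high": 3, "medium": 4, "low": 6}   # syslog severity codes

SAMPLE_ALERT = {   # constructed sample, not real CDS output; field names are assumed
    "time": datetime(2024, 3, 5, 14, 2, 7, 123000, tzinfo=timezone.utc),
    "severity": "high",
    "msgid": "LATERAL_MOVE",
    "message": "Suspicious east-west SMB activity",
    "fields": {"src": "10.0.1.25", "dst": "10.0.1.40", "proto": "smb",
               "pcap": "alert-4711.pcap", "note": "seen in [segment B]"},
}

def _sd_escape(value):
    # RFC 5424 section 6.3.3: escape '\', '"' and ']' inside a PARAM-VALUE
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def alert_to_syslog(alert, hostname="cds-sensor-01", app="cds"):
    """Build one RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD] MSG."""
    pri = FACILITY_LOCAL0 * 8 + SEVERITY[alert["severity"]]
    ts = alert["time"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    params = " ".join(f'{k}="{_sd_escape(v)}"' for k, v in alert["fields"].items())
    # 32473 is the enterprise number reserved for documentation examples (RFC 5612)
    sd = f"[cdsAlert@32473 {params}]"
    return f"<{pri}>1 {ts} {hostname} {app} - {alert['msgid']} {sd} {alert['message']}"

_HEADER = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) \[(\S+) (.*?)(?<!\\)\] (.*)$")
_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_syslog(line):
    """Collector side (what a SIEM would do): recover severity and structured fields."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group(1))
    fields = {k: v.replace('\\"', '"').replace("\\]", "]").replace("\\\\", "\\")
              for k, v in _PARAM.findall(m.group(8))}
    return {"facility": pri // 8, "severity": pri % 8, "host": m.group(3), "app": m.group(4),
            "msgid": m.group(6), "sd_id": m.group(7), "fields": fields, "message": m.group(9)}

if __name__ == "__main__":
    wire = alert_to_syslog(SAMPLE_ALERT)
    print(wire)
    print(parse_syslog(wire))
```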