Oct 05, 2022

Armis + SIEM: Better Together

Since joining Armis nearly three years ago, I have had many conversations with prospects and customers. When discussing how Armis can solve their business problems, I get a response that typically begins with, “But I already have…”. In many cases, this is because adjacent cybersecurity technologies have similar messaging or claim to solve similar problems.

Naturally, a prospect that has already invested in a particular technology wants to ensure that they are not making a redundant purchase with a budget they could spend elsewhere. I get it. I could talk all day about how Armis is different from technology X, Y, and Z, but I’m going to start with SIEM because I literally had this conversation with someone the other day.

According to Gartner, security information and event management (SIEM) is the technology that supports threat detection, compliance, and security incident management through the collection and analysis (both near real-time and historical) of security events and a wide variety of other event and contextual data sources. The core capabilities are a broad scope of log event collection and management, the ability to analyze log events and other data across disparate sources, and operational capabilities (such as incident management, dashboards, and reporting).

SIEM is a great technology but cannot solve every facet of cybersecurity alone. In this case, Armis and SIEM solutions can work harmoniously to produce a “better together” story.

In short, SIEM alone:

  • Collects events from assets configured to send alerts for auditing, compliance, and incident investigation.
  • Cannot tell you which assets are not sending event information (because it doesn’t know they exist).
  • Does not have the full context of the asset generating the alert (normally just MAC/IP and event information).
  • Will lack coverage of unmanaged OT, IoT, & IoMT assets.

The Armis Value

The Armis Platform is the industry’s most comprehensive asset intelligence platform providing unified asset visibility and superior security across all asset types, including IT, IoT, OT, IoMT, Cloud, and cellular-IoT, managed or unmanaged.

When delivered as an agentless SaaS platform, Armis seamlessly integrates with existing IT and security stacks (like SIEM) to quickly deliver the contextual intelligence needed for improving your security posture without disrupting current operations or workflows.

Armis + SIEM will:

  • Discover & store an inventory of all organizational assets, providing a complete view of the asset data and its key security attributes, including contextual insights about each asset.
  • Proactively ensure that your SIEM is monitoring the correct and expected scope of IT assets.
  • Reduce incident investigation time by having asset & security information in a single location.
  • Extend SIEM scope by providing risk and threat insights for unmanaged assets like OT, IoT & IoMT.

Combining Armis and SIEM will ultimately give you a better return on the investment in your SIEM solution and reduce the operational overhead of incident investigation.

A True Server Security Story

Background – A company has an IT Security policy that mandates all servers should have events monitored in the SIEM for auditing or incident investigation.

Without Armis

  • Your IT team configures servers with the SIEM sensor so that they send events to the SIEM.
  • A new server is deployed in the organization, and someone forgets to deploy the sensor. Alternatively, the sensor could be faulty. Either way, the SIEM has no awareness of the new server or of the missing events that should be logged.
  • If the server is used as an attack vector, the incident investigation will have gaps in its ability to trace the cause.
  • The investigating analyst will lack asset context to make informed decisions and will revert to manual, time-consuming data gathering and correlation while trying to establish what happened.

With Armis

  • Automatically detect when a new server has been deployed and add it to the Armis inventory.
  • Compare the asset inventory with the SIEM’s log sources to detect when a server is not configured to send events.
  • Use Policy to alert the IT Ops team to address the SIEM monitoring gap.
  • Automatically update with asset data when resolved.
  • Provide a single source of truth with full asset context for any incident investigation. For instance, you can seamlessly access information like the server type and Operating System, owner, location, last seen time with security attributes such as EDR, Patching, Vulnerability Management, and Encryption.
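The inventory-versus-SIEM comparison described in the story above, as an added example that is not Armis code and not an Armis API: the asset records, field names, SIEM log-source list and timestamps are all constructed for illustration. It flags both servers the SIEM has never heard from (no sensor deployed) and servers whose events have gone quiet (faulty sensor), and leaves out-of-scope asset types alone.

```python
from datetime import datetime, timedelta, timezone

# Constructed asset inventory export (assumed shape, not an Armis schema).
ASSETS = [
    {"name": "srv-web-01", "ip": "10.0.1.10", "type": "Server"},
    {"name": "srv-db-02", "ip": "10.0.1.20", "type": "Server"},
    {"name": "srv-app-03", "ip": "10.0.1.30", "type": "Server"},   # no sensor deployed
    {"name": "cam-lobby-1", "ip": "10.0.5.7", "type": "IP Camera"},  # not in policy scope
]

# Constructed SIEM log-source list: host IP -> time the SIEM last received an event.
SIEM_SOURCES = {
    "10.0.1.10": "2022-10-05T08:55:00+00:00",
    "10.0.1.20": "2022-10-01T02:10:00+00:00",  # sensor stopped reporting days ago
}

# Fixed "current time" so the example is reproducible offline.
NOW = datetime(2022, 10, 5, 9, 0, tzinfo=timezone.utc)


def find_monitoring_gaps(assets, siem_sources, now,
                         max_silence=timedelta(hours=24), in_scope=("Server",)):
    """Return in-scope assets the SIEM is not effectively monitoring.

    gap == "missing": the SIEM has no log source for the asset at all.
    gap == "stale":   a log source exists but its last event is older than max_silence.
    """
    gaps = []
    for asset in assets:
        if asset["type"] not in in_scope:
            continue  # policy only mandates SIEM coverage for servers
        last = siem_sources.get(asset["ip"])
        if last is None:
            gaps.append({**asset, "gap": "missing", "last_event": None})
            continue
        last_dt = datetime.fromisoformat(last)
        if now - last_dt > max_silence:
            gaps.append({**asset, "gap": "stale", "last_event": last})
    return gaps


if __name__ == "__main__":
    for g in find_monitoring_gaps(ASSETS, SIEM_SOURCES, NOW):
        print(f"{g['name']} ({g['ip']}): {g['gap']} - last SIEM event {g['last_event']}")
```

Each flagged record carries the asset context (name, type, IP) alongside the gap type, which is the information an IT Ops ticket or a policy alert would need to act on.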

Enhancing SIEM is just one use case of how Armis uses its authoritative asset data to reduce the attack surface and operational overhead.

You can find additional information on Armis at armis.com.