March 14th, 2023
LimaCharlie vs a traditional SIEM
Christopher Luft
LimaCharlie offers many of the capabilities of a security information and event management (SIEM) solution, although it is not a SIEM. In this article, we’ll talk about LimaCharlie vs traditional SIEMs—and explain how our platform can be used to reduce or replace SIEM usage and help cybersecurity teams save money.
What a SIEM does vs what a SIEM is
SIEMs handle many tasks in a modern security operations center (SOC): log management, event correlation, monitoring and alerting, data visualization, and telemetry storage. SIEMs are also useful in digital forensics work, since they retain historical log data in a unified, searchable format.
In SIEM product marketing, we often see these capabilities discussed as features of a SIEM. But we’d argue that there’s a different way of looking at SIEMs.
Features vs capabilities
It’s sometimes useful to ask basic questions. Here, that question would be: What is a feature, really?
For many years, there was only one answer to this question in cybersecurity: a feature is a capability delivered by some vendor’s product.
But a feature and a capability aren’t the same thing, and never were. The “product feature model” has always been just one possible way of delivering capabilities to end users.
LimaCharlie began with an equally fundamental question: What if there’s a better way to give cybersecurity teams the capabilities they need?
Our answer is an approach that we call security infrastructure as a service (SIaaS). At a high level, SIaaS makes cybersecurity capabilities directly available to end users as interoperable, cloud-native primitives. These capabilities are offered self-service, on-demand, and pay-per-use, in much the same way that AWS delivers IT capabilities and infrastructure.
So to get back to what a SIEM is, we’d simply say that a SIEM is a tool that bundles together a number of useful cybersecurity capabilities. Among legacy vendors, these are presented as product features. But with an SIaaS model, security teams have access to these capabilities directly—without the downsides of traditional cybersecurity products such as unpredictable costs, multi-year contracts, and vendor lock-in.
And as we’ll see, the SIaaS model makes it possible for security teams to reduce or replace usage of their existing SIEM, offering significant cost savings without sacrificing essential capabilities.
Three ways to use LimaCharlie for SIEM functionality
LimaCharlie currently has a catalog of 100+ cybersecurity capabilities and integrations. This powerful ecosystem of cybersecurity technologies makes it possible for security professionals to do things that used to require the tooling or infrastructure of a large vendor. Here are three examples of how to use LimaCharlie to get some of the most attractive benefits of a SIEM:
1. Log management and data visualization
A big benefit of SIEMs is that they help security teams collect and collate security telemetry in one place and in one view.
LimaCharlie wasn’t designed to be a SIEM—but it was engineered for interoperability, automation, and customization. Because of this, the platform lets users collect telemetry from any source, normalizes everything to a unified data format, and displays it all in a single view. This includes endpoint, network, and browser telemetry data as well as log data from external sources.
As data management tools for nontechnical users, SIEMs are admittedly excellent due to their reporting capabilities. But for many security teams, report generation features or templates will rarely be of use. And it’s worth noting here that LimaCharlie already offers one year of free telemetry storage in a fully searchable format. For many users, this may be enough, especially if they only need retention for basic compliance or for historical threat hunting.
Granted, in industries where there are heavy reporting requirements, it may be impossible for security groups to avoid using a SIEM altogether. But as we’ll discuss below, there is a way to leverage the capabilities of LimaCharlie in order to greatly reduce SIEM spending.
2. Understanding events in context
Another major benefit of SIEMs is that they make it easier to analyze security events in context—reducing the likelihood of false positives and improving the response to critical events.
LimaCharlie’s detection, automation, and response engine allows security teams to analyze endpoint events against thousands of rules and trigger automated response actions based on the results. The platform also lets users write customized detection and response rules, and integrates with third-party threat intelligence and threat hunting platforms like AlienVault OTX, VirusTotal, MISP, and SnapAttack. This makes it possible to build highly sophisticated detection rulesets—in particular, ones that interpret the meaning of events in a wider context and support sophisticated practices like behavioral detection.
To hear a conversation about how LimaCharlie can be used with third-party platforms to create complex detections, watch our webinar: Power your threat detections with SnapAttack and LimaCharlie.
3. Automating security workflows to reduce alert fatigue
LimaCharlie takes an engineering approach to cybersecurity. That means that automation capabilities are built into the platform whenever possible, providing many SIEM-like benefits natively. For example, YARA scans can be automated and run in the background across the entire fleet without impacting performance on the endpoint. The Schedule Events feature means that D&R rules (and just about anything else) can be set to run in an automated/scheduled way.
In addition, because LimaCharlie integrates with no-code security automation platforms like Tines and Torq, it’s possible to automate entire security workflows—bringing some sanity to the job of monitoring, alerting, and response in much the way that a SIEM does.
For example, LimaCharlie can be used to detect suspicious events that are automatically classified into different threat levels based on predefined rules. Using a platform like Tines or Torq, teams can then choose what automated action they want taken in response to different types of threats.
For more severe threats, a Slack message or PagerDuty alert might be warranted. For lower-level threats, a security team might decide to raise a ticket using an issue tracking system so that someone can follow up later.
The bottom line is that security professionals gain control over what alerts cross their desks on a day-to-day basis, surfacing high-risk events so they can respond in real time without getting bogged down by less urgent events.
For a full walkthrough of how this works in practice, see: Cybersecurity enhancement with Tines and LimaCharlie.
Intermediate use case: reduce SIEM storage costs
As mentioned above, some users will always need access to a SIEM—and others may not be ready to move to an SIaaS alternative right away. But one of the nice things about the security infrastructure as a service model is that it gives end users a great deal of flexibility and choice.
An interesting way to take advantage of this fact is to use LimaCharlie as an intermediate layer between endpoints and higher-cost tools like SIEMs, leveraging the LimaCharlie rules engine to classify, filter, and route telemetry data more intelligently.
If a security group needs to have certain types of data sent to the SIEM, they can use LimaCharlie to do this by writing a rule that sends that data to, e.g., Splunk as the output destination. Everything else can be sent to a lower-cost data lake or retained using LimaCharlie’s free year of telemetry storage.
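As an added illustration of that routing layer (example configuration written for this article, not taken from LimaCharlie’s documentation), here is a D&R rule that singles out one class of endpoint event and marks it for forwarding. It assumes a Splunk output has been configured separately on the detect stream, so only what this rule reports leaves the LimaCharlie cloud while the raw NEW_PROCESS telemetry stays in the free one-year retention tier; the tag name is an assumption used only for downstream filtering.

```yaml
# Added example: forward only encoded PowerShell launches to the SIEM.
# Everything else in the NEW_PROCESS stream is retained in LimaCharlie
# rather than exported to a higher-cost destination.
detect:
  event: NEW_PROCESS
  op: and
  rules:
    - op: ends with
      path: event/FILE_PATH
      value: powershell.exe
      case sensitive: false
    - op: contains
      path: event/COMMAND_LINE
      value: "-enc"          # encoded command switch, matched case-insensitively
      case sensitive: false
respond:
  # Emits a detection; a Splunk output bound to the detect stream
  # receives this record and nothing from the raw event stream.
  - action: report
    name: encoded-powershell-launch
  # Assumed tag so other rules or output filters can key on the same sensor
  # for the next 24 hours without re-evaluating the match.
  - action: add tag
    tag: siem-forward
    ttl: 86400
```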
In addition, we have recently rolled out LimaCharlie Query Language (LCQL) as a way to further operationalize that free year of storage. LCQL allows teams to query the entirety of the dataset already stored in the LimaCharlie cloud. It offers a cost-effective way to run ad hoc queries on all of your telemetry data in one place—and thus minimizes the number of times you’ll be forced to export data to a higher-cost tool like a SIEM in order to gain the insight you need.
For an in-depth demonstration of how to use LimaCharlie to cut unnecessary costs, see: Reduce spending on Splunk and other high-cost security data solutions through LimaCharlie.
For a hands-on introduction to LCQL, along with some possible use cases, see: Query data with greater flexibility using LimaCharlie Query Language (LCQL).
Exploring LimaCharlie for SIEM use cases
If you’d like to get started with using LimaCharlie for SIEM functionality, try LimaCharlie for free or book a demo today.
To discuss a different use case, or to talk about your needs in more detail, please drop by and chat on our community Slack channel or during our regular weekly office hours.