Blumira Detection & Response FAQ

What is a Blumira finding?

A finding is an actionable security event that requires investigation and response. It goes beyond a typical security alert by consolidating related pieces of evidence (single occurrences) into a single finding, providing context, analysis, and guidance on how to proceed.

Each finding includes the Detection Rule Name, Detection Type, Severity, Analysis summary, Incident Response Workflow recommendations, and other relevant details. Findings are designed to reduce alert fatigue by grouping related evidence until the detection’s cooldown period expires or the finding is manually closed by a responder.

Unlike notifications that can sometimes be ignored or dismissed, findings in Blumira represent significant security events that warrant further examination. The platform provides a detailed findings page with collaboration features like commenting, assigning to responders, tuning detection filters, and requesting assistance from Blumira’s Security Operations team.

In essence, a Blumira finding is a comprehensive security case file, equipped with expert analysis and an integrated response workflow to guide users through effectively remediating potential threats to their environment.

How does Blumira alert on only real indicators of threats?

One of the things that Blumira inherently does is focus more on potentially threatening behaviors rather than pure signature-based detection – both are of course important. By targeting your methodology for what you want to see around the negative behavior, it makes it easier to generally maintain a high true positive rate.

Attackers have to perform a number of actions to land in an environment and while those methods are not unlimited, monitoring those behaviors are always useful – for example, IEX (Invoke-Expression) in PowerShell or patterns associated with Microsoft Word running unexpected processes.

Focusing on attacker behavior, what created them, if it will happen again is more useful to pay attention to, as it is a stronger indicator of a potential threat or serious ransomware attack about to happen. We proactively identify and reach out to our customers when our platform identifies a malicious finding that is critical to respond to and stop an attack early. We have done this in the past for customers and will continue to support and help guide them toward improving their security maturity in the future.

Blumira enforces this framework through how we structured our threat response playbooks. In this workflow structure, we provide people with a path to lead them to the root cause of what happened, and why it triggered a finding for the organization. This helps accelerate their understanding and response to key security findings.

How do you reduce alert fatigue?

Our incident detection engineers take an intentional approach to rule design to reduce alert fatigue:

• First, they create rules based on threat-based research
  • They review how current threat actors operate and their favored attack paths
  • Pull data from threat intel reports, emulate attacks in their lab and investigate live threat actor activity
  • Then they work to identify and craft detections based on threat actor behavior
• Once the detection is tested in this scenario, it’s tested across customer datasets to help them remove false positives
• By doing this before deploying the rule in customer environments, they can cut down on noise
• Within the product design, Blumira’s stacking system compiles similar alert data to already-triggered findings, until the case is closed
• This helps prevent customers from getting a ton of alerts within a short timeframe

How do you differentiate yourself from other top cloud SIEM and SOAR tools?

Blumira originated when CTO Matt Warner was attempting to scale out his own defensive security program and found commercial, off-the-shelf and open-source SIEMs difficult to deal with.

What makes us different from other SIEM and SOAR vendors is our dedication to making small and medium-sized organizations successful by helping them proactively resolve security threats with actionable data, while also helping them grow their security maturity over time as they continue to use Blumira’s platform.

Blumira’s belief is that SIEM products should be servicing the user and their stakeholders, not creating friction or being a pain point in their day. More specifically, on the development side, we differentiate our platform in a few ways:

• Ease of SIEM setup: Customers should not have to take on the bulk of the work required to ingest logs to their SIEM (data parsing, normalization, etc.). Complexity should be minimized, with total time to set up taking hours, at the longest — not weeks or months.
• Scalable by design: Blumira takes care of all scalability issues to make sure it’s as efficient and hands off as possible for our customers. We believe SIEMs should provide relevant data for security and operational purposes — not require big data management.
• Accessible to all: The complexity and price of other SIEMs has kept it out of reach for smaller organizations with limited IT resources, which is why Blumira chose to make its pricing predictable, based on users, not data. Now customers don’t have to choose between data volume and security coverage for the sake of budget.
• Simplified detections & reporting: Blumira’s engineers research, build and manage detection rules at scale, so our customers don’t have to. They also don’t need to learn a new query language in order to search, find and report on data in their own environment.
• Maintained by Blumira: Behind the scenes, Blumira automatically handles any geolocation, threat feed aggregation, and dynamic blocklist updating within the product. We continue to add more detections on a rolling basis, as we believe it’s the responsibility of the product to support the user.

Aside from these differentiators, we also believe detections should be built a certain way to enable the user — we tell people what to do when they need to do something. We build detections that include an actionable means to resolution:

• Detections should be curated by the provider, tracked by case management and not require additional effort to deploy by the end user
• Detections should be understandable, useful and actionable; providing contextual information relevant to the environment
• In addition to a detection analysis, they should provide a closing action through a playbook for response (rather than open investigation without an ending)

This user-centric, usability-focused approach is unique in the security industry, especially in the legacy SIEM space. Our philosophy is to take the burden off of small IT teams and organizations as much as possible, make effective detection and response accessible to them, and to keep moving them forward in developing their security maturity.

How does your product cut down the time to tune?

Tuning SIEMs can become a major tax for organizations, requiring them to learn the tool inside and out. Some causes of longer time to tune include devices within an organization creating potential threat behavior or noisy internal tools that were previously missed (like potentially unwanted applications browser extensions).

Blumira’s approach is to greatly reduce time spent tuning by designing our detection methodologies differently than most other vendors. We focus on relevant and actionable findings based on behavioral actions to help reduce noisy alerts.

If customers need to tune a detection to cut down on noise further, our security operations team can help make sure the change is made carefully – to ensure they’re not tuning out something that could increase risk for their organization. This reduces the tuning effort down to the identification of behaviors within the environment, validating those behaviors and resolving them by supporting tuning requests.

Does your team typically create parsers for new data sources or is it up to the customer if a parser does not exist?

Parsing is one of the hardest parts of modern SIEM and other logging solutions. Data formats range widely from application to application, and most customers don’t have time to write parsers as they need them. But parsing is very important when it comes to developing actionable and contextual information from your logs to help improve your time to security.

As such, Blumira considers parsing the responsibility of our internal data ingestion (DI) backend engineering team to ensure that the data is parsed, efficiently ingested and maintained over time to offset this issue for our customers. If we don’t currently support new data sources, our security operations team works with our customers to help them structure and ingest it as needed, without any effort on their side. There are also many solutions we can provide to make it easier for our customers for any not-yet-parsed types of data (such as setting up rsyslog profiles that use existing Linux parsers).

Meanwhile, we’re always working on the next new parser and integrations to make sure we’re aligned with and can provide security coverage for growing roadmaps.

Does your product play well with customers in multi-cloud and hybrid on-prem environments?

Blumira was built to support a variety of organizations, of all types and sizes. That includes both on-premises, hybrid and multi-cloud. To support this design, we do not limit the number of sensors (required to integrate with your services to send logs to Blumira’s platform) an organization can use to gain visibility into the security of their hybrid, on-premises or multi-cloud environments, as needed for their infrastructure.

This allows for broad visibility into different segments, centralized in Blumira’s dashboards that administrators can easily access to get an overview of their environment. It also ensures you don’t have to deal with the additional effort of passing data over VPNs from cloud environments. If you set up our honeypots with each sensor, you can also gain broader visibility into the environment of threat activity.

We’ll be releasing Cloud Connectors soon to enable Blumira customers to directly ingest cloud data, without the need for a sensor, to further expedite and simplify cloud security setup. Aside from supporting different environments with our setup and integrations, we also have hundreds of pre-built detections specific to cloud and on-premises services, with playbooks for every finding to help teams walk through next steps for response.

For certain environments that sensors may not work well in (such as ICS/OT that limit the exposure of ingestion, including cloud ingestion), we have developed a unique solution that can ingest data through internal VPN that works successfully within midstream oil and gas environments.

How does one typically deliver their logs to your product?

Blumira ingests customer data directly into the cloud via Cloud Connectors (APIs), allowing them to easily set up cloud applications and verify successful log integrations in a matter of minutes (coming soon!).

Another option for log delivery is through a Blumira sensor. A sensor is used to connect Blumira to your existing services to collect your logs. Sensors are usually deployed using a lightweight Ubuntu virtual machine, located on-prem, in the cloud (Azure, AWS), a data center, or wherever it makes sense for the customer’s environment. A sensor is used to host Blumira honeypots and connect Blumira to your existing services to collect, securely encrypt and ship logs to the Blumira cloud. Setup usually takes less than 20 minutes.

With a sensor, we can provide predictable scale and delivery. Our parsers also automatically handle all type identification and data mapping, making customer onboarding of data and devices a much easier process.

Can customers develop their own customer rules or detection content in your tool?

We typically encounter a few different scenarios when dealing with custom detection requests from customers that have specific use cases not covered by out-of-the-box detections.

1. Rules that are specific to their organization and won’t be overly noisy
2. Rules that are also great for the larger Blumira community; not overly noisy and provides visibility
3. Rules that make sense but may generate a lot of unnecessary noise for customers’ teams, and can be better handled through Blumira’s reporting features

For 1 and 2, our security operations team works with our incident detection engineering team to help scope out, build the detection and deploy it for the customer, once they request what they’re looking for.

For 3, we recommend our customers use Blumira’s Report Builder to easily identify the data they’re searching for by building and saving a report for their organization. They can schedule automated daily delivery of this report to gain regular insight into behaviors (such as account lockouts or failed user logins, or anything more custom) over a set period of time. Our customers can work with their dedicated Solutions Architect to help them create custom and recurring reports using Blumira’s Report Builder.

As Blumira continues to grow, we acknowledge we will need to expose custom detection more easily, although we’re careful to design these features to be as simple as possible to use in order to minimize friction for the user. In the future, our product will allow for additional detection capabilities for our customers – stay tuned!