While this may not be the year that Security Information and Event Management (SIEM) solutions fall off of the cliff of relevancy into obsolete software land, they are slowly moving closer to the edge.
Initially, SIEM solutions sought to solve the collection, monitoring, analyzing, and identification of threats in the cybersecurity environment. Bogged by time intensive needs and requiring large data infrastructure to house massive amounts of information, the downward spiral of SIEM may be stayed with new security analytic enhancements boosting network visibilities and efficiencies—at least for the time being.
In the early 2000s, cybersecurity at most large enterprises consisted of network-based firewalls and antivirus software on local desktops and servers. Then came intrusion detection systems, driven in the large part by widespread industry adoption. While intrusion detection systems did help identify suspicious traffic, they also generated vast quantities of alerts, requiring countless hours of fine-tuning sensors to weed out the signals from the noise.
To address this issue, SIEM solutions were designed and deployed in large organizations with a simple goal: take the many security alerts, distill them into actionable events and add vulnerability management information to provide context. Through the use of aggregation (grouping similar alerts occurring simultaneously into a single event) and correlation (grouping events with similar characteristics into a single event) capabilities, SIEM initially reduced alert clutter and saved analysts’ precious time. The vulnerability information provided enough context to determine if the device in question was indeed susceptible to the potential attack.
Drowning in data
A SIEM solution ingests data from multiple sources, resulting in cumbersome contracts for vendors, users and enterprises with the need for a plethora of servers to store all the data and provide access and availability. Ideally, the more sources you can point at the SIEM, the more efficient and effective your security team could become. Unfortunately, as evidenced by Netwrix’s 2016 SIEM efficiency survey, 81 percent of respondents believe that SIEM reports contain too much data and too little actionable insight.
For large enterprises that generate terabytes of data every month, the applications of a typical SIEM solution can fracture analyst’s time as organizations find themselves deploying log management solutions to offload some of the data collection, processing and analysis from the SIEM for specific functions. This counter effective move only adds to an organization’s technology debt and solution fatigue instead of alleviating workload.
With existing massive investments in SIEM and the large amount of data already stored, it is difficult to just rid your enterprise of these types of solutions. But how do you continue to solicit value? The answer: next generation SIEM.
According to a recent Forrester report on security analytics platforms, the burgeoning security analytics market can provide a solution to bringing SIEMs back from the cliff while extracting value. This modern field provides the ability to keep up with compliance mandates around log management and reporting in addition to monitoring and alerting capabilities. While potentially compounding technology debt, next gen SIEM as evolving into security analytics are lending three added features including:
1. Network Analysis and Visibility – This comprehensive category boosts networks analysis and visibility function by using network discovery, flow data, metadata and packet capture analysis, as well as forensic tools.
2. Behavior Analytics – To suss out malicious users and to garner a better understanding of user behaviors, security user behavior analytics is a newer capability differentiating cutting edge solutions in the market.
3. Big Data Infrastructure – In order to handle the massive volume of events and process multiple data sources, security analytics are looking to platforms that can handle big data infrastructure at scale.
Security analytics enhancements don’t solve traditional SIEM issues but offer a great step forward. Until a single platform can perform all necessary functions beyond detection with speed, value adds will be incremental. While some enterprises have taken to creating their own cyber data lakes to address SIEM shortages and add needed analytics, managing and extracting value from this scenario requires an army.
Instead, when troubleshooting your SIEM, look for tighter network integrations between cloud and endpoint solutions with a mind for prevention and mitigation. While this might not be the year SIEM goes over the cliff, it’s getting close. Meanwhile, security analytics are offering a saving grace.