Back in 2005, when SIEM was first popularised as a way of helping organisations to more effectively monitor their networks, the digital landscape was markedly different. Cloud adoption was minimal, workforces were less distributed and far fewer endpoints were in use.
How times change. The attack surface has transformed over the last decade and continues to evolve at a rapid rate. At the same time, threats have become ever more sophisticated and challenging to detect.
To avoid being dismissed as a legacy solution, SIEM technologies are having to up their game.
The evolution of SIEM
The changing digital landscape is creating a whole host of new challenges for developers of SIEM technologies. Whereas SIEM once relied upon just a handful of data sources, such as firewalls and intrusion detection systems, the ‘next generation’ of SIEM systems are having to evolve to process a greater volume and variety of data, as well as improve their capability to correlate it in a timely fashion.
Advanced threats are now polymorphic rather than static – capable of constantly changing their behaviour to evade detection. As such, SIEM systems need to not only process more data but also become much better at recognising new patterns within it.
Enhancing interoperability with new security technologies such as EDR (Endpoint Detection & Response) and UEBA (User & Entity Behaviour Analytics) tools, as well as threat intelligence platforms, has been a focus for many SIEM vendors in recent years. To enable security teams to maximise the benefits of an ever-expanding selection of security tools, SIEM solutions are also having to evolve to make managing all these technologies easier.
Despite their ability to increase threat visibility, supplementary technologies have the potential to increase alert fatigue and dead time when context switching between applications. Improving workflow, reducing the burden of security monitoring and speeding up incident response are areas that must be improved for security teams to realise the benefits of more intelligent SIEM systems. This is particularly important given the many challenges organisations face in attracting and retaining the security talent they need to run operations – the goal is to work smarter, not harder.
Security Orchestration, Automation and Response (SOAR) is a growing area of security that SIEM providers are leveraging.
It is made up of three distinct technology markets: security orchestration and automation, security incident response platforms (SIRP), and threat intelligence platforms (TIP). Its overall purpose is to help organisations enhance threat detection and response through the aggregation and correlation of richer, quality data and the automation of routine security tasks.
Whereas traditional SIEM solutions were once heavily reliant on a small number of threat intelligence feeds, SOAR is driving organisations to collect greater volumes of internal and external data and process it more swiftly and accurately than ever before. It is a trend that is helping security operations to become more intelligence-driven and Big Data-driven, thereby enabling teams to make swifter, better-informed decisions. Broader intelligence also means more reliable threat identification and fewer false positives.
Another key way that SOAR is influencing SIEM product roadmaps is by helping to standardise incident analysis and response procedures. The aim here is to partially or fully automate a range of activities so that security personnel have more time to hunt for threats rather than respond to them.
Through the automation of response actions such as blocking an IP address on a firewall or intrusion detection system, suspending user accounts or quarantining infected endpoints from a network, SOAR can help to facilitate swifter incident response and therefore reduce the potential damage and disruption that breaches can cause.
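As an added illustration (not code from the article or from Redscan), here is a minimal SOAR-style playbook in Python: it enriches an alert against a constructed threat-intelligence table, automates the safe actions, and queues the disruptive ones described above (IP block, account suspension, endpoint quarantine) for analyst approval unless intelligence confidence is high. The THREAT_INTEL table, the confidence threshold and the action names are assumptions.

```python
"""Minimal SOAR-style playbook: enrich, decide, gate disruptive actions."""
from dataclasses import dataclass, field

# Constructed threat-intel lookup standing in for a TIP feed (assumption).
THREAT_INTEL = {
    "203.0.113.45": {"confidence": 90, "tags": ["c2"]},
    "198.51.100.7": {"confidence": 30, "tags": ["scanner"]},
}

# Actions that change system state need a human decision unless confidence is high.
DISRUPTIVE = {"block_ip", "suspend_user", "quarantine_host"}
AUTO_APPROVE_CONFIDENCE = 80  # assumed threshold; tune per organisation


@dataclass
class Alert:
    source: str   # originating tool, e.g. "ids" or "edr"
    src_ip: str
    user: str
    host: str


@dataclass
class Plan:
    enrichment: dict
    automated: list = field(default_factory=list)  # run immediately
    pending: list = field(default_factory=list)    # queued for analyst approval


def enrich(alert: Alert) -> dict:
    """Correlate the alert with threat intelligence (the SOAR aggregation step)."""
    intel = THREAT_INTEL.get(alert.src_ip, {"confidence": 0, "tags": []})
    return {"ip_confidence": intel["confidence"], "tags": list(intel["tags"])}


def decide(alert: Alert) -> Plan:
    """Standardised response procedure: enrich, pick actions, gate disruptive ones."""
    ctx = enrich(alert)
    plan = Plan(enrichment=ctx)
    actions = ["open_ticket"]  # always safe, always automated
    if ctx["ip_confidence"] > 0:
        actions.append("block_ip")
    if "c2" in ctx["tags"]:
        actions += ["quarantine_host", "suspend_user"]
    for action in actions:
        if action in DISRUPTIVE and ctx["ip_confidence"] < AUTO_APPROVE_CONFIDENCE:
            plan.pending.append(action)   # human decision-maker stays in the loop
        else:
            plan.automated.append(action)
    return plan
```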
The future of SIEM
Research firm Gartner predicts that by year-end 2020, 15% of organisations with a security team larger than five people will leverage SOAR. Its huge potential for improving the efficiency and efficacy of security operations means that it is likely to play a crucial role in helping to shape the future development of SIEM.
Key to SOAR’s adoption by SIEM providers will be demonstrating that AI and machine learning can be trusted to enforce disruptive changes to systems. Until that is demonstrated, human decision-makers will remain vital to threat detection and response.
Getting the most out of SIEM, to help address mounting security challenges, will not just depend on more intelligent algorithms, but on better-trained staff who can use systems more effectively and validate alerts.
The attack surface, which has already transformed drastically since the introduction of SIEM, will continue to change at speed in the years ahead. Only with better tools and a more skilled, efficient workforce will organisations be able to respond to these changes.
Written by Andy Kays, CTO of Redscan.