SIEM has been around for quite a while now, but it is still not well understood. This has been made harder by the fact that the technology has evolved significantly over the last few years.
In this blog we explain how the SIEM market has changed, chart the rise of Next Gen solutions and managed SIEM services, and examine what this all means for businesses.
A brief history of SIEM
Before we examine what a next generation SIEM is, it’s only right to cover a brief history of the technology and where it started.
The term Security Information and Event Management (SIEM) was coined in 2005 by Mark Nicolett and Amrit Williams of Gartner – a portmanteau of security event management (SEM) and security information management (SIM).
They defined SIEM as “a technology that supports threat detection and security incident response, through the real-time collection and historical analysis of security events from a wide variety of event and contextual data sources.”
SIEM developed out of a necessity to deal with the flood of alerts issued from intrusion prevention systems (IPS) and intrusion detection systems (IDS) that were overwhelming IT departments. By helping organisations to aggregate and better analyse events inside the network, SIEM helped organisations improve threat detection. It also led organisations to adopt a more proactive approach to security – preventative security technologies no longer being enough on their own.
At that time, legacy SIEMs, as we will refer to them, were largely focused on the collection and correlation of security events from sources including firewalls and antivirus systems, endpoint security, IDS, as well as network infrastructure such as servers and wireless access points.
The difficulties with early SIEMs
Eager to improve their cyber security posture, many enterprise-level organisations were quick to adopt the technology. Over the years, however, issues with legacy SIEMs became apparent:
- Data sets were inflexible so some SIEMs couldn’t process the required data, meaning their effectiveness was limited;
- They were difficult to maintain and operate, which added complexity and drained staff resources;
- The SIEMs produced a high number of false positives, creating yet more work for the security teams;
- As technology advanced, SIEMs struggled to keep up with evolving threats and therefore the cyber risk to businesses grew.
Bring on the Next-Gen!
Many advanced threats are now polymorphic rather than static – capable of constantly changing their behaviour to evade detection. As such, SIEM systems need to not only process more data but also become much better at recognising new patterns within it.
Given the difficulties and limitations of legacy SIEM systems, many commentators began to predict their demise. But this hasn’t happened – SIEM still remains a key technology used by businesses. Instead the technology has just had to evolve.
Whereas SIEM once relied upon just a handful of data sources, the ‘next generation’ of SIEM systems have been developed to process a greater volume and variety of data (both security events and non-security events), as well as correlating it in a timely fashion.
Gartner reported that the SIEM market grew by 14.6% in 2018 and it is forecast to be worth a total of $3.6 billion in 2019. One reason for this growth is that Next Gen systems are now being used by mid-market organisations, not just large enterprises.
What are the capabilities of Next Gen SIEMs?
Next Gen SIEMs, sometimes referred to as analytics-driven SIEMs or SIEM 3.0, have brought new capabilities to organisations and their security teams. They now:
- Permit swifter integration into an enterprise infrastructure via open architecture to cover cloud, on-premise and BYOD assets;
- Include real-time visualisation tools to understand the most important, high-risk activities;
- Use scenario and behaviour analytics to capture well-understood scenarios and highlight significant changes in behaviour;
- Integrate with and use threat intelligence from custom, open source and commercial sources;
- Provide a flexible framework that allows bespoke workflow implementation for key organisational use cases;
- Measure status against regulatory frameworks (e.g. PCI DSS) for risk prioritisation and management.
Security Orchestration, Automation and Response
Security Orchestration, Automation and Response (SOAR) is a growing area of security that Next-Gen SIEM providers are leveraging to help enable the latest capabilities. In essence, SOAR has two fundamental aspects:
1. It enables more data to be brought into a SIEM for analysis
SOAR is helping SIEM technology to become more intelligence-driven and Big Data-driven, thereby enabling security teams to make swifter, better-informed decisions. Broader intelligence means more reliable threat identification and fewer false positives.
2. It helps automate response to incidents
Another important way that SOAR is influencing the evolution of Next Gen SIEMs is by helping to standardise incident analysis and response procedures. The aim here is to partially or fully automate response activities, in order to reduce the potential damage and disruption that breaches can cause. Such response activities could include locking down compromised user accounts and blocking IP addresses on a firewall.
By automating routine actions, SOAR helps security teams to become more efficient and frees up their time to focus on threat hunting and patch management.
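The two SOAR aspects above (bringing more intelligence into the decision, then standardising and partially automating the response) can be illustrated with a small playbook. The following is an added example written for this post; it is not Redscan's or any SOAR product's code. The alerts, the threat-intelligence set (addresses from the reserved TEST-NET documentation ranges), the account names and the severity threshold are all constructed assumptions. Note the two deliberate limits a practitioner would want: accounts on a protected list only get an approval ticket rather than an automatic lockdown, and every action is idempotent so re-running the same alert does not duplicate firewall changes.

```python
# Added example: a minimal SOAR-style playbook (hypothetical; not from the original post).
# Flow: enrich alert with threat intel -> decide automatic vs. analyst-reviewed response
#       -> apply idempotent actions against a response state -> keep an audit trail.

# Constructed threat-intelligence feed. 203.0.113.0/24 and 198.51.100.0/24 are
# IANA documentation ranges, used here only as placeholders.
KNOWN_BAD_IPS = {"203.0.113.45", "198.51.100.7"}
# Accounts whose lockdown must be approved by a human; automation only raises a ticket.
PROTECTED_ACCOUNTS = {"svc-backup", "domain-admin"}
# Alert types for which an automatic firewall block is policy.
BLOCK_TYPES = {"brute_force_success"}

# Constructed SIEM alerts used as the playbook's input (sample data, not real events).
ALERTS = [
    {"id": "A-1", "type": "brute_force_success", "user": "bob",
     "src_ip": "203.0.113.45", "severity": 7},
    {"id": "A-2", "type": "brute_force_success", "user": "svc-backup",
     "src_ip": "192.0.2.10", "severity": 7},
    {"id": "A-3", "type": "anomalous_login", "user": "alice",
     "src_ip": "192.0.2.33", "severity": 3},
]


class ResponseState:
    """Mutable state the playbook acts on: firewall blocklist, disabled accounts,
    analyst tickets and an append-only audit log. Every mutating call is idempotent."""

    def __init__(self):
        self.blocked_ips = set()
        self.disabled_users = set()
        self.tickets = []
        self.audit = []

    def block_ip(self, ip, alert_id):
        if ip in self.blocked_ips:
            self.audit.append((alert_id, "block_ip", ip, "already blocked"))
            return False
        self.blocked_ips.add(ip)
        self.audit.append((alert_id, "block_ip", ip, "applied"))
        return True

    def disable_user(self, user, alert_id):
        if user in self.disabled_users:
            self.audit.append((alert_id, "disable_user", user, "already disabled"))
            return False
        self.disabled_users.add(user)
        self.audit.append((alert_id, "disable_user", user, "applied"))
        return True

    def open_ticket(self, alert_id, summary):
        self.tickets.append({"alert": alert_id, "summary": summary})
        self.audit.append((alert_id, "ticket", summary, "opened"))


def enrich(alert):
    """Aspect 1: add intelligence to the alert. A source IP on the threat feed raises severity."""
    enriched = dict(alert)
    enriched["ip_in_threat_intel"] = alert["src_ip"] in KNOWN_BAD_IPS
    if enriched["ip_in_threat_intel"]:
        enriched["severity"] = min(10, alert["severity"] + 3)
    return enriched


def run_playbook(alert, state, auto_threshold=6):
    """Aspect 2: standardised response. Returns the list of action names taken."""
    a = enrich(alert)
    actions = []
    if a["severity"] < auto_threshold:
        # Below the automation threshold: hand to an analyst instead of acting.
        state.open_ticket(a["id"], f"analyst review: {a['type']} for {a['user']}")
        return ["ticket"]
    if (a["ip_in_threat_intel"] or a["type"] in BLOCK_TYPES) and \
            state.block_ip(a["src_ip"], a["id"]):
        actions.append("block_ip")
    if a["user"] in PROTECTED_ACCOUNTS:
        state.open_ticket(a["id"], f"approval needed to disable {a['user']}")
        actions.append("approval_ticket")
    elif state.disable_user(a["user"], a["id"]):
        actions.append("disable_user")
    return actions


def run_all(alerts=ALERTS):
    """Run every alert through the playbook and return (actions per alert id, state)."""
    state = ResponseState()
    results = {alert["id"]: run_playbook(alert, state) for alert in alerts}
    return results, state


if __name__ == "__main__":
    results, state = run_all()
    for alert_id, actions in results.items():
        print(alert_id, actions)
    for entry in state.audit:
        print("audit:", entry)
```

Running the block prints the actions taken per alert and the audit trail. The severity threshold and the protected-account list are the two knobs that decide how much of the response is automated versus reviewed, which is the "partially or fully automate" choice the post describes.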
User & Entity Behaviour Analytics
Another important feature of Next Gen SIEMs is the use of User and Entity Behaviour Analytics (UEBA). UEBA does not track security events or monitor devices; instead it focuses on monitoring and analysing the behaviour of an organisation’s users.
UEBA can be hugely valuable in helping organisations identify compromised accounts, as well as insider threats. It works by using advanced machine learning and behavioural profiling techniques to identify anomalous activity such as account compromise and privilege abuse. Because it does not rely on rules-based monitoring, UEBA is more effective at detecting anomalies over time.
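To make the behavioural-profiling idea concrete, here is an added example (written for this post, not Redscan's or any UEBA product's code) that builds a per-user baseline from a constructed set of authentication logs and then scores new logins by how far they deviate from it. The log format, the user and host names, the component weights and the alert threshold are all assumptions. The point it shows that the prose does not: no rule says "03:00 from a file server is bad"; the login is flagged purely because it is improbable for that user's own history, and the same event for a user who habitually works nights would score low.

```python
# Added example: UEBA-style baseline and anomaly scoring (hypothetical; not from the post).
import math
from collections import Counter, defaultdict

# Constructed sample authentication events (sample data, not real logs).
# One event per line: "<ISO timestamp> <user> <source host> <SUCCESS|FAIL>"
BASELINE_LOGS = """\
2019-03-04T08:12:00 alice ws-alice-01 SUCCESS
2019-03-04T08:40:00 bob ws-bob-07 SUCCESS
2019-03-04T09:05:00 alice ws-alice-01 SUCCESS
2019-03-05T08:20:00 alice ws-alice-01 SUCCESS
2019-03-05T09:10:00 bob ws-bob-07 SUCCESS
2019-03-05T17:55:00 alice vpn-gw-02 SUCCESS
2019-03-06T08:05:00 alice ws-alice-01 SUCCESS
2019-03-06T08:45:00 bob ws-bob-07 SUCCESS
2019-03-07T08:30:00 alice ws-alice-01 SUCCESS
2019-03-07T18:10:00 alice vpn-gw-02 SUCCESS
"""

NEW_EVENTS = """\
2019-03-08T08:15:00 alice ws-alice-01 SUCCESS
2019-03-08T03:02:00 bob srv-fileshare-09 FAIL
2019-03-08T03:02:30 bob srv-fileshare-09 FAIL
2019-03-08T03:03:10 bob srv-fileshare-09 SUCCESS
"""


def parse_events(text):
    """Parse the constructed format; hour-of-day is the feature the time profile uses."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host, result = line.split()
        events.append({"ts": ts, "hour": int(ts[11:13]), "user": user,
                       "host": host, "result": result})
    return events


def build_profiles(events):
    """Per-user baseline from successful logins: hour-of-day histogram and known hosts."""
    profiles = defaultdict(lambda: {"hours": Counter(), "hosts": set(), "n": 0})
    for e in events:
        if e["result"] != "SUCCESS":
            continue
        p = profiles[e["user"]]
        p["hours"][e["hour"]] += 1
        p["hosts"].add(e["host"])
        p["n"] += 1
    return profiles


def hour_surprise(profile, hour):
    """-log of the Laplace-smoothed probability of this user logging in at this hour.
    Smoothing over the 24 hourly bins keeps unseen hours finite but expensive."""
    p = (profile["hours"][hour] + 1) / (profile["n"] + 24)
    return -math.log(p)


def score_events(profiles, events, threshold=3.0):
    """Score each successful login against its user's baseline; return those at/over threshold.
    Components: hour surprise, +2 for a never-seen source host, +1 per preceding
    failed attempt in the batch (capped at 3)."""
    failures = Counter()  # failed attempts seen so far per user in this batch
    alerts = []
    for e in events:
        user = e["user"]
        if e["result"] == "FAIL":
            failures[user] += 1
            continue
        profile = profiles.get(user)  # .get() does not create a default entry
        if profile is None:
            # No history at all: surface it rather than silently skipping the user.
            alerts.append({**e, "score": float("inf"), "reasons": ["no baseline for user"]})
            continue
        score = hour_surprise(profile, e["hour"])
        reasons = [f"hour {e['hour']:02d} surprise={score:.2f}"]
        if e["host"] not in profile["hosts"]:
            score += 2.0
            reasons.append(f"new source host {e['host']}")
        if failures[user]:
            score += min(failures[user], 3)
            reasons.append(f"{failures[user]} failed attempts preceded this login")
        failures[user] = 0  # a success closes the failure streak
        if score >= threshold:
            alerts.append({**e, "score": score, "reasons": reasons})
    return alerts


def run():
    """Build baselines from BASELINE_LOGS and score NEW_EVENTS against them."""
    profiles = build_profiles(parse_events(BASELINE_LOGS))
    return score_events(profiles, parse_events(NEW_EVENTS))


if __name__ == "__main__":
    for a in run():
        print(f"{a['ts']} {a['user']} score={a['score']:.2f}: " + "; ".join(a["reasons"]))
```

With the constructed data, alice's 08:15 login from her usual workstation scores well under the threshold, while bob's 03:03 success from an unfamiliar server after two failures is flagged with all three components contributing. In a real deployment the baseline would be far larger and the features richer (peer-group comparison, data volumes, privilege changes), but the shape of the computation is the same.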
Given that Next Gen SIEMs enable organisations to monitor cloud environments, it should perhaps come as no surprise that the technology itself is increasingly being deployed in the cloud.
For the same reasons that IaaS, PaaS and SaaS make sense for enterprise applications, these too make a great fit for hosting a Next Gen SIEM in the cloud.
Benefits of SaaS SIEM
- Fast, convenient deployment
- Low operational overheads
- Automatic updates
- Usage-based billing
- Scalable, hardened infrastructure
SaaS SIEM has opened up the market, making SIEM suitable for mid-size organisations, as well as appealing more to organisations that experience variations in network traffic due to seasonality.
Gartner has predicted that by 2023, 80% of SIEM solutions will have capabilities that are only delivered via the cloud (e.g. log storage, analytics and incident management), up from 20% currently.
What are the challenges of managing and monitoring a Next Gen SIEM?
Despite the unquestionable advances in detecting complex cyber threats, Next Gen SIEMs can still, if not deployed and maintained properly, generate a vast number of alarms. For organisations lacking IT resources and dedicated security personnel, trawling through these alerts to distinguish genuine network security issues from false positives can be hugely complex and time-consuming.
Even when genuine threats are identified, knowing how to respond to them can be similarly challenging. Many organisations implement Next Gen SIEMs with a degree of urgency but, due to a lack of in-house skills and understanding, struggle to fully realise the power of the technology.
Getting the most out of SIEM, to help address mounting security challenges, will not just depend on more intelligent algorithms, but better-trained staff who can use systems more effectively and validate alerts. For organisations without the in-house knowledge or capacity, it therefore makes sense to work with an external provider that is capable of either covering or augmenting security capabilities.
Why choose Redscan for a managed SIEM service?
ThreatDetect™, Redscan’s Managed Detection and Response service, combines Next Gen SIEM and endpoint technology with dedicated security experts to offer 24/7 monitoring and investigation of your organisation’s network traffic.
Certified to deploy and manage a range of next generation, analytics-driven SIEM solutions, our experienced Cyber Security Operations Centre (CSOC) analysts and engineers are highly adept at helping organisations find the best solution for their security needs.
Our experts optimise solutions to best address each customer’s threat detection use cases and provide the necessary outputs needed to achieve swift and effective incident response.