All solutions evolve over time as new technologies are introduced and market shifts occur — and security information and event management (SIEM) is no exception. The most recent changes in SIEM technology are driven by increased cloud adoption, the limited availability of IT talent and mounting regulatory pressure, as well as the growing variety and sophistication of cyberthreats.
What do these changes mean for the future of SIEM technology? Let’s take a step back and consider five significant shifts we expect to see over the next few years.
1. SIEM Will Shift From On-Premises to the Cloud
SIEM will be as relevant to software-as-a-service (SaaS) and cloud systems as it is to on-premises environments. SIEM’s original purpose was to help organizations correlate multiple security telemetry sources to generate a prioritized risk and threat view and provide a single pane of glass for investigations.
The same will be true in the future, except those on-premises sources will eventually be replaced by multiple cloud and SaaS sources.
2. SIEM Technology Will Become the Foundation of Security Analytics
Machine learning and behavioral analytics will become increasingly important, but they won’t replace rules. A security operations center (SOC) must detect both known and unknown threats.
Rules and signatures are the fastest and most precise way to detect known threats, but by definition they cannot catch a threat nobody has written a signature for, which is where behavioral and machine learning models come in. Both approaches depend on the same core data pre-processing steps: management, interpretation (parsing into a common schema), curation and enrichment with context such as asset and identity data. Because the SIEM is where that work already happens, it will become the foundational layer of all security-analytics solutions.
3. AI Will Relieve Overworked Analysts
Artificial intelligence (AI)-powered analytics that investigate and determine the root cause of existing anomalies — as opposed to solutions that generate new alerts and anomalies — will emerge in the marketplace and become essential tools for both full-scale and ad-hoc investigations. AI analytics will not replace existing rules or machine learning anomaly detection algorithms — since these are essential to help analysts detect potential threat signals.
But these signals must be investigated, and many SOCs lack the workforce to do so. AI tools can conduct automated investigations, drive intelligence orchestration and remediation, and act as a force multiplier to make the security team more productive.
4. Cloud Will Make Security Analytics More Consumable
The majority of SIEM, and therefore of security analytics, will be consumed from the cloud. It will become increasingly challenging for organizations to juggle the breadth of required data sources, operationalize use cases and analytics, and manage the big data infrastructure of an on-premises SIEM. Cloud services deliver many of these resources on demand and in a fully automated manner, dramatically increasing the consumability and utility of SIEM and security analytics tools within the enterprise.
5. AI Assistants Will Augment Human Analysts
AI assistants will be introduced into the market to help analysts set up, configure and continuously maintain use cases within the SIEM. As organizations and their IT infrastructures evolve, so must their security capabilities. Most companies will still struggle to keep abreast of these changes and close gaps that emerge as a result, but AI assistants will be able to perform assessments and automate much of this workload.
We are already seeing signs of this evolution today: AI-powered security analytics solutions, improved outcomes from the adoption of SIEM-as-a-service, and newer analytics such as user behavior analytics (UBA), domain name system (DNS) analytics and cloud analytics are changing the way SOCs work. It’s an exciting time to be adopting a security analytics strategy, and both the security and cybercrime landscapes are sure to change drastically in the near future in response to these innovations in SIEM technology.
VP, Product Management, IBM Security