August 26, 2019 By Diana Kightlinger

Although security information and event management (SIEM) has been around for more than a decade, the solution continues to evolve. But too many enterprises still don’t know which security use cases SIEM can take on, how it can capture and leverage data — structured and unstructured, internal and external — or how to effectively implement a SIEM solution.

That’s unfortunate, because the threat environment isn’t standing still, both in terms of attack types and volume. Security talent remains in short supply, while point solutions have become all too common. Defenders need a SIEM solution to detect threats in the extended environment, artificial intelligence (AI) to identify connections behind suspicious activity, and automated processes to rapidly shut down attacks.

What Is SIEM?

Taking a step back to define the phrase, what is SIEM? SIEM is a combination of security information management (SIM) and security event management (SEM) that helps organizations detect threats via fine-grained, real-time visibility into on-premises and cloud-based activity.

At one time, audit and compliance needs — from the Payment Card Industry Data Security Standard (PCI DSS) to Sarbanes-Oxley (SOX) to the Health Insurance Portability and Accountability Act (HIPAA) — drove the SIEM market. But the evolving threat landscape and sophistication of cyberattackers forced the answer to the question, “What is SIEM?” to change. From compliance, SIEM expanded into threat detection and remains at the core of the security operations center (SOC).

A Single Pane Captures a 360-Degree View

Complex SIEM systems empower SOCs to detect both known and unknown threats and respond to incidents quickly and effectively. But as enterprises adopt new types of technology, such as the internet of things (IoT), the attack surface keeps growing, creating new blind spots.

To detect and investigate threats, enterprises need a comprehensive view into on-premises and cloud — including hybrid cloud and multicloud — assets and network and user behaviors, helping analysts spot anomalies that could signal a breach or cyberattack. Through it all, enterprises must still prove the efficiency and accuracy of their SIEM systems to compliance and regulatory auditors.

Due to the cybersecurity skills shortage, organizations also need SIEM solutions that are simpler to deploy, manage and maintain. The escalating number of data sources requires considerable effort to integrate and tune. Deploying a solution to improve detection, investigation and resolution requires vendors willing to share their expertise on an ongoing basis, so security teams aren’t forced to become experts themselves.

AI Accelerates Investigations

SIEM solutions today tackle many security use cases, from detecting endpoint threats, to insider threats, to phishing attacks. But defenders need to identify symptoms of threat behavior as well as the threats themselves. As this need has grown, so have technologies such as machine learning and advanced historical analysis, which can surface anomalous behaviors and help defenders respond earlier to stop attackers and mitigate damages.

What analysts don’t need are solutions that generate even more alerts and lack integration with other security tools. Instead, AI-powered analytics can be used to investigate and seek the root cause and chain of events that led to existing anomalies.

AI won’t replace rules-based or machine-learning algorithms to detect potential threat signals. Nor will it replace humans. But when SOCs lack the workforce to investigate these signals, AI can accelerate analysis and insight, identifying threats faster and more consistently than attackers can react. Despite incomplete data and knowledge, cognitive capabilities can serve to automate and improve decision-making.

In addition, AI can help analysts implement, configure and support use cases within a SIEM system. Keeping up with changes and closing gaps remains critical, but AI can assess priorities and automate a large chunk of the workload.

Automation Enables Value-Added Activities

Most cyberattacks focus on critical enterprise data — and once attackers gain access, your organization needs a rapid and efficient incident response process to empower analysts to stop them. But SIEM is about detection, with tools that typically process between 10,000 and 500,000 events per second. SIEM should feed the incident response system the data and evidence needed to remediate threats.

However, it’s also critical to recognize that SIEM isn’t a response tool. That’s where security orchestration, automation and response (SOAR) solutions excel. SOAR helps security teams increase productivity by automating the dull and repetitive tasks that don’t require human intervention, and frees teams to focus on people, processes and technology. Top solutions add context to threats and prioritize them according to the risk to customer data, business function and reputation.

Adding automation and intelligence to SIEM is a force multiplier on your team’s efforts and lets them focus on value-added activities, such as proactively hunting and preventing threats. That’s critical, because the less time cyberattackers can spend operating within your infrastructure, the less damage they can do. Human discernment and judgment can also best inform policy changes to limit risky use of applications or databases and block malicious players without disrupting customer access to your business.

Putting it all together, the right security information and event management solution can help you gain comprehensive visibility into all types of enterprise data and threats, move past individual alerts to identify and prioritize potential incidents, and accelerate investigation processes with AI — all while shifting your security strategy toward more proactive efforts.
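The loop the article describes (collect events from several sources, move past individual alerts to a correlated incident, then prioritize by business risk so a SOAR playbook or analyst gets the most important item first), shown as an added Python example. It is not code from the original post or from any vendor's SIEM; the log lines, hostnames, IP addresses, user names, the failure threshold, the time window and the criticality weights are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): a syslog-style sshd stream
# and a key=value stream from a hypothetical VPN gateway.
RAW_LOGS = [
    "2019-08-26T09:00:01Z db-prod-01 sshd[1201]: Failed password for alice from 203.0.113.9 port 51122 ssh2",
    "2019-08-26T09:00:09Z db-prod-01 sshd[1201]: Failed password for alice from 203.0.113.9 port 51130 ssh2",
    "2019-08-26T09:00:17Z db-prod-01 sshd[1201]: Failed password for alice from 203.0.113.9 port 51141 ssh2",
    "2019-08-26T09:00:25Z db-prod-01 sshd[1201]: Failed password for alice from 203.0.113.9 port 51152 ssh2",
    "2019-08-26T09:00:33Z db-prod-01 sshd[1201]: Failed password for alice from 203.0.113.9 port 51160 ssh2",
    "2019-08-26T09:00:55Z db-prod-01 sshd[1201]: Accepted password for alice from 203.0.113.9 port 51171 ssh2",
    "2019-08-26T09:02:10Z vpn-gw-01 vpn: user=bob src=198.51.100.7 result=failure",
    "2019-08-26T09:02:30Z vpn-gw-01 vpn: user=bob src=198.51.100.7 result=failure",
    "2019-08-26T09:02:45Z vpn-gw-01 vpn: user=bob src=198.51.100.7 result=success",
    "2019-08-26T09:05:00Z web-dev-03 sshd[881]: Accepted publickey for carol from 192.0.2.44 port 40012 ssh2",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)"
)
VPN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) vpn: (?P<kv>.*)$")


def parse_event(line):
    """Normalize one raw line from either source into a common schema.
    Returns None for lines the parsers do not recognise (unknown sources
    are counted in a real SIEM, not silently dropped; here we keep it simple)."""
    m = SSHD_RE.match(line)
    if m:
        return {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "user": m["user"], "src": m["src"],
            "outcome": "fail" if m["outcome"] == "Failed" else "success",
            "source": "sshd",
        }
    m = VPN_RE.match(line)
    if m:
        kv = dict(pair.split("=", 1) for pair in m["kv"].split())
        return {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "user": kv.get("user"), "src": kv.get("src"),
            "outcome": "success" if kv.get("result") == "success" else "fail",
            "source": "vpn",
        }
    return None


def correlate(events, threshold=5, window=timedelta(minutes=2)):
    """Correlation rule: at least `threshold` failed logins for one user from
    one source address inside `window`, followed by a success from the same
    pair, collapses into a single 'brute force succeeded' alert."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["src"], ev["user"])].append(ev)
    alerts = []
    for (src, user), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["outcome"] != "success":
                continue
            fails = [e for e in evs[:i]
                     if e["outcome"] == "fail" and ev["ts"] - e["ts"] <= window]
            if len(fails) >= threshold:
                alerts.append({"rule": "brute_force_success", "user": user, "src": src,
                               "host": ev["host"], "failures": len(fails), "ts": ev["ts"]})
    return alerts


# Constructed asset-criticality table (assumption): higher means more
# business-critical, the kind of context a SOAR layer adds before triage.
ASSET_CRITICALITY = {"db-prod-01": 3, "vpn-gw-01": 2, "web-dev-03": 1}


def prioritize(alerts, criticality=ASSET_CRITICALITY):
    """Attach a risk score (rule weight plus asset criticality), highest first."""
    rule_weight = {"brute_force_success": 70}
    scored = [{**a, "score": rule_weight.get(a["rule"], 50) + 10 * criticality.get(a["host"], 0)}
              for a in alerts]
    return sorted(scored, key=lambda a: a["score"], reverse=True)


def run_pipeline(lines=RAW_LOGS):
    """Collect -> normalize -> correlate -> prioritize, returning the alert queue."""
    events = [e for e in map(parse_event, lines) if e is not None]
    return prioritize(correlate(events))


if __name__ == "__main__":
    for a in run_pipeline():
        print(f"{a['ts']:%H:%M:%S} score={a['score']} {a['rule']} "
              f"user={a['user']} src={a['src']} host={a['host']} failures={a['failures']}")
```

On the constructed input, the five sshd failures and the following success for the same user and address collapse into one alert on the production database host, while bob's two VPN failures stay below the threshold and generate nothing. The point is the shape of the pipeline: ten raw events become one scored incident that carries the evidence (host, source, failure count, time) an incident response system needs.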
