September 26, 2016 By Denis Kennelly 3 min read

I haven’t seen much love lately for security information and event management (SIEM). To steal a phrase from Gartner, the security analytics platform seems to have entered the “trough of disillusionment.” But in deploying alternatives, some enterprises may be trading one problem for another.

SIEM is great in concept. These tools were introduced about a decade ago to cope with the flood of logs and alerts that was beginning to flow in from intrusion detection systems (IDS) and intrusion prevention systems (IPS). But as with any nascent market, SIEM lacked standards. Each vendor implemented SIEM differently, using different data stores, query languages and analytics engines; some solutions were delivered as software and some as appliances, and none of them interoperated cleanly with the others.

Today, there are dozens of alternatives on the market. Meanwhile, the volume and variety of alerts have continued to grow, adding to the complexity of SIEM. Security professionals have to watch dashboards pretty much all the time, and they need to know exactly what they're looking for. This is ironic, because attackers are always looking to hit us precisely where we aren't looking. In short, the first generation of security analytics platforms has become top heavy and complex.

**Updated** Download the 2017 Gartner Magic Quadrant for SIEM

The Need to Simplify SIEM

With the arrival of open-source frameworks such as Hadoop, which store vast amounts of information cheaply, some IT organizations saw an opportunity to simplify SIEM by replacing dedicated software with their own data lakes. This made it simpler to load data, but it didn't solve the problem of what to do with it. Extracting the necessary data from the various systems and interfaces, then parsing and normalizing it into a form that can be queried consistently, is hard work, and that work doesn't go away with a data lake. Migrating from a purpose-built solution like SIEM to a general-purpose data platform also requires a lot of customization and programming.

With a data lake, organizations still have to answer questions about what kind of data to collect, how frequently to update it, how long to keep it and which use cases to examine. Over time, the scope of the problem grows and the same complexity problems resurface. Query tools may be standardized, but queries aren’t. IT organizations still have to know what to look for and invent their own approaches to finding it. That’s what I mean by trading one problem for a slightly different one.

Solving a Complexity Problem

SIEM was never a bad idea, but the growing volumes of information that organizations layered into their SIEM systems created a complexity problem. The solution isn’t to throw out the security analytics platform, but to modify it with concepts borrowed from cloud, big data, predictive analytics and machine learning.

In the early days of SIEM, the platform had to be developed from scratch. Today, we can leverage open-source building blocks where it makes sense, then extend them through crowdsourcing. The result is the IBM QRadar Security Intelligence Platform, a unified architecture for SIEM that uses an advanced analytics engine to capture data from a wide variety of sources, correlate patterns with high-risk threats and elevate high-priority incidents from the mass of data. You can use it on-premises or in the cloud.

QRadar collects information from edge protection devices, switches, routers, servers, operating systems and even applications. It applies correlation analysis and security analytics in real time to distinguish real threats from false positives. Out-of-the-box templates and filters, combined with a user interface that humans can actually understand, dramatically reduce training times.

Revamping Your Security Analytics Platform

Using machine learning, QRadar builds baselines from observed usage patterns. It can detect, for example, excessive usage of an application or unusual off-hours activity by comparing new events against historical data. Dashboards show spikes in alert activity, enabling administrators to drill down for more information.
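The paragraph describes behavioural detection in the abstract: learn what is normal for a user from history, then flag departures from it. The following is an added example, not QRadar code or anything from IBM, showing that logic in Python over constructed log lines. It builds two per-user baselines from a historical window (the hours of day in which each user is normally active, and the mean and standard deviation of each user's daily event count per application), then runs a new day's events against them, flagging off-hours activity, previously unseen users and daily volumes above mean plus three standard deviations. The log format, user names, applications and thresholds are all assumptions made for the example.

```python
"""Baseline-and-anomaly detection over constructed authentication logs.

Added example, not QRadar code. Log format (assumed):
    <ISO-8601 timestamp> <user> <application> <action>
"""
from collections import defaultdict
from datetime import datetime
import statistics


def _day(date, user, app, hours):
    """Constructed log lines: one login per listed hour on the given date."""
    return [f"{date}T{h:02d}:15:00 {user} {app} login" for h in hours]


def _build_history():
    """Five weekdays (2016-09-19 .. 2016-09-23) of constructed 'normal' activity."""
    lines = []
    for d in range(19, 24):
        lines += _day(f"2016-09-{d}", "alice", "crm", (9, 11, 14, 16))
        lines += _day(f"2016-09-{d}", "bob", "vpn", (8, 17))
    return lines


HISTORY = _build_history()

# Constructed events for Monday 2016-09-26: an off-hours login for alice,
# a burst of exports that pushes her daily volume well above baseline,
# a late-night login for bob and a user never seen in the history.
NEW = (
    ["2016-09-26T02:30:00 alice crm login",
     "2016-09-26T09:15:00 alice crm login",
     "2016-09-26T11:15:00 alice crm login"]
    + [f"2016-09-26T14:0{m}:00 alice crm export" for m in range(6)]
    + ["2016-09-26T08:10:00 bob vpn login",
       "2016-09-26T23:40:00 bob vpn login",
       "2016-09-26T10:00:00 mallory vpn login"]
)


def parse(line):
    """Split one log line into (timestamp, user, app, action)."""
    ts, user, app, action = line.split()
    return datetime.fromisoformat(ts), user, app, action


def build_baselines(lines):
    """Per user: the set of hours seen; per (user, app): (mean, stdev) of daily counts."""
    hours = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))  # (user, app) -> date -> count
    for line in lines:
        ts, user, app, _ = parse(line)
        hours[user].add(ts.hour)
        daily[(user, app)][ts.date()] += 1
    volume = {}
    for key, per_day in daily.items():
        counts = list(per_day.values())
        volume[key] = (statistics.mean(counts), statistics.pstdev(counts))
    return {"hours": dict(hours), "volume": volume}


def detect(baselines, new_lines, sigma=3.0):
    """Return findings as tuples; per-event checks first, then per-day volume checks."""
    findings = []
    counts = defaultdict(int)  # (user, app, date) -> events seen today
    for line in new_lines:
        ts, user, app, _ = parse(line)
        counts[(user, app, ts.date())] += 1
        known_hours = baselines["hours"].get(user)
        if known_hours is None:
            findings.append(("unknown_user", user, app, ts.isoformat()))
        elif ts.hour not in known_hours:
            findings.append(("off_hours", user, app, ts.isoformat()))
    for (user, app, day), n in counts.items():
        # Unknown (user, app) pairs get a zero baseline; a stdev floor of 1
        # stops a perfectly regular history from flagging a single extra event.
        mean, stdev = baselines["volume"].get((user, app), (0.0, 0.0))
        if n > mean + sigma * max(stdev, 1.0):
            findings.append(("excessive_usage", user, app, str(day), n))
    return findings


def run_example():
    """Baselines from HISTORY, detection over NEW; returns the findings list."""
    return detect(build_baselines(HISTORY), NEW)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Running the block prints four findings: the 02:30 and 23:40 logins as off-hours for alice and bob, mallory as an unknown user, and alice's nine CRM events for the day as excessive usage against a baseline of four. The design choice worth noting is that the history window, the sigma multiplier and the stdev floor are exactly the "what to collect, how long to keep it and what to look for" decisions the article says a data lake leaves to you; a SIEM bundles a default answer, but the tuning question does not disappear.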

That machine learning is also extended with cognitive technologies that mine the mountains of unstructured data in the blogs and web posts we all read in the security world. These unstructured sources often point to the needles of value in the haystack of security-related information. The idea is to let the security analytics platform do the hard work and to capture human experience in a set of standardized queries and use cases that are updated constantly.

Another great resource is the Security App Exchange, a groundbreaking collection of extensions written by IBM and its partners. These provide additional layers of analysis and reports that are validated by the QRadar team. Need a way to detect anomalous user behavior on your network? There’s an app for that.

These kinds of features are one reason IBM has again been ranked as a leader in the Gartner Magic Quadrant for SIEM. We want to help move SIEM out of the “trough of disillusionment” and back on its rightful path toward the “slope of enlightenment.”

