September 26, 2016 By Denis Kennelly 3 min read

I haven’t seen much love lately for security information and event management (SIEM). To steal a phrase from Gartner, the security analytics platform seems to have entered the “trough of disillusionment.” But in deploying alternatives, some enterprises may be trading one problem for another.

SIEM is great in concept. These tools were introduced about a decade ago to cope with a flood of logs and alerts that were beginning to flow in from intrusion detection systems (IDS) and intrusion prevention systems (IPS). But as with any nascent market, SIEM lacked standards. Each vendor implemented SIEM differently, using different data stores, query languages and analytics engines. Some solutions were implemented in software and some in hardware. Each was a little different from the others.

Today, there are dozens of alternatives on the market. Meanwhile, the volume and types of alerts have continued to grow, adding to the complexity of SIEM. Security professionals have to monitor dashboards pretty much all the time, and they need to know exactly what they're looking for. This is ironic because attackers are always looking to hit us precisely where we aren't looking. In short, the first generation of security analytics platforms has become top heavy and complex.

**Updated** Download the 2017 Gartner Magic Quadrant for SIEM

The Need to Simplify SIEM

With the arrival of open-source frameworks such as Hadoop, which stores vast amounts of information cheaply, some IT organizations saw the opportunity to simplify SIEM by replacing dedicated software with their own data lakes. This made it simpler to load data, but it didn’t solve the problem of what to do with it. Extracting the necessary data from the various systems and interfaces is hard work, and that doesn’t go away with a data lake. Also, migrating from a purpose-built solution like SIEM to a general-purpose data platform requires a lot of customization and programming.

With a data lake, organizations still have to answer questions about what kind of data to collect, how frequently to update it, how long to keep it and which use cases to examine. Over time, the scope of the problem grows and the same complexity problems resurface. Query tools may be standardized, but queries aren’t. IT organizations still have to know what to look for and invent their own approaches to finding it. That’s what I mean by trading one problem for a slightly different one.

Solving a Complexity Problem

SIEM was never a bad idea, but the growing volumes of information that organizations layered into their SIEM systems created a complexity problem. The solution isn’t to throw out the security analytics platform, but to modify it with concepts borrowed from cloud, big data, predictive analytics and machine learning.

In the early days of SIEM, the platform had to be developed from scratch. Today, we can leverage open-source building blocks where it makes sense, then extend them through crowdsourcing. The result is the IBM QRadar Security Intelligence Platform, a unified architecture for SIEM that uses advanced analytics engines to capture data from a wide variety of sources, correlate patterns with high-risk threats and elevate high-priority incidents from the mass of data. You can use it on-premises or in the cloud.

QRadar collects information from edge protection devices, switches, routers, servers, operating systems and even applications. It applies correlation analysis and security analytics in real time to distinguish real threats from false positives. Out-of-the-box templates and filters, combined with a user interface that humans can actually understand, dramatically reduce training times.

Revamping Your Security Analytics Platform

Thanks to machine intelligence, QRadar learns from usage patterns. It can detect, for example, excessive usage of an application or unusual off-hours activity by comparing current behavior against a baseline built from historical data. Dashboards show spikes in alert activity, enabling administrators to drill down for more information.
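To make the two ideas above concrete, here is an added example (written for this page, not QRadar's code or any IBM product logic) that implements a real-time correlation rule of the kind described under "correlation analysis" and a per-user historical baseline of the kind described for "unusual off-hours activity." The key=value log format, the sample events, the 5% baseline threshold and the 5-failures-in-10-minutes rule are all assumptions made up for the demonstration; a real deployment would tune each against its own data.

```python
"""Two SIEM building blocks over constructed authentication events:
  1. a per-user baseline of normal login hours, learned from history,
     used to flag off-hours logins; and
  2. a correlation rule that ties a burst of failed logins to a later
     success from the same user and source (a brute-force that worked).
Illustrative code written for this article, not QRadar's implementation."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed history (format "ts user= src= action= result=" is an assumption).
# alice works a day shift (09-17 UTC), bob a night shift (22-05 UTC).
HISTORY = [
    *[f"2016-08-{d:02d}T{h:02d}:05:00Z user=alice src=10.0.0.5 action=login result=success"
      for d in range(1, 21) for h in range(9, 18)],
    *[f"2016-08-{d:02d}T{h:02d}:40:00Z user=bob src=10.0.0.9 action=login result=success"
      for d in range(1, 21) for h in (22, 23, 0, 1, 2, 3, 4, 5)],
]

# Constructed "live" events to run the detections over.
CURRENT = [
    "2016-09-25T10:02:00Z user=alice src=10.0.0.5 action=login result=success",      # normal
    "2016-09-26T03:14:00Z user=alice src=198.51.100.7 action=login result=success",  # off hours
    *[f"2016-09-26T03:{m:02d}:00Z user=bob src=203.0.113.9 action=login result=failure"
      for m in range(5, 11)],                                                        # 6 failures
    "2016-09-26T03:11:00Z user=bob src=203.0.113.9 action=login result=success",     # then success
]


def parse(line):
    """Turn one key=value log line into a dict with a datetime under 'ts'."""
    ts, *kvs = line.split()
    ev = dict(kv.split("=", 1) for kv in kvs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def build_baseline(events, min_fraction=0.05):
    """Per user, the set of UTC hours that account for at least min_fraction
    of that user's historical successful logins. Rare hours fall below the
    cut so a single odd login in the past does not become 'normal'."""
    hours = defaultdict(Counter)
    for ev in events:
        if ev["action"] == "login" and ev["result"] == "success":
            hours[ev["user"]][ev["ts"].hour] += 1
    baseline = {}
    for user, counts in hours.items():
        total = sum(counts.values())
        baseline[user] = {h for h, n in counts.items() if n / total >= min_fraction}
    return baseline


def off_hours_logins(events, baseline):
    """Successful logins at an hour outside the user's learned baseline.
    Users with no history are skipped here: there is nothing to compare
    against, and a new-account rule would handle them separately."""
    return [ev for ev in events
            if ev["action"] == "login" and ev["result"] == "success"
            and ev["user"] in baseline and ev["ts"].hour not in baseline[ev["user"]]]


def brute_force_success(events, threshold=5, window=timedelta(minutes=10)):
    """Correlation rule: a successful login preceded by >= threshold failures
    for the same (user, src) within `window`. Failures are tracked per key
    and cleared once a success has been evaluated, so one burst yields one alert."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "login":
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "failure":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"user": ev["user"], "src": ev["src"],
                           "failures": len(recent), "ts": ev["ts"]})
        failures[key].clear()
    return alerts


def run_demo():
    """Learn the baseline from HISTORY, then run both detections over CURRENT."""
    history = [parse(l) for l in HISTORY]
    current = [parse(l) for l in CURRENT]
    baseline = build_baseline(history)
    return off_hours_logins(current, baseline), brute_force_success(current)


if __name__ == "__main__":
    off_hours, brute = run_demo()
    for ev in off_hours:
        print(f"off-hours login: {ev['user']} from {ev['src']} at {ev['ts']}")
    for a in brute:
        print(f"brute-force success: {a['user']} from {a['src']} after {a['failures']} failures")
```

Note what the per-user baseline buys you: bob's 03:11 login is normal for a night-shift account and is not flagged as off-hours, so only the correlation rule fires on it, while alice's 03:14 login is flagged even though nothing about the single event is suspicious on its own. That separation of "odd for this user" from "odd in isolation" is the kind of context a flat data lake does not give you until someone writes it.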

That machine learning is extended with cognitive technologies to mine the mountains of unstructured data in the blogs and web posts we all see in the security world. These unstructured sources often point to the needles of value in the haystacks of security-related information. The idea is to let the security analytics platform do the hard work and to leverage human experience via a set of standardized queries and use cases that are updated constantly.

Another great resource is the Security App Exchange, a groundbreaking collection of extensions written by IBM and its partners. These provide additional layers of analysis and reports that are validated by the QRadar team. Need a way to detect anomalous user behavior on your network? There’s an app for that.

These kinds of features are one reason IBM has again been ranked as a leader in the Gartner Magic Quadrant for SIEM. We want to help move SIEM out of the “trough of disillusionment” and back on its rightful path toward the “slope of enlightenment.”
