How Do Security Intelligence Solutions Differ from First-Gen SIEM Products?

This is part 2 of an ongoing series of posts that answer “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask.”

Now that we have a good understanding of Security Intelligence, let’s draw a clear picture of how modern Security Intelligence solutions evolved – and differ – from first-generation SIEM products.  SIEM has become a widely deployed technology over the last 5+ years, and for good reason.  But due to scale limitations and lack of visibility, legacy SIEM products can no longer go toe-to-toe with the advanced targeted threats (AKA, advanced persistent threats) making headlines today.

Log Management and Security Information and Event Management (SIEM) products are a standard element of the IT security landscape today.  Large and small organizations in private and public sectors have widely adopted the solutions, and Gartner has published its SIEM Magic Quadrant report for a number of years.  (Reportedly it’s one of Gartner’s most popular MQ reports across all IT disciplines.)  The popularity of SIEM owes to its value:  sophisticated monitoring and reporting on diverse network activity, enabling the identification of potential security risks and ensuring compliance with regulatory and policy requirements.

But first-generation SIEM products are now obsolete. Yes, obsolete. Here’s where they lag Security Intelligence solutions:

  • No network activity monitoring. In the past, event logs from devices, applications and servers gave you a rough idea of what was happening on your network.  Today, that’s just a starting point.  Security Intelligence now requires real-time visibility into the flows, user activity, social media usage, mobile access and application content traversing your network – something first-gen SIEM can’t offer.  Is that conversation using port 80 really web traffic, or is it a hidden botnet IRC communication?  Have intruders compromised a user account and used it to post sensitive information to social media sites?  Are your employees committing fraud or transmitting sensitive intellectual property inappropriately?  Without integrating network behavior analysis / anomaly detection into SIEM, you won’t know until it’s too late.
  • Not architected to scale. First-gen SIEM products did a passable job of collecting and correlating event logs for moderate-size organizations.  But add in flow data, perform a few simultaneous searches, or deploy in a very large enterprise, and first-gen SIEMs choke.  The reason is simple: they’re not architected to scale.  They depend on external relational databases, which struggle to support the volume of I/O operations involved in demanding scenarios.  Security Intelligence solutions are built from the ground up with purpose-built databases, so they can collect and correlate massive volumes of data in real time, and still respond nimbly to ad hoc searches.
  • No pre-exploit security awareness. The Security Intelligence timeline doesn’t begin at the point of exploit or breach.  That’s just when the clock starts ticking on your detection and remediation activities.  Modern Security Intelligence solutions inherently differ from first-generation SIEM products by integrating pre-exploit risk and vulnerability management capabilities, as one example.  This allows you to identify, prioritize and reduce risks associated with misconfigured devices and unpatched vulnerabilities.  In this way you actually reduce the number of breaches, as well as detect and remediate the ones that occur.
  • Reliance on signature-based detection. The game has changed.  You can’t sit back, update your malware signatures, and expect to protect your network.  First-gen SIEM offerings relied too much on the assumption of a finite and familiar set of threats.  This approach fails when the threat vectors grow exponentially more diverse by the day.
  • Too slow to deploy, too expensive to staff. When first-gen SIEMs hit the market, early adopters were willing to spend plenty of time and money to get them up and running.  Connectors and rules needed to be written, users needed to be trained and so on.  Once in production, their staffing requirements could also be significant.  They spit out too many false positives, thus requiring the addition of staff to investigate volumes of incidents.  Modern Security Intelligence solutions use a broader set of data (event, flow, asset, topology, vulnerability, configuration, etc.) and advanced automation to cut through the noise and reduce – not expand – security staffing requirements.  One organization, for example, reduced ongoing security staff time requirements by 88% with Security Intelligence.
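
The port 80 question raised above (is it really web traffic, or IRC command-and-control hiding on a web port?) is the kind of check that flow-level application awareness answers and plain event logs cannot. The example below is added here and is not QRadar code or any vendor's detection logic; it assumes a sensor that records the first bytes of each flow's payload, fingerprints the application protocol from those bytes, and flags flows whose protocol does not match what the destination port implies. The flow records are constructed for illustration.

```python
# Constructed flow records: (src, dst, dst_port, first payload bytes seen by a sensor).
# These are made up for the example and are not captured traffic.
SAMPLE_FLOWS = [
    ("10.0.0.5", "93.184.216.34", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),
    ("10.0.0.7", "198.51.100.9", 80, b"NICK bot4421\r\nUSER bot4421 0 * :bot\r\nJOIN #cmd\r\n"),
    ("10.0.0.9", "203.0.113.20", 80, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("10.0.0.5", "192.0.2.44", 6667, b"NICK alice\r\nUSER alice 0 * :alice\r\n"),
]

# Application-layer fingerprints: the request-line verbs HTTP and IRC clients send first,
# and the TLS record header (content type 0x16 = handshake, major version 0x03).
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
IRC_COMMANDS = (b"NICK ", b"USER ", b"JOIN ", b"PRIVMSG ", b"PASS ")

# What each well-known port is expected to carry (assumed policy for this example).
EXPECTED_BY_PORT = {80: {"http"}, 443: {"tls"}, 6667: {"irc"}}


def classify_payload(payload: bytes) -> str:
    """Guess the application protocol from the first bytes of a flow."""
    head = payload[:16]
    if head.startswith(HTTP_METHODS):
        return "http"
    if head.startswith(IRC_COMMANDS):
        return "irc"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    return "unknown"


def port_mismatch_alerts(flows):
    """Return one alert per flow whose observed protocol is not allowed on its port.

    Flows on ports with no expectation, and flows whose protocol cannot be
    identified, are not alerted on: an unknown fingerprint is not evidence.
    """
    alerts = []
    for src, dst, port, payload in flows:
        observed = classify_payload(payload)
        allowed = EXPECTED_BY_PORT.get(port)
        if allowed and observed != "unknown" and observed not in allowed:
            alerts.append({"src": src, "dst": dst, "port": port, "observed": observed})
    return alerts


if __name__ == "__main__":
    for alert in port_mismatch_alerts(SAMPLE_FLOWS):
        print(f"{alert['src']} -> {alert['dst']}:{alert['port']} carries {alert['observed']}")
```

Against the constructed records this flags the IRC session and the TLS handshake on port 80 and passes the genuine HTTP request and the IRC traffic on its own port.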

In sum, Security Intelligence solutions have made first-generation SIEM point products obsolete, and now help organizations protect against more challenging and diverse threats, with far less effort.  They expand the scope of analysis to identify and prioritize risks before the point of exploit, and detect and resolve breaches faster through user activity and content visibility.  They also scale to far greater volumes of data at radically reduced storage costs.  And they are deployable and manageable with less manual work, satisfying stringent budget and ROI parameters.

Or in the words of one of our other customers, a leading provider of photonics-based solutions:

“We recently had an incident where someone was trying to port scan one of our email servers. Our previous system would not have seen this intrusion. Because of QRadar, we quickly – in a matter of minutes – located the individual computer and shut down the activity before any further damage could be done. The ability to locate and analyze information quickly – almost instantaneously – and in a fashion we could not do before has saved us incredible amounts of time.”

Stay tuned for the next post in this series, where we’ll look in depth at the question of how much staffing and expertise is needed to use Security Intelligence solutions.
