Born next to firewalls, network access controls and vulnerability assessment tools, security information and event management (SIEM) systems have been around for over 15 years and have now reached a high level of maturity and productivity. As a result, today’s SIEMs are not the same as they were in 2004.
So what of the claim that SIEM is dead? The answer may be simple: SIEM has gone through a tremendous change pattern, so it’s not the same tool set we once knew. Here are five signs your current SIEM deployment may be outdated, and what to look for going forward.
1. Dependence on Static Collectors and Span Ports
Gone are the days when SIEMs only consumed firewall and access data. Today’s SIEM needs to accept a higher volume and variety of data than ever before. Highly specialized data sources from the network and/or endpoint are also dictating new collection capabilities, such as extra-long log entries with rich context, log buffering and throttling optimized for cloud storage. One especially critical need is the ability to quickly adapt to new log sources to maintain maximum visibility. If your visibility feels weak, you may lack the right data sources and should look for deeper endpoint, network, user or application data.
Visibility may also be limited by dependence on a Switched Port Analyzer (SPAN) port. Remember that when your network is suffocated, perhaps by an attack, your SPAN-connected sensors could be missing a lot of data, so have your SIEM collect from more lightweight, ubiquitous sensors as well.
2. Blocked in the Funnel
SIEMs with only relational databases are disappearing. The need to analyze more data within broad time windows has generated interest in alternative data management concepts such as data streaming, distributed data processing and hybrid on-premises/cloud data storage. These advancements in data management have expanded data searching, grouping and transformation capabilities needed for threat hunting, a process that has been slowly but steadily adopted over the last few years. The bottom line here is that the log funnel from 2004 is likely being replaced with a new “event horizon” approach where the user can select from a variety of data lakes to start the analytic processes and increase detection.
3. Manual SIEM Analytics and Custom Content
Recently, advances in security analytics have been a core focus. SIEMs originally consisted of watchlists, baselining and simple if-then rules, but have now expanded into high-volume data streaming, machine learning and, especially, automation.
In the past, many SIEMs failed because they were labor-intensive and expensive to maintain. The concept of purpose-built security workflows and content to prime the analytic engine started to alleviate this. Modern SIEMs provide both a broad spectrum of analytic processes and content to produce more high-quality threat insight that is prioritized, enriched and aggregated. An advanced SIEM will even help automate and guide the investigation. The core improvements to look for are speed and quality of detection. If your analysts are acting mostly on threat eradication (i.e., looking at signs that an endpoint is already compromised) instead of on more proactive attack or risk indicators, it’s time to rethink the analytic content and processes.
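To make the contrast above concrete, here is an added example (not code from the original article or any SIEM product) that runs the three classic analytics the section names, a watchlist, a simple if-then rule and a baseline, over a constructed set of authentication events, and then does what the section describes modern SIEMs doing: aggregating the raw hits into one enriched, prioritized finding per user and hour. The event layout, the watchlist contents and the scoring weights are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

EVENTS = [  # constructed sample auth events (not real data): (hour, user, src_ip, outcome)
    (0, "alice", "10.0.0.5", "success"), (1, "alice", "10.0.0.5", "success"),
    (2, "bob", "10.0.0.7", "failure"), (3, "bob", "10.0.0.7", "success"),
    (3, "carol", "203.0.113.4", "success"),  # lone hit on a listed address, nothing else
    (4, "alice", "10.0.0.5", "success"), (5, "bob", "10.0.0.7", "success"),
    # Hour 6: a burst of failures against one account from a listed address, then a success.
] + [(6, "alice", "198.51.100.9", "failure")] * 4 + [(6, "alice", "198.51.100.9", "success")]
WATCHLIST = {"198.51.100.9", "203.0.113.4"}  # constructed stand-in for a threat-intel feed

def watchlist_hits(events):
    """Classic watchlist: flag every event from a listed source address."""
    return [e for e in events if e[2] in WATCHLIST]

def rule_hits(events, threshold=3):
    """Simple if-then rule: more than `threshold` failures per user per hour."""
    counts = defaultdict(int)
    for hour, user, _ip, outcome in events:
        counts[(hour, user)] += outcome == "failure"
    return {key: n for key, n in counts.items() if n > threshold}

def baseline_anomalies(events, z=2.0):
    """Baselining: hours whose failure count sits more than z standard deviations
    above the mean of the other hours (sd floored at 1 so a flat baseline ignores noise)."""
    per_hour = defaultdict(int)
    for hour, _user, _ip, outcome in events:
        per_hour[hour] += outcome == "failure"
    anomalies = []
    for hour in sorted(per_hour):
        others = [per_hour[h] for h in per_hour if h != hour]
        if per_hour[hour] > mean(others) + z * max(pstdev(others), 1.0):
            anomalies.append(hour)
    return anomalies

def aggregate(events):
    """Modern-style output: one finding per (hour, user), enriched with the analytics
    that corroborate it and ranked by score so analysts see the strongest signal first."""
    findings = defaultdict(lambda: {"sources": set(), "score": 0})
    for hour, user, _ip, _outcome in watchlist_hits(events):
        findings[(hour, user)]["sources"].add("watchlist")
        findings[(hour, user)]["score"] += 3
    for key, n in rule_hits(events).items():
        findings[key]["sources"].add("rule")
        findings[key]["score"] += n
    anomalous_hours = set(baseline_anomalies(events))
    for key in [k for k in findings if k[0] in anomalous_hours]:
        findings[key]["sources"].add("baseline")
        findings[key]["score"] += 2
    return sorted(findings.items(), key=lambda kv: -kv[1]["score"])
```

Run alone, the three classic analytics produce eight separate hits; `aggregate` collapses them into two findings, with the one corroborated by all three analytics ranked above the lone watchlist match.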
4. Inefficient Usage
SIEM typically has two types of users: creators of analytics and consumers of analytics. Creators configure and load the system with analytic content. These are the advanced users who help drive the SIEM forward. Consumers of analytics are your tier-1 and tier-2 hunters and risk officers who log on to review dashboards, alerts and reports and engage in searches enabled by the creators.
The challenge comes when there are very few users of either kind, combined with inefficient usage. This indicates that your SIEM may be stuck in log management mode, constrained to static detection, with its threat management evolution halted because its environment has stopped changing. Modern SIEMs help here by providing a library of analytical content that is easily accessible and optimized for specific use cases, without the need to restructure or implement complex upgrades.
5. Cost to Scale
Cloud adoption, new threats and a need for more thorough investigations often drive up SIEM costs substantially. An interesting side note here is that SIEM practitioners don’t control the moment when your organization is hit with an advanced threat or new cloud monitoring needs, which lets costs sneak in through an open door. What security teams do control, though, is how they prepare: data consumption strategies that won’t break the bank, prebuilt analytic processes and rich ecosystems of tools pre-integrated with the SIEM to support your monitoring and investigation needs into the next decade.
In the past, SIEMs definitely had their challenges, but more than 15 years of dynamic fluctuations between attackers and defenders have hardened security analytics methods and pushed them forward through evolution. If you feel your SIEM hasn’t evolved with shifting threat environments, perhaps it’s time to rethink it.