Security information and event management (SIEM) solutions continue to evolve, as shown in the 2021 Gartner Magic Quadrant for SIEM, which is a good representation of the changing security landscape and of the key capabilities and experiences now required to deliver top-notch security outcomes.
Security teams are busier than ever, as their IT infrastructure is modernizing at an ever-increasing pace with the move to the cloud, application modernization and disappearance of the perimeter. SIEMs are playing an increasingly crucial role in this process by providing end-to-end visibility across endpoint, network and cloud; creating a centralized view of threats; and providing analysts with the ability to respond, all while the IT infrastructure they are monitoring is changing.
However, just being able to do this is not good enough anymore; most SIEMs on the market are able to do this in some shape or form. To enable security teams to succeed today, SIEMs need to enable their users to quickly and easily triage security findings and take action — without requiring significant security knowledge, setup time, configuration work or extensive maintenance. Organizations need SIEMs that provide fast time-to-value and enable users to focus on security outcomes. Here are a few steps you can take to achieve this.
Simplify SIEM Cost and Make the Solution Consumable
SIEMs solve an incredibly complex task: collecting and analyzing a huge volume of data in real time from a heterogeneous IT infrastructure made up of dozens of technologies and vendors, and turning that data into accurate threat detection and response. However, two areas have traditionally been challenging: how SIEMs are priced, and the size and complexity of the infrastructure required to run them.
Historically, SIEMs have been priced based on data volumes and/or events per second. While this approach is still useful for a subset of customers, today’s successful SIEMs offer much simpler pricing metrics based on the size of the infrastructure or the organization being secured. This leads to more predictable costs, easier adoption and use, and increased value of SIEM technology to the organization.
SIEM delivery lagged behind other security solutions (identity, for example) in moving to the cloud, but software-as-a-service (SaaS) has become an increasingly popular consumption method for SIEMs. SaaS frees security teams from having to think about and manage a large system of servers, patches, availability, disaster recovery, etc., and lets teams focus on which security outcomes are needed and the best ways to deliver them.
Make Security Actionable
Over the years, there has been a lot of debate about log management vs. SIEMs, and the reality is that a good SIEM must have very strong log management capabilities. However, in today’s fast-moving environment, SIEMs must produce actionable insights from data almost immediately. It is no longer sufficient to simply collect, store and make this raw data available for analysis.
Security teams need to be able to easily connect security telemetry from on-premises, cloud, network and endpoint systems, and to have that data automatically interpreted and analyzed by a comprehensive set of out-of-the-box security analytics, including the application of threat intelligence, rules and behavioral analytics to identify both known and unknown threats. The MITRE ATT&CK framework is also becoming a critical tool that organizations can use to optimize their threat detection. Furthermore, the data across all or part of the IT infrastructure must be automatically correlated and visualized as an easily consumable attack chain to help analysts understand threats more quickly.
SIEMs need to enable threat hunting and investigation processes more easily. Again, trawling through log files for evidence is no longer adequate. Users need the ability to examine user activity holistically to more easily identify abnormal behavior potentially indicating an insider threat. Users also need to be able to quickly identify and investigate anomalous behavior at the network level, as well as be able to quickly act on new threat intelligence.
Of course, threat identification is only one part of the problem set. Security teams need SIEMs to have embedded security orchestration, automation and response (SOAR) functionality so that they can collaborate as a team, enrich incidents with additional context, and automate and coordinate response plans so that manual tasks are reduced and nothing “falls between the cracks.”
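The three preceding paragraphs describe the analytic layers a SIEM applies (threat-intelligence matching, detection rules, behavioral baselines), correlation of the resulting findings into an ATT&CK-tagged attack chain per host, and an automated SOAR-style response. The following is an added illustrative example written for this page, not code from IBM Security QRadar or any other product. The log events, the IOC list, the baseline hours, the technique mappings and the playbook names are all constructed for the example and are assumptions, not real data or a real playbook.

```python
"""Toy SIEM pipeline: detectors -> findings -> per-host attack chain -> response.

Added example, not a product's code. All events, IOCs and playbook names
below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (normalized events, not real logs).
SAMPLE_EVENTS = [
    {"ts": "2021-06-01T03:02:00Z", "host": "ws-17", "user": "alice", "src_ip": "10.0.0.9", "type": "logon_failed"},
    {"ts": "2021-06-01T03:02:10Z", "host": "ws-17", "user": "alice", "src_ip": "10.0.0.9", "type": "logon_failed"},
    {"ts": "2021-06-01T03:02:20Z", "host": "ws-17", "user": "alice", "src_ip": "10.0.0.9", "type": "logon_failed"},
    {"ts": "2021-06-01T03:02:30Z", "host": "ws-17", "user": "alice", "src_ip": "10.0.0.9", "type": "logon_failed"},
    {"ts": "2021-06-01T03:02:40Z", "host": "ws-17", "user": "alice", "src_ip": "10.0.0.9", "type": "logon_failed"},
    {"ts": "2021-06-01T03:03:00Z", "host": "ws-17", "user": "alice", "src_ip": "10.0.0.9", "type": "logon_success"},
    {"ts": "2021-06-01T03:05:00Z", "host": "ws-17", "user": "alice", "type": "process_start",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ts": "2021-06-01T03:06:00Z", "host": "ws-17", "user": "alice", "type": "net_connect", "dst_ip": "203.0.113.50"},
    {"ts": "2021-06-01T09:00:00Z", "host": "ws-22", "user": "bob", "src_ip": "10.0.0.12", "type": "logon_success"},
    {"ts": "2021-06-01T09:01:00Z", "host": "ws-22", "user": "bob", "type": "net_connect", "dst_ip": "198.51.100.7"},
]
IOC_IPS = {"203.0.113.50"}                                   # constructed threat-intel feed
BASELINE_HOURS = {"alice": range(8, 19), "bob": range(8, 19)}  # constructed per-user logon-hour baseline (UTC)
PLAYBOOK = {                                                 # constructed SOAR mapping: technique -> action
    "T1110": "block_source_ip_at_firewall",
    "T1071": "sinkhole_ioc_at_proxy",
    "T1059.001": "isolate_host_via_edr",
    "T1078": "force_password_reset_and_mfa_review",
}


@dataclass
class Finding:
    ts: datetime
    host: str
    user: str
    technique: str   # MITRE ATT&CK technique ID (mapping chosen for the example)
    detector: str
    detail: str


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_ioc(events, iocs):
    """Threat-intelligence layer: any connection to a listed destination."""
    return [Finding(parse_ts(e["ts"]), e["host"], e["user"], "T1071", "threat_intel",
                    f"connection to listed IOC {e['dst_ip']}")
            for e in events if e.get("dst_ip") in iocs]


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Rule layer: >= threshold failed logons for one (src_ip, user) inside the window, then a success."""
    fails, findings = defaultdict(list), []
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 strings sort chronologically
        if e["type"] not in ("logon_failed", "logon_success"):
            continue
        key, ts = (e.get("src_ip"), e["user"]), parse_ts(e["ts"])
        if e["type"] == "logon_failed":
            fails[key].append(ts)
            continue
        recent = [t for t in fails[key] if ts - t <= window]
        if len(recent) >= threshold:
            findings.append(Finding(ts, e["host"], e["user"], "T1110", "rule:brute_force",
                                    f"{len(recent)} failures from {key[0]} followed by success"))
        fails[key].clear()
    return findings


def detect_encoded_powershell(events):
    """Rule layer: PowerShell launched with -EncodedCommand or any accepted prefix of it (-e, -enc, ...)."""
    def encoded(cmdline):
        tokens = cmdline.lower().split()
        return tokens and "powershell" in tokens[0] and any(
            len(t) >= 2 and "-encodedcommand".startswith(t) for t in tokens[1:])
    return [Finding(parse_ts(e["ts"]), e["host"], e["user"], "T1059.001", "rule:encoded_powershell", e["cmdline"])
            for e in events if e["type"] == "process_start" and encoded(e["cmdline"])]


def detect_offhours_logon(events, baseline_hours):
    """Behavioral layer: successful logon at an hour never seen for that user in the baseline."""
    return [Finding(parse_ts(e["ts"]), e["host"], e["user"], "T1078", "behavioral:offhours_logon",
                    f"logon at {parse_ts(e['ts']).hour:02d}:00 UTC outside baseline")
            for e in events if e["type"] == "logon_success"
            and parse_ts(e["ts"]).hour not in baseline_hours.get(e["user"], range(24))]


def propose_actions(chain):
    """SOAR-style step: turn the technique chain into an ordered list of playbook actions."""
    return [PLAYBOOK[t] for t in chain if t in PLAYBOOK]


def correlate(findings, min_techniques=2):
    """Group findings per host into a time-ordered attack chain; raise an offense when >= min_techniques differ."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    offenses = {}
    for host, fs in by_host.items():
        fs.sort(key=lambda f: f.ts)                    # stable sort keeps detector order on ties
        chain = list(dict.fromkeys(f.technique for f in fs))  # distinct techniques, first-seen order
        if len(chain) >= min_techniques:
            offenses[host] = {"host": host, "users": sorted({f.user for f in fs}), "chain": chain,
                              "findings": fs, "actions": propose_actions(chain)}
    return offenses


def run_siem(events, iocs, baseline_hours):
    findings = (detect_ioc(events, iocs) + detect_brute_force(events)
                + detect_encoded_powershell(events) + detect_offhours_logon(events, baseline_hours))
    return correlate(findings)


if __name__ == "__main__":
    for host, off in run_siem(SAMPLE_EVENTS, IOC_IPS, BASELINE_HOURS).items():
        print(host, off["users"], " -> ".join(off["chain"]), off["actions"])
```

Run as a script it prints one offense for ws-17 with the chain T1110 -> T1078 -> T1059.001 -> T1071 and the four playbook actions; ws-22 produces no findings and so no offense. The point of the example is the shape of the pipeline rather than the individual rules: single-layer hits are noisy on their own (an off-hours logon, one encoded PowerShell launch), and it is the per-host correlation into a chain, tagged with ATT&CK techniques, that gives an analyst something actionable and gives a playbook something to act on.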
Ensure Simplicity and Consumability of Workflows
There is a saying: “Complexity is the root of all evil.” Complexity is definitely at the root of a lot of security failures — and a lot of wasted time. The security solutions market has been pivoting in recent times to focus on simple, consumable solutions that deliver specific outcomes for teams. This covers many aspects of a product offering, from purchasing, installation and deployment, to ongoing use. Some of these are addressed above; of equal importance are the consumability and visual presentation of information to users so that they can make the right decisions quickly. Context is absolutely critical for decision making in security. Successful SIEMs focus not only on bringing context to users, but also on doing it in a way that is completely integrated into their workflow and decision-making processes to minimize the need for context and screen switching.
Of course, even users of the most mature and expansive SIEM solutions need simple and quick access to data that resides outside of the SIEM, perhaps in an endpoint detection and response (EDR) tool, operational technology (OT) system, logging platform or cloud bucket. SIEMs that are designed for the future provide the ability for security users to seamlessly access and analyze data-at-rest in other solutions to enrich their investigations and threat hunting.
What Will Happen With SIEM in the Future?
It is always a challenge to predict what the next evolution of SIEM will be, especially given how much change has happened and how much hype there is in the security market. However, three things are likely:
- SIEMs will become increasingly hybrid, multicloud based and will leverage cloud-native architectures to enable both more choice and more seamless scaling, robustness and availability.
- SIEMs will increasingly become more open. They’ll adopt more open security standards and technologies, and they’ll increasingly support data federation, as the perimeter disappears and security controls become more dispersed across on-premises, endpoint, cloud, container, OT and Internet of Things security platforms.
- SIEMs will continue to be a critical component of security, and an increasing focus on streamlined workflows will make automation and artificial intelligence easier to consume and use.
As the industry moves forward, the need for open security that enables security teams to quickly and easily support the entire security operations center (SOC) workflow — including visibility, detection, investigation and response — across multiple tools and data sets will be paramount. IBM is investing heavily in these areas, which is one reason IBM has been named a Leader for the 12th consecutive year in the 2021 Gartner Magic Quadrant for SIEM report. Attend the webinar to learn more about how IBM Security QRadar is helping security teams be more efficient and more effective.
VP, Product Management, IBM Security