Security information and event management (SIEM) solutions continue to evolve, as shown in the 2021 Gartner Magic Quadrant for SIEM, which is a great representation of the changing security landscape and the evolution of key capabilities and experiences that are required to deliver top-notch security outcomes.

Security teams are busier than ever, as their IT infrastructure is modernizing at an ever-increasing pace with the move to the cloud, application modernization and disappearance of the perimeter. SIEMs are playing an increasingly crucial role in this process by providing end-to-end visibility across endpoint, network and cloud; creating a centralized view of threats; and providing analysts with the ability to respond, all while the IT infrastructure they are monitoring is changing.

However, just being able to do this is not good enough anymore; most SIEMs on the market are able to do this in some shape or form. To enable security teams to succeed today, SIEMs need to enable their users to quickly and easily triage security findings and take action — without requiring significant security knowledge, setup time, configuration work or extensive maintenance. Organizations need SIEMs that provide fast time-to-value and enable users to focus on security outcomes. Here are a few steps you can take to achieve this.

Simplify SIEM Cost and Make the Solution Consumable

SIEMs solve an incredibly complex task: collecting and analyzing a massive volume of data in real time from a heterogeneous IT infrastructure built from dozens of technologies and vendors, and turning that data into accurate threat detection and response. However, two areas have traditionally been challenging: how SIEMs are priced, and the size and complexity of the infrastructure required to run them.

Historically, SIEMs have been priced based on data volumes and/or events per second. While this approach is still useful for a subset of customers, today’s successful SIEMs offer much simpler pricing metrics based on the size of the infrastructure or the organization being secured. This leads to more predictable costs, easier adoption and use, and increased value of SIEM technology to the organization.

SIEM infrastructure lagged behind other security solutions (e.g., identity) for a while, but software-as-a-service (SaaS) has become an increasingly popular consumption method for SIEMs. SaaS frees security teams from having to think about and manage a large estate of servers, patches, availability, disaster recovery, etc., and lets them focus on which security outcomes are needed and the best ways to deliver them.


Make Security Actionable

Over the years, there has been a lot of debate about log management vs. SIEMs, and the reality is that a good SIEM must have very strong log management capabilities. However, in today’s fast-moving environment, SIEMs must produce actionable insights from data almost immediately. It is no longer sufficient to simply collect, store and make this raw data available for analysis.

Security teams need to be able to easily connect security telemetry from on-premises, cloud, network and endpoint systems, as well as have that data automatically interpreted and analyzed by a comprehensive set of out-of-the-box security analytics — including the application of threat intelligence, rules and behavioral analytics to identify known and unknown threats. The MITRE ATT&CK framework is also becoming a critical tool that organizations can use to optimize their threat detection. Furthermore, the data across all or part of the IT infrastructure must be automatically correlated and visualized in an easily consumable attack chain to help analysts more easily understand threats.

SIEMs need to enable threat hunting and investigation processes more easily. Again, trawling through log files for evidence is no longer adequate. Users need the ability to examine user activity holistically to more easily identify abnormal behavior potentially indicating an insider threat. Users also need to be able to quickly identify and investigate anomalous behavior at the network level, as well as be able to quickly act on new threat intelligence.
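The two paragraphs above describe three analytic layers (threat-intelligence matching, signature rules and behavioral baselines) feeding a correlated, ATT&CK-tagged attack chain. The following is an added toy illustration of that pipeline, written for this article and not code from IBM or QRadar. All telemetry, the threat-intel indicator (a TEST-NET-3 address), the per-user login baselines and the 30-minute correlation window are constructed assumptions; the ATT&CK technique IDs (T1059.001, T1071, T1078) are real, but mapping each finding to exactly one technique is a simplification.

```python
"""Toy SIEM analytics: threat intel + rule + behavioral baseline -> attack chain."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intel indicator (TEST-NET-3 range, not a real IoC).
KNOWN_BAD_IPS = {"203.0.113.45"}

# Constructed per-user baseline: normal successful cloud logins per hour.
BASELINE_LOGINS_PER_HOUR = {"alice": 1, "bob": 4}

# Findings on the same host within this window are correlated into one chain.
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed sample telemetry from endpoint, network and cloud sources.
EVENTS = [
    {"ts": "2021-06-01T09:00:05", "src": "endpoint", "host": "ws-17", "user": "alice",
     "type": "process", "cmd": "powershell.exe -enc SQBFAFgA"},
    {"ts": "2021-06-01T09:00:09", "src": "network", "host": "ws-17", "user": "alice",
     "type": "conn", "dst_ip": "203.0.113.45"},
] + [
    {"ts": f"2021-06-01T09:0{m}:00", "src": "cloud", "host": "ws-17", "user": "alice",
     "type": "login", "result": "success"} for m in range(2, 7)       # 5 logins
] + [
    {"ts": "2021-06-01T09:10:00", "src": "endpoint", "host": "ws-22", "user": "bob",
     "type": "process", "cmd": "powershell.exe Get-Process"},          # benign
    {"ts": "2021-06-01T09:11:00", "src": "network", "host": "ws-22", "user": "bob",
     "type": "conn", "dst_ip": "198.51.100.7"},                        # not in TI
] + [
    {"ts": f"2021-06-01T09:{m}:00", "src": "cloud", "host": "ws-22", "user": "bob",
     "type": "login", "result": "success"} for m in (12, 14, 16, 18)  # 4 logins
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _finding(event, technique, name):
    return {"ts": event["ts"], "host": event["host"], "user": event["user"],
            "technique": technique, "name": name}


def match_threat_intel(events):
    """Known-threat layer: outbound connection to an IP on the intel list."""
    return [_finding(e, "T1071", "Connection to threat-intel listed IP")
            for e in events if e["src"] == "network" and e.get("dst_ip") in KNOWN_BAD_IPS]


def match_rules(events):
    """Signature layer: endpoint process launching encoded PowerShell."""
    findings = []
    for e in events:
        cmd = e.get("cmd", "").lower()
        if e["src"] == "endpoint" and "powershell" in cmd and "-enc" in cmd:
            findings.append(_finding(e, "T1059.001", "Encoded PowerShell command line"))
    return findings


def detect_login_anomalies(events, factor=3):
    """Behavioral layer: successful cloud logins far above the user's baseline.
    Simplification: the whole sample is treated as a single one-hour bucket."""
    logins = defaultdict(list)
    for e in events:
        if e["src"] == "cloud" and e["type"] == "login" and e["result"] == "success":
            logins[e["user"]].append(e)
    findings = []
    for user, evs in logins.items():
        baseline = BASELINE_LOGINS_PER_HOUR.get(user, 1)
        if len(evs) > factor * baseline:
            first = min(evs, key=_ts)  # anomaly is timestamped at the start of the burst
            findings.append(_finding(first, "T1078",
                                     f"{len(evs)} logins vs baseline {baseline}/hour"))
    return findings


def build_attack_chains(events):
    """Correlate findings per host into a time-ordered list of ATT&CK techniques.
    A chain is emitted only when at least two distinct techniques fall inside
    CORRELATION_WINDOW; isolated single findings stay as plain alerts."""
    findings = match_threat_intel(events) + match_rules(events) + detect_login_anomalies(events)
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    chains = {}
    for host, host_findings in by_host.items():
        host_findings.sort(key=_ts)
        techniques = []
        for f in host_findings:
            if f["technique"] not in techniques:
                techniques.append(f["technique"])
        span = _ts(host_findings[-1]) - _ts(host_findings[0])
        if len(techniques) >= 2 and span <= CORRELATION_WINDOW:
            chains[host] = techniques
    return chains


if __name__ == "__main__":
    for host, chain in build_attack_chains(EVENTS).items():
        print(f"{host}: {' -> '.join(chain)}")
```

Run as a script it prints one chain for `ws-17` (encoded PowerShell, then a connection to the listed IP, then a login burst), while `ws-22` produces no findings at all: the benign PowerShell, the unlisted IP and bob's four logins (within his baseline) never reach the correlation step. The point the article makes is the last step: an analyst sees one host-level chain with technique labels rather than three unrelated alerts from three log sources.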

Of course, threat identification is only one part of the problem set. Security teams need SIEMs to have embedded security orchestration, automation and response (SOAR) functionality so that they can collaborate as a team, enrich incidents with additional context, and automate and coordinate response plans so that manual tasks are reduced and nothing “falls between the cracks.”

Ensure Simplicity and Consumability of Workflows

There is a saying: “Complexity is the root of all evil.” Complexity is definitely at the root of a lot of security failures — and a lot of wasted time. The security solutions market has been pivoting in recent times to focus on simple, consumable solutions that deliver specific outcomes for teams. This covers many aspects of a product offering, from purchasing, installation and deployment, to ongoing use. Some of these are addressed above; of equal importance are the consumability and visual presentation of information to users so that they can make the right decisions quickly. Context is absolutely critical for decision making in security. Successful SIEMs focus not only on bringing context to users, but also on doing it in a way that is completely integrated into their workflow and decision-making processes to minimize the need for context and screen switching.

Of course, even users of the most mature and expansive SIEM solutions need simple and quick access to data that resides outside of the SIEM, perhaps in an endpoint detection and response (EDR) tool, operational technology (OT) system, logging platform or cloud bucket. SIEMs that are designed for the future provide the ability for security users to seamlessly access and analyze data-at-rest in other solutions to enrich their investigations and threat hunting.

What Will Happen With SIEM in the Future?

It is always a challenge to predict what the next evolution of SIEM will be, especially given how much change has happened and how much hype there is in the security market. However, three things are likely:

  • SIEMs will become increasingly hybrid and multicloud-based, and will leverage cloud-native architectures to enable both more choice and more seamless scaling, robustness and availability.
  • SIEMs will increasingly become more open. They’ll adopt more open security standards and technologies, and they’ll increasingly support data federation, as the perimeter disappears and security controls become more dispersed across on-premises, endpoint, cloud, container, OT and Internet of Things security platforms.
  • SIEMs will continue to be a critical component of security, and an increasing focus on streamlined workflows will make automation and artificial intelligence easier to consume and use.

As the industry moves forward, the need for open security that enables security teams to quickly and easily support the entire security operations center (SOC) workflow — including visibility, detection, investigation and response — across multiple tools and data sets will be paramount. IBM is investing heavily in these areas, which is one reason IBM has been named a Leader for the 12th consecutive year in the 2021 Gartner Magic Quadrant for SIEM report. Attend the webinar to learn more about how IBM Security QRadar is helping security teams be more efficient and more effective.
