Despite what you may have heard, security information and event management (SIEM) is not dead. Rather, it’s become an integral part of the latest advancement in security operations: the fusion center.

We are seeing a paradigm shift in the space, and SIEM is no longer enough on its own to conduct the level of protective monitoring organizations need to stay abreast of rapidly evolving threats. Instead, companies are looking to more comprehensive solutions that, when integrated with state-of-the-art SIEM tools, can help organizations go beyond simply detecting and reporting security incidents.

Why SIEM Only Addresses Part of the Problem

Protective monitoring is a maturing discipline within the cybersecurity portfolio. I still remember the early days when it involved little more than storing logs, usually for years. If you were lucky, you had some analytics tools to help you stitch together what went wrong, but only after the event had already occurred. Granted, this was a useful exercise to close awareness gaps and learn lessons, but it wasn’t really monitoring — and I’m not sure who ever took the time to sift through all that data.

So the security community endeavored to come up with a way to stop the horse from bolting in the first place, and SIEM was born. Along with the security operations center (SOC), this solution enabled organizations to monitor what was going on across their systems in real or near real time. As SIEM has evolved, we have developed the ability to correlate different logs, look at network flows, consider user access patterns and use powerful artificial intelligence (AI) to spot anomalies, the needles in all those haystacks of data.

However, standing up your own SOC is an expensive undertaking. That’s why, along with the technology itself, we have also developed new consumption models — in-house, outsourced, shared and cloud-based platforms — that are all aimed at reducing the costs of trying to spot what is happening on your infrastructure.

There are two problems with the current SIEM paradigm, however. First, it can take months to set up a SIEM solution properly, and it requires constant tuning to reduce false positives and allow your SOC team to adjust to changing business patterns. Second, too many SOC delivery models involve little more than spotting a problem and then simply telling someone about it. Of course you would want someone to wake you up and alert you at 4 a.m. if you’re under attack, but it doesn’t solve the underlying problem. How can organizations update the way they use SIEM and security analytics tools to match the speed and complexity of today’s threat landscape?

Introducing the SOC’s Big Brother: The Fusion Center

If we look at the five functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework — Identify, Protect, Detect, Respond and Recover — so far, we are only covering the detection part of the equation. To fill in the gaps, we’re now witnessing the emergence of the SOC’s big brother: the fusion center. The fusion center’s job is to cover the entire spectrum of the NIST model.

What makes the fusion center different? Whereas a SOC only pulls in data from your infrastructure and then stops at an analyst, the fusion center uses a wider set of data sources, collects data from both inside and outside your organization, correlates and enriches that data (often using advanced AI and machine learning to draw conclusions), and pushes this enriched information out to the relevant parts of your organization to respond and recover.

There are multiple advantages to the fusion center approach. Due to advanced automation and the use of machine learning, between 30 and 70 percent of level 1 analyst tasks can be automated, which helps improve response times, reduce the number of analysts needed and free up your security teams to focus on more important tasks.

Another advantage is that, due to the multiple sources of information being ingested by the system (including from native cloud monitoring tools), you can conduct more thorough and in-depth analyses of what is happening on your infrastructure and cloud systems, draw better conclusions and identify wider implications from initially simple-looking issues.

Finally, you can mount a more consistent and thorough response by using integrated runbooks and regularly drilling incident response plans. You can also implement systems that automatically notify relevant parties of key developments and collect and analyze threat data in a single portal. This results in faster containment and eradication with a complete record of what has occurred so you can review lessons learned and continuously improve your processes.

So is SIEM dead? Not remotely — but it’s no longer the only tool in your arsenal, either. With fusion center capabilities, you can harness the power of AI and machine learning to deliver better protection and speed up recovery times.

More from Intelligence & Analytics

What makes a trailblazer? Inspired by John Mulaney’s Dreamforce roast

4 min read - When you bring a comedian to offer a keynote address, you need to expect the unexpected.But it is a good bet that no one in the crowd at Salesforce’s Dreamforce conference expected John Mulaney to tell a crowd of thousands of tech trailblazers that they were, in fact, not trailblazers at all.“The fact that there are 45,000 ‘trailblazers’ here couldn’t devalue the title anymore,” Mulaney told the audience.Maybe it was meant as nothing more than a punch line, but Mulaney’s…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today