What Is the Role of SIEM in the Fusion Center Era?

Despite what you may have heard, security information and event management (SIEM) is not dead. Rather, it’s become an integral part of the latest advancement in security operations: the fusion center.

We are seeing a paradigm shift in the space, and SIEM is no longer enough on its own to conduct the level of protective monitoring organizations need to stay abreast of rapidly evolving threats. Instead, companies are looking to more comprehensive solutions that, when integrated with state-of-the-art SIEM tools, can help organizations go beyond simply detecting and reporting security incidents.

Why SIEM Only Addresses Part of the Problem

Protective monitoring is a maturing discipline within the cybersecurity portfolio. I still remember the early days when it involved little more than storing logs, usually for years. If you were lucky, you had some analytics tools to help you stitch together what went wrong, but only after the event had already occurred. Granted, this was a useful exercise to close awareness gaps and learn lessons, but it wasn’t really monitoring — and I’m not sure who ever took the time to sift through all that data.

So the security community endeavored to come up with a way to stop the horse from bolting in the first place, and SIEM was born. Along with the security operations center (SOC), this solution enabled organizations to monitor what was going on across their systems in real or near real time. As SIEM has evolved, we have developed the ability to correlate different logs, look at network flows, consider user access patterns and use powerful artificial intelligence (AI) to spot anomalies, the needles in all those haystacks of data.

However, standing up your own SOC is an expensive undertaking. That’s why, along with the technology itself, we have also developed new consumption models — in-house, outsourced, shared and cloud-based platforms — that are all aimed at reducing the costs of trying to spot what is happening on your infrastructure.

There are two problems with the current SIEM paradigm, however. First, it can take months to set up a SIEM solution properly, and it requires constant tuning to reduce false positives and allow your SOC team to adjust to changing business patterns. Second, too many SOC delivery models involve little more than spotting a problem and then simply telling someone about it. Of course you would want someone to wake you up and alert you at 4 a.m. if you’re under attack, but it doesn’t solve the underlying problem. How can organizations update the way they use SIEM and security analytics tools to match the speed and complexity of today’s threat landscape?

Introducing the SOC’s Big Brother: The Fusion Center

If we look at the five functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework — Identify, Protect, Detect, Respond and Recover — so far, we are only covering the detection part of the equation. To fill in the gaps, we’re now witnessing the emergence of the SOC’s big brother: the fusion center. The fusion center’s job is to cover the entire spectrum of the NIST model.

What makes the fusion center different? Whereas a SOC only pulls in data from your infrastructure and then stops at an analyst, the fusion center uses a wider set of data sources, collects data from both inside and outside your organization, correlates and enriches that data (often using advanced AI and machine learning to draw conclusions), and pushes this enriched information out to the relevant parts of your organization to respond and recover.

There are multiple advantages to the fusion center approach. Due to advanced automation and the use of machine learning, between 30 and 70 percent of level 1 analyst tasks can be automated, which helps improve response times, reduce the number of analysts needed and free up your security teams to focus on more important tasks.

Another advantage is that, due to the multiple sources of information being ingested by the system (including from native cloud monitoring tools), you can conduct more thorough and in-depth analyses of what is happening on your infrastructure and cloud systems, draw better conclusions and identify wider implications from initially simple-looking issues.

Finally, you can mount a more consistent and thorough response by using integrated runbooks and regularly drilling incident response plans. You can also implement systems that automatically notify relevant parties of key developments and collect and analyze threat data in a single portal. This results in faster containment and eradication with a complete record of what has occurred so you can review lessons learned and continuously improve your processes.

So is SIEM dead? Not remotely — but it’s no longer the only tool in your arsenal, either. With fusion center capabilities, you can harness the power of AI and machine learning to deliver better protection and speed up recovery times.

Contributor'photo

Gavin Kenny

Associate Partner, IBM Security

Gavin has 20 years of experience dealing with Security and Information Assurance within both the Government &...