Despite what you may have heard, security information and event management (SIEM) is not dead. Rather, it’s become an integral part of the latest advancement in security operations: the fusion center.

We are seeing a paradigm shift in the space, and SIEM is no longer enough on its own to conduct the level of protective monitoring organizations need to stay abreast of rapidly evolving threats. Instead, companies are looking to more comprehensive solutions that, when integrated with state-of-the-art SIEM tools, can help organizations go beyond simply detecting and reporting security incidents.

Why SIEM Only Addresses Part of the Problem

Protective monitoring is a maturing discipline within the cybersecurity portfolio. I still remember the early days when it involved little more than storing logs, usually for years. If you were lucky, you had some analytics tools to help you stitch together what went wrong, but only after the event had already occurred. Granted, this was a useful exercise to close awareness gaps and learn lessons, but it wasn’t really monitoring — and I’m not sure who ever took the time to sift through all that data.

So the security community endeavored to come up with a way to stop the horse from bolting in the first place, and SIEM was born. Along with the security operations center (SOC), this solution enabled organizations to monitor what was going on across their systems in real or near real time. As SIEM has evolved, we have developed the ability to correlate different logs, look at network flows, consider user access patterns and use powerful artificial intelligence (AI) to spot anomalies, the needles in all those haystacks of data.

However, standing up your own SOC is an expensive undertaking. That’s why, along with the technology itself, we have also developed new consumption models — in-house, outsourced, shared and cloud-based platforms — that are all aimed at reducing the costs of trying to spot what is happening on your infrastructure.

There are two problems with the current SIEM paradigm, however. First, it can take months to set up a SIEM solution properly, and it requires constant tuning to reduce false positives and allow your SOC team to adjust to changing business patterns. Second, too many SOC delivery models involve little more than spotting a problem and then simply telling someone about it. Of course you would want someone to wake you up and alert you at 4 a.m. if you’re under attack, but the alert by itself doesn’t solve the underlying problem. How can organizations update the way they use SIEM and security analytics tools to match the speed and complexity of today’s threat landscape?

Introducing the SOC’s Big Brother: The Fusion Center

If we look at the five functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework — Identify, Protect, Detect, Respond and Recover — so far, we are only covering the detection part of the equation. To fill in the gaps, we’re now witnessing the emergence of the SOC’s big brother: the fusion center. The fusion center’s job is to cover the entire spectrum of the NIST model.

What makes the fusion center different? Whereas a SOC only pulls in data from your infrastructure and then stops at an analyst, the fusion center uses a wider set of data sources, collects data from both inside and outside your organization, correlates and enriches that data (often using advanced AI and machine learning to draw conclusions), and pushes this enriched information out to the relevant parts of your organization to respond and recover.

There are multiple advantages to the fusion center approach. Due to advanced automation and the use of machine learning, between 30 and 70 percent of level 1 analyst tasks can be automated, which helps improve response times, reduce the number of analysts needed and free up your security teams to focus on more important tasks.

Another advantage is that, due to the multiple sources of information being ingested by the system (including from native cloud monitoring tools), you can conduct more thorough and in-depth analyses of what is happening on your infrastructure and cloud systems, draw better conclusions and identify wider implications from initially simple-looking issues.

Finally, you can mount a more consistent and thorough response by using integrated runbooks and regularly drilling incident response plans. You can also implement systems that automatically notify relevant parties of key developments and collect and analyze threat data in a single portal. This results in faster containment and eradication with a complete record of what has occurred so you can review lessons learned and continuously improve your processes.
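The ingest, enrich, correlate, triage and route flow described in the paragraphs above, as an added illustration that is not code from the original article or from any product: the alerts, threat-intel feed, asset inventory, scoring thresholds and routing actions are all constructed here to show how level 1 decisions can be automated once SIEM output is joined with external and business context.

```python
from collections import defaultdict

# Constructed sample inputs (not real data): SIEM alerts from the internal
# estate, an external threat-intel feed, and an asset/ownership inventory.
ALERTS = [
    {"id": 1, "host": "web-01", "src_ip": "203.0.113.7", "rule": "multiple_failed_logins"},
    {"id": 2, "host": "web-01", "src_ip": "203.0.113.7", "rule": "suspicious_child_process"},
    {"id": 3, "host": "hr-laptop-22", "src_ip": "198.51.100.9", "rule": "multiple_failed_logins"},
]
THREAT_INTEL = {"203.0.113.7": "known-bruteforce-source"}  # external feed (constructed)
ASSETS = {  # asset inventory: owning team and business criticality (1-3), constructed
    "web-01": {"owner": "platform-team", "criticality": 3},
    "hr-laptop-22": {"owner": "hr-it", "criticality": 1},
}

def enrich(alert):
    """Attach external intel and asset context to a raw SIEM alert."""
    asset = ASSETS.get(alert["host"], {"owner": "unknown", "criticality": 2})
    return {**alert, "intel": THREAT_INTEL.get(alert["src_ip"]), **asset}

def correlate(alerts):
    """Group enriched alerts by (host, source IP) into candidate incidents."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[(alert["host"], alert["src_ip"])].append(alert)
    return list(groups.values())

def triage(group):
    """Score one incident and take the level 1 decision automatically.
    Hypothetical scoring: asset criticality + distinct rules fired + 3 if intel hit."""
    first = group[0]
    rules = {alert["rule"] for alert in group}
    score = first["criticality"] + len(rules) + (3 if first["intel"] else 0)
    action = "page_owner" if score >= 6 else ("ticket" if score >= 3 else "auto_close")
    return {"host": first["host"], "src_ip": first["src_ip"], "rules": sorted(rules),
            "intel": first["intel"], "score": score, "action": action,
            "route_to": first["owner"] if action != "auto_close" else None}

def run_pipeline(alerts):
    """Ingest -> enrich -> correlate -> triage -> route: the fusion-center flow."""
    return [triage(group) for group in correlate(enrich(alert) for alert in alerts)]

if __name__ == "__main__":
    for incident in run_pipeline(ALERTS):
        print(incident)
```

The two alerts on web-01 from an IP with an intel hit collapse into one high-score incident that is routed straight to the owning team, while the lone failed-login alert on a low-criticality laptop is closed without an analyst touching it.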

So is SIEM dead? Not remotely — but it’s no longer the only tool in your arsenal, either. With fusion center capabilities, you can harness the power of AI and machine learning to deliver better protection and speed up recovery times.
