Despite what you may have heard, security information and event management (SIEM) is not dead. Rather, it’s become an integral part of the latest advancement in security operations: the fusion center.

We are seeing a paradigm shift in the space, and SIEM is no longer enough on its own to conduct the level of protective monitoring organizations need to stay abreast of rapidly evolving threats. Instead, companies are looking to more comprehensive solutions that, when integrated with state-of-the-art SIEM tools, can help organizations go beyond simply detecting and reporting security incidents.

Why SIEM Only Addresses Part of the Problem

Protective monitoring is a maturing discipline within the cybersecurity portfolio. I still remember the early days when it involved little more than storing logs, usually for years. If you were lucky, you had some analytics tools to help you stitch together what went wrong, but only after the event had already occurred. Granted, this was a useful exercise to close awareness gaps and learn lessons, but it wasn’t really monitoring — and I’m not sure who ever took the time to sift through all that data.

So the security community endeavored to come up with a way to stop the horse from bolting in the first place, and SIEM was born. Along with the security operations center (SOC), this solution enabled organizations to monitor what was going on across their systems in real or near real time. As SIEM has evolved, we have developed the ability to correlate different logs, look at network flows, consider user access patterns and use powerful artificial intelligence (AI) to spot anomalies, the needles in all those haystacks of data.

However, standing up your own SOC is an expensive undertaking. That’s why, along with the technology itself, we have also developed new consumption models — in-house, outsourced, shared and cloud-based platforms — that are all aimed at reducing the costs of trying to spot what is happening on your infrastructure.

There are two problems with the current SIEM paradigm, however. First, it can take months to set up a SIEM solution properly, and it requires constant tuning to reduce false positives and allow your SOC team to adjust to changing business patterns. Second, too many SOC delivery models involve little more than spotting a problem and then simply telling someone about it. Of course you would want someone to wake you up and alert you at 4 a.m. if you’re under attack, but it doesn’t solve the underlying problem. How can organizations update the way they use SIEM and security analytics tools to match the speed and complexity of today’s threat landscape?

Introducing the SOC’s Big Brother: The Fusion Center

If we look at the five functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework — Identify, Protect, Detect, Respond and Recover — so far, we are only covering the detection part of the equation. To fill in the gaps, we’re now witnessing the emergence of the SOC’s big brother: the fusion center. The fusion center’s job is to cover the entire spectrum of the NIST model.

What makes the fusion center different? Whereas a SOC only pulls in data from your infrastructure and then stops at an analyst, the fusion center uses a wider set of data sources, collects data from both inside and outside your organization, correlates and enriches that data (often using advanced AI and machine learning to draw conclusions), and pushes this enriched information out to the relevant parts of your organization to respond and recover.

There are multiple advantages to the fusion center approach. Due to advanced automation and the use of machine learning, between 30 and 70 percent of level 1 analyst tasks can be automated, which helps improve response times, reduce the number of analysts needed and free up your security teams to focus on more important tasks.

Another advantage is that, due to the multiple sources of information being ingested by the system (including from native cloud monitoring tools), you can conduct more thorough and in-depth analyses of what is happening on your infrastructure and cloud systems, draw better conclusions and identify wider implications from initially simple-looking issues.

Finally, you can mount a more consistent and thorough response by using integrated runbooks and regularly drilling incident response plans. You can also implement systems that automatically notify relevant parties of key developments and collect and analyze threat data in a single portal. This results in faster containment and eradication with a complete record of what has occurred so you can review lessons learned and continuously improve your processes.
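The correlation, enrichment and runbook hand-off described above (the "wider set of data sources" paragraph and the integrated-runbook paragraph) can be made concrete with a small pipeline. The following is an added example written for this page, not code from the original article or from any vendor's product: it parses constructed authentication log lines (the log format, the threat-intel feed, the geo and HR lookups, the runbook names and the scoring thresholds are all assumptions made up for illustration), correlates a burst of failed logins followed by a success, enriches the finding with an "outside" threat-intel hit and a location mismatch against the user's expected access pattern, and routes the enriched finding to a runbook instead of stopping at an alert.

```python
"""Added example: a minimal fusion-style pipeline (correlate -> enrich -> route).

Everything here is constructed for illustration: the log format, the
threat-intel feed, the geo/HR lookups and the runbook catalogue are
assumptions, not any vendor's schema or API.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed internal auth log (one event per line, key=value fields).
AUTH_LOGS = """\
2024-05-01T03:58:01Z host=vpn01 user=jsmith src=203.0.113.45 result=FAIL
2024-05-01T03:58:07Z host=vpn01 user=jsmith src=203.0.113.45 result=FAIL
2024-05-01T03:58:13Z host=vpn01 user=jsmith src=203.0.113.45 result=FAIL
2024-05-01T03:58:19Z host=vpn01 user=jsmith src=203.0.113.45 result=FAIL
2024-05-01T03:58:40Z host=vpn01 user=jsmith src=203.0.113.45 result=OK
2024-05-01T04:10:02Z host=vpn01 user=adoe src=198.51.100.7 result=FAIL
2024-05-01T04:12:30Z host=vpn01 user=adoe src=198.51.100.7 result=OK
2024-05-01T04:30:00Z host=web02 user=svc_backup src=10.0.5.9 result=OK
"""

# Constructed external source: a threat-intel feed keyed by source IP.
THREAT_INTEL = {"203.0.113.45": {"tag": "credential-stuffing", "confidence": 90}}

# Constructed context standing in for "user access patterns": where each
# user normally logs in from, and a geo lookup for source addresses.
USER_HOME = {"jsmith": "GB", "adoe": "US", "svc_backup": "internal"}
GEO = {"203.0.113.45": "RU", "198.51.100.7": "US", "10.0.5.9": "internal"}

# Constructed runbook catalogue: severity -> integrated response actions.
RUNBOOKS = {
    "high": ("RB-ACCOUNT-COMPROMISE", ["disable_account", "revoke_sessions", "page_ir_oncall"]),
    "medium": ("RB-SUSPICIOUS-LOGIN", ["force_mfa_reauth", "notify_user", "open_ticket"]),
    "low": ("RB-TRIAGE", ["open_ticket"]),
}


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    src: str
    result: str


def parse_auth_log(text: str) -> list[Event]:
    """Parse the constructed key=value log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *kvs = line.split()
        f = dict(kv.split("=", 1) for kv in kvs)
        events.append(Event(datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
                            f["host"], f["user"], f["src"], f["result"]))
    return events


def correlate_brute_force(events: list[Event], min_failures: int = 3,
                          window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Flag (user, src) pairs where >= min_failures FAILs precede an OK within window.

    A single failed login is noise; the correlation is failures *then* success
    from the same source, which a per-line alert rule would not see.
    """
    by_key: dict[tuple[str, str], list[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_key[(e.user, e.src)].append(e)
    findings = []
    for (user, src), evs in by_key.items():
        fails: list[datetime] = []
        for e in evs:
            if e.result == "FAIL":
                fails.append(e.ts)
            elif e.result == "OK":
                recent = [t for t in fails if e.ts - t <= window]
                if len(recent) >= min_failures:
                    findings.append({"user": user, "src": src, "host": e.host,
                                     "failures": len(recent), "success_at": e.ts.isoformat()})
                fails = []  # a success resets the failure run
    return findings


def enrich(finding: dict) -> dict:
    """Add outside (threat intel) and contextual (geo vs. home) data, then score."""
    f = dict(finding)
    f["threat_intel"] = THREAT_INTEL.get(f["src"])
    f["geo"] = GEO.get(f["src"], "unknown")
    home = USER_HOME.get(f["user"])
    f["geo_anomaly"] = home is not None and home != f["geo"]
    score = 40                                   # base: brute force that succeeded
    if f["threat_intel"]:
        score += f["threat_intel"]["confidence"] // 2
    if f["geo_anomaly"]:
        score += 20
    f["severity"] = "high" if score >= 70 else "medium" if score >= 50 else "low"
    return f


def route(enriched: dict) -> dict:
    """Hand the enriched finding to the runbook for its severity."""
    name, actions = RUNBOOKS[enriched["severity"]]
    return {"runbook": name, "actions": list(actions),
            "target_user": enriched["user"], "evidence": enriched}


def run_pipeline(log_text: str = AUTH_LOGS) -> list[dict]:
    return [route(enrich(f)) for f in correlate_brute_force(parse_auth_log(log_text))]


if __name__ == "__main__":
    for r in run_pipeline():
        print(r["runbook"], r["target_user"], r["actions"])
```

Only jsmith is routed: four failures in under a minute followed by a success, from an address on the constructed intel feed and in a country that does not match the user's home, lands in the account-compromise runbook. adoe's single failure before a success from an expected location never becomes a finding, which is the false-positive pressure the tuning paragraph above is about.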

So is SIEM dead? Not remotely — but it’s no longer the only tool in your arsenal, either. With fusion center capabilities, you can harness the power of AI and machine learning to deliver better protection and speed up recovery times.
