The evolution of SIEM – what you need to know
Thursday 3rd December 2020 | 2-3 minute read
As soon as businesses moved beyond a handful of servers, it quickly became apparent that managing ‘events’ was going to be a serious issue. Some unlucky helpdesk analyst would have to comb through logs once a week, trying to identify potential issues from the many thousands generated every day.
In 2005, industry analyst Gartner first coined the phrase Security Information and Event Management (SIEM) in their report ‘Improve IT Security with Vulnerability Management’. SIEM was built on top of two existing concepts: Security Information Management (SIM), which is concerned with the collection, storage and analysis of log data, and Security Event Management (SEM), which is concerned with real-time monitoring, correlation of events and notifications about security events.
Once endorsed by Gartner, SIEM uptake was rapid. The potential benefits of centralised log management and threat intelligence are fairly obvious – and it is little surprise that businesses wanted a piece of the action. Despite the obvious potential, these early deployments were quite disappointing, generating very little actionable intelligence – or value.
Challenges of traditional SIEM platforms
Although traditional SIEM platforms work on one level (centralising event log files), they also have some serious problems. Building custom interconnects to collect logs from disparate systems and platforms is complex, slowing deployment and limiting future flexibility.
Because of these overheads, traditional on-premise SIEM platforms are slow and costly to operate – particularly given the ever-increasing storage and processing requirements. The “fire hose” of incoming alerts places security teams under constant pressure to close issues as quickly as possible.
With tens of thousands of events being generated every day, there simply isn’t enough time for the security team to sift through them all looking for genuine problems. Signature-based rules help to manage some of the more obvious cybersecurity scenarios, or “known threats”, but even they are unable to keep up with the pace of change in attack techniques.
Despite best efforts, traditional SIEM tools have fallen far short of the potential predicted by Gartner.
Adding cloud and artificial intelligence (AI) to SIEM tools
With the enormous scalability and processing capacity provided by cloud systems, SIEM platforms can employ machine learning algorithms and AI to make them smarter. These inclusions have made it possible to detect new or polymorphic threats that signature-based platforms struggle to identify.
Consider User Entity Behaviour Analytics (UEBA), which can monitor user activity across all of your assets to create a baseline of ‘normality’. This immediately helps to cut through a lot of the ‘white noise’, surfacing issues that do require further investigation by the security team, such as compromised user credentials.
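A toy version of the baselining idea above, as an added example that is not code from the original post or from any SIEM or UEBA product: it learns one user's usual sign-in hours and source countries from constructed sample events, then scores new sign-ins against that baseline and reports why each one deviates. The user names, event data and the z-score threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample sign-in events, not real telemetry: (user, UTC timestamp, source country).
# BASELINE_EVENTS is the learning window (office-hours sign-ins from GB); NEW_EVENTS is what
# a UEBA engine would score against that baseline.
BASELINE_EVENTS = [
    ("alice", f"2020-11-{day:02d}T{hour:02d}:10:00", "GB")
    for day in range(2, 27) for hour in (8, 9, 13)
]
NEW_EVENTS = [
    ("alice", "2020-11-30T09:05:00", "GB"),  # usual hour, usual country: normal
    ("alice", "2020-11-30T03:12:00", "RU"),  # 3am from a never-seen country: suspicious
    ("alice", "2020-11-30T14:40:00", "GB"),  # slightly later than usual: within tolerance
]

def hour_of(ts):
    return datetime.fromisoformat(ts).hour

def build_baseline(events):
    """Per user: the countries seen and the mean/stdev of sign-in hour."""
    hours, countries = defaultdict(list), defaultdict(set)
    for user, ts, country in events:
        hours[user].append(hour_of(ts))
        countries[user].add(country)
    return {u: {"mean": mean(h), "stdev": pstdev(h), "countries": countries[u]}
            for u, h in hours.items()}

def score_event(baseline, user, ts, country, z_limit=2.0):
    """Return the reasons this sign-in deviates from the user's baseline (empty list if normal)."""
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]  # new identities need a separate review path
    reasons = []
    if country not in profile["countries"]:
        reasons.append(f"new country {country}")
    spread = max(profile["stdev"], 1.0)  # floor the spread so a very regular user is not over-alerted
    z = abs(hour_of(ts) - profile["mean"]) / spread
    if z > z_limit:
        reasons.append(f"unusual hour {hour_of(ts)} (z={z:.1f})")
    return reasons

def find_anomalies(baseline_events, new_events):
    """Score each new event and keep only those with at least one deviation."""
    baseline = build_baseline(baseline_events)
    results = []
    for user, ts, country in new_events:
        reasons = score_event(baseline, user, ts, country)
        if reasons:
            results.append((user, ts, reasons))
    return results
```

Only the 3am sign-in from a new country is surfaced; the two routine sign-ins stay as the ‘white noise’ an analyst never has to see.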
Next-generation SIEMs, such as Microsoft Azure Sentinel, take SIEM capabilities to the next level. As well as offering log management for all your assets in the cloud and on-premise, Azure Sentinel integrates machine learning and AI to build a fuller picture of the actions taking place. These observations are then incorporated into a timeline.
Azure Sentinel also supports threat hunting, allowing you to change your security processes from reactive to proactive. With the issue of white noise reduced, the security team can begin identifying issues and developing fixes earlier, reducing time to resolution and minimising potential cybersecurity risk.
The cloud offers a previously unobtainable level of flexibility – and the perfect platform on which to build a future-ready SIEM / Security Operations Centre (SOC) capability.
Transitioning to managed SIEM services
Choosing a managed SIEM service dramatically reduces operating overheads because they are absorbed by the service provider. But you can drive even more value if you work with a partner who has the right skills and experience.
Many IT vendors haven’t kept pace with SIEM developments, leaving their solutions clunky and unsatisfactory. Your ideal vendor will have a comprehensive technology roadmap that ensures they stay ahead of the market and their customers can access new technologies as soon as they are wanted.
This type of vendor can also extend the capabilities of your SIEM service beyond just network and infrastructure monitoring. By integrating application logs you can monitor and secure key business applications for total control of your information assets. Your security team could be empowered to protect assets across the hybrid estate, further enhancing your security posture and de-risking operations.
To learn more about the Azure Sentinel-based hybrid SIEM service from Maple Networks, and how it could transform your security efforts, please get in touch to book a demo.
To learn more about next generation SIEM platforms and services and how they benefit your organisation, please get in touch.