
The Past, Present and Future of SIEM

November 01, 2015

SIEM technology is critical to giving security teams the visibility they need to deal with today's ever-expanding threat landscape. However, not all SIEMs are created equal, and as many high-profile breaches have shown, the wrong solution can be a detriment rather than a useful tool.

Last year's Target breach is a prime example. Target had a SIEM in place, and it was properly configured to aggregate all of the log data from network resources. The issue was that the team was overwhelmed with data. All of the information about the hack was there; as a matter of fact, it was there for months. Unfortunately, there was so much data to work through and correlate manually that it became white noise. Although the information was coming in, the team did not have the time or manpower to correlate all of the needles in the haystack.

This is a common issue with SIEM technology. While many of the tools available provide a comprehensive ability to pull in and aggregate syslog data, their capabilities fall short when it comes to making sense of that data. Much of the correlation work required to surface valuable information is a time-consuming process that demands a high level of skill across several disciplines. Expecting information security teams to have both the time and the necessary skills and understanding is unreasonable. As a result, most SIEM implementation projects drag on indefinitely and never live up to their promise.

Much of this issue stems from where SIEM technology came from. Initially, syslog servers were deployed to give network operations teams better insight into their networks; their purpose was to troubleshoot issues and bottlenecks. Over time, it was realized that aggregating logs could also help identify complex security events, so tools for correlating logs to security incidents were baked into syslog platforms. These "enhanced" syslog server technologies were rebranded as SIEM.

The end result of that evolution is what we have today: operational tools jammed into performing a security function. In other words, we are trying to fit a square peg into a round hole, which is neither efficient nor effective, especially for something as critical as securing our environments.

In recent years, it has been recognized that better tools are needed to provide actionable intelligence. It is also now understood that many data points beyond syslog files help move an investigation forward. Most importantly, when it comes to mitigating security incidents, time is precious. Security teams are limited in scale, and automation is a requirement for discovering issues in a timely manner.

The next-generation SIEM is the answer to these challenges. The leading platforms in this space have been built from the ground up for security rather than inherited from network operations. Their vendors understand security and the workflow of security analysts. Next-gen platforms provide automation, baselining capabilities and intelligence that filter out the noise for the security team, ensuring that analysts work with relevant data. Other capabilities are integrated into these solutions as well: technologies such as file integrity monitoring, time normalization and metadata analysis deliver insight that syslog alone cannot provide.
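The two capabilities named above, time normalization and baselining, are what turn an aggregated pile of syslog into something an analyst can act on. The following is an added example, not code from the original post or from any vendor: it builds a constructed sample of failed-login lines from two hosts that log in different local time zones (host names, offsets and counts are all made up), normalizes every timestamp to UTC so the hourly buckets line up, and flags the one host whose count sits far above its own leave-one-out baseline.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed baseline: failed-login counts per UTC hour for a quiet host (not real data).
PER_HOUR = [2, 3, 1, 4, 2, 3, 2, 1, 3, 2, 4, 2, 3, 1, 2, 3, 2, 4, 1, 3, 2, 2, 3, 2]

def build_sample():
    """Two hypothetical hosts logging in different local zones; web2 bursts to 60 failures at 03:00 UTC."""
    base = datetime(2015, 10, 30, 0, 0, tzinfo=timezone.utc)
    zones = {"web1": timezone(timedelta(hours=-5)), "web2": timezone(timedelta(hours=2))}
    lines = []
    for hour, n in enumerate(PER_HOUR):
        for host, tz in zones.items():
            burst = 60 if (host == "web2" and hour == 3) else n
            for i in range(burst):
                ts = (base + timedelta(hours=hour, minutes=i % 60)).astimezone(tz).isoformat()
                lines.append(f"{ts} {host} sshd[1234]: Failed password for invalid user")
    return lines

def normalize(line):
    """Time normalization: parse '<rfc3339 timestamp> <host> <message>' into (UTC datetime, host, message)."""
    ts, host, msg = line.split(" ", 2)
    # fromisoformat keeps each source's own offset; astimezone collapses them all onto UTC.
    return datetime.fromisoformat(ts).astimezone(timezone.utc), host, msg

def hourly_counts(lines, needle="Failed password"):
    """Count matching events per host per UTC hour bucket."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        when, host, msg = normalize(line)
        if needle in msg:
            counts[host][when.replace(minute=0, second=0, microsecond=0)] += 1
    return counts

def flag_anomalies(counts, k=3.0, floor=1.0):
    """Baselining: flag a bucket that sits more than k deviations above the host's other buckets."""
    flagged = []
    for host, buckets in counts.items():
        for bucket, n in sorted(buckets.items()):
            others = [v for b, v in buckets.items() if b != bucket]   # leave-one-out baseline
            if len(others) < 2:
                continue
            mean = statistics.mean(others)
            sd = max(statistics.pstdev(others), floor)   # floor keeps a flat baseline from flagging everything
            if (n - mean) / sd > k:
                flagged.append((host, bucket, n))
    return flagged
```

Running `flag_anomalies(hourly_counts(build_sample()))` returns only the web2 03:00 UTC bucket with 60 events; web1's ordinary fluctuation between 1 and 4 failures per hour never crosses the threshold, which is the noise filtering the paragraph describes.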

A SIEM does not have to be a massive project that is never complete or effective. Next-generation SIEMs have been addressing, and continue to address, many of the shortcomings traditionally associated with SIEM technology. If your security team does not have SIEM technology today, or has a solution that is not effective, I strongly encourage you to take a look at the next-generation platforms that are now available.
