The Past, Present and Future of SIEM

By Lee Gitzes

SIEM technology is critical to giving security teams the visibility they need to deal with today’s ever-expanding threat landscape. However, not all SIEMs are created equal, and as many high-profile breaches have shown, the wrong solution can be a detriment rather than a useful tool.

Last year’s Target breach is a prime example. Target had a SIEM in place, and it was properly configured to aggregate all of the log data from network resources. The issue was that the team was overwhelmed with data. All of the information about the hack was there; in fact, it was there for months. Unfortunately, there was so much data to work through and correlate manually that it became white noise. Although the information was coming in, the team did not have the time or manpower to correlate all of the needles in the haystack.

This is a common issue with SIEM technology. While many of the available tools can comprehensively pull and aggregate syslog files, they fall short when it comes to making sense of the data. Much of the correlation work required to find valuable information is time-consuming and demands a high level of skill across various disciplines. Expecting information security teams to have the time, or to possess the necessary skills and understanding, is unreasonable. As a result, most SIEM implementation projects go on perpetually and never live up to their promise.

Much of this issue stems from where SIEM technology came from. Syslog servers were initially deployed to give network operations teams better insight; their purpose was to troubleshoot issues and bottlenecks on the network. Over time, it was realized that aggregated logs could also help identify complex security events, so tools for correlating logs to security incidents were baked into syslog platforms. These “enhanced” syslog server technologies were rebranded as SIEM.

The end result of that evolution is what we have today: operational tools jammed into performing a security function. In other words, we are trying to fit a square peg into a round hole, which is neither efficient nor effective, especially for something as critical as securing our environments.

In recent years, it has been recognized that better tools are needed to provide actionable intelligence. It is also now understood that many data points beyond syslog files help move an investigation forward. Most importantly, when it comes to mitigating security incidents, time is precious. Security teams are limited in scale, and automation is a requirement for discovering issues in a timely manner.

The next-generation SIEM is the answer to these challenges. The leading vendors in this space have built their platforms from the ground up for security rather than network operations. They understand security and the workflow of security analysts. Next-gen platforms provide automation, baselining capabilities and intelligence, which filter out the noise so that the security team works with relevant data. Other capabilities are integrated with these solutions as well: technologies such as file integrity monitoring, time normalization and metadata analysis deliver insight that syslog alone cannot provide.

A SIEM does not have to be a massive project that is never complete or effective. Next-generation SIEMs have addressed, and continue to address, many of the shortcomings traditionally associated with SIEM technology. If your security team does not have SIEM technology today, or has a solution that is not effective, I strongly encourage you to take a look at the next-generation platforms that are available.