Do I Need SIEM Technology?

Bill Virtue

As our threat landscape continues to evolve, businesses are looking for solutions to help mitigate cyber threats. The Security Information and Event Management (SIEM) market is valued at $4.2B and is expected to grow to over $5 billion by 2025. SIEM platforms collect and analyze data from networks, applications, servers, and/or devices and alert users to a potential cyberattack. When the system detects an event that deviates from pre-built or custom-built rules, an alert will trigger via a personalized user interface for quick resolution.

Compliance obligations, such as PCI DSS, HIPAA, GDPR and others, often require organizations to aggregate, store, and log large amounts of data to generate insight into network security threats. Earlier versions of SIEMs were not able to keep pace with the volume of data they were ingesting, and therefore were not able to alert in real time or even near real time. In addition, the skills required to operate and tune the SIEM were a constant drain on IT and security resources. SIEM architecture, performance, and training were also big factors for businesses deciding whether or not to bring a SIEM solution in-house.

New SIEM technology

Newer SIEM technology consumes data from multiple sources (not just anti-virus events and firewall logs) and can do all the normalization and correlation. Many of the performance issues of earlier SIEMs have since been addressed by cloud-based resources supported by a scalable architecture, and in some cases by replacing the legacy database or data warehouse with a data lake. The data lake accommodates data growth and allows pointing almost any device at the SIEM for data collection and correlation, while keeping pace with data ingestion rates.

SIEM vendors have also added machine learning capabilities to address user and entity behavior analytics (UBA/UEBA). By modeling behavior, SIEM solutions can develop a baseline of “normal” behavior and expose any suspicious activities when a specified threshold is exceeded. Behavior analytics can be correlated with other activities to help detect lateral movement of an attacker and attack surface trajectory.
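The baseline-and-threshold idea described above, as an added example that is not from this article or from any SIEM product: it builds a per-user baseline of distinct hosts logged on to per day and flags a day that exceeds the baseline mean plus `k` standard deviations, listing hosts never seen in the baseline. The event layout, user and host names, and the values of `k` and `min_sigma` are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (day, user, host) successful-logon events, as a SIEM
# might hold them after normalization. Days 1-5 form the baseline window.
EVENTS = [
    (1, "alice", "ws-01"), (1, "alice", "file-01"),
    (2, "alice", "ws-01"), (2, "alice", "file-01"),
    (3, "alice", "ws-01"),
    (4, "alice", "ws-01"), (4, "alice", "file-01"),
    (5, "alice", "ws-01"), (5, "alice", "file-01"),
    (1, "bob", "ws-02"), (2, "bob", "ws-02"), (3, "bob", "ws-02"),
    (4, "bob", "ws-02"), (5, "bob", "ws-02"),
    # Day 6 is the day being scored.
    (6, "alice", "ws-01"), (6, "alice", "file-01"),
    (6, "bob", "ws-02"), (6, "bob", "db-01"), (6, "bob", "db-02"),
    (6, "bob", "file-01"), (6, "bob", "dc-01"),
]

def hosts_per_day(events):
    """Map user -> day -> set of distinct hosts logged on to."""
    table = defaultdict(lambda: defaultdict(set))
    for day, user, host in events:
        table[user][day].add(host)
    return table

def score_day(events, baseline_days, target_day, k=3.0, min_sigma=0.5):
    """Return alerts for users whose distinct-host count on target_day
    exceeds baseline mean + k * sigma (sigma floored at min_sigma)."""
    table = hosts_per_day(events)
    alerts = []
    for user, days in sorted(table.items()):
        counts = [len(days.get(d, ())) for d in baseline_days]
        mu, sigma = mean(counts), max(pstdev(counts), min_sigma)
        threshold = mu + k * sigma
        seen = set().union(*(days.get(d, set()) for d in baseline_days))
        today = days.get(target_day, set())
        if len(today) > threshold:
            alerts.append({"user": user, "hosts": len(today),
                           "threshold": round(threshold, 2),
                           "new_hosts": sorted(today - seen)})
    return alerts

if __name__ == "__main__":
    for alert in score_day(EVENTS, baseline_days=range(1, 6), target_day=6):
        print(alert)
```

The `min_sigma` floor keeps a user with a perfectly flat history from alerting on a single extra host, which is one of the tuning choices that drives false-positive volume.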

Other challenges with legacy SIEM technologies involved understanding the query language, building complex queries and rules to detect specific events, and managing large numbers of false positives. Today’s SIEM technology still requires some level of aptitude, but many solutions are now equipped with an easy-to-understand user interface (UI) and pre-defined workflows based on use cases.

Security Remediation Workflows

Today’s SIEMs are often paired with security orchestration, automation, and response (SOAR). One of the benefits of SOAR is orchestration. Businesses have a number of resources and tools used to understand threats that exist or are evolving on the network. Orchestration centralizes data collected from vulnerability scanners, threat intelligence subscriptions, and other data sources that a SIEM does not collect. This orchestration feature enhances the understanding of indicators of compromise and delivers visibility across multiple tools and threat sources.

SOAR can also automate the repetitive tasks a security analyst performs as part of incident response. Older SIEM technology only provided the alert data. The analyst would then need to perform the tasks necessary to determine root cause. Many of these tasks can now be automated using SOAR.

Lastly, SOAR can respond to detected threats by removing the threat itself from the network. This shortens the time it takes to respond to a threat and drastically reduces the overall operating cost.

Benefits of a SIEM / SOAR Solution

Sophisticated attacks require complex threat detection and protection. Newer SIEMs can take in any data, and once tuned properly, provide the alerting needed for investigation. SIEMs are also used for threat-hunting: delivering the data required to detect threats that exist within the network and improving security operation efficiency. Adding SOAR increases the power to identify threats using other security tools and automates the workflow and response process.

Managed SIEM

Purchasing and deploying a SIEM on-premises can be an expensive endeavor. It means you need the infrastructure to support it, the additional cost of servers and storage, and the expertise to manage it.

A managed SIEM allows an organization to partner with a third-party service provider who can monitor the company’s network for potential indicators of compromise (IoC). This often includes endpoint detection and response (EDR) as part of that managed service. Given the skills gap in security expertise, many companies look at outsourcing SIEM technology to leverage the expertise of the partner to help manage security alerts and protect the business from cyber threats. This takes some of the burden off your company’s security team, but will require you to work with the partner to ensure the setup, monitoring, alerting, and reporting complement the capabilities of your security analysts and meet your business’s SLA requirements. For resources to assist with SIEM selection or a managed SIEM solution, contact the experts at Connection today.

Bill is a Senior Systems Engineer at Connection with over 30 years of experience in Networking Solutions, Information Security, and Identity Management. Bill is a founding member of the ISSA NH chapter dedicated to promoting Information Security within the business community. Bill is also a US Navy veteran and held Operations Management positions within the Atlantic Fleet. Bill has broad knowledge in the Security and Compliance space and has consulted on large scale enterprise deployments and security projects and contributed to many technical articles and technology white papers. When he has free time, Bill enjoys catching up with family and friends and riding his Harley Davidson.