At their most basic, SIEM tools collect, store, analyze and report on data produced by a wide variety of applications, devices and systems from across an organization’s IT infrastructure. The data comes in the form of log files (more commonly known as logs) that capture authentication, event, performance and/or usage data from security devices, such as intrusion detection systems, firewalls and VPNs; network infrastructure including routers and switches; on-premises applications; cloud applications; and endpoint devices such as PCs, laptops and servers. Security teams can use log data to identify signs of a data breach or cyber attack. Because an organization’s IT infrastructure generates far too much log data for a team to manually sift through, some SIEM tools can help by flagging and prioritizing potential threats.
Historically, SIEMs were used primarily to manage security logs and help demonstrate compliance, but they gradually became an aggregation point for threat detection and investigation. Now, many organizations want to use their SIEM to detect and respond to cyberattacks. Indeed, Gartner writes in its 2020 Magic Quadrant for Security Information and Event Management that SIEM technology is typically deployed to support advanced threat detection, perform basic security monitoring (including log management and compliance reporting), and support threat investigation and incident response. With all that said, it’s important to know that not all SIEM tools are created equal: the capabilities of one SIEM can vary greatly from another.
What’s the difference between a traditional SIEM and a modern or evolved SIEM?
Traditional SIEMs focus on log collection and storage and only report on events that preventive technologies like anti-virus software, intrusion detection systems, and firewalls have already identified. As a result, they don’t give security analysts the visibility they need across all logs, the corporate network and endpoint devices to detect and investigate the signs of sophisticated cyber attacks. These signs may include unusual activity on a PC, network protocol anomalies, and unauthorized connections to devices and applications.
In contrast, modern and evolved SIEM tools are designed to provide pervasive visibility across an organization’s entire IT infrastructure, so that security analysts can see threats anywhere they hide, whether in the cloud, on devices, or anywhere across the network. To that end, newer SIEM tools ingest logs from multiple sources (not just from security systems), capture what are known as full network packets (units of data sent over computer networks), and perform continuous endpoint monitoring and analysis. They also tend to use a type of advanced analytics known as user and entity behavior analytics (UEBA) that applies machine learning algorithms and statistical analysis to create baselines of “normal” user or device behavior; it then uses those baselines to identify deviations, thereby helping to accelerate and automate threat detection. Evolved SIEMs also incorporate threat intelligence (information about known attacks and attackers) from external sources like the FBI and information sharing organizations like IT-ISAC. And they can be configured to take into account which applications, devices and systems are most important to protect, which helps prioritize alerts for security teams.
In short, evolved SIEM tools highlight threats across your network, indicate what resources are at risk, and provide analysts with capabilities to manage and respond to incidents.
Why do security teams need evolved SIEM tools?
For one thing, attackers are more sophisticated, targeted and better-resourced than ever. Bad actors also have more targets than ever: as organizations’ IT infrastructures expand via cloud computing, the internet of things and digital transformation, attackers have more vulnerabilities to exploit. Even as organizations’ IT infrastructures are growing, their security teams lack the resources and personnel they need to investigate and respond to the flood of alerts coming from disparate security tools. These factors may explain why demand for SIEM tools remains strong: According to Gartner, the SIEM market grew from $2.319 billion in 2017 to $2.597 billion in 2018, and is forecast to reach $4.4 billion in 2020.
Is an evolved SIEM right for my organization?
If cyber attacks pose a high risk to your business, and your security operations team is overwhelmed with alerts, an evolved SIEM could make a material difference in your organization’s ability to detect and respond to threats in their earliest stages. Here’s how:
An evolved SIEM gives you complete visibility across your entire IT infrastructure through logs, packets, and endpoints. Logs identify when something has gone wrong. Full packets tell you what actually happened and what the attacker was doing. And endpoint data identifying every device and its activity gives you deep insight into every machine on and off your network so you can identify where an attack began.
An evolved SIEM provides a single, integrated and unified platform for all your security data. It ingests, indexes, normalizes, correlates, analyzes and enriches data from multiple systems with threat intelligence and business context to prioritize alerts and produce actionable threat insights. These activities vastly reduce the time it takes to detect known and unknown threats and to expose the full scope of attacks. SIEM tools also eliminate the need for analysts to manually switch back and forth between tools and correlate their data.
An evolved SIEM leverages sophisticated analytics to speed threat detection. It performs malware analytics, network traffic analytics, endpoint analytics, log analytics, and UEBA to detect insider threats, data exfiltration, lateral movement, command and control communications, advanced malware and other signs of sophisticated cyber attacks.
An evolved SIEM incorporates security orchestration and automation to accelerate incident response. Security orchestration, automation and response (SOAR) solutions provide guided workflows to help security teams investigate, manage and respond to cyber incidents.
What benefits can I expect from an evolved SIEM?
An evolved SIEM should:
- Accelerate your security team’s ability to detect and respond to threats
- Help your security team assess and eradicate threats before they impact your business
- Reduce the number of alerts your security team receives
- Improve the quality of alerts that your security team needs to respond to
- Improve workflow and automation
The faster your security team can detect and neutralize threats, the better your organization’s chances are of lowering the cost and impact of a cyber attack.
What kind of ROI can I expect from an evolved SIEM?
A third-party research firm conducted an ROI study of the RSA NetWitness® Platform evolved SIEM. The study found that RSA NetWitness Platform could save companies an average of $3.4 million on risk mitigation activities and yield an average of $1.2 million in productivity improvements, in addition to conferring other cost savings and financial benefits.
What capabilities should I seek in a SIEM?
Frost & Sullivan recommends looking for the following features and capabilities:
Analytics - Seek a SIEM capable of detecting suspicious user and entity behavior across a large number of events and that:
- uses “unsupervised” machine learning and statistical anomaly detection to identify unknown threats (that is, the machine learning algorithms don’t need to be tuned or adjusted by a person – they work on their own);
- applies advanced correlation rules across all data to identify known threats;
- keeps a library of known threat indicators; and
- interacts with third-party and community threat intelligence.
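To make the analytics capabilities listed above concrete, and the ingest, normalize, correlate, enrich and prioritize pipeline described earlier, here is an added Python example. It is not code from the original article or from any SIEM vendor. It runs over a handful of constructed log lines from two sources (a firewall and an authentication server), maps them onto one common event schema, applies a correlation rule for a known attack pattern (repeated login failures followed by a success), enriches events with a constructed threat-intelligence indicator list and asset criticality, and flags behavioural deviations from a per-user baseline with a simple z-score (the unsupervised, statistical UEBA step). All hostnames, IP addresses, usernames, indicators, the seven-day login history, severity values and the z-score threshold are assumptions made for illustration.

```python
"""Toy SIEM analytics pipeline (added example, not vendor code).

Stages shown: normalization of two log formats, a known-threat correlation
rule, enrichment with threat intelligence and business context, and an
unsupervised per-user baseline used to flag deviations (UEBA-style).
Every input value below is constructed for illustration.
"""
import re
import statistics
from collections import defaultdict

# Constructed raw events: a firewall ("fw1") and an auth server ("auth").
RAW_LOGS = [
    "fw1 2024-05-01T08:00:01 DENY src=203.0.113.9 dst=10.0.0.5 dport=22",
    "auth 2024-05-01T08:00:05 user=alice src=10.0.0.20 result=FAIL",
    "auth 2024-05-01T08:00:06 user=alice src=10.0.0.20 result=FAIL",
    "auth 2024-05-01T08:00:07 user=alice src=10.0.0.20 result=FAIL",
    "auth 2024-05-01T08:00:09 user=alice src=10.0.0.20 result=OK",
    "fw1 2024-05-01T08:01:00 ALLOW src=10.0.0.5 dst=198.51.100.77 dport=443",
    "auth 2024-05-01T08:02:00 user=bob src=10.0.0.31 result=OK",
]

# Constructed threat intelligence (known-bad destinations) and business
# context (which assets matter most); both feed alert prioritization.
KNOWN_BAD_IPS = {"198.51.100.77"}
ASSET_CRITICALITY = {"10.0.0.5": "high", "10.0.0.20": "low", "10.0.0.31": "low"}

# Constructed history: successful logins per user on each of the previous 7 days,
# plus today's aggregated count, which the baseline step compares against.
LOGIN_HISTORY = {"alice": [2, 3, 2, 3, 2, 3, 2], "bob": [5, 4, 6, 5, 5, 4, 6]}
TODAY_LOGINS = {"alice": 12, "bob": 5}

KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize(line):
    """Map one raw line from either source onto the common event schema."""
    parts = line.split(" ", 3)
    if len(parts) < 4:
        return None  # unparseable line: dropped, a real SIEM would count it
    source, ts, rest = parts[0], parts[1], parts[2] + " " + parts[3]
    fields = dict(KV_RE.findall(rest))
    event = {"ts": ts, "source": source, "user": fields.get("user"),
             "src_ip": fields.get("src"), "dst_ip": fields.get("dst")}
    if source.startswith("fw"):
        event["action"] = parts[2]  # DENY / ALLOW
    else:
        event["action"] = "login_ok" if fields.get("result") == "OK" else "login_fail"
    return event


def detect_bruteforce(events, min_failures=3):
    """Known-threat correlation rule: at least min_failures consecutive
    failures for one user from one source IP, then a success from that IP."""
    alerts, streak = [], defaultdict(int)
    for e in events:
        key = (e["user"], e["src_ip"])
        if e["action"] == "login_fail":
            streak[key] += 1
        elif e["action"] == "login_ok":
            if streak[key] >= min_failures:
                alerts.append({"rule": "brute_force_success", "user": e["user"],
                               "src_ip": e["src_ip"], "ts": e["ts"], "severity": 4})
            streak[key] = 0
    return alerts


def enrich_with_intel(events):
    """Flag allowed traffic to known-bad destinations; a critical source
    asset raises the severity so the alert is prioritized."""
    alerts = []
    for e in events:
        if e["action"] == "ALLOW" and e["dst_ip"] in KNOWN_BAD_IPS:
            sev = 3 + (2 if ASSET_CRITICALITY.get(e["src_ip"]) == "high" else 0)
            alerts.append({"rule": "known_bad_destination", "src_ip": e["src_ip"],
                           "dst_ip": e["dst_ip"], "ts": e["ts"], "severity": sev})
    return alerts


def baseline_deviations(history, today_counts, z_threshold=3.0):
    """Unsupervised UEBA step: z-score today's count against each user's own
    baseline; no per-user tuning, only the global threshold is a parameter."""
    alerts = []
    for user, past in history.items():
        mean, stdev = statistics.mean(past), statistics.pstdev(past) or 1.0
        z = (today_counts.get(user, 0) - mean) / stdev
        if z > z_threshold:
            alerts.append({"rule": "login_volume_anomaly", "user": user,
                           "z_score": round(z, 2), "severity": 3})
    return alerts


def run_pipeline(raw_logs=RAW_LOGS):
    """Ingest, normalize, correlate, enrich, analyze, then prioritize by severity."""
    events = [e for e in map(normalize, raw_logs) if e]
    alerts = (detect_bruteforce(events) + enrich_with_intel(events)
              + baseline_deviations(LOGIN_HISTORY, TODAY_LOGINS))
    return sorted(alerts, key=lambda a: a["severity"], reverse=True)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

Run as a script it prints three alerts, highest severity first: the critical asset 10.0.0.5 talking to the known-bad IP, alice's successful login after three failures, and alice's login volume far above her baseline. The point of the ordering is the one the article makes about business context: the same known-bad-destination rule would produce a severity 3 alert for a low-criticality workstation.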
Automation – You want a SIEM that automates mundane security tasks and workflows, including data ingestion, correlation, and analysis. The SIEM should also provide automated workflows for threat hunting, investigation, and incident response and remediation.
Monitoring – An advanced SIEM should monitor and detect anomalies in endpoint behavior and network performance. For example, if the SIEM detects an increase in the number of captured packets being dropped, that may indicate a compromise.
Refined capture – The SIEM should be able to capture and index full network packets (or partial packets with their metadata) so that security teams can reconstruct attacks in their entirety. This allows security teams to understand exactly how an attack happened, so they can begin remediation and take steps to prevent future attacks. Regulated industries, including financial services, often require full packet capture.
Scalability – Enterprise networks are anything but static, and the amount of data they generate increases every year. Depending on the size of your network, you may therefore want to look for pricing plans based on the number of events per second (EPS) processed, so that you’re not paying for capacity you don’t need.
This benchmarking tool from Frost & Sullivan can help you find the best SIEM for your organization.