Learn

October 26, 2022

4 Minute Read

Top SIEM Features & Capabilities for Modern SOCs

By John Dominguez

A few weeks ago, Gartner named Splunk Enterprise Security a Leader in the 2022 Gartner^® Magic Quadrant™ for SIEM. This is the ninth consecutive year that Splunk has been placed in the Leader’s quadrant. We’re honored to be recognized and we believe our placement is a testament to our commitment to delivering a data-centric security analytics solution that accelerates threat detection and investigations.

But all this recent hubbub about security analytics and SIEM has us security folks here at Splunk waxing philosophical about the technology and its applications. What does a SIEM do? How is it used? What problems does it solve? Let’s take a look.

SIEM overview

Short for security incident and event management, a SIEM is an essential security tool that any modern security operations center (SOC) needs to efficiently and effectively protect their organization. Exactly what does a SIEM do? Let's look at this.

(Read our in-depth introduction to SIEM.)

SIEM capabilities & features

Here’s a quick list of six must-have SIEM capabilities.

#1. Data-centric

A modern SIEM can collect, analyze and monitor any data from any source, in any structure, at any time scale from across an ecosystem of teams, tools, peers and partners. This can give any SOC a unified view into what’s going on across the security stack in real time. It also provides the ability to:

Manage event logs from one central location.
Correlate different events over multiple machines or multiple days.
Tie in other data sources like registry changes and ISA Proxy logs for the complete picture.

#2. Real-time security monitoring and analysis

Organizations need to be able to detect and respond to threats in record time. Security monitoring from a modern SIEM helps you accomplish this. To pinpoint and identify different types of malicious and/ or anomalous behavior, a SIEM retrieves and maintains contextual data around users, devices and applications (e.g., asset and identity data) from across on-premises, cloud, multi-cloud and hybrid environments.

By monitoring and ingesting data from a diverse set of sources across different types of deployments, security teams can get a comprehensive view of potential security events. A leading SIEM should provide:

A library of customizable, predefined correlation rules
Out-of-the-box correlation searches
A security event console for real time presentation of security incidents
Dashboards to provide real-time visualizations of ongoing threat activity

(Understand incident severity levels.)

#3. Incident investigation and forensics

Chances are your security team spends too much time investigating low-value alerts with too little context. Improperly defined detections can lead to a high volume of false positives and a lot of extra noise, quickly overwhelming and overburdening anyone on the front lines. A modern SIEM is able to:

Visualize and correlate data.
Map categorized events against a kill chain.
Provide insight into which tactics have been used by an adversary that map to a particular known vector.

Risk attribution can also help optimize threat hunting and reduce the volume of alerts — thereby increasing true positives — while surfacing more sophisticated threats, like low and slow attacks

#4. Threat intelligence

Threat intelligence is often too noisy, with your security analysts having to manually curate data to make use of it. With manual input, context gets lost during the investigation process. Making it even harder for your analysts, the most valuable security data is often locked inside silos in and across companies.

Fortunately, thanks to the rapidly growing intelligence marketplace, modern SIEM solutions can integrate threat intelligence into every stage of the incident response flow, as well as across an ecosystem of teams, tools, peers and partners. Threat intelligence comes integrated into most modern SIEM solutions or as cloud native SaaS that integrates seamlessly with a modern SIEM platform. The intelligence provided usually includes information that that you can leverage for faster detection and response to attacks, including:

Indicators of compromise (IOCs)
Adversary tactics, techniques and procedures

#5. Risk-based alerting

In traditional cybersecurity alerting, there are one or more tools that forward data into a SIEM to detect potential issues and create alerts. The security team writes the detection logic or leverages prepackaged vendor content, alerting on suspicious activity that may be indicative of attacker behavior.

Unfortunately, this creates a massive volume of alerts that are overwhelming SOCs. Analysts can’t process every alert, every day. This leads to:

Abandoned or suppressed alerts
Slower detection and response for true issues
Analyst burnout

However, risk-based alerting enhancements can effectively transform large volumes of noisy alerts into fewer high-fidelity incidents, prioritized by risk attribution. By correlating related events into a single incident, you can drive faster investigation and resolution, giving you time back in your day and more control over your security operations. Risk-based alerting can:

Use detection logic to provide an observation.
Tag that observation with security metadata like alert source, ATT&CK technique and score.
Dynamically modify the risk score based on interesting attributes of the observed object, such as whether it involves a privileged user or an externally facing server.

Alerting happens only when there are enough interesting observations correlated to the same object.

#6. Automation

Security operations is tedious and time-consuming. Analysts spend hours manually performing investigative and response tasks. To expedite investigations and response actions, automation has become an essential function for SOCs.

Many SIEM platforms are integrating automation functionality into security analytics. Or, at the very least, vendors are offering compatible SOAR (security orchestration automation & response) solutions that automate investigations and response actions against detected events identified by the SIEM.

Security automation lets your team work smarter, respond faster and strengthen your organization’s security defenses. By automating repetitive tasks, security analysts can reduce dwell times and focus their time and attention on the incidents and actions that matter most.

State of SIEM today

Some security product vendors out there have declared, “SIEM is dead!” Hyperbolic statements like that feel more like clickbait than anything to hang your hat on. Sure, legacy SIEM solutions that haven’t innovated for five years should be left by the wayside.

Data-centric SIEMs, however, have continued to innovate and today they:

Allow for ingest and monitoring of tens of terabytes of data per day from any source, structured or unstructured.
Provide full visibility across your environment.
Break down data silos across your organization.
Quickly detect and investigate threats.
Provide an open and scalable data platform to help you stay agile in the face of evolving threats.

SIEMs that do these things are not dead — they’re thriving. To see how Splunk Enterprise Security fared in the 2022 Gartner Magic Quadrant for SIEM, read the report. To dig deeper into product capabilities, check out our guided product tour.

See an error or have a suggestion? Please let us know by emailing ssg-blogs@splunk.com.

This posting does not necessarily represent Splunk's position, strategies or opinion.

John Dominguez

John Dominguez is a Director of Product Marketing for Security at Splunk. With over 12 years experience in cybersecurity product marketing, John is responsible for messaging and positioning, go-to-market strategy, content creation, sales enablement, analyst engagement, and product evangelism for Splunk security products, with experience across the SIEM, SOAR, UEBA, and threat intelligence product categories. In his previous role in Cisco’s Security Business Group, he marketed network security, endpoint security, intrusion prevention, malware sandboxes, and firewall products. John has an MBA in Marketing and Strategy from the Ross School of Business at the University of Michigan, and a BA in Economics and International Relations from Dartmouth College.

Learn 6 Min Read

Log Management: Introduction & Best Practices

Log management, a building block for observability, is a crucial IT practice. Understand the concepts, goals and best practices — including a simple tutorial.

Learn 3 Min Read

Cost Management for IT Leaders

Managing cost isn’t easy. It’s even more complicated when that cost is tied to IT and technology. Get the full story on how you can best manage IT costs.

Learn 5 Min Read

What Is Data Architecture?

Data architecture determines how you can use your data. Read on to learn how to choose data storage, data pipeline and data management strategies.

About Splunk

The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.

Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.

Learn more about Splunk