As security information and event management (SIEM) approaches the 20-year mark (depending on the date you use for its formation), we are looking back at how far SIEM has come since its inception. The modern SIEM is certainly not your grandmother’s SIEM.
While SIEM started as a platform to capture event logs from the IT environment, the parsing and standardization of the telemetry allowed analysis of all the logs in the same way, no matter the source. Compliance teams were able to use the SIEM to demonstrate IT environment monitoring with audit reports. Analysis of the data ingested also allowed the SIEM to surface alerts related to the monitored IT environment based on detection rules.
However, scalability became an issue early on. Although the SIEM was designed as a data platform, its job got more complicated as querying historical data became easier and the amount of data being ingested ballooned.
Additionally, as the IT environment expanded and more tools were put into use, the number of alerts grew to unmanageable levels, no matter how large the team of security analysts grew. Today, organizations often have more than 100 sources of data connected to their SIEM. Security Operations Center (SOC) teams clear only 65% of their alerts each day, which means more than one-third of alerts go uninvestigated. In many cases of threat actor intrusion, an organization had the necessary tools to detect the threat actor activity. However, the activity went unnoticed either because the tool was not set up properly or because the humans monitoring the tools failed to recognize the activity’s importance.
The SIEM also required care and feeding, as security teams needed to dedicate staff to keep it running and to engineer and tune detections to find the known issues. Allocating staff to the SIEM is the greatest challenge in many organizations.
Modern SIEM solutions have added features to help with the challenges. Integrated user and entity behavior analytics (UEBA) uses machine learning to look at patterns in the ingested data to find unknown threats in addition to the detection rules that surface alerts on known threats. To cut down on the need for analysts to pivot into multiple tools, threat intelligence feeds bring updated information on indicators of compromise (IOCs) into the SIEM, so alerts are enriched with additional data and context.
Lack of automation has been another challenge with the SIEM. Today’s security practitioners want to unify detection and investigation, which is done through correlation and enrichment of alerts with threat intelligence. Risk-based alerting considers the severity of the alert to prioritize its triage by the security team. The enrichment, correlation, and prioritization of alerts are done through automated processes integrated into the SIEM, which the SOC team can tune to the needs of their environment.
Besides desiring a real-time detection engine, SOC teams still need out-of-the-box connectors to all the data sources they want to ingest. That telemetry goes beyond the usual security tools to potentially encompass application and networking performance data and human resources data. For example, a notification from the HR system that an employee has given notice can be used to place that person on a watch list to monitor for insider threat actions.
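As an added illustration (not from the InfoBrief or any vendor's product), the Python below sketches the enrichment, risk-based scoring and per-entity correlation described above, including the HR watch-list signal. The IOC feed, watch list, severity weights and alerts are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample data; no real feed, user or environment is represented.
IOC_FEED = {  # indicator -> threat-intelligence context
    "198.51.100.23": "known C2 node (constructed)",
    "malicious.example": "phishing domain (constructed)",
}
WATCH_LIST = {"jdoe"}  # user flagged by a constructed HR resignation notice
SEVERITY_WEIGHT = {"low": 10, "medium": 30, "high": 60, "critical": 90}

# Constructed alerts, already parsed into the SIEM's common field names.
ALERTS = [
    {"id": "a1", "user": "asmith", "severity": "low", "dest": "203.0.113.9", "rule": "Rare process"},
    {"id": "a2", "user": "jdoe", "severity": "medium", "dest": "198.51.100.23", "rule": "Outbound connection"},
    {"id": "a3", "user": "jdoe", "severity": "low", "dest": "203.0.113.9", "rule": "Mass file access"},
    {"id": "a4", "user": "bwong", "severity": "high", "dest": "malicious.example", "rule": "DNS query"},
    {"id": "a5", "user": "asmith", "severity": "critical", "dest": "203.0.113.9", "rule": "Credential dump"},
]

def enrich(alert):
    """Attach threat-intel context and watch-list status to an alert (returns a copy)."""
    enriched = dict(alert)
    enriched["ti_context"] = IOC_FEED.get(alert["dest"])
    enriched["on_watch_list"] = alert["user"] in WATCH_LIST
    return enriched

def risk_score(alert):
    """Severity sets the base score; an IOC match or a watch-list user raises it."""
    score = SEVERITY_WEIGHT[alert["severity"]]
    if alert["ti_context"]:
        score += 40
    if alert["on_watch_list"]:
        score += 25
    return score

def correlate_by_user(enriched_alerts):
    """Aggregate risk per user so several low alerts on one entity surface together."""
    totals = defaultdict(int)
    for a in enriched_alerts:
        totals[a["user"]] += risk_score(a)
    return dict(totals)

def triage_queue(alerts):
    """Return (alert id, score) pairs ordered highest risk first for analyst triage."""
    enriched = [enrich(a) for a in alerts]
    ranked = sorted(enriched, key=lambda a: (-risk_score(a), a["id"]))
    return [(a["id"], risk_score(a)) for a in ranked]
```

In this sample the IOC-matched alerts (a4, a2) outrank the critical but unenriched a5, while the per-user view puts jdoe first because two individually low-priority alerts combine with the HR watch-list signal.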
SOC teams want automated response capabilities within the SIEM through integration with ticketing systems as well as playbooks that can be designed and run in the SIEM. Organizations without security engineering resources look to the SIEM solution provider to offer detection and threat hunt content. Additionally, GenAI assistants have made querying the SIEM easier so analysts can use natural language instead of the query language of the SIEM.
The modern SIEM of today is not the traditional SIEM of yesteryear. If you find that your current SIEM does not meet your needs for data ingestion, alerting, detection, investigation, and response workflows, consider taking a look at a modern SIEM to find your SIEM of tomorrow.
For more on the capabilities of the modern SIEM, download the IDC InfoBrief, The SIEM of Tomorrow, sponsored by Splunk.