According to the InfoSec punditry, SIEM (Security Information and Event Management) solutions are dead, having long snuffed it as the result of up-and-coming technologies.
Some people believe the rigor mortis set in as early as 2011. In 2013, Eddie Schwartz —then-CSO of RSA—declared that SIEMs were “effectively dead,” largely due to the ascendant rise of big data analytics.
But this is akin to saying that a caterpillar is dead, just because it metamorphosed into a butterfly.
Allow me to explain.
The SIEM market today is nearly a $2 billion industry, with players that can only be described as thriving. Suffice to say, Blockbuster Video this ain’t.
It’s more accurate (and fair) to say that the SIEM landscape has evolved. The first SIEMs crawled out of the sea as the descendants of a variety of different security technologies: log management systems (LMS), security log/event management (SLM/SEM), security information management (SIM), security event correlation (SEC), and many others.
The earliest incarnations of SIEMs were rather limited. In their infancy, they struggled to scale across large campuses and companies, and were often excruciatingly slow to deploy. They also required large dedicated teams to manage, pushing the overall cost up even further. Worse, they offered scant insight into network flow or user activity, both of which are key areas of interest for security professionals.
What SIEMs look like today
However, just as all technologies evolve over time, SIEMs too have adapted to deliver more of the things that were demanded of them. They added new features and functions that offered value to the business world, such as threat monitoring and detection, which escalated their status within security operations centers. So, while we still tend to use the term SIEM, what we are actually referring to now is a completely metamorphosed technology for which SIEMs laid the foundation, and continue to be an important component – providing some, but not all of the security capabilities that companies need to achieve full visibility.
So, what does a modern threat monitoring and detection solution offer that traditional SIEMs don’t?
- Unified capabilities: Modern SIEMs are one-stop-shops for event monitoring and analytics. The factors that drove this were largely cost, the natural convergence of technologies, and the need to overcome the InfoSec talent shortage. With SIEMs able to do so much more, companies can eliminate other services and applications, and they only need to train their staff to use one tool.
- Threat intelligence capabilities: Today’s SIEMs work with threat intelligence platforms to proactively detect emerging threats. Given that the threat intelligence market is estimated to be worth nearly $4 billion this year (not including free and open source platforms), according to Markets and Markets Research, and will be worth almost $9 billion by 2020, this kind of integration seems to make a lot of sense.
- Incident response and forensic capabilities: If something untoward happens, modern SIEM platforms can allow you to piece together what happened using the vast amounts of data that they’ve gathered.
- Big data and advanced analytics: Not only can today’s SIEMs support big data collection, but they also enable organizations to conduct risk assessments of assets, personnel, and resources. This includes individual employees, computers, and everything in-between.
What the future holds
SIEMs, particularly their current incarnation as threat monitoring and detection solutions, aren’t going anywhere. However, in order to survive, SIEMs do need to be able to adjust so that they can accommodate the changing needs of organizations, and they need greater flexibility to allow for easy integration with emerging technologies. In particular, they will need to continue to strengthen the following capabilities:
- Cloud monitoring and management: Over the past few years, there has been a seismic shift as companies ditch on-premises software and hardware in favor of the cloud, which promises to be cheaper and reduce management headaches. While some SIEMs today are able to monitor cloud infrastructure and applications effectively, most tend to do so with one arm tied behind their back. The range of services they can integrate with, and the depth of data they can gather, is limited, especially if compared to on-premises environments. This is something that’s likely to change, especially as organizations start to demand a more granular depth of information from the cloud services they rely on.
- Managed detection and response providers (MDRs): MDRs are gaining popularity, as companies increasingly wash their hands of the tricky job of detecting and responding to threats, and leave it to outsourced service providers. As these providers become more popular, it will become increasingly critical that SIEMs have the ability to play nice with them.
- Orchestration: Currently, some aspects of basic SIEM workflow automation exist. Given the maturation and commoditization of machine learning, we will likely see more SIEM orchestration that speeds up playbook execution amongst disparate products.
Long live the SIEM
SIEM isn’t dead. Maybe we need to find a new term to describe the broad set of capabilities that we’re referring to when we say “SIEM” today – threat monitoring, threat detection, incident response, forensics and orchestration. But, that probably wouldn’t be appropriate either, as SIEMs continue to evolve and adapt – further expanding the capabilities of this technology. They are constantly being upgraded to integrate with new technologies and deploy more easily with fewer staffing requirements. And with artificial intelligence and machine learning continuing to grow in adoption and impact, it’s safe to say the SIEMs featured in tomorrow’s security operations centers will be entirely different creatures than they are today.