Thanks to SIEM evolution, analytical cybersecurity solutions remain relevant to enterprise policies today.
Understanding SIEM evolution provides valuable insights into the evolution of cybersecurity overall. Every cybersecurity product changes and adapts to the demands of the market and to changes in cyber attacks. Looking back, we may yet be able to predict the future of the solutions for enterprises.
With this information in mind, we hope enterprises can better determine their InfoSec use case and select the right solution for them.
Here’s our brief history of SIEM evolution:
What is SIEM?
Before we can explore SIEM evolution in-depth, we must first understand what exactly we mean by “SIEM.” Usually, SIEM—Security Information and Event Management—refers to solutions combining a log management solution and a threat monitoring solution.
Under normal circumstances, every application, database, and network location generates plaintext data. Compiling and normalizing all of this data proves essential to analyzing it and discovering potentially lurking security events.
However, as enterprise networks scale, discovering all of the locations within your IT environment can present its own challenge; from there, manually collecting all of the data, then normalizing it into a consistent language, adds another layer of complexity. Without a solution, your IT security team can swiftly become overwhelmed.
SIEM performs all these functions automatically, increasing enterprise visibility into its IT environment and illuminating dark spaces. Then, SIEM follows programmed correlation rules to evaluate the data for security events and alert your security team to investigate.
With that context established, we can more closely examine SIEM evolution.
The Time Before SIEM
To summarize, SIEM evolved from a simple log management tool to an absolute necessity in enterprise cybersecurity. But why?
The roots of SIEM begin with simple log management. In fact, SIEM didn’t even exist until (relatively) recently. At the time, log management simply collected data automatically and stored it for a predetermined amount of time. Only rarely did enterprises analyze this logged data for security information; few security analytics tools existed then. Moreover, the solutions could only reveal signs of a breach long after the fact.
The earliest incarnations of SIEM’s ancestors took shape after this: Security Information Management and Security Event Management. The former offered log management as well as historical analysis and forensic capabilities for enterprises. Meanwhile, the latter provided threat management for network environments and incident response support.
In other words, the earliest days of log management lacked the actual threat monitoring necessary to modern cybersecurity. Only when SIM and SEM technologies merged did SIEM take its first steps in the cybersecurity marketplace.
The Early Days of SIEM Evolution
When SIEM first attracted attention from the cybersecurity market, enterprises generally employed the solutions as a compliance tool.
Large enterprises, in addition to small-to-medium-sized businesses (SMBs), have governmental and industrial cybersecurity compliance mandates they must fulfill. Obviously, larger enterprises must fulfill more mandates than smaller businesses; this can add another stressor to your IT security team’s already busy schedule, even if you have a larger team.
With SIEM, enterprises can more readily complete their regulatory obligations. Typically, the solutions provide out-of-the-box template reports for major compliance initiatives like HIPAA; this, in turn, allows for easy filing with fewer resources and a smaller time commitment.
Due to this emphasis, smaller businesses once dismissed SIEM as an expense beyond their needs; these businesses reasoned they could fulfill their much lower mandatory obligations on their own.
However, while SIEM solutions still provide compliance, the direction of SIEM evolution now aligns it more closely with cybersecurity needs. Here’s how.
SIEM Evolution and Threat Monitoring
In the earliest days of SIEM, cybersecurity solutions and capabilities focused on prevention. If enterprises could deflect or deter malware and hackers, so the logic went, enterprises could rest easy.
Unfortunately, as hackers developed and refined their cyber attacks, this security paradigm became less and less viable. Currently, no preventative cybersecurity capability or policy can defend against 100% of all digital threats. While a strong security perimeter remains a crucial component to your digital safety, you must supplement it with threat monitoring.
Threats which penetrate your digital perimeter can dwell in your IT environment for months before your team detects them. The longer a threat lingers on the network, the more damage it can wreak. Therefore, you need to cut hackers off at the pass, so to speak, with your security analytics capabilities.
Thanks to SIEM evolution, these solutions increase your network visibility, thereby reducing hacker dwell time. Additionally, the most recent incarnations of SIEM solutions feature behavior analytics to help monitor users and third parties. Further, solution providers have added new layers of sophistication to their correlation capabilities; this permits enterprises to adjust their correlation rules with greater ease.
Since enterprises must deploy, evaluate, and manage their own correlation rules, this is an important capability for enterprise InfoSec.
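As an added illustration of the collect, normalize, correlate and alert pipeline described under “What is SIEM?”, and of correlation rules that the enterprise can adjust itself, here is a small Python sketch written for this article (example code, not any vendor’s product). The log lines are constructed, and the rule format, field names, threshold and time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs) in two formats: syslog-style sshd and key=value VPN.
SAMPLE_LOGS = [
    "2019-10-20T10:00:01 sshd[812]: Failed password for root from 203.0.113.5 port 51000 ssh2",
    "2019-10-20T10:00:04 sshd[812]: Failed password for root from 203.0.113.5 port 51001 ssh2",
    "2019-10-20T10:00:07 sshd[812]: Failed password for admin from 203.0.113.5 port 51002 ssh2",
    "2019-10-20T10:00:09 sshd[812]: Accepted password for admin from 203.0.113.5 port 51003 ssh2",
    "ts=2019-10-20T10:01:00 app=vpn user=alice src=198.51.100.7 result=fail",
    "ts=2019-10-20T10:02:00 app=vpn user=alice src=198.51.100.7 result=success",
]

# One parser per source format; each maps onto the same field names (the "consistent language").
PARSERS = [
    ("sshd", re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")),
    ("vpn", re.compile(r"^ts=(?P<ts>\S+) app=vpn user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<outcome>\S+)")),
]

def normalize(line):
    """Turn one raw line into a normalized event dict, or None if no parser matches."""
    for source, rx in PARSERS:
        m = rx.match(line)
        if m:
            return {"ts": datetime.fromisoformat(m["ts"]), "source": source, "user": m["user"],
                    "src_ip": m["ip"], "outcome": "success" if m["outcome"] in ("Accepted", "success") else "fail"}
    return None

# Correlation rule expressed as data (assumed format) so analysts can tune threshold or window without code changes.
RULES = [{"name": "brute_force_then_success", "key": "src_ip", "min_failures": 3, "window_seconds": 60}]

def correlate(events, rules):
    """Alert when >= min_failures failed logons from one key value precede a success within the window."""
    alerts = []
    for rule in rules:
        failures = defaultdict(list)  # key value -> timestamps of failed logons seen so far
        for ev in sorted(events, key=lambda e: e["ts"]):
            key = ev[rule["key"]]
            if ev["outcome"] == "fail":
                failures[key].append(ev["ts"])
                continue
            cutoff = ev["ts"] - timedelta(seconds=rule["window_seconds"])
            recent = [t for t in failures[key] if t >= cutoff]
            if len(recent) >= rule["min_failures"]:
                alerts.append({"rule": rule["name"], rule["key"]: key, "user": ev["user"], "failures": len(recent)})
    return alerts

def run(lines=SAMPLE_LOGS, rules=RULES):
    """Full pipeline: collect -> normalize -> correlate -> alerts for the SOC to triage."""
    return correlate([e for e in map(normalize, lines) if e], rules)
```

With the default rule only the sshd burst fires; loosening the rule to one failure in a two-minute window also surfaces the single VPN failure, which is the kind of tuning trade-off the text refers to.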
Security Operations Evolution
Interestingly, SIEM evolution correlates with the evolution of security operations centers (SOCs) in a sort of symbiotic relationship.
We covered the importance and capabilities of a fully functional security operations center in previous articles; at its core, a security operations center should form the heart of your cybersecurity posture and policies. Ideally, your SOC should serve as the core of your incident response plans and your threat monitoring efforts. In addition, your SOC should house your threat hunting team, which conducts investigations based on SIEM’s security alerts.
Indeed, SIEM evolution led to the rise and refinement of security alerts. As vendors continue to innovate their security alerting and false-positive reduction capabilities, SOCs can improve their threat hunting to match. Threat hunting can’t simply rely on human intelligence—these alerts help direct their investigations.
Moreover, these alerts can help guide your enterprise’s incident response plans; these need to correspond to the most relevant threats facing your industry vertical and size.
The evolution of SIEM doesn’t just follow the history of cyber attacks. It corresponds to the evolution of other cybersecurity solutions and technologies. After all, SIEM works best as part of a larger InfoSec platform with IAM and endpoint security. You should always remember that when selecting your solution.
If you would like to learn more about SIEM and where it stands now in the current marketplace, be sure to check out our 2019 Buyer’s Guide. We detail the top vendors in the field, their key capabilities, and our Bottom Lines.
Latest posts by Ben Canner