SIEM is a broad and complex category, just as much as its cybersecurity cousins endpoint security and identity and access management. Yet while next-gen innovations in endpoint security and IAM receive a noticeable amount of attention from cybersecurity experts, next-gen SIEM solutions don’t receive the same press.
Why is that? And what does next-gen SIEM even look like? For more information, we spoke to Gary Southwell, Co-Founder of SIEM solution provider Seceon and current GM of CSPi. Here’s our conversation, edited slightly for readability:
Solutions Review: How do you define the traditional SIEM solution? What makes it traditional?
Gary Southwell: Traditional SIEM solutions focus on collecting and indexing log outputs from applications and devices. These are used to search and find particular log details—such as “for this device, search and display all logs for this particular day.” These processes often generate 10s to 100s of pages of information, more—possibly up to 1000 pages—if there is something amiss with the device. SIEM solutions, therefore, allow additional filter parameters to help refine searches—such as “this device at this precise time,” or “for these types of log event outputs.” Typically, these solutions require high levels of expertise from the end-user to get filters correct.
SIEMs can correlate the logs from many sources when searching on a device—say by IP address. It’s great for forensic deep dives for auditing compliance event reporting for instance.
Some SIEMs will also take in network data but tend to have difficulty using such information effectively—it can generate a tidal wave of flow data for a device, adding 1000s more line items in addition to the log data in a search. This is a problem, as the network provides the other half of the needed data to detect most active threats
SR: By contrast, what is next-gen SIEM? What features or capabilities do these solutions have in contrast to traditional SIEM?
GS: Traditional SIEM solutions find information, and some feature analysis to help provide additional info indicating what might be happening on your network. These can include events such as “credential change logged for this user,” or “this user logged in from multiple devices simultaneously”.
However, traditional SIEM solutions tend to provide such info with every bit of collected data around the user or device in question – so you may see hundreds to thousands of lines of info, which you must sort through to figure out what exactly is happening.
They also take a long time to get data out (often days) in busy environments unless you put in tens of dedicated high-end computing devices, which can make the solution all that more complicated to deploy and support. This is a problem: loss of credentials is the number one cause of critical data loss and most attackers are in and out with the data they want on the same day as the credentials were lost.
In contrast, a next-gen SIEM solution will ingest both log and flow data. It uses threat models to determine the threats rather than relying on a human brain.
These are complicated models that can detect and match threat behaviors to a particular type of threat such as a DDoS attack versus a brute force attack, malware infection, APTs loss of credentials, or insider attack. It will leverage but not rely on the proper use of machine learning to pick out behaviors that are not normal for the device, application, or user, and correlate these events with other rule-triggers that can be correlated into a threat model.
Once a match is found, an alert is built that continues to aggregate individual threat behaviors under a single line alert on the user interface—this is versus hundreds to thousands of lines generated by a SIEM solution before hand-filtering. Better yet, this one line tells you the type of threat and the devices and/or user involved, and what to do about it.
The best next-gen SIEM solutions will be architected to detect the threats within minutes of them becoming active. This includes stopping brute force attacks, compromised credentials, and insider threats before critical data is accessed. Legacy SIEMs can’t promise this.
Next-gen SIEM stops the threats as they are detected automatically, with no human operator involved. Using AI techniques, they take specific appropriate actions to stop each type of threat such as writing filters to firewalls to stop malware, APTs, ransomware, DDoS attacks, data exfiltration, etc. It can also connect to the directories as an admin and disable a particular user’s credentials to stop critical device data access. These actions are specific to the type of threat and the progression of the threat, taking appropriate action before critical harm to the enterprise.
SR: Why hasn’t next-gen SIEM seen as much publicity as, say, next-gen endpoint security? Where is the conversation surrounding it?
GS: First, there are very few platforms that do all these functions. Gartner is just in the midst of recognizing the category in 2018.
It’s also a totally different mindset that flies counter to what the security culture has built processes around to date i.e. the need for highly skilled threat hunters to dig through piles of data to find problems, often taking hours to days. Next-gen SIEM’s approach makes that work fully automated. It shakes up the status quo with a whole different methodology and set of work processes. These smart people can be freed up to stop such threats from reoccurring or occurring in the first place. These can represent big changes in day-to-day cybersecurity work.
Further, next-gen SIEM solutions are being rapidly adopted by a large market segment nobody is tracking very well: managed security services providers (MSSPs). They realize this solution allows them to profitably offer threat detection and containment services.
SR: How you foresee next-gen SIEM adoption? What will motivate enterprises to look at next-gen SIEM more closely?
GS: Next-gen SIEM is a broad category and most are a simple evolution of existing SIEM capacities, adding more functions from other product types under the one platform such as vulnerability screening. These solutions are seeing slow but steady adoption for large enterprises and governments.
Next-gen SIEM represents a brand new concept to the industry, but we expect a groundswell of adoption over the next 24 months. In many cases, it will show up in powerful new MSSPs’ threat detection and containment services, so it may be masked.
These solutions will have broad appeal to the 90% of enterprises that only have firewalls and some sort of legacy endpoint security solution which can be ineffective at quickly or accurately detecting most of the threats discussed above. However, larger enterprises are realizing what cybersecurity platforms they have do not scale and are completely ineffective.
Equifax was a watershed event. This was the first incident where mass firings took place for complete reliance on ineffective processes that are embraced by many today as best practices. There were 1,400 breaches like Equifax in the US alone last year. Therefore we expect a more open-minded outlook for a more effective way—at least for those enterprises that are housing valuable information that needs protection.
Latest posts by Ben Canner (see all)
- Revisiting Whether SOAR Will Replace SIEM in Business Cybersecurity - May 29, 2020
- Changing SIEM From Reactive to Proactive with Threat Hunting - May 27, 2020
- Top-Down SIEM: An Interview with Avi Chesla of Empow - May 21, 2020