Should We Move to a New Definition of SIEM?

Should we move to a new definition of SIEM? What should experts and enterprises consider and discuss in relation to SIEM solutions?

Why do we need to consider a new definition of SIEM? IT decision-makers across the U.S. still don’t think of SIEM as a necessary component of their modern cybersecurity platforms. Previously, SIEM belonged only in the realm of large or global enterprises. However, these solutions have evolved, and continue to do so; now they offer capabilities suited to enterprises of all sizes.

Here’s why we must consider a new definition of SIEM.

Towards a New Definition of SIEM 

SIEM In the Past

Previously, SIEM performed many of the tasks it does today; it collected and aggregated data from disparate network locations, scanned the information for security event data, and generated alerts. 

Yet only large enterprises selected and deployed SIEM. This stemmed from SIEM’s compliance capabilities, which remain in use today. The solutions provide out-of-the-box compliance reporting, which helps with fulfilling regulatory mandates.

Additionally, many organizations considered SIEM far too expensive to either deploy or maintain. Further, SIEM requires a dedicated IT security team, which proves hard to assemble during the ongoing cybersecurity staffing crisis. Finally, SIEM suffered from the reputation of generating a large number of false-positive alerts. These alerts can bury legitimate security events and cause analyst burnout.

Recently, SIEM has started to innovate to match the threat landscape. Here’s what changed. 

SIEM Now

First, the definition of SIEM must separate itself from false positives. While false alerts still exist, solution providers work continually to limit them. Capabilities such as contextualization (enriching an alert with what is known about the affected asset or user) help IT teams recognize false positives faster. Automation tools reduce the investigation workload and thus prevent burnout. Normalization maps events from disparate log sources and formats onto a common schema, which lets teams track a security event across all of them.
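To make normalization and contextualization concrete, here is an added example (not code from the original article or from any SIEM vendor it mentions). It maps two constructed log formats, a Linux sshd syslog line and a Windows 4625 logon-failure record, onto one event schema, runs a single brute-force rule across both, and enriches the resulting alert with a constructed asset-criticality table. The log lines, hostnames, IP addresses and the `ASSET_CONTEXT` table are all assumptions made up for the example.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events in two formats a SIEM would have to normalize:
# syslog-style lines from a Linux host and a JSON record from a Windows agent.
RAW_EVENTS = [
    "Jan 12 10:01:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 5122 ssh2",
    "Jan 12 10:01:05 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 5123 ssh2",
    '{"EventID": 4625, "Computer": "dc01", "TargetUserName": "admin", "IpAddress": "203.0.113.7"}',
    "Jan 12 10:02:00 web01 sshd[2212]: Accepted password for deploy from 198.51.100.9 port 4000 ssh2",
]

# Constructed asset context used for contextualization: what each host is and how critical it is.
ASSET_CONTEXT = {
    "web01": {"role": "web server", "criticality": "medium"},
    "dc01": {"role": "domain controller", "criticality": "high"},
}
CRIT_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Event:
    """The common schema every source is normalized into."""
    host: str
    user: str
    src_ip: str
    outcome: str  # "failure" or "success"


SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ \S+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def normalize(raw: str) -> Optional[Event]:
    """Map a raw line in either format onto Event; return None for lines we do not understand."""
    raw = raw.strip()
    if raw.startswith("{"):
        rec = json.loads(raw)
        if rec.get("EventID") == 4625:  # Windows: an account failed to log on
            return Event(rec["Computer"], rec["TargetUserName"], rec["IpAddress"], "failure")
        return None
    m = SYSLOG_RE.match(raw)
    if not m:
        return None
    outcome = "failure" if m.group("outcome") == "Failed" else "success"
    return Event(m.group("host"), m.group("user"), m.group("ip"), outcome)


def detect_bruteforce(events, threshold=3):
    """Rule: one source IP failing against one user, on any host, at least `threshold` times.
    Because both sources share the schema, Linux and Windows failures count together."""
    counts = {}
    for e in events:
        if e.outcome == "failure":
            key = (e.src_ip, e.user)
            counts[key] = counts.get(key, 0) + 1
    return [(ip, user, n) for (ip, user), n in counts.items() if n >= threshold]


def contextualize(alerts, events):
    """Attach asset context so an analyst can prioritize: hosts touched and highest criticality."""
    enriched = []
    for ip, user, n in alerts:
        hosts = sorted({e.host for e in events
                        if e.src_ip == ip and e.user == user and e.outcome == "failure"})
        crits = [ASSET_CONTEXT.get(h, {}).get("criticality", "low") for h in hosts]
        top = max(crits, key=lambda c: CRIT_RANK[c])
        enriched.append({"src_ip": ip, "user": user, "failures": n, "hosts": hosts, "priority": top})
    return enriched


def run_pipeline(raw_lines=RAW_EVENTS):
    """Normalize -> detect -> contextualize, returning the enriched alerts."""
    events = [e for e in map(normalize, raw_lines) if e is not None]
    return contextualize(detect_bruteforce(events), events)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

Without normalization the two sshd failures and the single Windows failure would sit in separate buckets and never reach the threshold; without contextualization the analyst would not see that a domain controller was among the targets, which is what lifts the alert's priority to "high".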

Second, many SIEM providers work to make deploying and maintaining their solutions more affordable. Offering managed security services (MSS) provides one option; this assists enterprises with limited IT security teams to maintain 24/7 cybersecurity monitoring. 

Another means of reducing the cost of SIEM is to make it lightweight and to offer different pricing options and models. Diversity in the market favors the customer. Enterprises can also reduce costs by taking SIEM deployment slowly: trying to deploy SIEM too quickly can overwhelm both your IT security team and your cybersecurity policy. Reducing costs is therefore a two-way street between provider and customer.

Modern solutions also provide the tools necessary to reduce risks and cyber-attacks. These can include phishing detection, user and entity behavioral analytics to combat insider threats, and ransomware detection.  

Perhaps the most important change in the definition of SIEM begins with the data consumed. In the past, traditional SIEM consumed historic log data and matched it against predefined rules, which limited its effectiveness. Now, SIEM can consume dynamic log data and user activity data, which more accurately reflects the threat landscape.
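The contrast between a predefined rule over static log data and a behavioral profile built from user activity (the user and entity behavioral analytics mentioned above and the dynamic data mentioned here) can be shown in a few dozen lines. The following is an added example, not code from the article or from any product it discusses: the two-week login history, the users "alice" and "bob", the office-hours rule and the 3-sigma volume threshold are all constructed assumptions.

```python
import statistics
from collections import defaultdict


def build_history():
    """Constructed two weeks of normalized login records: (user, day, hour, country)."""
    history = []
    for day in range(14):
        # alice: office hours 08:00-17:59, always from the US
        for hour in range(8, 18):
            history.append(("alice", day, hour, "US"))
        # bob: 09:00-16:59 from the US, plus a late-evening login every fifth day
        for hour in range(9, 17):
            history.append(("bob", day, hour, "US"))
        if day % 5 == 0:
            history.append(("bob", day, 22, "US"))
    return history


def baseline(history):
    """Per-user profile: hours seen, countries seen, and daily login mean / population stdev."""
    per_day = defaultdict(lambda: defaultdict(int))
    hours, countries = defaultdict(set), defaultdict(set)
    for user, day, hour, country in history:
        per_day[user][day] += 1
        hours[user].add(hour)
        countries[user].add(country)
    profile = {}
    for user, days in per_day.items():
        counts = list(days.values())
        profile[user] = {
            "hours": hours[user],
            "countries": countries[user],
            "mean": statistics.mean(counts),
            "stdev": statistics.pstdev(counts),
        }
    return profile


def static_rule(hour):
    """Traditional predefined rule: any login outside 08:00-17:59 is suspicious."""
    return not (8 <= hour < 18)


def behavioral_rule(profile, user, hour, country, logins_today):
    """UEBA-style check against the user's own baseline; returns the reasons it fired."""
    p = profile.get(user)
    if p is None:
        return ["unknown user"]
    reasons = []
    if hour not in p["hours"]:
        reasons.append("unusual hour")
    if country not in p["countries"]:
        reasons.append("new country")
    # Volume spike: beyond 3 sigma of the user's daily count, with a floor of +2 so a
    # perfectly regular user (stdev 0) is not flagged for a single extra login.
    if logins_today > p["mean"] + max(3 * p["stdev"], 2):
        reasons.append("login volume spike")
    return reasons


# Constructed events for "today": (user, hour, country).
TODAY = [
    ("alice", 10, "DE"),  # office hour, but a country alice has never logged in from
    ("bob", 22, "US"),    # late evening, consistent with bob's own history
    ("alice", 3, "US"),   # 03:00, far outside alice's hours
]


def evaluate(today=TODAY, history=None):
    """Run both rules over today's events; returns one dict per event."""
    profile = baseline(history or build_history())
    logins_today = defaultdict(int)
    for user, _, _ in today:
        logins_today[user] += 1
    results = []
    for user, hour, country in today:
        results.append({
            "user": user, "hour": hour, "country": country,
            "static": static_rule(hour),
            "behavioral": behavioral_rule(profile, user, hour, country, logins_today[user]),
        })
    return results


if __name__ == "__main__":
    for r in evaluate():
        print(r)
```

On the constructed data the static rule fires on bob's 22:00 login (normal for him, so a false positive) and stays silent on alice logging in from a new country during office hours (a miss), while the baseline-driven check gets both right. That is the practical meaning of "consuming user activity data" rather than only matching predefined rules.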

How Might the Definition of SIEM Change? 

We spoke with Avi Chesla of empow to learn more about the changing SIEM marketplace. In addition, Solutions Review reports on security orchestration, automation, and response (SOAR), which may reveal the future of cybersecurity.

You can learn more in our SIEM Buyer’s Guide and in our SOAR Buyer’s Guide.


Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.