![\"next-gen](\"https:\/\/solutionsreview.com\/security-information-event-management\/files\/2016\/06\/security.jpg\")
<\/p>\n<\/p>\n
SIEM<\/a> is a broad and complex category, just as much as its cybersecurity cousins endpoint security and identity and access management. Yet while next-gen innovations in endpoint security and IAM receive a noticeable amount of attention from cybersecurity experts, next-gen SIEM solutions don\u2019t receive the same press.<\/span><\/p>\n Why is that? And what does next-gen SIEM<\/a> even look like? For more information, we spoke to Gary Southwell, Co-Founder of SIEM solution provider <\/span>Seceon<\/span><\/a>\u00a0and current GM of CSPi<\/a>. Here\u2019s our conversation, edited slightly for readability: \u00a0\u00a0\u00a0<\/span><\/p>\n Gary Southwell: Traditional SIEM solutions focus on collecting and indexing log outputs from applications and devices. \u00a0These are used to search and find particular log details\u2014such as \u201cfor this device, search and display all logs for this particular day.\u201d These processes often generate 10s to 100s of pages of information, more\u2014possibly up to 1000 pages\u2014if there is something amiss with the device. \u00a0SIEM solutions, therefore, allow additional filter parameters to help refine searches\u2014such as \u201cthis device at this precise time,\u201d or \u201cfor these types of log event outputs.\u201d Typically, these solutions require high levels of expertise from the end-user to get filters correct.<\/span><\/p>\n SIEMs can correlate the logs from many sources when searching on a device\u2014say by IP address. It\u2019s great for forensic deep dives for auditing compliance event reporting for instance.<\/span><\/p>\n Some SIEMs will also take in network data but tend to have difficulty using such information effectively\u2014it can generate a tidal wave of flow data for a device, adding 1000s more line items in addition to the log data in a search. This is a problem, as the network provides the other half of the needed data to detect most active threats<\/span><\/p>\n GS: Traditional SIEM solutions find information, and some feature analysis to help provide additional info indicating what might be happening on your network. These can include events such as \u201ccredential change logged for this user,\u201d or \u201cthis user logged in from multiple devices simultaneously\u201d.<\/span><\/p>\n However, traditional SIEM solutions tend to provide such info with every bit of collected data around the user or device in question \u2013 so you may see hundreds to thousands of lines of info, which you must sort through to figure out what exactly is happening. <\/span><\/p>\n They also take a long time to get data out (often days) in busy environments unless you put in tens of dedicated high-end computing devices, which can make the solution all that more complicated to deploy and support. \u00a0This is a problem: loss of credentials is the number one cause of critical data loss and most attackers are in and out with the data they want on the same day as the credentials were lost. <\/span><\/p>\n In contrast, a next-gen SIEM solution will ingest both log and flow data. It uses threat models to determine the threats rather than relying on a human brain. \u00a0<\/span><\/p>\n These are complicated models that can detect and match threat behaviors to a particular type of threat such as a DDoS attack versus a brute force attack, malware infection, APTs loss of credentials, or insider attack. \u00a0It will leverage but not rely on the proper use of machine learning<\/a> to pick out behaviors that are not normal for the device, application, or user, and correlate these events with other rule-triggers that can be correlated into a threat model. <\/span><\/p>\n Once a match is found, an alert is built that continues to aggregate individual threat behaviors under a single line alert on the user interface\u2014this is versus hundreds to thousands of lines generated by a SIEM solution before hand-filtering. \u00a0Better yet, this one line tells you the type of threat and the devices and\/or user involved, and what to do about it.<\/span><\/p>\n The best next-gen SIEM solutions will be architected to detect the threats within minutes of them becoming active. This includes stopping brute force attacks, compromised credentials, and insider threats before critical data is accessed. Legacy SIEMs can\u2019t promise this.<\/span><\/p>\n Next-gen SIEM stops the threats as they are detected automatically, with no human operator involved. Using AI techniques, they take specific appropriate actions to stop each type of threat such as writing filters to firewalls to stop malware, APTs, ransomware, DDoS attacks, data exfiltration, etc. \u00a0It can also connect to the directories as an admin and disable a particular user\u2019s credentials to stop critical device data access. These actions are specific to the type of threat and the progression of the threat, taking appropriate action before critical harm to the enterprise.<\/span><\/p>\n GS: First, there are very few platforms that do all these functions. \u00a0Gartner is just in the midst of recognizing the category in 2018. <\/span><\/p>\n It\u2019s also a totally different mindset that flies counter to what the security culture has built processes around to date i.e. the need for highly skilled threat hunters to dig through piles of data to find problems, often taking hours to days. Next-gen SIEM\u2019s approach makes that work fully automated. It shakes up the status quo with a whole different methodology and set of work processes. These smart people can be freed up to stop such threats from reoccurring or occurring in the first place. \u00a0These can represent big changes in day-to-day cybersecurity work.<\/span><\/p>\n Further, next-gen SIEM solutions\u00a0are being rapidly adopted by a large market segment nobody is tracking very well: managed security services providers (MSSPs<\/a>). \u00a0They realize this solution allows them to profitably offer threat detection and containment services.<\/span><\/p>\n GS: Next-gen SIEM is a broad category and most are a simple evolution of existing SIEM capacities, adding more functions from other product types under the one platform such as vulnerability screening. These solutions are seeing slow but steady adoption for large enterprises and governments.<\/span><\/p>\n Next-gen SIEM represents a brand new concept to the industry, but we expect a groundswell of adoption over the next 24 months. In many cases, it will show up in powerful new MSSPs\u2019 threat detection and containment services, so it may be masked. \u00a0<\/span><\/p>\n These solutions will have broad appeal to the 90% of enterprises that only have firewalls and some sort of legacy endpoint security solution which can be ineffective at quickly or accurately detecting most of the threats discussed above. However, larger enterprises are realizing what cybersecurity platforms they have do not scale and are completely ineffective. \u00a0<\/span><\/p>\n Equifax was a watershed event. This was the first incident where mass firings took place for complete reliance on ineffective processes that are embraced by many today as best practices. \u00a0There were 1,400 breaches like Equifax in the US alone last year. Therefore we expect a more open-minded outlook for a more effective way\u2014at least for those enterprises that are housing valuable information that needs protection.<\/span><\/p>\n Thanks again to Gary Southwell of <\/b>Seceon<\/span><\/b><\/a>\u00a0and CSPi<\/a><\/strong>\u00a0for his time and expertise!<\/b><\/p>\n SIEM is a broad and complex category, just as much as its cybersecurity cousins endpoint security and identity and access management. Yet while next-gen innovations in endpoint security and IAM receive a noticeable amount of attention from cybersecurity experts, next-gen SIEM solutions don\u2019t receive the same press. Why is that? And what does next-gen SIEM […]<\/p>\n","protected":false},"author":41,"featured_media":484,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[551],"tags":[95,145,86,199,21,22],"acf":[],"yoast_head":"\n
Widget not in any sidebars
\nSolutions Review: How do you define the traditional SIEM solution? What makes it traditional?<\/b><\/h3>\n
SR: By contrast, what is next-gen SIEM? What features or capabilities do these solutions have in contrast to traditional SIEM?<\/b><\/h3>\n
SR: Why hasn\u2019t next-gen SIEM seen as much publicity as, say, next-gen endpoint security? Where is the conversation surrounding it?<\/b><\/h3>\n
SR: How you foresee next-gen SIEM adoption? What will motivate enterprises to look at next-gen SIEM more closely?<\/b><\/h3>\n
Widget not in any sidebars
\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"