Next Generation SIEM for Security

SIEM stands for Security Information and Event Management and is a platform which collects and collates data in a central repository from multiple sources, devices, etc. A SIEM platform is going to collect some combination of system logs (e.g. Windows event logs, Linux logs, etc.), application or service logs (e.g. SQL, ERP solutions, etc.), networking equipment (firewalls, smart switches, etc.), security solution logs (e.g. antivirus), and everything in between.

These logs are processed and analyzed to determine whether a security event is occurring. Basically, a SIEM is going to ingest a massive amount of data, digest it, and reveal patterns a person wouldn’t see without an inhuman amount of work. Threats have grown more and more complex, so security has had to get smarter. A SIEM allows you to sort the real threats from the noise.

How a SIEM Is Used

There are more and more persistent hacks where attackers or threat actors breach an environment, wait and learn, and then make their move after passively exploring the environment. It can be hard (if not impossible) for a person to notice that a seemingly normal agent is checking ports or similar every few hours or more, but a SIEM tool can detect such patterns easily (when tuned right).

A Security Operation Center (SOC) may use a SIEM to detect when a threat actor has successfully infiltrated a site, or to determine if an attack is underway. In the post-security landscape, detection and prevention are key, but so is response. A SIEM gives you the breadcrumbs of what happened, which can be the key to reversing it.

An MSSP (Managed Security Service Provider) may employ their SOC to look for threats with a SIEM to shore up holes in the target environment. They may use a SIEM to provide a pathway for remediation like a traditional SOC, or leverage a SIEM with multiple other tools to create a true EDR (Endpoint Defense and Remediation) strategy.

Traditional businesses may employ SIEM solutions to detect not just external threat actors but also internal issues (some NOCs [Network Operation Centers] even use them). Proper usage of a SIEM can and will prevent (or at least contain) data exfiltration and similar internal threats. The external security aspects are great, but IP (intellectual property) concerns still exist. What happens if a key asset that sets your business apart from others is leaked and costs you your competitive edge?

What Makes a Next Generation SIEM

The big difference between a traditional SIEM and a next generation SIEM is the use of machine learning to process data. This is roughly the same conceptual leap as the move from (now) older heuristic methods to machine learning or AI antivirus solutions. Even with basic filters and processing techniques, there’s too much data for the average person to process it all (or it’s cost prohibitive). That’s where next generation SIEM solutions come in.

A few megabytes of logs used to be a lot, now it’s not even a full drop in the bucket. No human can parse all of the log data in a sane way; no team can do it either. We’re at the point we need a computer to throw away the trash and highlight what matters. The bar for what is valuable and what isn’t continuously moves with each advancement in the arms race between hackers and security professionals.

A next generation SIEM is one which is able to remove more trash without throwing out the treasure. While an attack may generate hundreds or thousands of lines of relevant logs before it trips a system threshold, a next generation SIEM can recognize the pattern before a human even knows it exists. At that point, a security expert looks at the data and makes a decision. A next generation SIEM reduces the false positives, reduces the false negatives, and enables security professionals to focus on the grayest gray areas while the system handles the rest.
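The two detection styles described above (the periodic port check from the "How a SIEM Is Used" section and the threshold rule from this paragraph) side by side, as an added example that is not part of the original article. It runs a simple count-in-a-window rule and a periodicity rule over constructed firewall-style deny lines (the log format, addresses and timestamps are invented for the example); the low-and-slow probe never trips the threshold but is caught by its regular spacing.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log format (not a real product's): "t=<seconds> src=<ip> dport=<port> action=deny"
LINE_RE = re.compile(r"t=(\d+) src=(\S+) dport=(\d+) action=deny")

def constructed_logs():
    """Constructed sample, not real telemetry: one host probes SMB once an
    hour for eight hours; another bursts a dozen denies in under a minute."""
    slow = [f"t={h * 3600 + 5} src=10.0.0.7 dport=445 action=deny" for h in range(8)]
    burst = [f"t={7200 + i * 5} src=10.0.0.9 dport=8080 action=deny" for i in range(12)]
    return slow + burst

def parse(lines):
    """Group deny timestamps by source address, sorted in time order."""
    by_src = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            by_src[m.group(2)].append(int(m.group(1)))
    return {src: sorted(ts) for src, ts in by_src.items()}

def threshold_rule(by_src, limit=10, window=60):
    """Traditional rule: more than `limit` denies from one source within `window` seconds."""
    hits = set()
    for src, ts in by_src.items():
        for i, start in enumerate(ts):
            if sum(1 for t in ts[i:] if t - start <= window) > limit:
                hits.add(src)
                break
    return hits

def periodicity_rule(by_src, min_events=4, min_gap=600, max_jitter=0.1):
    """Pattern rule: few events, but evenly spaced (beacon-like) over a long span.
    Jitter is the spread of the inter-arrival gaps relative to their mean."""
    hits = set()
    for src, ts in by_src.items():
        if len(ts) < min_events:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg >= min_gap and pstdev(gaps) / avg <= max_jitter:
            hits.add(src)
    return hits

if __name__ == "__main__":
    events = parse(constructed_logs())
    print("threshold rule fires on:", threshold_rule(events))    # {'10.0.0.9'}
    print("periodicity rule fires on:", periodicity_rule(events))  # {'10.0.0.7'}
```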

What Makes the Real Difference

The move to a next generation SIEM isn’t necessarily rooted in the underlying technology – it’s rooted in the result. A next generation SIEM should adapt to changes in behavior without (much) tuning, it should be more proactive, it should provide ways to contain a threat near instantly (or even better, it should just do it), and it should be able to handle more throughput than a traditional SIEM. A traditional SIEM needs tuning (by people), and works off of relatively simple rules. A next gen SIEM makes its own rules based on the usage and the security zeitgeist (i.e. it’s adaptive).

A next generation SIEM is also going to reduce the work a human has to do for mundane tasks so they can focus on the things the machine learning can’t. A computer can barely write an article, but it can crunch data in a minute that surpasses what a human brain can in a lifetime.

Automation is coming to everything, and that’s what sets a next generation SIEM apart from the traditional methods. It automates the parts a person doesn’t want to, or can’t, do.

How to Find the Right Next Generation SIEM

Next generation SIEMs share the limits of any machine learning or big data process: trash in, trash out. How a system codifies and reduces data can make the difference between stopping a threat and missing it entirely.

The wrong model gets the wrong results. The wrong people monitoring the system for the wrong things get the wrong results. This process is still arguably in its infancy, but there is a wide gap between the top and the bottom of the market which is still being worked out. Does a next generation SIEM increase the digital divide due to the sheer knowledge required to use it, or does it make security more accessible to lower-level technicians? It depends on the product and the process.

Some tools are simple and some are complex. A SIEM is a refinement of generations of technical innovation. There’s a baseline which is higher than most admit, but a reward which keeps you competitive. Security keeps getting harder and the stakes keep going up.

How do you analyze data across a site and determine what needs to be done? Modern security response requires more than just basic prevention: you need the right post-security philosophy to truly succeed. How are you making sure you don’t miss the omens in the chaotic rambling of unending logs? The signs are there, you just need the right tool to divine them.

Definitions

SIEM: This stands for Security Information and Event Management, and is a platform which ingests data and digests it to find patterns for security events.

Threat Actor: A malicious actor looking to compromise a network. This is a general security term for hackers and more.

SOC: This stands for Security Operation Center, and is a critical component for modern security. A SOC is the team which actually analyzes and works on security alerts, both proactive (e.g. patching new vulnerabilities, closing ports or similar, etc.) and reactive (e.g. response to security events and breaches).

MSSP: Managed Security Service Provider – This is a managed service provider (MSP) which provides security remediation and analysis.

NOC: A Network Operations Center ingests data, potentially from a SIEM, but usually with some kind of RMM (Remote Monitoring and Management) system or an SNMP (Simple Network Management Protocol) solution.

Image by Đức Nguyễn from Pixabay