We often think of the SIEM as the “brain” of the IT network environment, but with news around “next-generation” SIEM, how can a next-gen SIEM improve the benefits and results of your IT security strategy?
How do you define the traditional SIEM solution?
What is a SIEM?
Security Information and Event Management (SIEM) – A SIEM platform centrally collects data from multiple devices on your network, including your existing security appliances. Through an advanced correlation engine, it is able to proactively identify security events not otherwise detected by standalone security technology.
A SIEM system centralizes logging capabilities on security events for enterprises and is principally used to analyze and/or report on the log entries received. The analysis capabilities of SIEM systems can detect attacks not discovered through other means and can direct the reconfiguration of other enterprise security controls to plug holes in enterprise security. Some of the top SIEM products — assuming an attack is still in progress — can even stop detected security breaches.
Traditional SIEM Solutions
Traditional SIEM solutions focus on collecting and indexing log output from applications and devices. These indexes are used to search for and display particular log details, such as all logs for a given device on a particular day. Such a search often generates tens to hundreds of pages of information, or more (around 1000 pages) if something is amiss with the device. SIEMs therefore allow additional filter parameters to help refine searches, such as this device at this precise time, or only these types of log events. Getting the filters right typically requires a high level of expertise from the end user.
SIEMs can correlate the logs from many sources when searching on a device, say by IP address. This is great for forensic deep dives, such as auditing and compliance event reporting.
Some SIEMs will also take in network data, but they tend to have difficulty using such information effectively: it can generate a tidal wave of flow data for a device, adding thousands more line items on top of the log data in a search. Therefore it is seldom used. This is a problem, as the network provides the other half of the data needed to detect the most active threats.
By contrast, what is Next-Gen SIEM?
What features or capabilities do these solutions have in contrast to traditional SIEM?
Traditional SIEM solutions find information, and some provide analysis that indicates what might be happening, such as “credential change logged for this user” or “this user logged in from multiple devices simultaneously”. However, they tend to present this alongside every bit of collected data about that user or device, so you may have hundreds to thousands of lines of information to sort through to figure out what exactly is happening.
In contrast, a Next-Gen SIEM ingests both log and flow data and uses threat models, rather than a human analyst, to determine the threats.
These are complex models that detect threat behaviors and match them to a particular type of threat, such as a DDoS attack vs. a brute force attack, a malware infection, an APT, loss of credentials, or an insider attack. A Next-Gen SIEM leverages, but does not rely on, machine learning to pick out behaviors that are not normal for the device, application or user, and correlates these events with other rule triggers into a threat model. Once a match is found, an alert is built that continues to aggregate the individual threat behaviors under a single-line alert in the UI, versus the hundreds to thousands of lines a traditional SIEM generates before filtering. Better yet, this one line tells you the type of threat, the devices and/or user involved, and what to do about it.
The best Next-Gen SIEMs are architected to detect threats within minutes of their becoming active, stopping brute force attacks, compromised credentials, and insider threats before critical data is accessed. Traditional SIEMs can’t promise this.
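To make the contrast between the filtered search described above and threat-model correlation concrete, here is an added example in Python. It is not code from the original article or from any vendor's product. It builds a constructed set of authentication log lines (hypothetical hosts, users and addresses), runs a traditional SIEM-style filter search that simply returns every matching raw line, and then applies two hypothetical threat models (a brute-force burst that escalates to compromised credentials when a success or password change follows from the same source, and a user logging in from several sources within a short window) that aggregate the matching events into one alert naming the threat, the user and hosts involved, and a response. The thresholds and window sizes are assumptions chosen for the sample data; flow data is left out for brevity.

```python
# Added example, not code from the original article or any vendor product:
# contrasts a traditional SIEM filter search with next-gen style threat-model
# correlation over the same constructed authentication log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical hosts, users and addresses).
RAW_LOGS = """
2024-03-01T09:00:00 host=web01 user=alice src=10.0.0.5 action=login result=FAIL
2024-03-01T09:00:05 host=web01 user=alice src=10.0.0.5 action=login result=FAIL
2024-03-01T09:00:11 host=web01 user=alice src=10.0.0.5 action=login result=FAIL
2024-03-01T09:00:17 host=web01 user=alice src=10.0.0.5 action=login result=FAIL
2024-03-01T09:00:24 host=web01 user=alice src=10.0.0.5 action=login result=FAIL
2024-03-01T09:00:30 host=web01 user=alice src=10.0.0.5 action=login result=SUCCESS
2024-03-01T09:01:02 host=vpn01 user=alice src=10.0.0.5 action=pwchange result=SUCCESS
2024-03-01T09:15:00 host=web01 user=bob src=10.0.0.9 action=login result=SUCCESS
2024-03-01T09:15:20 host=web02 user=bob src=10.0.0.10 action=login result=SUCCESS
2024-03-01T09:30:00 host=web01 user=carol src=10.0.0.7 action=login result=FAIL
2024-03-01T09:30:40 host=web01 user=carol src=10.0.0.7 action=login result=SUCCESS
""".strip().splitlines()

FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn one key=value log line into a dict with a datetime timestamp."""
    ts, rest = line.split(" ", 1)
    ev = dict(FIELD.findall(rest))
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

EVENTS = [parse(line) for line in RAW_LOGS]

def search(events, **filters):
    """Traditional SIEM style: return every raw event matching the filters
    (e.g. host="web01"); the analyst still has to read and interpret them."""
    return [e for e in events if all(e.get(k) == v for k, v in filters.items())]

# --- next-gen style: threat models turn many events into one alert ----------
# Assumed thresholds, tuned for the sample data above.
BRUTE_FORCE_FAILS = 5                       # failures for one user from one source
BRUTE_FORCE_WINDOW = timedelta(minutes=2)   # ... within this window
MULTI_DEVICE_WINDOW = timedelta(minutes=1)  # successes from >1 source this close

def correlate(events):
    """Apply two hypothetical threat models and aggregate the matching events
    into single-line alerts naming the threat, user, hosts and a response."""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        logins = [e for e in evs if e["action"] == "login"]
        # Model 1: brute-force burst; escalated to compromised credentials when
        # a success (login or password change) follows from the same source.
        fails = [e for e in logins if e["result"] == "FAIL"]
        for i in range(len(fails)):
            src = fails[i]["src"]
            burst = [f for f in fails[i:] if f["src"] == src
                     and f["ts"] - fails[i]["ts"] <= BRUTE_FORCE_WINDOW]
            if len(burst) >= BRUTE_FORCE_FAILS:
                follow = [e for e in evs if e["src"] == src
                          and e["result"] == "SUCCESS" and e["ts"] > burst[-1]["ts"]]
                members = burst + follow
                alerts.append({
                    "threat": "compromised_credentials" if follow else "brute_force",
                    "user": user, "src": src,
                    "hosts": sorted({e["host"] for e in members}),
                    "event_count": len(members),
                    "action": ("disable account and reset credentials" if follow
                               else "block source and monitor account"),
                })
                break  # one aggregated alert per user, not one per raw event
        # Model 2: the same user logged in from several sources almost at once.
        successes = [e for e in logins if e["result"] == "SUCCESS"]
        for a in successes:
            near = [b for b in successes if abs(b["ts"] - a["ts"]) <= MULTI_DEVICE_WINDOW]
            srcs = {b["src"] for b in near}
            if len(srcs) > 1:
                alerts.append({
                    "threat": "multi_device_login", "user": user, "src": sorted(srcs),
                    "hosts": sorted({b["host"] for b in near}),
                    "event_count": len(near),
                    "action": "verify with user; require re-authentication",
                })
                break
    return alerts

if __name__ == "__main__":
    hits = search(EVENTS, host="web01")
    print(f"traditional search host=web01: {len(hits)} raw lines to read")
    for alert in correlate(EVENTS):
        print("ALERT", alert)
```

Run as a script, the filter search returns nine raw lines for web01 that an analyst would still have to read, while the correlation step returns two alerts: one compromised-credentials alert for alice that folds seven events across two hosts into a single line, and one multi-device login alert for bob. The point is the shape of the output, not the particular thresholds: a real threat model would tune windows per environment and would also fold in the flow data the article mentions.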
Next-gen SIEM is really a different category. Because this is a brand new concept to the industry, a lot of education will need to take place. That said, the benefits are so compelling that we expect a groundswell of adoption over the next 24 months.
Cybriant offers a next-gen SIEM solution (take a look here) that our clients utilize with our Managed SIEM with 24/7 Security Monitoring and Analysis service. This service has broad appeal to the 90% of organizations that have only firewalls and some sort of simple endpoint solution, which is ineffective at quickly or accurately detecting most of the threats discussed above in today’s dynamic environments.