The Anatomy of a Modern SIEM

By Abhishek Sharma, Senior Technical Marketing Engineer at Securonix

The 8 Critical Features of a Modern SIEM

The cybersecurity landscape is getting more complex. Hackers continue to innovate, and business technologies generate increasing amounts of data. This is making legacy security information and event management (SIEM) solutions obsolete as they struggle with an inability to scale and weak rule-based threat detection techniques. Modern SIEM technology is evolving to meet these new cyber security challenges.

When evaluating SIEM solutions, these are the eight features you should look for that distinguish between a legacy SIEM solution and a modern SIEM solution.

 

Open, Big Data-Based Architecture

Legacy SIEM platforms use a proprietary, inefficient architecture that not only ensures performance deficits, but causes vendor lock-in.

What to look for:

A modern SIEM has an open, big data architecture that provides customers with the benefits of data portability, community-driven platform updates, and available resource pools for management. The SIEM must be able to be deployed on common hardware platforms and allow for improvements to that platform to be integrated.

The data collected through various data sources (such as endpoints, applications, network devices, VPNs, servers, and cloud apps) on the enterprise network today is immense. The upsurge in network capacity combined with the rapid increase in cloud adoption has created a Moore’s Law-like exponential growth in the amount of data that flows across the network and, by extension, to the data that is produced by these flows. This data is not only relevant for security, but for other use cases as well. Legacy SIEMs that use database-based storage cannot cope with today’s scalability requirements.

What to look for:

A modern SIEM needs to use a fundamentally different data store – one that relies on open, big data principles – to be able to handle the massive volumes of data produced by the enterprise. This allows for the consumption and analysis of hundreds of terabytes of data in real time, and for comprehensive, context sensitive, and effective security analytics.

 

Real-Time Behavioral Analytics

Enterprises today use many applications and multiple different authentication systems. This creates an expanded threat landscape for attacks to exploit and complicates the work of the security analyst.

Legacy SIEMs use rule-based correlation, which is dependent on known patterns. This does not work in today’s highly dynamic cyber threat environment. It not only misses new, evolving threats but also creates a flood of false positives.

What to look for:

A modern SIEM leverages machine learning techniques to sift through massive volumes of data. Real-time behavior-based security analytics use a combination of unsupervised, supervised, and statistical algorithms that are custom developed for cyber security in order to find both known and unknown threats. They do this by basing detection on user and entity behavior instead of relying on known signatures. Machine learning techniques used include user behavior baseline profiling and event correlation through association.

 

Contextual Enrichment for Accurate Prioritization of Threats

An alert without broader context is likely to get lost in the sea of other alerts within the SIEM, which means that your security analysts will need to do a lot of manual searching and manipulation to make the alert actionable. SIEM need to be more intelligent in order to enable effective security analytics.

What to look for:

A modern SIEM solution enriches the data being collected by adding contextual information. This includes context about the user, asset, IP address, geolocation, threat intelligence, vulnerability scan results, and more. Now if an alert is triggered, the contextual information can be used to quickly understand the severity based on the actor, the asset on which the threat was identified, and type of data at risk and automatically boost the priority of the alert accordingly.

 

Pre-Packaged Security Content, Use Cases, and a Support Library With Dynamic Security Content

A SIEM is only as good as the data it can ingest and display. Legacy SIEMs are notorious for the long timelines required to integrate new security platforms, as well as their inability to ingest different information formats, which results in a lack of context population.

What to look for:

A modern SIEM supports a wide range of integrations and a robust community environment. While a vendor who actively engages with other security product vendors to make sure that integrations stay current is a great sign, a vendor who also actively looks to engage the user community to create and validate integrations and content is a true blessing.

Creating correlation rules is painful and time consuming. With cyberattacks that are constantly evolving, creating new correlation rule for new attacks is also a never-ending process with legacy SIEMs. Even with trained professionals dedicated to managing and fine-tuning your SIEM, it is impossible to keep up with threats that change at machine speed. In a recent survey, 34% of security professionals say that the need to manually create or refine rules is one of their biggest hurdles in maximizing the value of their SIEM platform. This also takes time away from investigating actual incidents.

What to look for:

A modern SIEM platform provides content that comes pre-packaged with the solution but is also able to ingest dynamic content that reflects current cyber threats. Security analytics content that is classified by the use case and type of threat it addresses makes it easy for enterprises to customize their deployment to suit their unique needs.

As a bonus, a robust community – typically in the form of a threat exchange – helps provide dynamic content creation and information sharing in order to stay ahead of rapidly evolving threats.

 

Predictable Cost and Low Total Cost of Ownership (TCO)

Unfortunately, considering the rapid growth in the volume of data, a major hurdle to good security is the cost of maintaining event data. Legacy SIEMs are typically priced by throughput (events per second (EPS)) or storage (GB) forcing security analysts to try to foresee which data will be important and compromising their threat detection capability.

Security buyers constantly worry about the escalating cost of data instead of focusing on doing the right thing for the organization. Since security analysis solutions operate better with large amounts of data, their pricing must not penalize the customer for data volume.

What to look for:

A modern SIEM will take the unpredictability out of the equation by providing a pricing model that is based on a metric that is better aligned with your business. The number of users is a much better metric since it accurately reflects the risk to the organization and the complexity of the threats it faces, but makes the cost of the security solution independent from the amount of information needed to perform optimally. Security analysts won’t need to risk leaving valuable information uncollected.

 

Automated Incident Response

Identifying threats is only part of the work, responding to threats rapidly is critical. Legacy SIEM solutions do not have integrated incident response capabilities. This means that legacy SIEM solutions rely on limited integrations with third party technologies for incident response. This process is highly manual, which makes responding to threats quickly impossible.

What to look for:

A modern SIEM platform provides automated incident response capabilities to help your security operations center (SOC) team respond rapidly to incidents. Every alert identified should have a playbook of recommended actions for the forensic analysts and incident responders to leverage.

The playbooks for a modern SIEM should be based on industry best practices and include integrations with third party solutions such as network security tools, endpoint protection devices, scanning solutions, security orchestration and automation platforms, and threat intelligence solutions. Based on the alert, a well-defined set of actions can be taken automatically – such as collecting machine and network logs, quarantining devices, suspending user actions, and more – and help incident responders resolve the incident quickly.

Cloud-Based Deployment Options

37% of cybersecurity professionals consider monitoring cloud infrastructures to be the top challenge facing their security team.

Legacy SIEM solutions are appliance-based and often run on proprietary hardware that you need to install in your on-premises data center. Designed for the era of perimeter security, on-premises solutions were not built with the cloud in mind. With the rapid growth of cloud adoption, on-premises solutions struggle to protect hybrid and cloud deployments.

What to look for:

While the majority of SIEM deployments today are on-premises (54%), delivery of SIEM as a service is on the rise (25%).

Given the multiple options available, modern SIEM deployments should match the organization’s overall IT strategy rather than push a hardware solution on the customer. Enterprises today are realizing great benefits, flexibility, agility, and cost savings with hybrid and cloud IT strategies. In fact, many of the largest companies today own no hardware!

Minimal dev-ops and even security expertise is a huge added benefit of a virtual or cloud-based deployment. As such, a modern SIEM solution must allow for traditional enterprise hardware/software as well as virtual and cloud-based deployment options.

Available UEBA, NTA, and SOAR Capabilities

With legacy SIEM detecting, investigating, and remediating threats is a highly manual process that often requires security analysts to utilize several security products, switching from screen to screen in order to build a complete picture of the threat and stop it.

What to look for:

A modern SIEM, being the custodian of an organization’s security data, will include both security orchestration, automation and response (SOAR), network traffic analysis (NTA), and user and entity behavior analytics (UEBA) capabilities.

UEBA enables a deep understanding of threats such as social engineering and account compromise, which helps security analysts visualize threats and understand their context. NTA solutions monitor network traffic, flows, connections and objects in order to detect threats in the network. SOAR facilitates quick remediation. According to Gartner, UEBA, NTA, and SOAR are among the capabilities that are all gradually converging into the SIEM platform. This convergence is characteristic of a modern SIEM.

The 8 Features of a Modern SIEM

  1. Based on an open, big data architecture.
  2. Leverages real-time behavioral analytics including machine learning.
  3. Enriches data with additional context to facilitate accurate prioritization of threats.
  4. Easy access to pre-packaged security content, relevant security use cases, and a support library with dynamic security content.
  5. Predictable cost and low TCO with a pricing model that is aligned with your business.
  6. Automated incident response capabilities through automated playbooks.
  7. Cloud-based SIEM deployment options for cloud or hybrid IT environments.
  8. UEBA, NTA, and SOAR capabilities available in the SIEM platform.

Legacy SIEMs require a lot of manual work. Security analysts need to spend a lot of time switching between solutions and screens while hunting down threats, manually remediating breaches, and writing and tweaking the manual rules the SIEM relies on to find threats. A modern SIEM uses integrated SOAR to drive security response through automated case creation and management, ending swivel chair investigations and freeing up security analysts to focus on security.

Compared to a legacy SIEM, which struggles to meet today’s security challenges, a modern SIEM improves your security posture through improved detection, investigation, and response capabilities.

For analyst perspectives on what capabilities are critical for a modern SIEM, watch the webinar Must-Have Capabilities for a Next-Gen SIEM in 2019 presented by Joseph Blankenship, Principal Analyst at Forrester, and Sachin Nayyar, CEO of Securonix, or read the Gartner research paper Technology Insight for the Modern SIEM.