Security Information and Event Management (SIEM) tools monitor logs from network hardware and software to spot security threats, detect and prevent breaches, and provide forensic analysis. They bring together data from many other systems to give a comprehensive view of IT security.
For example, they manage and make sense of security logs from all kinds of devices and carry out a range of functions, including spotting threats, preventing breaches before they occur, detecting breaches, and providing forensic information to determine how a security incident occurred as well as its possible impact.
As such, they are good at ingesting log data from a wide range of network hardware and software systems and analyzing it in real time. Their purpose is to correlate events and spot individual anomalies or patterns of behavior that may indicate a security breach, using threat intelligence feeds to stay aware of new threats as they emerge, and to present log data in a manageable and easily understood form so that security staff can interpret it effectively. SIEM tools are also used to collect log information from security and other systems to generate reports for compliance purposes.
Here are some of the top trends in SIEM:
1. No Longer a Basic Log Repository
Phil Neray, VP of cyber defense strategy at CardinalOps, said SIEMs have significantly evolved from their original role as a “dumb” repository for storing compliance logs.
Often cloud-based for scalability and simplicity, they are now centralized SecOps hubs for managing security incidents across their entire life cycle: detecting malicious activity using machine learning (ML), investigating it by examining the kill chain, and responding quickly with automated workflows (security orchestration, automation, and response, or SOAR), such as isolating compromised endpoints from the network.
“Scalability is key because the modern SIEM ingests massive amounts of data from diverse sources, such as logs, plus events from other security tools, such as firewalls, and threat intelligence, which is used to enrich the data in order to accelerate investigations with additional context,” Neray said.
2. Security Operations Platforms
Oliver Rochford, senior director and security evangelist at Securonix, adds to Neray’s view by predicting that in the next five years, SIEMs will evolve into true security operations platforms, providing event collection and management as a core foundational function but with complementary capabilities, including user and entity behavior analytics, security orchestration and automation, threat intelligence management, and extended network, endpoint, and cloud detection capabilities.
“Security leaders are aggressively following a vendor and technology consolidation strategy over the next years, with the aim of realizing savings in licensing costs, technology complexity, and operational overheads,” Rochford said.
“Many CISOs will seek out consolidated and integrated security operations platforms, based on cloud-SIEM and composed of modular components that can be mixed and matched, and rapidly reconfigured and adapted depending on need and use case.”
3. Machine Learning
Rochford, of Securonix, added that SIEM is increasingly becoming a standard component in the machine learning development life cycle for security and threat analytics use cases.
One of the greatest challenges in machine learning, after all, is labeling data. Without accurate and reliable labels, machine learning models cannot be trained properly and struggle to classify and identify information.
A SIEM does not just collect data by default; it also normalizes it, fitting it into a schema useful for analysis, and adds contextual labels based on threat intelligence, context, and classification frameworks such as MITRE ATT&CK. Researchers at many vendors, such as Microsoft and Securonix, and threat hunters at large organizations are already tapping into their SIEM data for data science projects, and many SIEM vendors are adding support for Jupyter Notebook and similar data science workspaces.
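The ingest, normalize, enrich and correlate steps described in the introduction, together with the schema fitting and MITRE ATT&CK labeling described just above, as one added example that is not from the article or from any vendor it mentions. It assumes a constructed sample of sshd syslog and Windows-style logon lines, a made-up threat-intelligence feed, and a simple failed-logon rule mapped to ATT&CK technique T1110 (Brute Force); the year prepended to syslog timestamps is also an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample logs (syslog sshd and a Windows-style logon event); all values made up.
RAW_LOGS = [
    "Mar 10 12:00:01 host1 sshd[2011]: Failed password for root from 203.0.113.7 port 5122 ssh2",
    "Mar 10 12:00:03 host1 sshd[2011]: Failed password for admin from 203.0.113.7 port 5123 ssh2",
    "2024-03-10T12:00:05Z EventID=4625 TargetUserName=bob IpAddress=203.0.113.7",
    "Mar 10 12:30:00 host2 sshd[3344]: Accepted password for alice from 198.51.100.20 port 4000 ssh2",
]
# Constructed threat-intelligence feed (indicator -> label) standing in for a real one.
THREAT_INTEL = {"203.0.113.7": "known-bruteforce-scanner"}
SSHD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
WIN_RE = re.compile(r"^(\S+) EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)")

def normalize(line):
    """Map one raw line from either source onto a common schema, or None if unparsed."""
    if m := SSHD_RE.match(line):  # syslog lines carry no year; 2024 is assumed here
        ts = datetime.strptime("2024 " + m.group(1), "%Y %b %d %H:%M:%S")
        failed, user, src_ip, source = m.group(2) == "Failed", m.group(3), m.group(4), "sshd"
    elif m := WIN_RE.match(line):  # Windows event ID 4625 is a failed logon
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        failed, user, src_ip, source = m.group(2) == "4625", m.group(3), m.group(4), "windows"
    else:
        return None
    return {"ts": ts, "user": user, "src_ip": src_ip, "source": source,
            "outcome": "failure" if failed else "success"}
def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Alert once per source IP with >= threshold failed logons in one window, tagged T1110."""
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            failures[e["src_ip"]].append(e)
    alerts = []
    for src_ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs) - threshold + 1):
            if evs[i + threshold - 1]["ts"] - evs[i]["ts"] <= window:
                hit = [e for e in evs if evs[i]["ts"] <= e["ts"] <= evs[i]["ts"] + window]
                alerts.append({"src_ip": src_ip, "count": len(hit), "attack": "T1110",  # MITRE ATT&CK Brute Force
                               "sources": sorted({e["source"] for e in hit}), "threat_intel": hit[0].get("threat_intel")})
                break  # one alert per source IP, not one per extra failure
    return alerts

def pipeline(lines=RAW_LOGS):
    """Normalize, enrich every event with its threat-intel label, then correlate."""
    events = [e for e in map(normalize, lines) if e]
    for e in events:
        e["threat_intel"] = THREAT_INTEL.get(e["src_ip"])
    return events, correlate(events)
```

Because both sources are mapped onto the same schema first, the rule counts the Windows failure and the sshd failures from one address together, which is exactly what per-tool logs on their own cannot show.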
“SIEM is being used as a tool to help solve one of the most fundamental problems in machine learning — obtaining and maintaining reliable, accurate, and usable data,” Rochford said.
“Those vendors that want to stay relevant must understand how AI development life cycles work and include data scientists and developers as buyers and users.”
4. Insurance Coverage
As the cyber insurance industry matures, providers are coming to the realization that customers with technologies such as EDR, MFA, and SIEM yield better profit margins than customers with no formal security policy.
The cyber insurance industry, therefore, will tighten and become more standardized, and one of those standards will be the one-year log retention and monitoring capabilities that a SIEM provides, according to Matthew Warner, co-founder and CTO at Blumira.
This trend has already come to fruition. At a White House Cybersecurity Summit, for example, a major cyber insurance provider, Resilience, promised to “require policyholders to meet a threshold of cybersecurity best practices as a condition of receiving coverage.”
“Tightening cyber insurance requirements will drive SIEM adoption, especially among managed service providers that rely on cyber insurance as the cornerstone of their businesses,” Warner said.
5. SIEM Growth
All of this adds up to a healthy SIEM market for some time to come.
“SIEM market size will continue to grow healthily, despite calls that SIEM is dead yet again,” said Rochford of Securonix.
“Even XDR has at its core SIEM-like capabilities on top of the endpoint detection and response component. Whether cloud, IoT, or more traditional servers and endpoints, events are not going away, so the need to collect, normalize, aggregate and correlate them won’t either.”