The need: Monitoring user activity within and outside the network
The need: Specialized tools to monitor, analyze and detect threats
The need: Deriving more insights into security data from multiple sources
The need: An organized way to address and manage security incidents and alerts
The need: Automatically verifying regulatory requirements and generating audit reports, managing data privacy and governance
According to Gartner’s Critical Capabilities for SIEM 2017 report, next-generation SIEMs must incorporate additional technologies alongside the traditional log management, statistical analysis, alerting and reporting capabilities. New SIEMs must include:
SIEMs have been a fundamental infrastructure of the Security Operations Center (SOC) for over two decades. However, SOC analysts experience several pains that traditional SIEMs can’t solve. Below we show how next-generation SIEM technology can solve these pains.
Pain: Alert fatigue – too many alerts to review and incidents to investigate
How a next-generation SIEM can help: Next-generation SIEMs generate fewer alerts for security analysts to review, because behavioral profiling baselines normal activity and raises alerts only on deviations from it. They can also categorize incidents by risk reasons, incident type, and priority, enabling analysts to filter and prioritize based on risk scores and business impact.

Pain: Analyst fatigue due to mundane tasks
How a next-generation SIEM can help: Next-generation SIEMs provide security automation via playbooks. They integrate with IT systems and security tools to automatically attach more evidence to incidents and help investigators close incidents quickly.

Pain: Takes too long to investigate incidents
How a next-generation SIEM can help: Next-generation SIEMs create a timeline that pulls together all the evidence related to a specific incident, across multiple users and organizational systems. This allows analysts to view the entire scope of an incident and its potential risks in a single pane of glass.

Pain: Lack of skilled analysts – need to quickly train and on-board new staff
How a next-generation SIEM can help: Next-generation SIEMs are easier to use and present easy-to-interpret incidents packaged with ancillary information. They also provide simple ways to query and explore security data without requiring analysts to become SQL experts or data scientists. This allows even junior analysts to assess risks, prioritize incidents, and escalate confirmed incidents to a next-tier analyst.
There are three main options for procuring a SIEM platform. Following are some of their pros and cons.
Open source tools such as OSSIM, OSSEC and Apache Metron can provide many SIEM capabilities including event collection, processing, correlation and alerting. Some open source solutions also provide Intrusion Detection System (IDS) capabilities.
Pros: No upfront expense; simpler to implement than traditional SIEM solutions.
Cons: Ongoing maintenance costs can outweigh the savings in license costs. Open source SIEMs are not fully featured and are mainly suitable for smaller deployments. No next-gen SIEM features.
Traditional SIEM tools from players like HPE, IBM and McAfee (now Intel Security) were the common choice of large organizations building a SOC to centralize security activity and incident response.
In recent years, new lightweight SIEM solutions have emerged, which are powerful, less expensive and much faster to implement. Three of these solutions have been featured in the Gartner SIEM Magic Quadrant 2018: Exabeam, Rapid7 and Securonix.
Pros: Enterprise grade, proven technology; most products have at least some next-gen SIEM capabilities.
Cons: License costs; SOC procedures are built around a specific solution’s processes, leading to vendor lock-in.
The ELK stack – Elasticsearch, Logstash and Kibana – is a great starting point for building your own SIEM solution. In fact, most of the new contenders in the SIEM market are based on this stack. Building your own can be suitable for very large organizations that need tailored capabilities and want to integrate with previous investments in threat intelligence, monitoring or analytics.
Pros: Complete customization of all SIEM capabilities; easier integration with legacy systems and in-house security feeds.
Cons: Very high upfront expense and an ongoing development cost to support changes and maintenance.
SIEMs provided and managed by Managed Security Service Providers (MSSP) are a growing trend. Managed SIEMs are making it possible for smaller organizations, which do not have sufficient full time security staff, to enter the SIEM game.
There are four common SIEM hosting models:
For more details on SIEM hosting models, see our guide to SIEM Architecture.
Procuring a SIEM involves several different costs, some of which are capital expenditures and some are operating expenditures.
Organizations adopting SIEM on-premise will have to provision hardware to run the SIEM. To determine how much hardware is needed, you should first estimate the number of events the SIEM needs to handle:
The number and type of servers needed is defined by event volume, as well as the storage format, your decision whether to store data locally or in the cloud, the log compression ratio, encryption requirements, and the split between short-term and long-term data retention.
For more details on SIEM hardware sizing, see our guide on SIEM Architecture.
The same calculation of Events Per Day can be used to determine the SIEM’s storage requirements. The cost of storage will depend on your SIEM deployment model:
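As an added worked example (not from this page or from Exabeam), here is an Events Per Day sizing model that turns a per-source EPS inventory into daily event volume, hot- and cold-tier storage, and an indexer node count. The source inventory is constructed, and the index overhead, replica count, compression ratio and EPS-per-node figures are assumptions you would replace with your own vendor's numbers.

```python
"""Events Per Day (EPD) sizing model for an on-premise SIEM (constructed example).
Assumed formulas, not vendor figures: hot = raw x index overhead x replicas,
cold = raw x compression ratio, nodes = peak EPS / EPS per node."""
import math
from dataclasses import dataclass

GIB = 1024 ** 3
SECONDS_PER_DAY = 86_400

@dataclass(frozen=True)
class LogSource:
    name: str
    avg_eps: float   # average events per second this source emits
    avg_bytes: int   # average raw size of one event, in bytes

def events_per_day(sources, peak_factor=1.0):
    """Total EPD, scaled by an assumed peak_factor for burst headroom."""
    return round(sum(s.avg_eps for s in sources) * SECONDS_PER_DAY * peak_factor)

def raw_bytes_per_day(sources, peak_factor=1.0):
    """Raw (uncompressed) log volume per day, in bytes."""
    bps = sum(s.avg_eps * s.avg_bytes for s in sources)
    return round(bps * SECONDS_PER_DAY * peak_factor)

def storage_estimate(sources, hot_days, cold_days, peak_factor=1.3,
                     index_overhead=1.2, replicas=2, cold_compression=0.1):
    """Bytes for a hot (indexed, replicated) tier and a cold (compressed) tier."""
    daily = raw_bytes_per_day(sources, peak_factor)
    hot = round(daily * hot_days * index_overhead * replicas)
    cold = round(daily * cold_days * cold_compression)
    return {"hot_bytes": hot, "cold_bytes": cold, "total_bytes": hot + cold}

def indexer_nodes_needed(sources, eps_per_node, peak_factor=1.3):
    """Indexing nodes needed to absorb peak EPS; eps_per_node is an assumed vendor figure."""
    peak_eps = sum(s.avg_eps for s in sources) * peak_factor
    return math.ceil(peak_eps / eps_per_node)

# Constructed inventory: the EPS and byte sizes are illustrative, not measured.
SAMPLE_SOURCES = [
    LogSource("domain controllers", avg_eps=500, avg_bytes=600),
    LogSource("perimeter firewalls", avg_eps=1500, avg_bytes=250),
    LogSource("linux auth/syslog", avg_eps=300, avg_bytes=200),
]

if __name__ == "__main__":
    est = storage_estimate(SAMPLE_SOURCES, hot_days=30, cold_days=365)
    print({tier: round(size / GIB, 1) for tier, size in est.items()}, "GiB")
```

Measure real EPS per source over at least a full business week before trusting the numbers, since peak_factor only covers short bursts, not a systematically under-counted inventory.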
A SIEM is not valuable without security analysts who can receive and act upon its alerts. Security analysts are needed to:
Analysts must be skilled and trained, preferably with a relevant security certification.
If you use a Managed Security Service Provider (MSSP), analysts will be outsourced by the service provider, or work will be divided between in-house staff and external suppliers.
If you use a SIEM with AI or machine learning capabilities, the tool’s intelligence is not a substitute for human analysts. You will still need analysts, but effective AI processing of security data can substantially reduce false positives and help security analysts get the data they need faster, substantially reducing analyst labor.
When purchasing a SIEM, consider which standards or regulations your organization as a whole needs to comply with (across all departments, because the SIEM is a cross-organizational infrastructure).
Important to consider:
Exabeam provides a next-generation Security Management Platform, a modern SIEM that combines end-to-end data collection, analysis, monitoring, threat detection and automated response in a single management and operations platform.
Exabeam is a modern SIEM platform that provides all the next-gen SIEM capabilities defined in Gartner’s model:
Exabeam provides threat identification with behavioral analysis based on machine learning. It creates behavioral baselines and intelligently identifies anomalies. Exabeam can also dynamically group peers of entities to identify suspicious individuals, and detect lateral movement across different computer systems and user accounts. To enable forensic analysis, Exabeam automatically collects all the evidence related to an incident and constructs timelines to visualize security incidents.
Exabeam provides unlimited log data retention, leveraging modern data lake technology. It provides context-aware log parsing and presentation that helps security analysts quickly find what they need, and makes it possible to build rules and queries using natural language. Analysts can quickly explore, slice and dice security data without requiring expert knowledge of data science or SQL. Like traditional SIEM platforms, Exabeam also provides prebuilt compliance reports for PCI-DSS, SOX, GDPR, and more.
Exabeam provides customizable case management designed for security incidents. It provides a centralized approach to incident response, gathering data from hundreds of tools and orchestrating a response to different types of incidents, via tools like email servers, Active Directory and firewalls, using security playbooks. Playbooks can automate investigations, containment, and mitigation.
Exabeam provides a point-and-click interface that lets anyone in the SOC easily create complex queries on security data. When an incident is identified, it collects evidence and organizes it into a complete incident timeline. Analysts can also enter an Alert ID from an anti-malware or DLP tool and immediately view a timeline of all related security events.
Exabeam’s next-generation capabilities can help resolve the most common pain points in the modern SOC:
Traditional SIEM: Must replace the existing log management platform.
Exabeam: Can replace the existing log management platform, or maintain your investment and augment it with analytics and other advanced features to improve detection, investigation and response.

Traditional SIEM: Server costs should be estimated based on an Events Per Day model.
Exabeam: Server costs are similar to those of a traditional SIEM for the same event volume.

Traditional SIEM: Dedicated, expert-level in-house security staff needed to interpret and investigate SIEM alerts.
Exabeam: Prioritized, friendly SIEM alerts with automated incident timelines allow managing the SIEM with part-time or junior security analysts.
To test drive a next-generation SIEM, request a demo of the Exabeam Security Management Platform.