10 Features to be a Next-gen SIEM - Exabeam

10 Must-Have Features to be a Modern SIEM

October 06, 2018

Orion Cassetto

That was then—next-gen SIEM is now. Modern SIEMs can now apply new solutions to your security domain that weren’t available with legacy SIEMs. But many SIEMs claim to be “next-generation,” and yet don’t have what’s needed to solve the problems most security teams face today. What features are needed to be a next-gen SIEM?

Legacy security information and event management (SIEM) systems first became available in the ninities and were adopted by security operations centers because of their promise to provide insights into the deep, dark corners of their networks. Security teams were needing to understand when and where security threats were happening.

However, the first generations of SIEMs required expert data analysis and a skilled team able to filter out the growing avalanche of false positives to discover the real security threats.

Because of the labor-intensive processes and expert skills needed, breaches typically would take weeks or months to uncover, investigate, and mitigate.

That was then—next-gen SIEM is now

Modern SIEMs can now apply new solutions to your security domain that weren’t available with legacy SIEMs. But many SIEMs claim to be “next-generation,” and yet don’t have what’s needed to solve the problems most security teams face today.

What features are needed to be a modern SIEM?

Because legacy SIEMs create a very high signal-to-noise ratio, they’ve become relegated to satisfying compliance requirements and not much else.

Here are the features needed in a next-gen SIEM solution—combining the latest technology with a comprehensive knowledge of how threats emerge:

1. Collect and manage data from all available sources

Present-day threats typically span multiple data sources. To be effective, every data source must be available to your next-gen SIEM for it to analyze and correlate the data. (See Figure 1.) This includes cloud service data, on-premise log data (security controls, databases, and application logs), and network data (flows, packets, etc.).

Figure 1. Your next-generation SIEM should easily access all data sources.

Your SIEM should also include centralized, remote data management. After you have all connectors configured and running, this enables you to easily manage them (start, stop, update, reconfigure) from any location.

2. Well-vetted, big data architecture

Many legacy SIEMs were architected in the early 2000s and use proprietary technology. There is a significant technological difference between then and now. Platforms such as Hadoop, Mongo, Elasticsearch, and Spark simply weren’t available then.

Given the amount of data being collected, what’s now needed is a big data architecture that can scale data, pivot within it, and take advantage of advanced data science algorithms.

3. Flat pricing for log ingestion

Most legacy SIEMs come with volume-based pricing. The more data you collect, the more it costs your organization. This means that even without increasing the number of data sources, your costs likely have significantly increased within just a few years, as shown in Figure 2.

Figure 2. Volume-based vs. flat SIEM licensing models

For example, replacing your firewall with an updated model might increase logging tenfold. With consumption-based pricing, your SIEM license fees automatically increase. But with a flat-rate pricing model, you can ingest data from all sources (instead of cherry-picking) and remain within your budget.

4. Enrichment of user and asset context

Look for a high level of enrichment that yields useful results from all the data you’re collecting. Advances in data science provide many insights that previously had to be correlated by experienced analysts, such as:

  • Dynamic peer grouping
  • Associating IP addresses with users, machines, and timelines
  • Tracking asset ownership
  • Associating user and machine types with activities
  • Identifying service accounts
  • Correlating personal email addresses with employees
  • Associating badging station log activity with user accounts and timelines

By using a SIEM that understands context and intent, you can look up asset ownership, user login location, peer groups, and other information that can help you discover abnormal behaviors.

5. User and Entity Behavior Analysis

A modern SIEM baselines behavior through machine learning, statistical analysis, and behavioral modeling—referred to as user and behavior analytics (UEBA).

Once UEBA assesses normal behavior, it can assign risk scores to unusual ones, then expose activities and behaviors that exceed a specified threshold. For example, if you have a user who usually logs in from the US, and now logs in from China for the first time, such an anomaly might be indicative of an attack in progress.

Figure 3. Surfacing abnormal user behavior based on VPN access

6. Automated tracking of lateral movement

By studying past incidents, we know that about 60 percent of attacks involve lateral movement. This is where attackers attempt to evade detection or gain access to higher privileges by changing credentials, IP addresses, and assets. To effectively follow lateral movements from beginning to end, your SIEM must be able to tie such related events together.

7. Improved security information model

Legacy SIEMs have a security model that’s mostly based on discrete events. Manually converting an event series into a structured behavior timeline requires a huge amount of time. For advanced analysis, security data must be stored in a useful form factor—for example, a timeline that contains the entire scope of each user and entity you’re monitoring. When all required information is organized in this way, expert systems immediately provide their complete context when surfacing abnormal events.

8. Prebuilt incident timelines

Using a legacy SIEM usually requires a combination of complex queries, followed by a lot of copying and pasting from each source to a common file (often using a text editor as a repository). Such investigations require huge amounts of time, deep security domain expertise, mastery of query languages, and the ability to interpret results. These skills are both expensive and in short supply.

With an abundance of enriched data in a suitable information model, a modern SIEM can present all available context in a concise and friendly UI—the single pane of glass.

Figure 4. Merging all events—including lateral movements—prebuilt timelines significantly streamline investigations

9. Incident prioritization

The amount of data SOCs need to analyze is staggering. It’s not unusual for large companies to generate hundreds of millions of log entries every day.

Figure 5 – A functioning modern SIEM can filter millions of logs and generate only the legitimate security tickets that need investigation.

Modern SIEMs are designed to reduce the signal-to-noise ratio to where you can regain domain control. The ability to eliminate false positives and focus only on events with abnormal behaviors is essential for robust security, efficient staff performance, and keeping down costs.

On a typical day, a best-in-class SIEM solution might reduce 500 million log entries to 60,000 session timelines, then surface fewer than 50 notable events. From these, a dozen or so tickets might be generated for investigation.

10. Security orchestration and automation response (SOAR)

SIEM vendors use different abbreviations for this capability, which includes two key areas:

  • Deploying prebuilt connectors to your IT and security infrastructure, without having to script them yourself
  • Easily pull/push data into/out of your access management systems, firewalls, email servers, network access controllers, and other management tools


  • Using response playbooks to codify best responses to specific threat types
  • Providing workflow automation on top of your orchestration plumbing
  • Enabling threat response automation, while also reducing personnel tedium
  • The ability to control all your tools from one place

An advanced SOAR solution can free up your highly skilled analysts to create playbooks, while enabling junior analysts to run them. You can realize a faster mean-time-to-resolution while using the efforts of fewer full-time employees.

Upgrading your SIEM solution to one that offers these ten essential features will allow your organization to keep up with today’s expanding threat landscape—without the growing costs of highly-skilled security analysts and outdated log volume and pricing models.

For an in-depth view, see the Exabeam webinar, 10 Must-Have Features of a Modern SIEM.

Recent SIEM Articles

New Logging Standard for Federal Cyber Detection and Response

Read More

Hitting “Refresh” on Federal Cybersecurity in 2021

Read More

Cloud SIEM: Features, Capabilities, and Advantages

Read More

Exabeam Adds Automated Incident Diagnosis to Speed Investigations

Read More

Exabeam Fusion XDR and Exabeam Fusion SIEM now available in Google Cloud Marketplace

Read More

Recent Information Security Articles

7 Detection Tips for the Log4j2 Vulnerability

Read More

Exabeam/KPMG Joint Special Session After Report

Read More

New CISO? 5 Things to Achieve In Your First 90 Days

Read More

5 Security Questions to Consider this Holiday Season

Read More

Our Customers Have Spoken: Exabeam named a 2021 Gartner Peer Insights™ Customers’ Choice for SIEM

Read More