10 Must-Have Features to be a Modern SIEM
Legacy security information and event management (SIEM) systems first became available in the ninities and were adopted by security operations centers because of their promise to provide insights into the deep, dark corners of their networks. SInformation security teams were needing to understand when and where security threats were happening.
However, the first generations of SIEMs required expert data analysis and a skilled team able to filter out the growing avalanche of false positives to discover the real security threats.
Because of the labor-intensive processes and expert skills needed, breaches typically would take weeks or months to uncover, investigate, and mitigate.
That was then—next-gen SIEM is now
Modern SIEMs can now apply new solutions to your security domain that weren’t available with legacy SIEMs. But many SIEMs claim to be “next-generation,” and yet don’t have what’s needed to solve the problems most security teams face today.
What features are needed to be a modern SIEM?
Because legacy SIEMs create a very high signal-to-noise ratio, they’ve become relegated to satisfying compliance requirements and not much else.
Here are the features needed in a next-gen SIEM solution—combining the latest technology with a comprehensive knowledge of how threats emerge:
1. Collect and manage data from all available sources
Present-day threats typically span multiple data sources. To be effective, every data source must be available to your next-gen SIEM for it to analyze and correlate the data. (See Figure 1.) This includes cloud service data, on-premise log data (security controls, databases, and application logs), and network data (flows, packets, etc.).
Figure 1. Your next-generation SIEM should easily access all data sources.
Your SIEM should also include centralized, remote data management. After you have all connectors configured and running, this enables you to easily manage them (start, stop, update, reconfigure) from any location.
2. Well-vetted, big data architecture
Many legacy SIEMs were architected in the early 2000s and use proprietary technology. There is a significant technological difference between then and now. Platforms such as Hadoop, Mongo, Elasticsearch, and Spark simply weren’t available then.
Given the amount of data being collected, what’s now needed is a big data architecture that can scale data, pivot within it, and take advantage of advanced data science algorithms.
3. Flat pricing for log ingestion
Most legacy SIEMs come with volume-based pricing. The more data you collect, the more it costs your organization. This means that even without increasing the number of data sources, your costs likely have significantly increased within just a few years, as shown in Figure 2.
Figure 2. Volume-based vs. flat SIEM licensing models
For example, replacing your firewall with an updated model might increase logging tenfold. With consumption-based pricing, your SIEM license fees automatically increase. But with a flat-rate pricing model, you can ingest data from all sources (instead of cherry-picking) and remain within your budget.
4. Enrichment of user and asset context
Look for a high level of enrichment that yields useful results from all the data you’re collecting. Advances in data science provide many insights that previously had to be correlated by experienced analysts, such as:
- Dynamic peer grouping
- Associating IP addresses with users, machines, and timelines
- Tracking asset ownership
- Associating user and machine types with activities
- Identifying service accounts
- Correlating personal email addresses with employees
- Associating badging station log activity with user accounts and timelines
By using a SIEM that understands context and intent, you can look up asset ownership, user login location, peer groups, and other information that can help you discover abnormal behaviors.
5. User and Entity Behavior Analysis
A modern SIEM baselines behavior through machine learning, statistical analysis, and behavioral modeling—referred to as user and behavior analytics (UEBA).
Once UEBA assesses normal behavior, it can assign risk scores to unusual ones, then expose activities and behaviors that exceed a specified threshold. For example, if you have a user who usually logs in from the US, and now logs in from China for the first time, such an anomaly might be indicative of an attack in progress.
Figure 3. Surfacing abnormal user behavior based on VPN access
6. Automated tracking of lateral movement
By studying past incidents, we know that about 60 percent of attacks involve lateral movement. This is where attackers attempt to evade detection or gain access to higher privileges by changing credentials, IP addresses, and assets. To effectively follow lateral movements from beginning to end, your SIEM must be able to tie such related events together.
7. Improved security information model
Legacy SIEMs have a security model that’s mostly based on discrete events. Manually converting an event series into a structured behavior timeline requires a huge amount of time. For advanced analysis, security data must be stored in a useful form factor—for example, a timeline that contains the entire scope of each user and entity you’re monitoring. When all required information is organized in this way, expert systems immediately provide their complete context when surfacing abnormal events.
8. Prebuilt incident timelines
Using a legacy SIEM usually requires a combination of complex queries, followed by a lot of copying and pasting from each source to a common file (often using a text editor as a repository). Such investigations require huge amounts of time, deep security domain expertise, mastery of query languages, and the ability to interpret results. These skills are both expensive and in short supply.
With an abundance of enriched data in a suitable information model, a modern SIEM can present all available context in a concise and friendly UI—the single pane of glass.
Figure 4. Merging all events—including lateral movements—prebuilt timelines significantly streamline investigations
9. Incident prioritization
The amount of data SOCs need to analyze is staggering. It’s not unusual for large companies to generate hundreds of millions of log entries every day.
Figure 5 – A functioning modern SIEM can filter millions of logs and generate only the legitimate security tickets that need investigation.
Modern SIEMs are designed to reduce the signal-to-noise ratio to where you can regain domain control. The ability to eliminate false positives and focus only on events with abnormal behaviors is essential for robust security, efficient staff performance, and keeping down costs.
On a typical day, a best-in-class SIEM solution might reduce 500 million log entries to 60,000 session timelines, then surface fewer than 50 notable events. From these, a dozen or so tickets might be generated for investigation.
10. Security orchestration and automation response (SOAR)
SIEM vendors use different abbreviations for this capability, which includes two key areas:
- Deploying prebuilt connectors to your IT and security infrastructure, without having to script them yourself
- Easily pull/push data into/out of your access management systems, firewalls, email servers, network access controllers, and other management tools
- Using response playbooks to codify best responses to specific threat types
- Providing workflow automation on top of your orchestration plumbing
- Enabling threat response automation, while also reducing personnel tedium
- The ability to control all your tools from one place
An advanced SOAR solution can free up your highly skilled analysts to create playbooks, while enabling junior analysts to run them. You can realize a faster mean-time-to-resolution while using the efforts of fewer full-time employees.
Upgrading your SIEM solution to one that offers these ten essential features will allow your organization to keep up with today’s expanding threat landscape—without the growing costs of highly-skilled security analysts and outdated log volume and pricing models.
For an in-depth view, see the Exabeam webinar, 10 Must-Have Features of a Modern SIEM.
See Our Additional Guides on Key Information Security Topics
Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of Information security.
Authored by Exabeam
SIEM solutions are powerful tools for centralizing and correlating data from across your systems. These solutions enable you to create comprehensive visibility over your systems and provide important contextual information about events.
See top articles in our SIEM guide:
- 10 SIEM Use Cases in a Modern Threat Landscape
- The Modern Security Operations Center, SecOps and SIEM: How They Work Together
- SIEM Architecture: Technology, Process and Data
SOCs enable security teams to monitor systems and manage security responsibilities from a single location or unit. This enables teams to more comprehensively control assets and can significantly speed incident response and recovery times.
This article defines a SOC and explains the difference between SOC teams and CSIRT teams. It also explains how SOCs operate, covers benefits and challenges of SOCs, and provides a guide for setting up your SOC.
See top articles in our security operations center guide:
- Security Operations Center Roles and Responsibilities
- SecOps: Taking DevOps One Step Further
- How to Build a Security Operations Center for Small Companies
Learn about MITRE ATT&CK, a security research project that is helping the security industry better understand techniques, tactics, and procedures (TTPs) used by threat actors, detecting them, and responding to them more effectively.
The Next Wave of Innovation in SIEM, Security Analytics and TDIR
Are You Thinking About Shifting Your SIEM to the Cloud?
What’s New in Exabeam Product Development – May 2022
Exabeam in Action: Stopping Lapsus$ in Their Tracks
Ransomware: Bigger, Better, and Still Going Strong
The Benefits of UEBA Technology with Industry Experts at the Helm
Subscribe today and we'll send our latest blog posts right to your inbox, so you can stay ahead of the cybercriminals and defend your organization.
See a world-class SIEM solution in action
Most reported breaches involved lost or stolen credentials. How can you keep pace?
Exabeam delivers SOC teams industry-leading analytics, patented anomaly detection, and Smart Timelines to help teams pinpoint the actions that lead to exploits.
Whether you need a SIEM replacement, a legacy SIEM modernization with XDR, Exabeam offers advanced, modular, and cloud-delivered TDIR.
Get a demo today!