Legacy security information and event management (SIEM) systems first became available in the ninities and were adopted by security operations centers because of their promise to provide insights into the deep, dark corners of their networks. Security teams were needing to understand when and where security threats were happening.
However, the first generations of SIEMs required expert data analysis and a skilled team able to filter out the growing avalanche of false positives to discover the real security threats.
Because of the labor-intensive processes and expert skills needed, breaches typically would take weeks or months to uncover, investigate, and mitigate.
That was then—next-gen SIEM is now
Modern SIEMs can now apply new solutions to your security domain that weren’t available with legacy SIEMs. But many SIEMs claim to be “next-generation,” and yet don’t have what’s needed to solve the problems most security teams face today.
What features are needed to be a modern SIEM?
Because legacy SIEMs create a very high signal-to-noise ratio, they’ve become relegated to satisfying compliance requirements and not much else.
Here are the features needed in a next-gen SIEM solution—combining the latest technology with a comprehensive knowledge of how threats emerge:
1. Collect and manage data from all available sources
Present-day threats typically span multiple data sources. To be effective, every data source must be available to your next-gen SIEM for it to analyze and correlate the data. (See Figure 1.) This includes cloud service data, on-premise log data (security controls, databases, and application logs), and network data (flows, packets, etc.).
Figure 1. Your next-generation SIEM should easily access all data sources.
Your SIEM should also include centralized, remote data management. After you have all connectors configured and running, this enables you to easily manage them (start, stop, update, reconfigure) from any location.
2. Well-vetted, big data architecture
Many legacy SIEMs were architected in the early 2000s and use proprietary technology. There is a significant technological difference between then and now. Platforms such as Hadoop, Mongo, Elasticsearch, and Spark simply weren’t available then.
Given the amount of data being collected, what’s now needed is a big data architecture that can scale data, pivot within it, and take advantage of advanced data science algorithms.
3. Flat pricing for log ingestion
Most legacy SIEMs come with volume-based pricing. The more data you collect, the more it costs your organization. This means that even without increasing the number of data sources, your costs likely have significantly increased within just a few years, as shown in Figure 2.
Figure 2. Volume-based vs. flat SIEM licensing models
For example, replacing your firewall with an updated model might increase logging tenfold. With consumption-based pricing, your SIEM license fees automatically increase. But with a flat-rate pricing model, you can ingest data from all sources (instead of cherry-picking) and remain within your budget.
4. Enrichment of user and asset context
Look for a high level of enrichment that yields useful results from all the data you’re collecting. Advances in data science provide many insights that previously had to be correlated by experienced analysts, such as:
- Dynamic peer grouping
- Associating IP addresses with users, machines, and timelines
- Tracking asset ownership
- Associating user and machine types with activities
- Identifying service accounts
- Correlating personal email addresses with employees
- Associating badging station log activity with user accounts and timelines
By using a SIEM that understands context and intent, you can look up asset ownership, user login location, peer groups, and other information that can help you discover abnormal behaviors.
5. User and Entity Behavior Analysis
A modern SIEM baselines behavior through machine learning, statistical analysis, and behavioral modeling—referred to as user and behavior analytics (UEBA).
Once UEBA assesses normal behavior, it can assign risk scores to unusual ones, then expose activities and behaviors that exceed a specified threshold. For example, if you have a user who usually logs in from the US, and now logs in from China for the first time, such an anomaly might be indicative of an attack in progress.
Figure 3. Surfacing abnormal user behavior based on VPN access
6. Automated tracking of lateral movement
By studying past incidents, we know that about 60 percent of attacks involve lateral movement. This is where attackers attempt to evade detection or gain access to higher privileges by changing credentials, IP addresses, and assets. To effectively follow lateral movements from beginning to end, your SIEM must be able to tie such related events together.
7. Improved security information model
Legacy SIEMs have a security model that’s mostly based on discrete events. Manually converting an event series into a structured behavior timeline requires a huge amount of time. For advanced analysis, security data must be stored in a useful form factor—for example, a timeline that contains the entire scope of each user and entity you’re monitoring. When all required information is organized in this way, expert systems immediately provide their complete context when surfacing abnormal events.
8. Prebuilt incident timelines
Using a legacy SIEM usually requires a combination of complex queries, followed by a lot of copying and pasting from each source to a common file (often using a text editor as a repository). Such investigations require huge amounts of time, deep security domain expertise, mastery of query languages, and the ability to interpret results. These skills are both expensive and in short supply.
With an abundance of enriched data in a suitable information model, a modern SIEM can present all available context in a concise and friendly UI—the single pane of glass.
Figure 4. Merging all events—including lateral movements—prebuilt timelines significantly streamline investigations
9. Incident prioritization
The amount of data SOCs need to analyze is staggering. It’s not unusual for large companies to generate hundreds of millions of log entries every day.
Figure 5 – A functioning modern SIEM can filter millions of logs and generate only the legitimate security tickets that need investigation.
Modern SIEMs are designed to reduce the signal-to-noise ratio to where you can regain domain control. The ability to eliminate false positives and focus only on events with abnormal behaviors is essential for robust security, efficient staff performance, and keeping down costs.
On a typical day, a best-in-class SIEM solution might reduce 500 million log entries to 60,000 session timelines, then surface fewer than 50 notable events. From these, a dozen or so tickets might be generated for investigation.
10. Security orchestration and automation response (SOAR)
SIEM vendors use different abbreviations for this capability, which includes two key areas:
- Deploying prebuilt connectors to your IT and security infrastructure, without having to script them yourself
- Easily pull/push data into/out of your access management systems, firewalls, email servers, network access controllers, and other management tools
- Using response playbooks to codify best responses to specific threat types
- Providing workflow automation on top of your orchestration plumbing
- Enabling threat response automation, while also reducing personnel tedium
- The ability to control all your tools from one place
An advanced SOAR solution can free up your highly skilled analysts to create playbooks, while enabling junior analysts to run them. You can realize a faster mean-time-to-resolution while using the efforts of fewer full-time employees.
Upgrading your SIEM solution to one that offers these ten essential features will allow your organization to keep up with today’s expanding threat landscape—without the growing costs of highly-skilled security analysts and outdated log volume and pricing models.
For an in-depth view, see the Exabeam webinar, 10 Must-Have Features of a Modern SIEM.