Security Information and Event Management (SIEM) systems have been the cornerstone of many IT security monitoring strategies. But as the threats facing organizations and the tools used to protect against them have become more complex, SIEMs have become more like sieves.
Sieve. /siv/ noun. 1. A utensil consisting of a wire or plastic mesh held in a frame, used for straining solids from liquids, for separating coarser from finer particles, or for reducing soft solids to a pulp.
How Did This Happen?
With attacks from highly-skilled adversaries hitting organizations from multiple vectors in order to exploit any potential weakness, security professionals have been forced to implement a number of different point tools to mount a reliable defense. Over time, most organizations have built a security arsenal to include intrusion prevention systems, endpoint protection, detection and response systems, antivirus, firewalls, identity and access management systems, and many other tools. These systems create a lot of log data – and the combined weight of that data simply became too much for security teams to reliably manage without a purpose-built tool.
This is why SIEM systems became popular. They became a must-have for organizations to capture and manage all the data that their meshwork of security solutions create. With this data captured in one place, monitoring rules could be constructed, initially to generate alerts when certain event thresholds had been exceeded, but ultimately extending to detect complex event sequences envisioned by security subject matter experts. The theory was that alerts raised by the SIEM would be investigated by the organization’s security incident response team.
But as attacks increased in volume and persistency – and IT infrastructures became more complex – the SIEM-based monitoring approach became too noisy (generating too many alerts) and too difficult to maintain. Thresholds and rules would need to be constantly updated when infrastructure usage changed or new security tools were added. As a consequence, noisy alerts were often ignored, and out-of-date rules missed significant security events. Threats continued to get through the meshwork of tools that SIEMs were designed to hold together – and that’s when SIEM-based monitoring started to act more like a sieve.
Target became the poster child for missing alerts after its 2013 data breach that resulted in 40 million stolen credit card numbers. And a study that Enterprise Strategy Group (ESG) published earlier this year found that nearly a third of companies are ignoring at least half of all security alerts due to their inability to keep up with the large volume.
To make matters worse, the sheer volume of data being created by the different security and IT infrastructure tools has become too much for many SIEMs to handle. The reality is that simply managing security data has become a “big data” problem, and many SIEMs were not built on “big data” architectures. Thus another opportunity for threats to be either missed or ignored because of data overload came into play.
There’s some irony in the fact that SIEM systems were originally presented as a solution to help security teams deal with high volumes of security-related data, and now their usefulness is being challenged by that very same issue. Clearly, something has to be done.
While SIEMs may be struggling to find their way in the new reality of security data overload, the need for security monitoring is not going away anytime in the near future – nor should it. SIEM systems provide a critical foundation on which to build a cybersecurity defense. The current challenges that SIEMs face – producing too many low-quality security events and not enough meaningful insights to detect advanced threats – can be overcome.
SIEMs just need more brainpower, the type that can be added with advanced analytics that operate on the “big data” store formerly known as the SIEM database.
Basic analytic capabilities – like being able to search event logs, apply thresholds and human expert-created rules, and run reports – are no longer enough. In order to level the playing field with today’s sophisticated cyber criminals, advanced analytics – those that can provide insights regarding unusual behaviors in the data, relationships in the data, and even predictions of what may happen next and/or how it can be addressed – are becoming essential. One way to think of advanced analytics is as a team of “algorithmic assistants” employed by the security team to be ever-vigilant, looking for unusual behaviors in the data. Security pros still use their knowledge to guide the operation of the analytics, but the tedious and sometimes impossible-for-humans tasks of analyzing massive data sets are done by the analytics.
Advanced analytics, such as machine learning-based behavioral analytics, are already proving how they can help SIEM systems do their job better. These capabilities provide numerous improvements over static, human-defined rules and thresholds that have to be continuously updated and fine-tuned based on current threat activity. Machine learning can learn what normal activity looks like in massive and constantly changing security and IT data, so it can automate the identification of unusual activity that may indicate a system compromise or a data exfiltration event. And since malicious activity rarely happens in isolation, linking together unusual behaviors based on common entities such as users, hosts, domains, or IP addresses allows organizations to identify the root cause of an attack more quickly.
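To make the contrast concrete, here is an added example (not code from the original article or from any SIEM product) on constructed hourly egress summaries: a fixed byte threshold of the kind the article criticizes fires on every hour of a legitimately high-volume account while missing a smaller spike, whereas a per-user learned baseline flags only the two genuine outliers, which are then linked into one incident because they share a host. The event tuples, the z-score cutoff and the entity prefixes are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed hourly egress summaries (user, host, src_ip, bytes_out); not real
# SIEM data. bob is a legitimately high-volume backup account, so a fixed
# threshold fires on all of his hours while missing carol's smaller spike.
EVENTS = (
    [("alice", "ws01", "10.0.0.5", 1200 + 20 * i) for i in range(12)]
    + [("bob", "bk01", "10.0.0.6", 50000 + 500 * i) for i in range(12)]
    + [("carol", "ws03", "10.0.0.7", 800 + 10 * i) for i in range(12)]
    + [("alice", "ws07", "10.0.0.9", 90000),  # alice: unusual host and volume
       ("carol", "ws07", "10.0.0.7", 30000)]  # carol: spike via the same host
)

def static_rule(events, threshold=40000):
    """Hand-tuned SIEM rule: alert on every event above a fixed byte count."""
    return [e for e in events if e[3] > threshold]

def baseline_anomalies(events, z_cut=3.0, min_history=5):
    """Learn each user's normal egress from their other events; flag outliers."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e[0]].append(e[3])
    flagged = []
    for user, host, ip, value in events:
        history = list(per_user[user])
        history.remove(value)  # leave-one-out so the event cannot mask itself
        if len(history) < min_history:  # cold start: too little to baseline on
            continue
        mu, sigma = mean(history), pstdev(history)
        z = abs(value - mu) / sigma if sigma else (float("inf") if value != mu else 0.0)
        if z > z_cut:
            flagged.append((user, host, ip, value))
    return flagged

def link_by_entity(anomalies):
    """Union-find over shared users, hosts and IPs: group anomalies into incidents."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        return x if parent[x] == x else find(parent[x])
    for user, host, ip, _ in anomalies:
        parent[find(f"user:{user}")] = find(f"host:{host}")
        parent[find(f"host:{host}")] = find(f"ip:{ip}")
    clusters = defaultdict(set)
    for entity in list(parent):
        clusters[find(entity)].add(entity)
    return sorted(clusters.values(), key=len, reverse=True)
```

On this data the static rule raises 13 alerts (12 of them bob's normal hours) and never sees carol, while the baseline flags exactly alice's and carol's spikes and links them through host ws07.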
Instead of simply reporting on what happened, this type of advanced security analytics allows organizations to spot attacks and identify their root cause in near real time, essentially closing the sieve. While the usefulness of SIEMs may have been stretched to its “leaking” point, complementing them with more intelligent technology, like machine learning-powered advanced analytics, can make all the difference in an organization’s ability to sift out the real threats instead of letting them slide through their defenses.