Security Information and Event Management (SIEM) tools monitor network hardware and software logs to spot security threats, detect and prevent breaches, and provide forensic analysis. They help unite data from many other systems to give a complete view of IT security.
For example, they manage and interpret security logs from all types of devices and perform a range of functions, including detecting threats, preventing breaches before they happen, detecting breaches, and providing forensic information to determine how a security incident occurred and what its possible impact is.
As such, they are good at ingesting log data from a wide range of network hardware and software systems and analyzing it in real time. Their goal is to correlate events and spot individual anomalies or patterns of behavior that may indicate a security breach – using threat intelligence feeds to stay aware of new threats as they emerge – and to present log data in a manageable and easily understandable form, so that it can be interpreted effectively by security personnel. SIEM tools are also used to collect log information from security systems and other systems to generate reports for compliance purposes.
Here are some of the top SIEM trends:
1. No longer a basic log repository
Phil Neray, Vice President of Cyber Defense Strategy at CardinalOps, said SIEMs have evolved significantly from their original role as a “dumb” repository for storing compliance logs.
Often cloud-based for their scalability and simplicity, they are now centralized SecOps hubs for managing security incidents throughout their lifecycle: from detecting malicious activity using machine learning (ML), to investigating it by examining the kill chain, to rapid response with automated workflows (security orchestration and automated response, SOAR), such as isolating compromised endpoints from the network.
“Scalability is essential because modern SIEM ingests huge amounts of data from various sources, such as logs, as well as events from other security tools, such as firewalls and threat intelligence, which are used to enrich the data to expedite investigations with additional context,” Neray said.
2. Security Operations Platforms
Oliver Rochford, Senior Director and Security Evangelist at Securonix, adds to Neray’s perspective by predicting that over the next five years SIEMs will evolve into true security operations platforms, providing event collection and management as a basic core function, but with complementary capabilities including user and entity behavior analysis, security orchestration and automation, threat intelligence management, and extensive network, endpoint, and cloud detection capabilities.
“Security leaders are aggressively pursuing a strategy of vendor and technology consolidation over the next several years, with the goal of realizing savings on licensing costs, technology complexity and operational overhead,” said Rochford.
“Many CISOs will be looking for consolidated, integrated, cloud-SIEM-based security operations platforms comprised of modular components that can be mixed and matched, and quickly reconfigured and adapted based on business needs and use cases.”
3. Machine Learning
Rochford of Securonix added that SIEM is increasingly becoming a standard component in the machine learning development lifecycle for security and threat analytics use cases.
After all, one of the biggest challenges in machine learning is labeling data. Without accurate and reliable data labeling, machine learning models cannot be trained and struggle to classify and identify information.
By default, a SIEM not only collects data but also normalizes it, fitting it into a useful schema for analysis and adding contextual labels based on threat intelligence, context, and classification frameworks such as MITRE ATT&CK. Researchers from many vendors, such as Microsoft and Securonix, and threat hunters from large organizations are already leveraging their SIEM data for data science projects, with many SIEM vendors adding support for Jupyter Notebooks and similar data science workspaces.
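The ingest, normalize, enrich and correlate pipeline described above, as an added illustration that is not code from the article or from any vendor it quotes: two constructed log formats (sshd syslog lines and a Windows logon-failure event) are mapped onto one schema, failed logins are labeled with the ATT&CK Brute Force technique, and a simple correlation rule alerts when repeated failures from one source precede a success. The sample lines, field names and threshold are assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed sample input: three sshd failures then a success from one source,
# plus one Windows logon-failure event (EventID 4625) rendered as JSON.
RAW_LOGS = [
    "Mar 10 09:01:02 host1 sshd[2211]: Failed password for root from 203.0.113.5 port 5000 ssh2",
    "Mar 10 09:01:04 host1 sshd[2212]: Failed password for root from 203.0.113.5 port 5001 ssh2",
    "Mar 10 09:01:06 host1 sshd[2213]: Failed password for root from 203.0.113.5 port 5002 ssh2",
    "Mar 10 09:01:09 host1 sshd[2214]: Accepted password for root from 203.0.113.5 port 5003 ssh2",
    '{"EventID": 4625, "IpAddress": "198.51.100.7", "TargetUserName": "alice"}',
]

SSHD_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")

def normalize(line):
    """Map one raw line onto a common authentication schema (None if unknown)."""
    m = SSHD_RE.search(line)
    if m:
        outcome = "failure" if m.group(1) == "Failed" else "success"
        return {"source": "sshd", "user": m.group(2), "src_ip": m.group(3), "outcome": outcome}
    if line.startswith("{"):
        ev = json.loads(line)
        if ev.get("EventID") == 4625:  # Windows: an account failed to log on
            return {"source": "windows", "user": ev["TargetUserName"],
                    "src_ip": ev["IpAddress"], "outcome": "failure"}
    return None

def enrich(event):
    """Add a classification label the way a SIEM tags events against a framework."""
    if event["outcome"] == "failure":
        event["attack_technique"] = "T1110"  # MITRE ATT&CK: Brute Force
    return event

def correlate(events, threshold=3):
    """Alert when >= threshold failures from one source IP precede a success."""
    failures = defaultdict(int)
    alerts = []
    for ev in events:
        if ev["outcome"] == "failure":
            failures[ev["src_ip"]] += 1
        elif failures[ev["src_ip"]] >= threshold:
            alerts.append({"src_ip": ev["src_ip"], "user": ev["user"],
                           "failed_attempts": failures[ev["src_ip"]]})
    return alerts

def run(lines=RAW_LOGS):
    # Full pipeline: ingest -> normalize -> enrich -> correlate.
    events = [enrich(e) for e in map(normalize, lines) if e]
    return events, correlate(events)
```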
“SIEM is used as a tool to help solve one of the most fundamental problems in machine learning – obtaining and maintaining reliable, accurate and usable data,” Rochford said.
“Vendors who want to stay relevant need to understand how AI development lifecycles work and include data scientists and developers as buyers and users.”
4. Insurance coverage
As the cyber insurance industry matures, vendors are realizing that customers with technologies such as EDR, MFA, and SIEM generate better profit margins than customers without a formal security policy.
So the cyber insurance industry will tighten up and become more standardized, and one of those standards will be the year-long log retention and monitoring capabilities that a SIEM provides, according to Matthew Warner, co-founder and CTO at Blumira.
This trend has already materialized. At a White House cybersecurity summit, for example, a major cyber insurance provider, Resilience, promised “to require policyholders to meet a cybersecurity best practice threshold as a condition of receiving coverage.”
“Tighter cyber insurance requirements will drive SIEM adoption, especially among managed service providers who rely on cyber insurance as a cornerstone of their business,” Warner said.
5. SIEM Growth
This all adds up to a healthy SIEM market for some time to come.
“The size of the SIEM market will continue to grow healthily, despite calls that SIEM is dead yet again,” said Securonix’s Rochford.
“Even XDR has SIEM-like capabilities at its core in addition to the endpoint detection and response component. Whether it’s cloud, IoT, or more traditional servers and endpoints, events never go away, so the need to collect, normalize, aggregate and correlate them won’t go away either.”