A SIEM by any other name


Security Information and Event Management tools (SIEMs) have been around for a while, especially by the standards of the fast-moving cybersecurity industry. There are some who question the value of SIEM and continue to predict its death. These views are incorrect and miss the point. While modern SIEMs may not resemble SIEMs from earlier eras, which had very different cybersecurity needs and technologies, the functional purpose of SIEMs remains the same.

As the famous quote from Shakespeare’s Romeo and Juliet goes, “That which we call a rose, by any other name would smell as sweet”. While the sensationalist framing of the death of SIEMs is effective in highlighting the capabilities of modern technologies, it is important to remember that no matter how much you change what is going on under the hood, these so-called new tools still perform core SIEM functionalities.


What is a SIEM really?

It is important to first understand what a SIEM does. Fundamentally, a SIEM at its most basic ingests logs and events and filters them through a system of rules and queries (i.e., analytics) to produce both alerts, which help respond to cybersecurity incidents, and reports. Early SIEMs were motivated significantly by compliance requirements and the creation of reports, but they dealt with a tiny fraction of the data being generated. While data was parsed and normalised even then, the concept of enriching it or applying advanced machine learning and complex threat models to link individual events together only started occurring recently.

But the fundamental process of putting a layer of analytics over logs and events remains the same. While declaring the SIEM dead may be an effective tactic to highlight the advanced capabilities of these platforms, it does not mean that SIEMs are obsolete. These platforms still maintain their core SIEM characteristics even as they continuously innovate with new tools like AI and automation to adapt to exponential rises in the volume, velocity, and variety of threats.

In addition to more advanced analytics, SIEM platforms are adding more automation to help security analysts accomplish more in less time. ML models are used to analyse data as well as to automate manual tasks that aid investigations. Modern SIEM platforms combine these continually advancing analytics tools with a single UI to achieve robust threat detection and response functionality.

There is a long history of technology with which to better contextualise these new developments. Take the concept of electric vehicles (EVs), which, led by pioneering brands like Tesla, are seen as the inevitable successor to conventional fossil fuel-powered vehicles. The first EVs were actually invented in the 19th century and do not resemble the smart, computer-powered efficiency of modern EVs. Yet, the concept of a vehicle powered by an electric motor remains the same. Similarly, look at the example below:

(“yet another shot of the old tv in chinook motel” by gothopotam is licensed under CC BY 2.0.)


(“SONY PRODUCT LAUNCH [SONY A1 OLED 4k ULTRA HD TV]-128295” by infomatique is licensed under CC BY-SA 2.0.)


Whether they use CRT or OLED, both examples are still TVs as most people would define them – screens that are able to display moving images accompanied by sound. Whether they are vehicles, TVs or SIEMs, there is no need to change the name when their purpose remains the same.


Not all SIEMs are the same

At the same time, it is important to acknowledge the progress that SIEMs have made. Modern computing generates far greater volumes of data across a range of devices, and those devices and applications are more powerful and complex by orders of magnitude. Traditional SIEMs that use on-premise systems and unwieldy UIs simply cannot cut it anymore, for a variety of reasons. In the past, threats were less complex, and it was common to be able to use a single event to identify malicious activity. These days, threats are significantly more complex to identify and require multiple events to be analysed, both in isolation and in patterns, to be able to identify suspicious actions. The old layers of analytics, like regex matching and simple ‘AND/OR’ conditions, cannot handle or make the best use of the volumes of data being generated. Modern tools that enrich data and help analyse it using statistics, complex modeling and machine learning enable modern SIEMs to produce much richer and deeper analytics.
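To make the single-event versus multi-event contrast concrete, here is an added example in Python (not Securonix code or any product's detection logic) of the minimal pipeline described above: parse constructed log lines into normalised events, apply a classic one-event rule, then apply a pattern that no single-event rule can express, namely repeated login failures followed by a success for the same user and source inside a time window. The log format, rule names, hosts and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for the example; not taken from any real system.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z host=web1 user=alice action=login result=failure src=198.51.100.7
2024-03-01T10:00:05Z host=web1 user=alice action=login result=failure src=198.51.100.7
2024-03-01T10:00:09Z host=web1 user=alice action=login result=failure src=198.51.100.7
2024-03-01T10:00:20Z host=web1 user=alice action=login result=success src=198.51.100.7
2024-03-01T10:05:00Z host=web2 user=bob action=login result=success src=203.0.113.9
2024-03-01T10:06:00Z host=web2 user=bob action=sudo result=failure src=203.0.113.9
2024-03-01T10:07:00Z host=db1 user=root action=login result=success src=203.0.113.9
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse(line):
    """Ingest + normalise: turn one raw line into an event dict with a real timestamp."""
    m = LINE_RE.match(line)
    ev = dict(kv.split("=", 1) for kv in m.group("kv").split())
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ev

def single_event_rule(ev):
    """Classic one-event rule: any root login on a database host (assumed 'db*') alerts."""
    return ev["user"] == "root" and ev["action"] == "login" and ev["host"].startswith("db")

def brute_force_then_success(events, threshold=3, window=timedelta(minutes=1)):
    """Multi-event pattern: >= threshold failures for one (user, src), then a success within window."""
    alerts, failures = [], defaultdict(list)   # (user, src) -> timestamps of recent failures
    for ev in events:
        if ev["action"] != "login":
            continue
        key = (ev["user"], ev["src"])
        recent = [t for t in failures[key] if ev["ts"] - t <= window]  # expire old failures
        if ev["result"] == "failure":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({"rule": "brute_force_success", "user": ev["user"],
                           "src": ev["src"], "failures": len(recent), "ts": ev["ts"]})
            recent = []   # reset so one episode produces one alert
        failures[key] = recent
    return alerts

def run_siem(lines):
    """Run both analytics layers over the ingested events and return alerts in time order."""
    events = [parse(line) for line in lines]
    alerts = [{"rule": "root_db_login", "user": e["user"], "host": e["host"], "ts": e["ts"]}
              for e in events if single_event_rule(e)]
    alerts += brute_force_then_success(events)
    return sorted(alerts, key=lambda a: a["ts"])
```

Note that alice's three failures are individually unremarkable and would pass a single-event rule; only the stateful pattern over the sequence turns them into an alert.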

The next generation of SIEMs escapes many of the problems of traditional SIEMs by using the SaaS model. Solutions like Securonix’s Next-Gen SIEM that are deployed natively on the cloud enable both scalability and flexibility, and do not require constant, intensive manpower for maintenance. Cloud-native architectures allow for more standardised solutions that can still meet specific requirements across different organisations.

Are SIEMs dead? The answer is no. While it is true that traditional SIEMs are antiquated, there is a new generation of cloud SIEMs that take advantage of the expansive suite of new cybersecurity tools like UEBA, SOAR and XDR. Securonix is a proud part of this vanguard of next-generation SIEMs, with its commitment to using the latest in artificial intelligence and analytics to provide effective cybersecurity at scale.