What is Next-Generation SIEM?

The Case for Next-Generation SIEM

Legacy security information and event management (SIEM) solutions were designed when the corporate IT environment was a closed system and security focused on protecting the perimeter. Today corporations employ dynamic workforces who use multiple laptops and mobile devices to access data stored in hybrid datacenters and cloud applications from across the globe. Built for the closed world, legacy SIEMs are ill-equipped to handle the rising volume and complexity of data this creates.

With a legacy SIEM, security analysts spend much of their time switching between tools and screens while hunting threats, remediating incidents by hand, and writing and tuning the correlation rules that find threats in the first place. Meanwhile, the supply of cybersecurity experts who understand this complex landscape has not kept pace with demand.

Compared to a legacy SIEM, which struggles to meet today’s security challenges, a next-generation SIEM improves your security visibility, actionability, and posture, while reducing management and analyst burden.

What Makes a “Next-Generation SIEM”?

Open, Big Data-Based Architecture

Legacy SIEM platforms use proprietary, inefficient architectures that cannot cope with the volume of data produced by modern enterprises. The data that can be collected from endpoints, applications, network devices, VPNs, servers, and cloud apps is immense. The rapid increase in network capacity, combined with the rapid increase in cloud adoption, has created exponential growth in the traffic that flows across the network and, by extension, in the log and telemetry data those flows produce. This data is relevant not only for security but for other use cases as well. Legacy SIEMs that store events in a single conventional database cannot meet today's scalability requirements. Proprietary architectures also cause vendor lock-in, which holds your security data hostage.

Next-Generation SIEM Architecture

A next-generation SIEM is built on a big data platform that can handle the massive volumes of data produced by enterprises. This allows for the consumption and analysis of hundreds of terabytes of data in real time and supports economical long-term data retention.

A next-generation SIEM provides customers with the benefits of data portability by storing data using an open data model. This means that you only need to maintain a single copy of your security data, and that data will still be available for other applications to use as needed.

A next-generation SIEM can be deployed on commodity hardware and lets improvements to that platform be incorporated safely. It does not require you to purchase expensive, proprietary hardware.
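The open data model described above is what lets one stored copy of the data serve many consumers. The added example below (not code from the original page or from any vendor) normalizes two constructed records, a Linux sshd syslog line and a cloud console-login audit event in JSON, into one common schema whose field names are loosely modeled on Elastic Common Schema conventions; the field names, sample records, and the assumed year for the year-less syslog timestamp are all assumptions of the example. A downstream consumer then counts failed logins without knowing either source format.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample records, not taken from the page: a Linux sshd syslog
# line and a cloud console-login audit event in JSON.
SSHD_LINE = ("Jan 14 09:12:33 bastion01 sshd[2231]: Failed password for alice "
             "from 203.0.113.7 port 51234 ssh2")
CLOUD_EVENT = json.dumps({
    "eventTime": "2024-01-14T09:12:40Z",
    "eventName": "ConsoleLogin",
    "userIdentity": {"userName": "alice"},
    "sourceIPAddress": "203.0.113.7",
    "responseElements": {"ConsoleLogin": "Failure"},
})

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def normalize_sshd(line, year=2024):
    """Map an sshd auth line onto the common schema. Syslog omits the year,
    so the caller supplies it (assumed 2024 for the constructed sample)."""
    m = SSHD_RE.match(line)
    if m is None:
        return None  # not an auth event this example models
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "@timestamp": ts.replace(tzinfo=timezone.utc).isoformat(),
        "event.category": "authentication",
        "event.outcome": "success" if m["outcome"] == "Accepted" else "failure",
        "user.name": m["user"],
        "source.ip": m["ip"],
        "host.name": m["host"],
        "event.dataset": "linux.sshd",
    }

def normalize_cloud(raw):
    """Map a cloud console-login audit event (JSON) onto the same schema."""
    ev = json.loads(raw)
    ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    outcome = ev.get("responseElements", {}).get("ConsoleLogin", "")
    return {
        "@timestamp": ts.replace(tzinfo=timezone.utc).isoformat(),
        "event.category": "authentication",
        "event.outcome": "success" if outcome == "Success" else "failure",
        "user.name": ev["userIdentity"]["userName"],
        "source.ip": ev["sourceIPAddress"],
        "host.name": "cloud-console",
        "event.dataset": "cloud.console_login",
    }

def normalize(record):
    """Dispatch on shape: a JSON object versus syslog text."""
    if record.lstrip().startswith("{"):
        return normalize_cloud(record)
    return normalize_sshd(record)

def failed_logins_by_user(records):
    """A consumer that only knows the common schema, not the source formats."""
    counts = {}
    for rec in map(normalize, records):
        if rec and rec["event.category"] == "authentication" and rec["event.outcome"] == "failure":
            counts[rec["user.name"]] = counts.get(rec["user.name"], 0) + 1
    return counts

if __name__ == "__main__":
    for r in (SSHD_LINE, CLOUD_EVENT):
        print(json.dumps(normalize(r), indent=2))
    print(failed_logins_by_user([SSHD_LINE, CLOUD_EVENT]))
```

Both records come out with the same field set and the same timestamp format, which is the property that lets detection content, enrichment, and other applications be written once against the schema rather than per source.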

Definitions

Big Data

A way to capture, store, analyze, search, and in other ways deal with large, complex data sets that overwhelm traditional data processing software.

Open Data

Open data, in this case, refers to data that has been collected by the SIEM but is stored in a common format instead of a proprietary database. This means that other solutions can also utilize the data as needed instead of being required to collect a second copy of the same data.

Real-Time Behavioral Analytics

Legacy SIEMs use signature-based alerts to find threats. Signature-based alerts are good at finding known threats, but they are of very little help in finding unknown ones, and writing rules to catch abnormal behavior is imprecise. For example, you could write a rule that creates an alert each time a user performs ten failed login attempts within one hour. In theory this rule could identify brute-force password attacks. But what if a very forgetful user set off that alert every week? How many times would it take before security analysts stopped investigating that type of alert because they assume it is part of the user's normal behavior?

Using signature-based rules to find unknown threats inevitably generates a lot of noise and not a lot of value. With the rapid proliferation of cyberthreats these days, legacy SIEMs are completely overwhelmed.

Next-Generation SIEM Behavioral Analytics Capabilities

A next-generation SIEM solution leverages machine learning techniques to sift through massive volumes of data. These techniques include real-time behavior-based security analytics that use a combination of unsupervised, supervised, and statistical algorithms that are custom developed for cybersecurity in order to find both known and unknown threats.

Behavioral analytics start by learning what is normal in your environment and using that information to build a baseline of normal behavior. The solution can then compare subsequent behavior against the baseline and flag what is abnormal. For example, do people from marketing in your organization generally access research and development prototypes? In some organizations this is normal. In others it is abnormal and a reason for security analysts to dig deeper into that user's activity.
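To make the contrast between the static threshold rule and a learned per-user baseline concrete, here is an added example (not code from the original page or from any vendor) that scores constructed failed-login counts with both approaches. The fourteen days of history, the three users, the z-score threshold of 3, and the floor on the standard deviation are all assumptions of the example; the static rule is the "ten failed logins" rule from the text, applied per day.

```python
import statistics

STATIC_THRESHOLD = 10   # the legacy rule: alert at >= 10 failed logins in the window
Z_THRESHOLD = 3.0       # baseline rule: alert when today sits 3 std devs above the user's norm
MIN_STDEV = 1.0         # floor so a perfectly quiet history still yields a usable baseline

# Constructed sample data (not from the page): failed logins per user per day
# over a 14-day learning window, then today's count to score.
HISTORY = {
    "forgetful": [9, 12, 8, 11, 10, 13, 9, 12, 10, 11, 8, 12, 9, 11],  # habitually mistypes
    "bob":       [0, 1, 0, 0, 2, 0, 1, 0, 0, 0, 1, 0, 0, 1],            # normally clean
    "carol":     [0] * 14,                                             # never fails
}
TODAY = {"forgetful": 11, "bob": 11, "carol": 6}

def static_rule(count):
    """The hand-written rule: fires purely on the count, regardless of who the user is."""
    return count >= STATIC_THRESHOLD

def build_baseline(history):
    """Learn this user's normal: mean and standard deviation of the learning window."""
    mean = statistics.fmean(history)
    stdev = max(statistics.stdev(history), MIN_STDEV)
    return mean, stdev

def baseline_score(history, count):
    """How many standard deviations today's count sits above the user's own norm."""
    mean, stdev = build_baseline(history)
    return (count - mean) / stdev

def evaluate(history=HISTORY, today=TODAY):
    """Score every user with both rules and return the decisions side by side."""
    results = {}
    for user, count in today.items():
        z = baseline_score(history[user], count)
        results[user] = {
            "count": count,
            "static_alert": static_rule(count),
            "z": round(z, 1),
            "baseline_alert": z >= Z_THRESHOLD,
        }
    return results

if __name__ == "__main__":
    for user, r in evaluate().items():
        print(f"{user:10s} today={r['count']:2d} static={r['static_alert']!s:5s} "
              f"z={r['z']:5.1f} baseline={r['baseline_alert']}")
```

The forgetful user trips the static rule every day and never the baseline rule, so analysts stop seeing that noise; bob trips both; carol, whose six failures are below the static threshold, is caught only by the baseline rule. The caveat a practitioner should keep in mind: the baseline is only as good as the learning window. If an attacker is already active while the baseline is learned, their activity becomes "normal", so learning windows need to be reviewed and a static floor (such as the threshold rule) kept as a backstop.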

Definitions

Machine Learning

Machine learning is a subfield of artificial intelligence within computer science which is concerned with the design and analysis of algorithms that allow a computer system to learn from data without being explicitly programmed.

UBA: User Behavior Analytics

Instead of tracking security events, UBA tracks the actions that users take on the network, creating a baseline. Once a baseline of normal activity has been established, analytics can detect abnormal patterns that could be an indication of an insider threat, targeted attack, or fraud.

UEBA: User and Entity Behavior Analytics

Instead of only tracking users, UEBA also tracks other entities such as endpoints, applications, and networks in order to find threats.

Contextual Enrichment

An alert without broader context is likely to get lost in the sea of other alerts within the SIEM. In order to decide if an alert is valuable or just noise a security analyst needs to do a lot of manual investigation, many times across multiple screens and databases.

Next-Generation SIEM Data Enrichment Capabilities

A next-generation SIEM solution enriches the data being collected by adding additional contextual information. This includes information about the user, asset, IP address, geolocation, threat intelligence, vulnerability scan results, and more.

When an alert is triggered, the contextual information can be used to understand its severity quickly, based on the user, the asset involved, and the type of data at risk, and to boost the priority of the alert automatically. The same context assists security analysts as they investigate.
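The following added example (not code from the original page or from any vendor) shows enrichment and automatic priority boosting on the same detection fired twice. The identity directory, asset inventory, threat-intel list, geo table, home country, boost values, and the two alerts are all constructed assumptions; a real deployment would pull that context from an identity provider, CMDB, threat-intelligence platform, vulnerability scanner, and GeoIP database.

```python
from ipaddress import ip_address, ip_network

# Constructed context sources (assumed, not from the page).
USERS = {
    "alice":      {"department": "marketing", "privileged": False},
    "svc_backup": {"department": "it",        "privileged": True},
}
ASSETS = {
    "ws-0412":   {"criticality": "low",  "data": "none", "critical_vulns": 0},
    "db-pay-01": {"criticality": "high", "data": "pci",  "critical_vulns": 2},
}
THREAT_INTEL_IPS = {"198.51.100.23"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
GEO = {ip_network("203.0.113.0/24"): "NL", ip_network("198.51.100.0/24"): "XX"}  # XX: placeholder country
HOME_COUNTRY = "NL"   # assumed: where this organisation's staff normally log in from

def geolocate(ip):
    """Internal range, known country from the toy geo table, or unknown."""
    addr = ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return next((country for net, country in GEO.items() if addr in net), "unknown")

def enrich(alert):
    """Attach user, asset, geo and threat-intel context to a raw alert."""
    e = dict(alert)
    e["user"] = USERS.get(alert["user.name"], {"department": "unknown", "privileged": False})
    e["asset"] = ASSETS.get(alert["host.name"],
                            {"criticality": "unknown", "data": "unknown", "critical_vulns": 0})
    e["source.geo"] = geolocate(alert["source.ip"])
    e["source.known_bad"] = alert["source.ip"] in THREAT_INTEL_IPS
    return e

def prioritize(e):
    """Boost the detection's base score from context; returns (score, reasons)."""
    score, reasons = e["base_score"], []
    checks = [
        (e["user"]["privileged"],                           25, "privileged account"),
        (e["asset"]["criticality"] == "high",               25, "high-value asset"),
        (e["asset"]["data"] in {"pci", "phi"},              15, "regulated data at risk"),
        (e["asset"]["critical_vulns"] > 0,                  10, "asset has unpatched critical vulns"),
        (e["source.known_bad"],                             20, "source IP on threat-intel list"),
        (e["source.geo"] not in ("internal", HOME_COUNTRY), 10, "login from outside home geography"),
    ]
    for hit, boost, why in checks:
        if hit:
            score += boost
            reasons.append(why)
    return min(score, 100), reasons  # assumed 0-100 priority scale

def triage(alerts):
    """Enrich, score and sort a batch so the analyst sees the riskiest alert first."""
    out = []
    for a in alerts:
        e = enrich(a)
        e["priority"], e["reasons"] = prioritize(e)
        out.append(e)
    return sorted(out, key=lambda x: x["priority"], reverse=True)

# The same detection fired twice; only the context differs (constructed alerts).
SAMPLE_ALERTS = [
    {"rule": "failed_login_spike", "base_score": 10, "user.name": "alice",
     "host.name": "ws-0412", "source.ip": "203.0.113.5"},
    {"rule": "failed_login_spike", "base_score": 10, "user.name": "svc_backup",
     "host.name": "db-pay-01", "source.ip": "198.51.100.23"},
]

if __name__ == "__main__":
    for e in triage(SAMPLE_ALERTS):
        print(e["priority"], e["user.name"], e["host.name"], e["reasons"])
```

The two alerts are identical at the detection layer; after enrichment one stays at the base score and the other rises to the top of the queue, with the list of reasons available to the analyst instead of a bare score.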

Packaged Content for Cybersecurity Use Cases

Legacy SIEMs are notorious for the long timelines required to integrate new security use cases and for their inability to ingest different data formats, which leaves alerts without context. Creating correlation rules is painful and time consuming. With cyberattacks constantly evolving, writing a new correlation rule for each new attack is a never-ending struggle. Even with trained professionals dedicated to managing and fine-tuning your SIEM, it is impossible to keep up with threats that change at machine speed. In a recent survey, 34% of security professionals said that the need to manually create or refine rules is one of their biggest hurdles in maximizing the value of their SIEM platform. That is time taken away from investigating security incidents.

Next-Generation SIEM Packaged Use Case Content

A next-generation SIEM solution provides easy-to-use content that comes pre-packaged with the solution. It is also able to ingest dynamic content that reflects current cyber threats. Classifying security analytics content by use case and by the type of threat it addresses makes it easy for enterprises to tailor their deployment to their own needs.

A next-generation SIEM platform supports a wide range of integrations and a robust community environment. While a vendor who actively engages with other security product vendors to make sure that integrations stay current is a great sign, it is best to look for a vendor who also actively looks to engage the user community to create and validate integrations and content. A robust community of users helps provide dynamic content creation and information sharing in order to stay ahead of rapidly evolving threats.

Predictable Cost and Low Total Cost of Ownership

Unfortunately, given the rapid growth in data volume, a major hurdle to good security is the cost of retaining event data. Legacy SIEMs are typically priced by data volume, either events per second (EPS) ingested or gigabytes (GB) stored. This forces security teams to forecast how much data will be generated, or to pick and choose which data sources are important enough to collect. Those trade-offs can compromise your threat detection capability. Security buyers end up worrying constantly about the escalating cost of data instead of focusing on security.

Next-Generation SIEM Pricing Model

Since next-generation SIEM solutions work better with more data, their pricing must not penalize the customer for data volume. A next-generation SIEM takes the unpredictability out of the equation by providing a pricing model that is better aligned with your business. One metric that works better is pricing by the number of users: it tracks the size of the organization and therefore the scale of risk and the complexity of the threats it faces, while making the cost of the security solution independent of the amount of data needed to perform well. Security analysts no longer have to risk leaving valuable information uncollected.

Automated Incident Response

Identifying threats is only the beginning; responding to them rapidly is critical. Legacy SIEM solutions were not created with integrated incident response capabilities and rely instead on limited integrations with third-party technologies for response. That process is highly manual, which makes rapid response very difficult.

Next-Generation SIEM Incident Response Capabilities

A next-generation SIEM platform provides automated incident response capabilities to help your security operations center (SOC) team respond rapidly to incidents. The playbooks included in the solution should be based on security industry best practices and include tight integrations with third-party solutions such as network security tools, endpoint protection platforms, scanning solutions, security orchestration and automation platforms, and threat intelligence solutions. They contain recommended actions for forensic analysts and incident responders to take as they respond to threats. Next-generation SIEM playbooks also include optional automated response actions. This means that, based on the alert, a well-defined set of actions can be taken automatically, such as collecting machine and network logs, quarantining devices, suspending user sessions, and more, which helps incident responders resolve the incident more quickly.
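The added example below (not code from the original page or from any vendor's playbook content) models a playbook for an account-compromise alert with the guardrails a practitioner would want before letting a SIEM take disruptive actions on its own: evidence-collection steps always run, state-changing steps run automatically only above a priority threshold, and on a protected set of assets they wait for a human approver. The action names, thresholds, protected-asset list, and sample alerts are assumptions of the example; actual execution is a callback so the decision logic can run offline.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Action:
    name: str
    disruptive: bool   # True if it changes system state (quarantine, suspend) rather than only collecting evidence
    min_priority: int  # lowest alert priority at which the action may run automatically

# Constructed playbook for an account-compromise alert (assumed, not a vendor's content).
ACCOUNT_COMPROMISE_PLAYBOOK = (
    Action("collect_endpoint_logs",  disruptive=False, min_priority=0),
    Action("collect_network_flows",  disruptive=False, min_priority=0),
    Action("snapshot_memory",        disruptive=False, min_priority=50),
    Action("suspend_user_sessions",  disruptive=True,  min_priority=70),
    Action("quarantine_host",        disruptive=True,  min_priority=70),
)

# Assets where a disruptive action must never run without a human, whatever the score.
PROTECTED_ASSETS = {"db-pay-01", "dc-01"}

def run_playbook(alert, playbook=ACCOUNT_COMPROMISE_PLAYBOOK, approve=None, execute=None):
    """Decide, and optionally execute, each playbook action for one alert.

    approve: callback (alert, action) -> bool for gated disruptive actions; None means no approver online.
    execute: callback (alert, action) that performs the action; defaults to a no-op.
    Returns the action names that were executed, are pending approval, or were skipped.
    """
    execute = execute or (lambda a, act: None)
    outcome = {"executed": [], "pending_approval": [], "skipped": []}
    for action in playbook:
        if alert["priority"] < action.min_priority:
            outcome["skipped"].append(action.name)
            continue
        needs_human = action.disruptive and alert["host.name"] in PROTECTED_ASSETS
        if needs_human and not (approve and approve(alert, action)):
            outcome["pending_approval"].append(action.name)
            continue
        execute(alert, action)
        outcome["executed"].append(action.name)
    return outcome

# Constructed alerts: a high-priority hit on a workstation, one on the payment
# database, and a low-priority one on the workstation.
WORKSTATION_ALERT = {"id": "A-1", "priority": 85,  "user.name": "bob",        "host.name": "ws-0412"}
PAYMENT_DB_ALERT  = {"id": "A-2", "priority": 100, "user.name": "svc_backup", "host.name": "db-pay-01"}
LOW_ALERT         = {"id": "A-3", "priority": 30,  "user.name": "alice",      "host.name": "ws-0412"}

if __name__ == "__main__":
    audit = []   # every action taken is recorded so the response is reconstructible later
    record = lambda a, act: audit.append((a["id"], act.name))
    for alert in (WORKSTATION_ALERT, PAYMENT_DB_ALERT, LOW_ALERT):
        print(alert["id"], run_playbook(alert, execute=record))
    print("audit trail:", audit)
```

On the workstation alert all five actions run; on the payment database the evidence is collected immediately but the two disruptive steps wait for approval, and a low-priority alert only triggers the cheap collection steps. Keeping an audit trail of every automated action, as the `execute` callback does here, is what lets responders and auditors reconstruct what the platform did on its own.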

Definitions

SOC: Security Operations Center

A centralized team that handles security issues for an organization. May include both physical and IT security responsibilities depending on the organization.

Cloud-Based Deployment Options

37% of cybersecurity professionals consider monitoring cloud infrastructures to be the top challenge facing their security team. Legacy SIEM solutions are appliance-based and often run on proprietary hardware that you need to install in your on-premises data center. Designed for the era of perimeter security, on-premises solutions were not built with the cloud in mind. With the rapid growth of cloud adoption, on-premises solutions struggle to protect hybrid and cloud deployments.

Next-Generation SIEM Cloud Capabilities

While the majority of SIEM deployments today are on-premises (54%), delivery of SIEM as a service is on the rise (25%). Next-generation SIEM deployments should match the organization’s overall IT strategy rather than push a hardware-based, on-premises solution on the customer. Enterprises today are realizing great benefits, flexibility, agility, and cost savings with hybrid and cloud IT strategies. In fact, many companies today own little to no hardware. As such, a next-generation SIEM solution must allow for virtual and cloud-based deployment options.

Definitions

The Cloud

Also called cloud computing. Instead of a company owning and maintaining servers to run applications and store data, they lease space in a shared data center and employees access these resources via the internet. Software can also be delivered through the cloud (see SaaS).

SaaS: Software as a Service

Also known as web-based software, on-demand software, or hosted software. Customers usually buy SaaS on a subscription basis, and the software is centrally hosted by the software company, most commonly in the cloud.

Available UEBA, NTA, and SOAR Capabilities

It is no secret that legacy SIEM solutions have fallen behind. They have failed to grow and evolve, largely because of limitations in the legacy platform design. Legacy SIEM solutions face a technological cliff: they cannot adapt and incorporate new technologies fast enough to stay relevant to today's threat landscape.

Next-Generation SIEM Integrated Solution Capabilities

A next-generation SIEM solution continues to evolve. In order to better detect and respond to threats, a next-generation SIEM will include security orchestration, automation and response (SOAR), network traffic analysis (NTA), and user and entity behavior analytics (UEBA) capabilities. These capabilities, once stand-alone products, are increasingly becoming integrated components that are considered standard in a next-generation SIEM.

UEBA enables a deep understanding of threats such as social engineering and account compromise, which helps security analysts visualize threats and understand their context. NTA monitors network traffic, flows, connections, and objects in order to detect threats in the network. SOAR facilitates quick remediation. According to Gartner, UEBA, NTA, and SOAR are among the capabilities that are all gradually converging into the SIEM platform. This convergence is characteristic of a next-generation SIEM.

Definitions

SOAR: Security Orchestration, Automation and Response

A recent term coined by Gartner. SOAR combines security orchestration, case management, incident response, and threat management into a workflow that can be automated and improved as needed.

NTA: Network Traffic Analysis

The process of intercepting and analyzing network traffic in order to detect and respond to advanced threats.

Forward to

Chapter 3: SIEM Analytics

(Coming Soon)