Since the birth of SIEM, there have been major shifts in the threat and security operations landscape that render the technologies of yesteryear, and even the so-called "NG-SIEM" solutions, obsolete. What has changed, and what needs to change to make SIEM effective?
The state of cybersecurity has evolved one threat at a time, with organizations adding a new technology to combat each new threat. The result? Enterprises are left with complex and costly infrastructures that cannot keep pace with today's threat landscape. This piecemeal approach is unsustainable: enterprises cannot keep heaping technology onto already unmanageable infrastructures and expect to keep their networks and systems secure.
Traditional security information and event management (SIEM) technology tried to organize and make sense of the mess, but it fell short. Later attempts to improve on SIEM added only incremental benefit and never fixed the core problem. To develop a SIEM that addresses today's needs, we first need to understand how the landscape has changed.
The More Things Changed, The More SIEM Stayed the Same
The two decades since SIEM products first appeared have seen a radical transformation in the threat and security operations landscape. Key developments include:
- Automated attacks: Cyber-attacks are no longer the work of lone hacker-craftsmen operating out of mom's basement. They are run by well-funded criminal organizations and nation states, they are largely tool-driven, and their indicators (file hashes, domains, IP addresses) change from one campaign to the next, which raises attack velocity and makes each campaign look new to a detector keyed on the last one. Because SIEMs rely on human-written correlation rules, they are reactive by design: a rule can only be written against an attack pattern someone has already seen and described. That was adequate in the age of hacker-vandals; it is wholly insufficient against today's threat actors.
- Information overload from a constantly changing threat landscape: With the threat landscape and attack surface in constant flux, machines and humans generate an enormous volume of security content (indicators, signatures, advisories, detection rules) meant to provide situational awareness. This is a big-data problem for SIEMs: they cannot automatically consume and operationalize all of that content. Instead, teams of security experts must hand-write rules to make use of it, which further compounds the reactive nature of the SIEM.
- Infrastructure bloat: At the turn of the century, SIEMs were designed to manage and winnow the alert volume thrown off by the original source of the alert-overload problem: IDS/IPS. Since then, security infrastructure has grown to include a large number of tools and sensors (the average large enterprise has 70 different security vendors in its environment), which together generate a cacophony of alerts. A FireEye survey of C-level security executives at large enterprises found that 37% of respondents receive more than 10,000 alerts each month; of those alerts, 52% were false positives and 64% were redundant (noise). Those numbers suggest that traditional SIEM correlation rules do a poor job of separating false positives and duplicates from actual threats. Security organizations do not need more tools (many already own more tools than they can deploy, a security shelf-ware problem); they need to make better use of the tools and data they have.
- Security penetrates the board room, but CISOs don't: Data breaches have become a board-level issue in recent years, yet CISOs still struggle to get a "seat at the table." One of the main reasons is that CISOs cannot articulate the effectiveness of their security programs in terms a board understands, because they are themselves unsure of that effectiveness. CISOs are often not confident that they have the right tools in place, or the right people to manage them, and technology purchases are often "check the box" decisions rather than strategic ones. The latest Mandiant M-Trends report (2018) puts the global median dwell time, the interval between compromise and detection, at 101 days, which goes some way to explaining that lack of confidence. At the same time, CISOs are the first to be blamed when a breach occurs, which is a main reason the average CISO's tenure is two to four years, depending on the industry. This leaves CISOs unable to trust their infrastructure, unable to trust their staff, and unable to trust that their superiors won't fire them at the first sign of trouble.
- The market wants community enrichment: Some of the most successful and effective technologies in other IT arenas today are open source. Elasticsearch is one example, enriched and improved by a user community in the millions. Snort is another, with a large open-source community contributing to and refining its network intrusion detection system (NIDS) engine and rule sets. That trend has unfortunately not yet reached the SIEM arena, where most vendors charge high fees for closed products that large audiences of developers cannot use, extend or improve.
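As an added illustration of the points about hand-written correlation rules and alert noise above (this is example code written for this article, not any vendor's SIEM logic), the following Python script normalizes constructed alerts from three hypothetical tools (an IDS, an EDR agent and a web proxy), collapses redundant repeats, and then correlates what is left by host so that an incident is raised only when independent sensors agree within an hour. The alert formats, field names, tool names and thresholds are assumptions made for the example; the sample data is constructed and uses documentation address ranges.

```python
"""Alert normalization, de-duplication and cross-tool correlation (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real data) in the native shape of three
# hypothetical tools. Addresses are from the RFC 5737 documentation ranges.
RAW_ALERTS = [
    {"tool": "ids", "time": "2024-03-01T10:00:05", "asset": "ws-17",
     "sig": "ET MALWARE Beacon", "dst": "203.0.113.9"},
    {"tool": "ids", "time": "2024-03-01T10:00:35", "asset": "ws-17",
     "sig": "ET MALWARE Beacon", "dst": "203.0.113.9"},
    {"tool": "ids", "time": "2024-03-01T10:01:05", "asset": "ws-17",
     "sig": "ET MALWARE Beacon", "dst": "203.0.113.9"},
    {"tool": "edr", "time": "2024-03-01T10:02:10", "hostname": "WS-17",
     "rule": "Suspicious PowerShell download cradle"},
    {"tool": "proxy", "time": "2024-03-01T10:03:00", "client": "ws-17",
     "category": "newly-registered domain", "url": "http://203.0.113.9/a"},
    {"tool": "ids", "time": "2024-03-01T11:30:00", "asset": "ws-42",
     "sig": "ET POLICY Dropbox Upload", "dst": "198.51.100.7"},
    {"tool": "ids", "time": "2024-03-01T11:31:00", "asset": "ws-42",
     "sig": "ET POLICY Dropbox Upload", "dst": "198.51.100.7"},
    {"tool": "edr", "time": "2024-03-02T09:00:00", "hostname": "WS-99",
     "rule": "Suspicious PowerShell download cradle"},
]


def normalize(raw):
    """Map each tool's native fields (assumed names) onto one common schema."""
    t = datetime.fromisoformat(raw["time"])
    if raw["tool"] == "ids":
        return {"time": t, "tool": "ids", "host": raw["asset"].lower(),
                "title": raw["sig"], "dst": raw["dst"]}
    if raw["tool"] == "edr":
        return {"time": t, "tool": "edr", "host": raw["hostname"].lower(),
                "title": raw["rule"], "dst": None}
    if raw["tool"] == "proxy":
        return {"time": t, "tool": "proxy", "host": raw["client"].lower(),
                "title": raw["category"], "dst": raw["url"]}
    raise ValueError(f"unknown tool {raw['tool']!r}")


def dedup(alerts, window=timedelta(minutes=5)):
    """Collapse repeats of the same (tool, host, title, dst) that fire within
    `window` of the first copy; the surviving alert carries a repeat count."""
    first_seen = {}
    unique = []
    for a in sorted(alerts, key=lambda x: x["time"]):
        key = (a["tool"], a["host"], a["title"], a["dst"])
        first = first_seen.get(key)
        if first is not None and a["time"] - first["time"] <= window:
            first["count"] += 1
            continue
        a = dict(a, count=1)
        first_seen[key] = a
        unique.append(a)
    return unique


def correlate(alerts, window=timedelta(hours=1), min_tools=2):
    """Raise an incident for a host only when at least `min_tools` distinct
    tools alert on it inside `window`. One tool repeating itself, however
    loudly, never qualifies; independent sensors agreeing is the signal."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    incidents = []
    for host, items in by_host.items():
        items.sort(key=lambda x: x["time"])
        i = 0
        while i < len(items):
            # items is time-ordered, so the in-window alerts are a contiguous prefix
            group = [a for a in items[i:] if a["time"] - items[i]["time"] <= window]
            tools = {a["tool"] for a in group}
            if len(tools) >= min_tools:
                incidents.append({"host": host, "tools": sorted(tools),
                                  "first": group[0]["time"], "last": group[-1]["time"],
                                  "alerts": group})
                i += len(group)
            else:
                i += 1
    return incidents


def triage(raw_alerts):
    """Run the pipeline and return counts at each stage plus the incidents."""
    unique = dedup([normalize(r) for r in raw_alerts])
    incidents = correlate(unique)
    return {"raw": len(raw_alerts), "unique": len(unique),
            "alerts": unique, "incidents": incidents}


if __name__ == "__main__":
    summary = triage(RAW_ALERTS)
    print(f"{summary['raw']} raw alerts -> {summary['unique']} unique -> "
          f"{len(summary['incidents'])} incident(s)")
    for inc in summary["incidents"]:
        print(f"  {inc['host']}: {', '.join(inc['tools'])} between "
              f"{inc['first']:%H:%M} and {inc['last']:%H:%M}")
```

On the constructed input, eight raw alerts collapse to five unique ones and a single incident on ws-17; the repeated Dropbox policy hits on ws-42 and the lone EDR alert on ws-99 stay as low-priority alerts rather than incidents. The correlation key is the asset, not a specific indicator, so the same logic fires on the next beacon whatever its destination address; it does not, however, remove the need for the per-tool detections feeding it.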
Amid all these changes, SIEMs have remained largely the same: they aggregate and manage logs and try to identify attacks with pre-written correlation rules. Even so-called next-generation SIEMs cannot respond fast enough to attacks in progress, because they were not designed for real-time incident identification and response.
What organizations need is a SIEM that can fully exploit the data generated by the infrastructure, along with any external security intelligence source, and automatically identify, analyze and respond to threats in real time. With those capabilities in their corner, enterprises can dramatically improve incident detection and response, simplify security management, and cut SIEM total cost of ownership.