By Olivia Cahoon
Security information and event management (SIEM) software products and services combine security information management (SIM) and security event management (SEM) technology. SIEM software provides real-time analysis of security alerts generated by applications and network hardware. Recent technology trends like the cloud and machine learning shape the evolution of SIEM products and services.
Today’s SIEM solutions offer threat detection and security incident response by analyzing SIM and SEM data in real time for internal and external threat management. By analyzing historical data from compliance reporting and incident investigation, SIEM solutions collect, store, and report log data for more efficient incident response. According to Gartner, capabilities of SIEM include a broad scope of event collection and the ability to correlate and analyze events across disparate sources.
SIEM technology is originally developed for compliance and log management, but is broadly used to detect and investigate attacks as it became an aggregation point for security alerts, says Michael Adler, VP, NetWitness Suite, RSA. While log-centric SIEM solutions highlight anomalies across different sets of logs, it also has a limited scope and cannot detect complex attacks.
“Looking at logs alone lacks the deep visibility and important detail required to fully understand what is happening across the network and environment—from the endpoint to network packet capture,” says Adler. Evolved SIEM software accelerates threat detection and response in addition to providing visibility and incorporating business context to prioritize threats and security incidents.
According to Adler, an evolved SIEM provides unparalleled visibility to see threats anywhere, capabilities to instantly detect the full scope of an attack, and business context to enable analysts to rapidly respond to the threats that matter most.
Modern SIEM solutions also help businesses realize end-to-end Threat Lifecycle Management (TLM). According to Chris Petersen, CTO/SVP, research and development, LogRhythm, TLM is the set of capabilities and workflow across which security teams monitor, investigate, and respond to cyber security threats. “TLM is also the workflow across which an organization can optimize and measure their mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR).”
SIEM solutions deliver TLM and realize reductions in MTTD/MTTR at the lowest total cost of ownership. SIEM software is built on machine data analytics technology infrastructure and unifies and delivers discrete solutions as an integrated user experience and workflow, says Petersen. Solutions include enterprise log management, security analytics, user entity and behavioral analytics, network traffic and behavioral analytics, and security automation and orchestration.
Across this solution set, Petersen says next-generation SIEM platform solutions deliver critical capabilities including big data analytics architecture, machine data intelligence, centralized security intelligence, centralized forensic visibility and search, scenario analytics and AI-powered behavior analytics, for holistic threat detection, case management, task automation, guided workflow, integrated high-speed user experience, and an open platform.
“Enterprises should seek platforms that deliver all the aforementioned solutions and capabilities but not be forced to purchase or adopt all capabilities at once,” says Petersen. Additionally, SIEM platforms are flexible and grow with the enterprise overtime as organization capabilities and needs mature.
SIEM software offers compliance and threat management—two important drivers for purchasing SIEM solutions. In the past decade, compliance drove SIEM purchases across several verticals from small to large enterprises. Due to an increasingly hostile threat landscape, Petersen believes organizations invest more in SIEM for threat detection and response.
Large enterprises, like financial services, are the traditional SIEM software investors who require advanced cyber threat detection capabilities. “However, we now see most medium-sized enterprises looking to mature their security posture by purchasing a SIEM for the first time or upgrading their legacy compliance-centric SIEM to a more modern next generation SIEM,” says Petersen.
According to Sacha Dawes, principal product marketing manager, AlienVault, any organization seeking threat detection and visibility into potentially malicious activity within their network benefits from SIEM capabilities while others deploy SIEM for compliance purposes. He says while single-purpose SIEM software and log management tools provide valuable security information, they often require expensive and time-consuming integration efforts to bring in log files from disparate sources like inventory, vulnerability assessment, and IDS products.
Once the data is obtained, additional time is needed to research and write correlation rules that allow SIEM to identify threats in the environment. “For today’s resource-strapped IT teams, the time and expense required to deploy a traditional SIEM seriously delays their time to threat detection and return on investment. The resource-intensive nature of traditional SIEM platforms can even push comprehensive security out of their reach entirely,” offers Dawes.
Evaluating SIEM Partners
Before selecting a SIEM solution, enterprises should evaluate SIEM partners for the best solution. The first step is considering what resources SIEM partners can dedicate to the enterprise’s project—ranging from infrastructure needs to headcount.
Eric Sun, senior solutions manager, detection and response, Rapid7, advises enterprises to then map out what constitutes success—does the initiative stem from the need to be compliant or does the SIEM need to detect an opportunistic or targeted attack? “If there aren’t sufficient resources to operate or maintain a SIEM, consider a managed detection and response service, especially if the service can include centralized log management.”
Additionally, organizations investing in threat detection and response should evaluate their current approach to SIEM. According to Sun, Locard’s exchange principle shares that a criminal will always bring and take something from a crime scene. “This concept carries into the digital world—it’s critical to collect and identify subtle traces of malicious behavior,” he offers.
Manikandan Thangaraj, director, product management, ManageEngine, suggests enterprises evaluate supported log formats, event and search query processing power, built-in integrations with threat feeds and ticketing tools, and clearly understand the IT infrastructure and compliance objectives. “Smaller security teams should ideally choose a solution that provides a wide range of prepackaged components, so they can quickly see results out of the box,” he says.
While SIEM capabilities are useful for organizations, a SIEM system in isolation may not provide comprehensive security. To accelerate threat detection and response abilities, Dawes believes organizations should seek a partner with solutions that deliver SIEM capabilities along with other essential security controls like asset discovery, vulnerability assessment, intrusion detection, and integrated threat intelligence.
“They should also look for solutions designed to monitor both cloud and on-premises environments to avoid the hassle of deploying multiple point products and enabling the monitoring and management of their full IT infrastructure through a single solution,” says Dawes.
Adjusting to Trends
Recent technology trends shape the evolution of SIEM products and services. As the security industry shifts from preventive controls to detective and corrective control, enterprises realize preventive controls are no longer sufficient for data protection. Sonny Dasgupta, product marketing lead, security operations, Micro Focus, points to an increasing need for fast detection and recovery to minimize damage.
“Real time correlation of data collected from disparate sources across the organization combined with detection analytics and hunting is important for fast and accurate detection,” says Dasgupta.
Security operations centers (SOC) struggle with increased data from the Internet of Things (IoT), IT, mobile, and other sources. With the advent of big data and increasing attack vectors, Dasgupta believes SOC and SIEM should easily scale for expanded visibility and quickly for threat detection from incoming data. “Distributed technologies are key to ensuring scalability and visibility—helping the SIEM to correlate various individual events for threat detection in early stages.”
As the IoT industry grows, it’s increasingly important to improve security measures, stay compliant, and solve problems efficiently. According to Destiny Bertucci, head geek, SolarWinds, in the last few years distributed denial of service attacks grew in number and size and will likely increase both in volume and visibility of data breaches in the coming year. “Organizations must be prepared to prevent these issues and mitigate them quickly should they become significant problems,” says Bertucci.
As machine learning matures it becomes readily available for adoption. According to Bertucci, vendors now equip SIEM solutions with machine learning technology to facilitate increased automation, monitoring, and SIEM software’s overall effectiveness.
According to Dawes, a major challenge faced by companies, especially those with limited security resources, is the industry-wide shortage of security skills. “With companies finding it more difficult than ever to find and retain qualified security staff or lacking the budget to expand their teams, organizations increasingly seek unified solutions that help reduce the load by providing SIEM capabilities plus other essential security controls integrated into a single solution,” he explains.
The widespread adoption of cloud computing technologies also influences SIEM products and services. Cloud technology introduces new challenges and threat vectors that are unique to cloud environments. Dawes says that with more data and services being moved to the cloud, it’s essential that companies choose SIEM systems designed to natively monitor cloud environments.
Additionally, Thangaraj says cutting edge data processing capability, user behavior analytics, and integration with threat intelligence levels make SIEM solutions more powerful than ever before—helping security teams combat advanced threats stemming from both internal and external actors. “SIEM technology is evolving to help organizations tackle cloud security and compliance challenges.”
AlienVault Unified Security Management (USM) is designed for mid-sized enterprises in all industry verticals, especially industries with small IT teams and limited resources. It features unified security management, continuous threat intelligence updates, and security visibility into all environments. USM is compatible with the cloud, on-premise, and hybrid environments. Dawes says pricing starts at $650 per month.
Released in 2005, LogRhythm Platform has over 2,000 customers across five continents in industries like financial services, retail, manufacturing, and government. It serves as the back-end technology for a variety of managed service providers and offers capabilities like multi-tenant support and secure WAN collection. Additionally, LogRhythm’s TLM workflow delivers solutions for user and entity behavior analytics, network traffic and behavior analytics, and enterprise log management. According to Petersen, the platform starts at $28,000 with subscription options also available.
Released in March 2016, ManageEngine offers Log360, intended for enterprises of all sizes across industries. Log360 is a one-stop solution for log management and network security challenges. It is an integrated solution that combines EventLog Analyzer, ADAudit Plus, and Cloud Security Plus into a single console. It features pre-defined auditing and alert functionalities and ease of deployment. Thangaraj says pricing is based on the number of log sources with base pack subscription starting at $795 per year.
Micro Focus offers ArcSight, an enterprise-grade SIEM, data management, and advanced analytics platform that handles cybersecurity needs. It’s built on an open architecture and deployable on premise or in the cloud. The ArcSight solution is comprised of three layers—data collection/distribution, threat detection, and investigation/analytics. According to Dasgupta, ArcSight Enterprise Security Manager helps security analysts and operations teams respond faster to compromise indicators.
Rapid7 released InsightIDR in February 2016. According to Sun, InsightIDR represents Rapid7’s continuous research into attacker behavior and traces left behind. It includes multiple methods of detecting compromise that range from user behavior and analytics to built-in deception technology. InsightIDR is compatible with Microsoft Office 365, Splunk, and FireEye. Sun says InsightIDR is sold by number of assets in the organization.
The RSA NetWitness Suite 11 was released in October 2017. It targets large- and mid-sized enterprises across entertainment, finance, government, healthcare, hospitality, manufacturing, non-profits, retail, and utility markets. NetWitness Suite 11 features a single, modular monitoring platform that combines logs, network, and endpoint visibility to visualize the entire enterprise’s affairs. It also offers network insights, real time parsing and enrichment, advanced analytics, rapid investigations, and prioritized workflow. NetWitness Suite 11 is available as a perpetual license or subscription license. Adler says the subscription license starts at $919 per throughput unit per month.
SolarWinds Log & Event Manager (LEM) 6.3.1 was released in February 2017. It offers features to help organizations improve security and compliance with relative ease and limited impact on IT budgets. Targeted toward small- to mid-sized businesses, SolarWinds LEM detects suspicious activity, mitigates security threats, achieves auditable compliance, and maintains continuous security. Bertucci says pricing starts at $4,495.
SIEM solutions allow SOCs to monitor activity across networks while detecting and responding to evolving threats in real time. It logs and analyzes information to generate alarms of suspicious activity while helping users analyze, detect, and respond to threats in their environment. Before implementing a SIEM solution, enterprises should consider recent technology trends like the IoT and cloud technology as well as SIEM partners that offer those capabilities.
Mar2018, Software Magazine