June 27, 2023
Anomali Threat Research

Take Your SIEM to the Next Level

<p>Security Information and Event Management (SIEM) systems originated as an integration of two separate but parallel systems: Security Information Management (SIM) and Security Event Management (SEM). SIMs focused primarily on collecting, storing, and analyzing log data from security devices and systems, while SEMs focused on real-time monitoring and analysis of security events. The two disciplines merged when Gartner analyst Mark Nicolett coined the term SIEM in a research brief published in 2005. At the time, the merger made sense: the need for a comprehensive solution was becoming pervasive, and security and IT vendors leaned in quickly.</p>
<p>SIEMs were effective at collecting data from log-generating sources, indexing it, and storing it in a log repository (which also proved useful for compliance purposes). They were, and still are, effective at using rules, signatures, and analytics to identify known threats when predetermined criteria are met, then feeding that data into workflow, case management, and collaboration solutions. As useful as SIEMs have been, they are now running into hard limitations, including:</p>
<h2>Visibility</h2>
<ul>
<li><strong>Lack of context</strong>: Because SIEM systems typically rely on rules and signatures to identify security events, they provide limited external context about the alerts they generate. A lack of actioned visibility leads to an incomplete or inaccurate understanding of the severity of an incident, making it harder for security analysts to stay ahead of a complex, dynamic threat environment.</li>
<li><strong>Log data source limitations</strong>: SIEM solutions rely on log data from various sources, but they may not collect all relevant logs. They may also fail to capture critical information because of cost or storage limits at the log sources, or because of network configuration and compatibility requirements. These limitations leave blind spots in the security monitoring process.</li>
<li><strong>Limited threat intelligence integration</strong>: While SIEM solutions often incorporate threat intelligence feeds, their integration and update processes with, for example, intrusion detection systems, firewalls, or vulnerability scanners may not be seamless, or may be missing entirely, leaving the threat intelligence outdated. A real-time solution that provides actionable visibility by integrating external threat intelligence with internal attack surface information is mission-critical for any enterprise subject to cyber threats.</li>
</ul>
<h2>Automation</h2>
<ul>
<li><strong>Alert fatigue</strong>: SIEM technologies generate a large number of alerts, many of which are false positives (benign events flagged as malicious) or low-priority events, while genuine incidents go undetected as false negatives. This level of noise can overwhelm security teams, making it difficult to pick out the signal of genuine threats.</li>
<li><strong>Limited automation and response capabilities</strong>: SIEM systems often lack robust automation and response features for complex correlation requirements. Many SIEM systems are also limited in their monitoring and threat detection for cloud-based environments, which means security teams must manually investigate and respond to alerts.</li>
<li><strong>Inability to handle large-scale data</strong>: SIEM technologies often struggle with the volume and velocity of data generated by modern networks and systems. Slow response times lead to delays in processing and analyzing data, potentially missing time-sensitive security events.</li>
</ul>
<h2>Optimization</h2>
<ul>
<li><strong>Complex configuration and maintenance</strong>: Setting up and maintaining a SIEM system is expensive, complicated, and time-consuming, requiring expertise in configuring log sources, writing correlation rules, and keeping the system up to date. An overly complex user experience can also hinder adoption, limiting its use by non-technical staff who need to interact with SIEM data.</li>
<li><strong>Difficulty in identifying advanced threats</strong>: Traditional SIEM technologies focus on known patterns and signatures, making it hard to quickly identify sophisticated and evolving threats that do not match predefined rules. A lack of advanced search capabilities and intuitive user interfaces can lengthen investigations, particularly when the activity falls outside the scope of known threats.</li>
<li><strong>Poor scalability</strong>: Scaling a SIEM system to handle increased data volumes, additional log sources, or distributed networks can be challenging, requiring significant investment in infrastructure or licensing; these costs are amplified for enterprises undergoing digital transformation. A lack of scalability also limits the view of past events, giving an incomplete picture of potential risks. SIEMs cannot analyze historical data going back months or years, making it slow and expensive to access archived material.</li>
</ul>
<p>SIEMs still have a critical role to play in the security framework of any organization. However, a more forward-leaning approach is needed to stay ahead in the modern threat landscape while maximizing the value of a non-trivial SIEM investment. This requires thinking along three vectors:</p>
<p><strong>Actioned Visibility</strong>: Being able to take immediate action across all security telemetry and supply chains to address potential threats before they move into execution mode. This requires visibility that goes beyond the scope of traditional SIEMs by including threat and attacker insights augmented with curated and peer intelligence, delivering context that goes far beyond current SIEM storage limitations. This effectively reduces cycle times from weeks to minutes.</p>
<p><strong>Automated SecOps</strong>: Events are arriving at high speed and higher volume, and security analyst burnout is becoming pervasive. Automated workflows supported by AI engines can deliver high-fidelity, signal-based threat correlation and analytics to automate routine analyst tasks such as intelligence analysis, triggering investigations, security gap identification, and security posture updates. Analysts will be in a much better position to separate signal from noise, handling threat detection with speed (e.g. a 90% reduction in the time required for investigations), precision, and context, while reducing the stress of unsustainable workloads.</p>
<p><strong>Optimized Cyber Stack</strong>: Being able to extract more value from your existing security infrastructure to understand risk exposure, prioritize security investments, and capture and share intelligence with security controls to identify attacker TTPs and prevent breaches. Enterprises run a significant number of specialized security solutions that are not fully integrated with external defense resources such as ISACs or MITRE ATT&amp;CK. Integrating operational security data with business context enables CISOs to make informed decisions. Correlating dynamic data sources into an actionable framework lets analysts deliver a more significant impact and is a genuine force multiplier.</p>
<p>An approach using these three vectors already exists and is in use in some of the most demanding security environments across a broad range of industries. To learn more about Anomali, please visit <a href="https://www.anomali.com/platform">https://www.anomali.com/platform</a>.</p>
