Security Information and Event Management (SIEM) has evolved over the years. With the release of the 2020 Garner Magic Quadrant for SIEM, this could be an appropriate time to look at the changes that have shaped SIEM. It's also an opportune time to reflect on what the future looks like for SIEM tools.
Initially, SIEM came as a tool to help organizations become security compliant. With time, it evolved into a sophisticated threat detection system. Later, it would become an investigation and response platform, empowering security operations center analysts to deal with incidents promptly and efficiently. In their various capacities, SIEMs have been the core platform for many security teams.
While trying to figure out how SIEMs will look like in the future, we can't help but notice that the security operations center is constantly innovating and bringing to the table new interoperable technologies. All this is to realize faster speed and greater efficacy.
However, there is still room to learn more about what to expect. In compiling this report, we reached out to cybersecurity experts to pick their thoughts on what they think will be the future of SIEM.
The Weakness in SIEM Tools
A security information and event management (SIEM) system is a software solution that collects various log and event information from different devices across your entire IT infrastructure. Specifically, SIEM collects security data from domains controllers, servers, network devices, and more.
However, SIEM only collects the data, being a one-way communication between the device and software. According to Dr. Bennet Hammer from Hammer IT Consulting, Inc., this is a weakness that future tools should address.
Hammer continues to say that SIEM products need to become more intelligent about providing alerts when action is required. They also should be more effective in offering more advanced analysis. Future SIEM tools should incorporate two-way communication between the sourcing log and event data devices. Having a way to communicate back to the source device offers opportunities to automate many processes. In Hammer's opinion, the future of SIEM will be more intelligent using AI technology.
SOAR Tools Could Soon Replace SIEMs
Sarah McAvoy, the Managing Director at CyberUnlocked, believes that SIEM tools might soon lose their value. Today's SIEM tools perform many functions, from gathering and storing logs for compliance and forensics to generating security alerts for security analysts to investigate. Most SIEM tools have already incorporated some level of automation to reduce the number of events that a security analyst needs to investigate. However, most of the automation is fairly rudimentary based on pre-configured playbooks.
"As SIEM tools evolve, they need to perform a more automated and in-depth analysis of the data ingested from many sources. They must have the capacity to handle threat intelligence feeds, dark web information, logs from networks, and cloud applications. Further, it's not only about the number of data points to correlate. There's also the need to correlate events in time to be able to perform behavioral analysis as they notice changes in a network," McAvoy says.
That's where security orchestration, automation, and response (SOAR) tools are coming in to show their value. These tools are increasingly able to perform the continuous monitoring and triaging of security alerts, functions often done by level 1 security analysts.
How SOAR Works
SOAR tools work to address most of the challenges presented by SIEM. They work by streamlining tasks that were once manual, hence help in the elimination of the most consistent challenge to optimal cybersecurity, which is human error.
Besides, SOAR integrates security tools and automates them depending on the incident response playbooks. For example, the tools gather alarm data from all the integrated platforms. Additionally, they place them in a single location for extensive investigation.
Case management using SOAR tools is effortless as it allows cybersecurity experts to assess, research, and undertake additional relevant investigations within a single case. In other words, these modern versions of SIEM tools focus on looking for anomalies in the network activity. They also look for sophisticated targeted threats, which require behavioral and contextual analysis of the troves of data being gathered.
The analysis should be applicable across devices, users, applications, networks, and cloud environments. It will also be necessary to have more cohesive workflows based on seamless integrations. However, as teams work towards making their environments better, they cannot afford to lose speed or insights.
The Need to Popularize SIEM Tools
SIEM tools and practices are rapidly becoming necessary for IT departments and Managed Service Providers (MSPs) of all sizes, says Matt Bullock, VP of Technical Sales at Accelera IT Solutions. The tools are crucial because of the expanding environment of remote workers, mobile devices, public and private cloud infrastructure. Hackers are also increasingly making large amounts of money from compromising company data.
Company staff and executives now expect access to their data, in real-time, from anywhere. Unfortunately, with the accessibility of data over Wi-Fi and home networks, the threat landscape is wide open. IT departments and MSPs have no choice but to take the time to correctly plan and link all devices into a SIEM architecture if they want to reduce cybersecurity incidents.
They should then use the data collected to determine weak links, including staff who refuse to play by the rules when accessing data locally and remotely. If the corporate world would entirely implement SIEM tools and practices, Bullock believes that the daily news reports of hacking into some large companies would dramatically decrease.
SIEM tools have been around for quite some time and have undergone several renovations. While they may need a facelift in the future, it seems like they are here to stay. Several changes are bound to happen, which will shape the growth of SIEM. These include the development of automated playbooks and incident response. It seems like the future of SIEM will be more of an evolution, not a revolution.