Critical capabilities of the modern SIEM

Modern SIEMs provide extensive machine learning and anomaly detection capabilities for advanced threat detection. This can help your security team increase its effectiveness and reduce the resources required to run security operations – which matters at a time when security skills are in short supply and the number of alerts keeps growing.

In a nutshell, SIEM allows IT teams to see the bigger picture by collecting security event data from enterprise applications, the cloud and core infrastructure to learn exactly what goes on within the enterprise – the combined data is worth far more than the individual pieces. A single alert from an antivirus filter may not be cause for alarm on its own, but if it correlates with other anomalies, e.g. from the firewall at the same time, this could signify that a severe breach is in progress.
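The antivirus-plus-firewall case above is a time-window correlation rule. As an added example (not Logpoint's code, and not taken from this article), the script below joins two constructed key=value log feeds on host and flags a firewall deny that follows an antivirus quarantine on the same machine within five minutes; the window length, the field names and the sample lines are all assumptions, and 203.0.113.0/24 is a documentation address range.

```python
"""Cross-source correlation: antivirus quarantine followed by firewall denies.

Added example, not Logpoint's code. Both feeds below are constructed sample
log lines in a key=value style; the 5-minute window is an assumed tuning value.
"""
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed antivirus events (timestamp, then key=value pairs)
AV_LOG = """\
2024-03-01T09:02:11Z host=ws-17 action=quarantine threat=Trojan.Generic
2024-03-01T11:30:00Z host=ws-03 action=quarantine threat=Adware.Foo
"""

# Constructed firewall events; 203.0.113.0/24 is a documentation range
FW_LOG = """\
2024-03-01T09:04:45Z host=ws-17 action=deny dst=203.0.113.9 dport=4444 count=37
2024-03-01T09:40:00Z host=ws-03 action=allow dst=198.51.100.2 dport=443 count=1
2024-03-01T15:10:02Z host=ws-17 action=deny dst=203.0.113.9 dport=4444 count=2
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(log: str) -> list[dict]:
    """Turn each line into a dict of fields plus a datetime under 'ts'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(" ", 1)
        event = dict(KV.findall(rest))
        event["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def correlate(av_events: list[dict], fw_events: list[dict],
              window: timedelta = WINDOW) -> list[dict]:
    """Pair each AV quarantine with firewall denies from the same host that
    occur within `window` after it. Either event alone is low priority; the
    pair is the signal worth escalating."""
    hits = []
    for av in av_events:
        if av.get("action") != "quarantine":
            continue
        for fw in fw_events:
            if fw.get("host") != av.get("host") or fw.get("action") != "deny":
                continue
            delta = fw["ts"] - av["ts"]
            if timedelta(0) <= delta <= window:
                hits.append({
                    "host": av["host"],
                    "threat": av["threat"],
                    "dst": fw["dst"],
                    "dport": fw["dport"],
                    "seconds_apart": int(delta.total_seconds()),
                })
    return hits


if __name__ == "__main__":
    for hit in correlate(parse(AV_LOG), parse(FW_LOG)):
        print(f"ESCALATE {hit['host']}: {hit['threat']} then deny to "
              f"{hit['dst']}:{hit['dport']} {hit['seconds_apart']}s later")
```

Only the ws-17 pair survives: the later deny on the same host falls outside the window, and ws-03 has an allow rather than a deny. The nested loop is fine for a demonstration; a production rule would index firewall events by host and keep a sliding window.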

Legacy vs modern SIEMs

Legacy SIEM solutions do not compare to those offered today. Since the amount of data both produced and collected by organizations has skyrocketed over the past few years, organizations need big data architectures that are flexible and scalable, so they can adapt and grow as the business changes over time. With the ability to handle large and complex implementations, today’s modern SIEM solutions can be deployed in either physical or virtual environments, on-premises or in the cloud. Some SIEMs offer very short implementation times and low maintenance requirements, delivering value within a matter of days.

SIEM tools must be able to ingest data from all sources – including cloud and on-premises log data – in real time to effectively monitor, detect and respond to potential threats. Modern SIEM solutions do not just have the ability to ingest and analyze more data, they thrive on it. The more data an organization can provide its SIEM, the more visibility analysts will have into activity and the more effective they will be in detecting and responding to threats.

The modern SIEM provides a host of benefits, such as better threat detection and response. As cyber threats continue to expand and increase, businesses that can analyze security events quickly and accurately will have a competitive advantage. A modern SIEM solution provides real-time data analysis, early detection of data breaches, data collection, secure data storage and accurate data reporting to improve threat detection and response times.

Modern SIEM solutions go beyond basic security monitoring and reporting; they provide analysts with the clarity they need to improve decision-making and response times. With new ways of visualizing data to help analysts better interpret and respond to what that data is telling them, incident response and management becomes more sophisticated. Better analytics means teams can manage incidents more accurately and improve their forensic investigations – all within a single interface.

Automation and machine learning

Today’s IT teams are increasingly resource and time constrained. Enhanced automation frees security analysts from time-consuming manual tasks and enables them to better orchestrate responses to threats. The best modern SIEM solutions use machine learning and user and entity behavior analytics (UEBA) to ease the burden on overworked security analysts by automating threat detection, providing enhanced context and situational awareness, and drawing on user behavior to gain better insights.

Moreover, UEBA enables better detection and response. Attackers often rely on compromised credentials or on coercing users into performing actions that harm their own organization. To identify these types of attacks more quickly and accurately, UEBA can be used to monitor both suspicious user behavior and activity stemming from the cloud, mobile, on-premises applications, endpoints and networks, as well as external threats.

With UEBA, organizations will see a dramatic increase in their SIEM’s ability to track and identify threats. In addition, UEBA eliminates false positives so analysts have greater situational awareness before, during and after a threat occurs – meaning they are more effective and can spend their limited time on threats that will actually have an impact on operations.
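The core of UEBA is a per-user (or per-entity) baseline against which new activity is scored, which is what lets it surface a credential-misuse case such as the one described above. The script below is an added example, not Logpoint's code and not taken from this article: it builds a profile of usual logon hours and source countries from a constructed history, then reports only the logons that deviate from it. The ±1 hour tolerance, the severity rules and all sample data are assumptions.

```python
"""Per-user behaviour baseline and deviation scoring (a minimal UEBA step).

Added example, not Logpoint's code. The logon history and new events are
constructed; the +/-1 hour tolerance and the severity rules are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history: (user, ISO timestamp, country of source address)
HISTORY = [
    ("jsmith", "2024-02-26T08:55:00", "GB"),
    ("jsmith", "2024-02-27T09:10:00", "GB"),
    ("jsmith", "2024-02-28T10:02:00", "GB"),
    ("jsmith", "2024-02-29T08:40:00", "GB"),
    ("svc-backup", "2024-02-26T02:00:00", "GB"),
    ("svc-backup", "2024-02-27T02:00:00", "GB"),
    ("svc-backup", "2024-02-28T02:00:00", "GB"),
]

# Constructed events to score against the baseline
NEW_EVENTS = [
    ("jsmith", "2024-03-04T09:05:00", "GB"),
    ("jsmith", "2024-03-04T03:12:00", "RO"),
    ("svc-backup", "2024-03-04T02:00:00", "GB"),
    ("svc-backup", "2024-03-04T14:00:00", "GB"),
    ("contractor7", "2024-03-04T10:00:00", "GB"),
]

HOUR_TOLERANCE = 1  # assumed: an hour within +/-1 of any seen hour is usual


def build_baseline(history):
    """Record, per user, the logon hours and source countries seen so far."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set()})
    for user, stamp, country in history:
        baseline[user]["hours"].add(datetime.fromisoformat(stamp).hour)
        baseline[user]["countries"].add(country)
    return dict(baseline)


def hour_is_usual(hour, seen_hours, tolerance=HOUR_TOLERANCE):
    """Plain difference; this simple version does not wrap across midnight."""
    return any(abs(hour - seen) <= tolerance for seen in seen_hours)


def score(event, baseline):
    """Return (level, reason). 'normal' means the event fits the profile."""
    user, stamp, country = event
    profile = baseline.get(user)
    if profile is None:
        return "high", "no baseline for user"
    reasons = []
    hour = datetime.fromisoformat(stamp).hour
    if not hour_is_usual(hour, profile["hours"]):
        reasons.append(f"unusual hour {hour:02d}")
    if country not in profile["countries"]:
        reasons.append(f"new country {country}")
    if not reasons:
        return "normal", ""
    level = "high" if len(reasons) == 2 else "medium"
    return level, "; ".join(reasons)


def detect_anomalies(events, baseline):
    """Only deviations are returned, so the analyst sees a short list."""
    findings = []
    for event in events:
        level, reason = score(event, baseline)
        if level != "normal":
            findings.append((event[0], event[1], level, reason))
    return findings


if __name__ == "__main__":
    for user, stamp, level, reason in detect_anomalies(NEW_EVENTS, build_baseline(HISTORY)):
        print(f"{level.upper():6} {user:12} {stamp}  {reason}")
```

Of the five new logons, three are reported: jsmith at 03:12 from a new country (both deviations, so high), the backup service account at 14:00 instead of its usual 02:00 (medium), and an account with no history at all (high). The two that match their profiles produce nothing, which is the point: the baseline does the filtering so the analyst does not have to.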

Cost control

A modern SIEM solution that has a simple and predictable licensing model also enables businesses to spend less to keep their data secure, regardless of the amount of data they have and the number of sources from which data is logged. SIEM pricing models that are based on data usage are outdated. Data volumes are constantly increasing, and organizations should not be punished for that. 

Modern SIEM pricing models should instead be based on the number of devices or entities sending logs, so organizations need not worry that their data usage affects the cost and can instead focus on scaling for future business needs. Make sure you analyze the total cost of ownership, including for when the SIEM needs to scale – some vendors add cost when hardware capacity increases or when more employees need access to the SIEM.

Meeting compliance requirements is another cost consideration, though failing to meet them, through fines, legal fees and reputational damage, can be even more costly. SIEM solutions can automate data collection, store event logs, improve threat identification and reporting, restrict data access, and flag policy and compliance violations to ensure businesses meet their compliance requirements.

These are undisputed gains, but according to Gartner there are three main areas where a modern SIEM solution should excel:

1. Advanced threat detection

With a modern SIEM tool, advanced threat detection can be executed in real time, allowing organizations to analyze and report on trends as well as user and entity behavior. With advanced analytics, organizations can monitor data access and application activity, and proactively detect and control advanced persistent threats (APTs).

Threat detection capabilities include enrichment with internal or external contextual information, such as threat intelligence, user names or temporal knowledge. This enables security analysts to operate faster and more efficiently. Organizations should invest in SIEM solutions that provide access to effective ad-hoc queries, machine learning and UEBA capabilities, which will result in more effective and efficient threat hunting.
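Enrichment is the step that attaches the context named above to a raw event before an analyst sees it. The script below is an added example, not Logpoint's code and not taken from this article: it joins a parsed event against a constructed threat-intelligence list, a constructed user directory and an assumed business-hours policy, then derives a priority from the combined fields. Every table, address range and rule in it is an assumption; 203.0.113.0/24 is a documentation address range.

```python
"""Enriching a raw event with threat intelligence, directory and temporal context.

Added example, not Logpoint's code. The indicator list, user directory,
internal ranges and business-hours policy are all constructed assumptions.
"""
import ipaddress
from datetime import datetime, time

# Constructed threat-intel indicators (203.0.113.0/24 is a documentation range)
THREAT_INTEL = {
    "203.0.113.9": {"tag": "c2-server", "confidence": 90},
}

# Constructed user directory: who owns this account and is it privileged?
USER_DIRECTORY = {
    "jsmith": {"department": "finance", "privileged": False},
    "svc-backup": {"department": "it", "privileged": True},
}

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal ranges
BUSINESS_HOURS = (time(8, 0), time(18, 0))           # assumed, Monday to Friday

# Constructed events, as a SIEM would hold them after parsing
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:15:00", "user": "jsmith", "src": "10.1.2.3", "dst": "203.0.113.9"},
    {"ts": "2024-03-02T23:40:00", "user": "svc-backup", "src": "10.1.2.4", "dst": "10.2.0.7"},
    {"ts": "2024-03-01T10:00:00", "user": "jsmith", "src": "10.1.2.3", "dst": "10.2.0.7"},
]


def in_business_hours(ts: datetime) -> bool:
    """Temporal context: weekday and inside the assumed working window."""
    start, end = BUSINESS_HOURS
    return ts.weekday() < 5 and start <= ts.time() < end


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def enrich(event: dict) -> dict:
    """Return a copy of the event with context fields and a priority added."""
    out = dict(event)
    ts = datetime.fromisoformat(event["ts"])
    out["business_hours"] = in_business_hours(ts)

    # Identity context from the directory
    identity = USER_DIRECTORY.get(event.get("user"))
    out["user_known"] = identity is not None
    out["department"] = identity["department"] if identity else None
    out["privileged"] = identity["privileged"] if identity else False

    # Threat-intel and network context for the destination
    dst = event.get("dst")
    intel = THREAT_INTEL.get(dst)
    out["intel_tag"] = intel["tag"] if intel else None
    out["dst_internal"] = is_internal(dst) if dst else None

    # Priority rules (assumed): a known-bad destination always wins; a
    # privileged account outside business hours is high; anything else
    # off-hours or from an unknown account is medium.
    if intel:
        out["priority"] = "high"
    elif out["privileged"] and not out["business_hours"]:
        out["priority"] = "high"
    elif not out["business_hours"] or not out["user_known"]:
        out["priority"] = "medium"
    else:
        out["priority"] = "low"
    return out


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        e = enrich(ev)
        print(f"{e['priority']:6} {e['user']:11} dept={e['department']} "
              f"hours={e['business_hours']} intel={e['intel_tag']}")
```

The first event is a finance user reaching a listed command-and-control address during the working day, the second is a privileged service account active late on a Saturday, and the third is routine. None of the raw fields changed; the added columns are what let a query such as "privileged accounts outside business hours" run without the analyst looking each user up by hand.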

2. Security monitoring

SIEM is an effective log management tool that allows for basic security monitoring and is often used for compliance reporting and real-time monitoring of security controls. SIEM solutions should meet basic threat detection, compliance auditing and reporting requirements. With flexible and convenient collection and storage of logs, auditors’ needs can be accommodated, making compliance much easier.

Popular use cases among customers for basic security monitoring cover a broad range of security sources, including perimeter and network devices, endpoint agents, critical applications and other infrastructure components.

3. Investigation and incident response

Visualization is very important for making sense of your data. A modern SIEM can give you the clarity you need, providing new ways to visualize data that make it easy to interpret and respond to what the data is telling you.

Incident response and management should be easy, fast and actionable, making it convenient to manage incidents within your team and enabling effective forensic investigations. Where this is not built into the tool itself, strong integration with dedicated tools, both within and outside a SOAR platform, is important. With business context, security intelligence, user monitoring, data monitoring and application monitoring – all within a single interface – analysts will be more effective and informed.

Implementing a modern SIEM solution, or upgrading an existing SIEM to one that offers analytics and machine learning capabilities, will allow organizations to keep up with today’s expanding threat landscape – without the growing costs associated with highly skilled security analysts or the burden of outdated log-volume pricing models. Remember also that replacing a SIEM does not necessarily mean that your current investment is lost – some SIEM vendors will help you with a seamless transition to make sure full value is captured and transferred.

Nils Krumrey

Nils Krumrey is an Information Governance expert, Senior Presales Engineer and Architect at Logpoint. Based in the UK but a German native, Nils has 20 years of industry experience and has worked across Europe with some of the largest financial institutions on monitoring and improving their information governance. At Logpoint, he is a technical specialist involved in the architecture, sizing and use case definition for new Logpoint customers in the UK, Ireland and Benelux, with a keen interest in modern SaaS architectures. He holds a BSc in Computer Vision from the University of Koblenz and is a Certified Ethical Hacker (CEH).