5 Must-Have Features of Next-Gen SIEMs

essidsolutions

Choosing a SIEM is a big decision. It can cost up to $1 million per year to license and maintain a large, traditional legacy SIEM. Security teams purposefully hold back the collection of security data because of that cost, and this behavior puts the enterprise at even more risk from a cyber attack. Jack Naglieri, CEO and co-founder of Panther Labs, discusses five essential features that next-gen SIEM providers must incorporate into their solution to meet the demands of high-growth cloud-based enterprises.

Ask the CEOs or leaders of today’s incumbent SIEM providers, and each will tell you that innovation is essential to company growth or even for maintaining their current market position. Still, the trend for startups to disrupt slow-moving incumbents – pervasive throughout the technology sector – is alive and well in the SIEM world too. 

Nobody wants to be the Kodak, MySpace, or Blockbuster of cybersecurity, and incumbents should be in the best position to anticipate the changing needs of their customers. Still, companies are designed to resist change, and managers are incentivized to maintain the status quo. 

The Evolution of SIEM 

The origins of today’s SIEM platforms can be traced back to the early 2000s when two new species of monitoring tools began to emerge on the market. These tools were security information management (SIM) and security event management (SEM) solutions. 

Early SIMs were primarily log management solutions with some historical analysis and forensic capabilities. SEMs served as threat management tools designed to fight threats in early network environments by providing incident response support. Both SIM and SEM solutions proved to be essential as more and more commerce and communications became digitized.

As SIM and SEM vendors looked for ways to increase their market share, they each began to eye the other’s piece of the cybersecurity pie. By 2005, solutions that included both SIM and SEM capabilities began to emerge on the market. That’s when Gartner researchers Mark Nicolett and Amrit Williams coined the new term – security information and event management (SIEM).

These new SIEM tools offered log management and security event correlation alerting by drawing from other cybersecurity tools like firewalls and antivirus. This aggregation of security data from disparate sources brought with it its own set of problems, however. 

The existing SIM and SEM vendors that hurried to fill the demand for SIEM solutions were ill-equipped to structure security data, scale as the demand for cloud services exploded, or provide the ability to automate responses to alerts.

As a result of adapting existing SIM and SEM tools, without regard to the changing threatscape and the move to the cloud, today’s legacy SIEMs are woefully inadequate. This has generated market pressure for a new and better generation of SIEM solutions.

Below are five essential features that next-gen SIEM providers must incorporate into their solution to meet the demands of high-growth cloud-based enterprises. 


Key Features of a Next-Generation SIEM 

Here are five innovations that incumbent SIEM providers have missed and every next-generation solution must include.

1. Detections-as-code

As software eats the world and the adoption of Python continues to follow right along with it, security teams need to equip themselves with the skills to write elegant, tested, and powerful detections. By using software to process logs, teams can more easily express and maintain logic to flag attacker behaviors. As attacks become more complicated, detection platforms must also compensate for this change.

2. SIEM as a modular data platform

More and more organizations rely on the security team’s SIEM deployment as the one and only log management solution. The “SIEM” should accommodate this dependency by shifting to a robust data analytics platform built on cloud data warehouse technology that can accommodate multiple streams of detection logic. For example, taking a detection-in-depth approach requires multiple mechanisms, such as rule-based machine learning, anomaly detection, and correlation of threat intelligence.

3. Data sharing

A platform designed to share the collected security telemetry can help teams that want to pay it forward and share indicators or attack patterns with other organizations that may be facing a similar, known attack. Platforms like Snowflake make this directly possible for the first time, with security treated as an application on top of the data platform. Historically, this has been very difficult because of the nuance of using data-sharing systems that rely on protocols like STIX/TAXII.

4. API access

Automation can greatly reduce the overhead of the security team by using code to take action on repetitive tasks, such as pinging users, enriching alerts with context, and any other manual analyst workflow. To support this, SIEMs will need to reach out to external APIs and allow other systems to call back into the SIEM through an API of its own. Examples of such workflows include automatically closing alerts, updating detections, configuring new inputs, and much more. This also enables more savvy security teams to write their own custom automation and make use of the rich data and capabilities that exist in the SIEM. Integrating into CI/CD pipelines complements both automation and API access by enabling security teams to keep their detections in source control.

5. Advanced alert routing

To complement detections-as-code, having an advanced way of routing alerts to the right queue can help the security team collaborate with multiple internal teams within an organization or ensure the right severity is set depending on the values of the log. Alert routing ensures that the correct action and urgency are applied to each finding. 
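The following is an added example, not code from the article or from any vendor, that ties features 1 and 5 together: a Python detection written as code, with unit tests beside it, whose severity and destination queue are derived from the values in the log event. The events, queue names, and the rule/severity/destinations function layout are all constructed for illustration.

```python
"""Detections-as-code with log-value-based alert routing (added example)."""

# Constructed sample events, loosely shaped like cloud console-login audit logs.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}, "env": "prod"},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "env": "prod"},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}, "env": "dev"},
]


def rule(event: dict) -> bool:
    """Detection logic: fire on any console login that did not use MFA."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def severity(event: dict) -> str:
    """Severity comes from log values: root is critical, prod is high, anything else medium."""
    if event.get("userIdentity", {}).get("type") == "Root":
        return "CRITICAL"
    return "HIGH" if event.get("env") == "prod" else "MEDIUM"


def destinations(event: dict) -> list[str]:
    """Routing from the same values: criticals page on-call, everything lands in the env queue."""
    queue = f"{event.get('env', 'unknown')}-security-queue"  # hypothetical queue names
    return ["oncall-pager", queue] if severity(event) == "CRITICAL" else [queue]


def title(event: dict) -> str:
    identity = event.get("userIdentity", {})
    who = identity.get("userName", identity.get("type", "unknown"))
    return f"Console login without MFA by {who} in {event.get('env')}"


def run_detection(events: list[dict]) -> list[dict]:
    """Apply the rule to each event and build a routed alert for every match."""
    return [{"title": title(e), "severity": severity(e), "destinations": destinations(e)}
            for e in events if rule(e)]


# "Tested detections": expected rule outcomes live next to the rule and run in CI.
RULE_TESTS = [(SAMPLE_EVENTS[0], True), (SAMPLE_EVENTS[1], False), (SAMPLE_EVENTS[2], True)]


def run_rule_tests() -> bool:
    """Return True only if every sample event produces the expected rule outcome."""
    return all(rule(event) is expected for event, expected in RULE_TESTS)
```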


Closing Thoughts

As companies switch to cloud services, the amount of security data they need to manage is exploding. They need a modern and automated way to monitor, process, store, and investigate their security data. Companies need a SIEM solution that can scale as their demand for security increases. 

Choosing a SIEM is a big decision. It can cost up to $1 million per year to license and maintain a large, traditional legacy SIEM. Security teams purposefully hold back the collection of security data because of that cost, and this behavior puts the enterprise at even more risk from a cyber attack.

Sluggish innovation from incumbent providers caused by a motivation to maintain the status quo, combined with the ever-rising cost of adapting a legacy SIEM to a cloud-first world, has made this sector ripe for disruption. 

Use these five essential features as guideposts to direct your search for an innovative provider of the next-generation SIEM solution. It’s the best way to future-proof your decision. 
