The Seismic Shift Shaking Up SIEM
In an increasingly volatile cyber landscape, where the growth of new and intensified threats is posing ever greater risks, the role of Security Information and Event Management (SIEM) solutions is being placed under the microscope.
Having examined its current capabilities, many organisations are of the opinion that a major shift is underway in the area, and that a significant transformation is needed to keep it adequate for today’s use.
SIEM, a security solution that collects, analyses, and correlates log data and security events from various sources within an organisation's IT infrastructure, provides a centralised platform for monitoring, detecting, and responding to potential security threats and incidents.
SIEM solutions typically ingest data from sources such as firewalls, intrusion detection/prevention systems (IDS/IPS), antivirus software, servers, and other security devices, and then apply predefined rules, correlation algorithms, and machine learning techniques to identify patterns and anomalies that may indicate security breaches or malicious activities.
Traditional SIEM approaches, however, are proving inadequate in addressing the complexities of modern cyber threats.
"In our view, SIEM solutions no longer deliver against organisations' operational security needs in today's rapidly evolving cyber landscape," said Amit Tailor, Director of Systems Engineering at Palo Alto Networks.
SIEM is evolving, however, in two different directions: One is the platform play, with cloud-based, comprehensive, integrated platforms. The other is the specialised approach, focusing on niche SIEM aspects.
These rapid changes, consolidated by numerous mergers and acquisitions, mean the area is so dynamic that organisations may be left wondering how they can bring their SIEM up to a current security standard.
“It’s pretty clear that cybersecurity is changing, and the SIEM needs to change with it,” says Mikkel Drucker, CEO of Logpoint.
The current concern
A concern with the current state of play for SIEM is a fundamental one: the detection of security breaches or nefarious activities.
Current SIEM systems collect log data and then normalise it into a standardised format for analysis. They use predefined rules and correlation algorithms to analyse the collected log data and identify patterns that may indicate security incidents or threats, based on known attack patterns, signatures, and indicators of compromise.
Additionally, SIEM solutions employ anomaly detection techniques using machine learning algorithms and statistical models to establish baselines of normal activity and flag significant deviations as potential threats, helping to identify previously unknown or emerging threats.
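The three stages just described (normalisation into one schema, rule-based correlation, and baseline anomaly detection) are easier to reason about in code. The following is an added illustration written for this article; it is not the article's own code nor any vendor's product. The sshd syslog format is real, but the JSON "auth appliance" format, the hostnames, users and addresses, and every log line are constructed samples, and the thresholds are arbitrary assumptions chosen to show one hit per detector.

```python
"""Minimal SIEM-style pipeline (illustrative, added example):
   raw log lines -> normalised Events -> correlation rule + per-host baseline."""
import json
import re
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Event:
    """Common schema every source is mapped onto (the 'normalisation' step)."""
    ts: datetime
    host: str
    src_ip: str
    user: str
    outcome: str  # "fail", "success" or "other"


# Source 1: OpenSSH sshd syslog lines with an ISO-8601 timestamp prefix.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def normalise(line: str) -> Optional[Event]:
    """Map one raw line from either source into Event; None if no parser matches."""
    line = line.strip()
    if line.startswith("{"):
        # Source 2: constructed JSON format of a hypothetical auth appliance.
        rec = json.loads(line)
        outcome = "success" if rec["status"] == "ok" else "fail"
        return Event(datetime.fromisoformat(rec["time"]), rec["device"],
                     rec["client"], rec["account"], outcome)
    m = SSHD_RE.match(line)
    if m:
        outcome = "success" if m["result"] == "Accepted" else "fail"
        return Event(datetime.fromisoformat(m["ts"]), m["host"], m["ip"],
                     m["user"], outcome)
    return None


def correlate_bruteforce(events: List[Event], threshold: int = 3, window_s: int = 300):
    """Correlation rule: >= threshold failures from one source IP inside window_s
    seconds, followed by a success from that IP, raises one alert."""
    alerts, fails = [], defaultdict(list)  # src_ip -> timestamps of failures
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.outcome == "fail":
            fails[ev.src_ip].append(ev.ts)
        elif ev.outcome == "success":
            recent = [t for t in fails[ev.src_ip]
                      if (ev.ts - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "src_ip": ev.src_ip,
                               "host": ev.host, "user": ev.user,
                               "failures": len(recent), "at": ev.ts.isoformat()})
                fails[ev.src_ip].clear()  # do not re-alert on the same burst
    return alerts


def baseline_anomalies(events: List[Event], current_hour: datetime, z_threshold: float = 3.0):
    """Anomaly detection: per host, build an events-per-hour baseline from all
    hours before current_hour (empty hours count as 0) and flag the current
    hour when its z-score exceeds z_threshold."""
    hour = lambda t: t.replace(minute=0, second=0, microsecond=0)
    per_host = defaultdict(Counter)
    for ev in events:
        per_host[ev.host][hour(ev.ts)] += 1
    first = min(hour(ev.ts) for ev in events)
    findings = []
    for host, buckets in per_host.items():
        history, t = [], first
        while t < current_hour:
            history.append(buckets.get(t, 0))
            t += timedelta(hours=1)
        if len(history) < 2:
            continue  # not enough history to call anything abnormal
        mean = statistics.mean(history)
        sd = statistics.pstdev(history) or 1.0  # flat baseline: fall back to 1 event
        current = buckets.get(current_hour, 0)
        score = (current - mean) / sd
        if score > z_threshold:
            findings.append({"host": host, "current": current,
                             "baseline_mean": mean, "z": round(score, 2)})
    return findings


def build_sample_lines() -> List[str]:
    """Constructed telemetry: six quiet hours, then one noisy hour on web01."""
    day, lines = "2024-05-01T", []
    for h in range(8, 14):
        for i in range(2 if h % 2 == 0 else 3):  # mild variation: 2,3,2,3,2,3 per hour
            lines.append(f"{day}{h:02d}:{10 + i * 5:02d}:00 web01 sshd[{1000 + h}]: "
                         f"Accepted password for deploy from 10.0.0.5 port 51000 ssh2")
        lines.append(json.dumps({"time": f"{day}{h:02d}:30:00", "device": "vpn01",
                                 "client": "10.0.0.9", "account": "alice", "status": "ok"}))
    for i in range(4):  # 14:01: four failures, then a success, from one address
        lines.append(f"{day}14:01:{i * 10:02d} web01 sshd[2000]: Failed password for "
                     f"invalid user admin from 203.0.113.7 port 4000 ssh2")
    lines.append(f"{day}14:02:30 web01 sshd[2001]: Accepted password for root "
                 f"from 203.0.113.7 port 4001 ssh2")
    lines.append(json.dumps({"time": f"{day}14:30:00", "device": "vpn01",
                             "client": "10.0.0.9", "account": "alice", "status": "ok"}))
    lines.append("garbage line that matches no parser")
    return lines


def run(lines: Optional[List[str]] = None, current_hour: datetime = datetime(2024, 5, 1, 14)):
    """Whole pipeline; returns counts plus the alerts and anomaly findings."""
    lines = build_sample_lines() if lines is None else lines
    events = [e for e in map(normalise, lines) if e is not None]
    return {"events": len(events), "alerts": correlate_bruteforce(events),
            "anomalies": baseline_anomalies(events, current_hour)}


if __name__ == "__main__":
    print(json.dumps(run(), indent=2, default=str))
```

On the sample data the correlation rule fires once (four failures then a success from 203.0.113.7 within five minutes) and the baseline detector flags web01 only, because its current hour holds five events against a baseline of 2.5 with a standard deviation of 0.5 (z = 5.0), while vpn01's unchanged one-per-hour pattern scores zero. The `or 1.0` fallback for a perfectly flat baseline is exactly the kind of tuning decision the quotes later in the piece complain about: make it smaller and quiet hosts generate alerts on any blip, make it larger and a genuine change is missed.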
And here is the first hurdle. “Given the vast amount of new threats which appear every day, today's SIEMs are not effective against the emerging and sophisticated threats out there which don't follow pre-existing patterns,” says Amit.
Adversarial behaviour is changing, making it more difficult to detect. One such tactic gaining popularity is the use of Living Off the Land Binaries and Scripts (LOLBAS) techniques. This involves leveraging legitimate applications and tools already present on the target system for malicious purposes, rather than introducing new malware.
By abusing trusted software in unexpected ways, attackers can blend in with normal system activity, making it more difficult for traditional security solutions to distinguish malicious behaviour from benign activity.
While LOLBAS techniques were initially associated with advanced persistent threat (APT) groups, they are now being adopted by a broader range of threat actors, further complicating the detection and response efforts of security teams.
And this leads into the second issue, a perennial one for cybersecurity: staffing.
“Security analysts are overworked and overwhelmed by the sheer number of false positive alerts, IOCs decaying too fast to add value, and, ultimately, alert fatigue, which causes errors and increases cyber risk,” says Mikkel. “The challenge is that the more logs we put into a SIEM system, the more false positives are created.”
Can SIEM be saved?
Just as adversaries are increasingly looking to AI to upskill their attacks, so is the industry.
“AI and machine learning can help improve the accuracy of threat detection with SIEMs and reduce the number of false positives they generate, a major problem with traditional SIEMs,” says Amit. “This enables security teams to focus on genuine incidents and not waste time potentially investigating non-existent threats.”
Alongside this prioritisation, AI can help explain what the output of the SIEM means and provide meaningful recommendations, giving a more nuanced view of what requires further investigation.
Amit, however, doubts whether that will be enough: “AI-enhanced SIEMs are still not enough in today's threat landscape, which is constantly evolving.” Amit argues that, in order to fully leverage AI’s abilities, SIEM has to integrate into Security Operations Centres (SOCs).
SOCs and SIEM solutions serve distinct but complementary roles in an organisation's cybersecurity posture. While SIEM solutions provide the centralised data collection and analysis capabilities, SOCs leverage these insights, along with other security tools and processes, to orchestrate and execute incident response and mitigation efforts.
“In a converged platform, AI is being used to embed automation, saving analysts time and effort in responding to incidents or managing risks such as attack surface exposures,” explains Amit. “Moreover, AI now gives security teams the flexibility to add, customise, or modify automation with these capabilities according to their specific needs.”
By combining the data collection and analysis capabilities of a SIEM solution with the incident response processes of a SOC, organisations can gain a centralised view of their security landscape. Having this view enables the SOC to prioritise incidents based on their potential impact and initiate appropriate response actions, such as containing a malware infection or investigating suspicious network traffic.
SIEM’s future status
Although views may differ on what to do with SIEM, the verdict is clear: a paradigm shift is upon us.
“SIEM isn’t dead, but it’s changing rapidly, and we’ll see SIEM divide into two categories – the comprehensive platforms, merging SIEM with technologies like XDR, NDR, and SOAR, and the point solutions, specialising in a specific aspect of the SIEM, like analytics, and integrating well with other solutions,” concludes Mikkel.
For Amit, the future of SIEM is one that incorporates it into a centralised platform, one that utilises other capabilities like EDR and SOAR to keep up with emerging risks.
Whatever approach individual companies, or the industry as a whole, decide to take, SIEM is seemingly due a shake-up.
Cyber Magazine is a BizClik brand