Threat Intelligence
3/22/2017 09:35 AM

Future of the SIEM

Current SIEM systems have flaws. Here's how the SIEM's role will change as mobile, cloud, and IoT continue to grow.

Ask security experts about security information and event management (SIEM) systems, and many will tell you SIEMs are becoming dated and need to be revamped. 

The skepticism is understandable. How can SIEM, a multi-billion-dollar market that has been around for many years, keep up as businesses adopt new technologies like cloud systems, mobile, and IoT? When it was invented, SIEM did exactly what organizations needed. Now their needs are more complex.

Behind the curve

SIEMs collect security events in real time from a wide range of event and data sources, then correlate them so an analyst can find the few that matter.

"[SIEM] was a place where you pumped in a whole bunch of data and figured out what was suspicious," says Larry Ponemon, chairman and founder of the Ponemon Institute. "It gave you an alert, quarantined the traffic, sandboxed it.

"For the most part, SIEM made a lot of sense from a business perspective. Dealing with potential attacks and vulnerabilities, without a tool, was like finding a pin in a stack of hay. It was virtually impossible to do manually." 

As attackers have become more sophisticated, SIEM systems have failed to keep up.

Today, those same products "barely work at all," says Exabeam CMO Rick Caccia. Older systems aren't built to catch credential- or identity-based threats: attackers impersonating legitimate users on corporate networks, or rogue employees trying to steal data.

A recent report by the Ponemon Institute, commissioned by Cyphort, discovered 76% of SIEM users across 559 businesses view SIEM as a strategically important security tool. However, only 48% were satisfied with the actionable intelligence their SIEMs generate.

Caccia likens the current state of the SIEM market to the state of the firewall market six to seven years ago, before newcomers like Palo Alto Networks arrived with a next-level product that could catch new attacks and quickly solve problems. Similarly, SIEM is struggling with stale technology, new threats, and a need for change.

Shortcomings and challenges

Many of SIEM's current shortcomings stem from its tough mission of monitoring security and detecting threats across the business, says Gartner vice president Anton Chuvakin. It's a hard problem to solve, no matter how security pros choose to tackle it.

"If flying to the moon is hard, you're not going to say your rocket is crap," he quips. "It's just difficult."

Complex mission aside, one key shortcoming of today's SIEM products is their reliance on humans. "SIEM is, in that sense, more rule-based and expert-described," says Chuvakin. "That's a main weakness because at this point, we're trying to get developed tools to try and think for themselves."

The dependence on human experts is a problem because there simply aren't enough of them, he continues. If a business needs five SIEM experts and its entire IT team consists of five people, they don't have the bandwidth to ensure the SIEM is effective.

Amos Stern, co-founder and CEO of Siemplify, explains there is a need for better SIEM automation and management of people and systems. Businesses often have several security tools in many silos. SIEM systems will need to connect these silos and automate processes and investigations across these tools, evolving to the point where they function as a "Salesforce for security."

Caccia echoes the need for greater SIEM intelligence, noting how most systems' rules can't keep up with attackers. For companies struggling with talent, he says, automation could help junior team members perform closer to an expert level.

SIEM implementation is another challenge. "It's a process that sometimes costs more than the actual product," Stern says. "Organizations wouldn't rip and replace their SIEMs with new technology. Right now many are only at the point where their SIEM deployment is mature, or mature enough, to not create a ton of noise."

Cloud, IoT, and the role of SIEM

SIEM challenges will continue to evolve as security managers grapple with cloud services, mobile, the Internet of Things, and other new technologies the IT department doesn't always control.

IoT will be a huge factor as it drives up the number of endpoints exposed to attackers, says Ponemon. It's getting harder for cybercriminals to infiltrate computers but still fairly easy to hack cameras, refrigerators, microwaves, Bluetooth devices, and other connected equipment and use them as an attack vector.

The growth of cloud, especially for SMBs, has transformed how businesses store and handle data. Companies once intimidated by the high price of data storage now benefit from SIEM providers like ArcSight, Nitro, and others that deliver modules from the cloud, he continues.

Cloud services and IoT devices will rapidly generate increasing amounts of data, and SIEM systems will have to adapt by learning to collect and organize the influx of information.  

"The SIEM evolution is about supporting more data types, supporting more problems," says Gartner's Chuvakin, whose research has focused on user behavior analytics and machine learning. He anticipates these will help SIEM think on its own and relieve the need for human experts. 
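To make concrete the difference between the "rule-based and expert-described" detection Chuvakin describes, the credential- and identity-based threats Caccia says older systems miss, and the user behavior analytics he expects to fill that gap, here is an added example (not code from the article, Gartner, Exabeam, or any SIEM product). It runs two detectors over a constructed authentication log: an expert-written correlation rule (five failures followed by a success from one source inside two minutes) and a per-user behavioral baseline that flags a successful login from a country the user has never logged in from. The key=value log format, the user names, the addresses, and the two-minute window are all constructed for this example.

```python
# Added example (not from the article or any vendor's product): a minimal
# SIEM-style detector run over constructed authentication events. It contrasts
# an expert-written correlation rule with a per-user behavioral baseline.
# The key=value log format and every event below are constructed for this
# example and belong to no real product.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log, one event per line (documentation address ranges only).
SAMPLE_LOG = """\
ts=2017-03-20T08:02:11 user=alice src=203.0.113.5 country=US outcome=success
ts=2017-03-20T08:03:40 user=bob src=203.0.113.9 country=US outcome=success
ts=2017-03-20T09:15:02 user=alice src=203.0.113.5 country=US outcome=success
ts=2017-03-20T22:40:01 user=bob src=198.51.100.7 country=RU outcome=failure
ts=2017-03-20T22:40:03 user=bob src=198.51.100.7 country=RU outcome=failure
ts=2017-03-20T22:40:05 user=bob src=198.51.100.7 country=RU outcome=failure
ts=2017-03-20T22:40:06 user=bob src=198.51.100.7 country=RU outcome=failure
ts=2017-03-20T22:40:08 user=bob src=198.51.100.7 country=RU outcome=failure
ts=2017-03-20T22:40:10 user=bob src=198.51.100.7 country=RU outcome=success
ts=2017-03-21T03:12:44 user=alice src=192.0.2.77 country=BR outcome=success
"""

# Baseline learning cutoff (assumed): events before it are treated as known-good history.
LEARN_UNTIL = datetime(2017, 3, 20, 12, 0, 0)


def parse_event(line):
    """Turn one key=value line into a dict with a datetime timestamp."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%S")
    return fields


def load_events(text):
    """Parse every non-empty line and return the events in time order."""
    return sorted((parse_event(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e["ts"])


def brute_force_rule(events, threshold=5, window=timedelta(minutes=2)):
    """Expert-written correlation rule: at least `threshold` failures for one
    (user, src) pair inside `window`, followed by a success from that src."""
    alerts = []
    recent_failures = defaultdict(deque)  # (user, src) -> failure timestamps in window
    for ev in events:
        key = (ev["user"], ev["src"])
        q = recent_failures[key]
        while q and ev["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(ev["ts"])
        elif ev["outcome"] == "success" and len(q) >= threshold:
            alerts.append(("brute_force_success", ev["user"], ev["src"], ev["ts"]))
            q.clear()
    return alerts


def new_country_baseline(events, learn_until=LEARN_UNTIL):
    """Behavioral baseline: learn the set of countries each user logged in from
    before `learn_until`, then flag any later successful login from a country
    outside that user's history. No failure count is needed, so a single
    valid-credential login by an impostor is caught too."""
    seen_countries = defaultdict(set)
    alerts = []
    for ev in events:
        if ev["outcome"] != "success":
            continue
        if ev["ts"] < learn_until:
            seen_countries[ev["user"]].add(ev["country"])
        elif ev["country"] not in seen_countries[ev["user"]]:
            alerts.append(("new_country_login", ev["user"], ev["src"], ev["ts"]))
    return alerts


def run_example():
    """Run both detectors over the sample log; returns {'rule': [...], 'baseline': [...]}."""
    events = load_events(SAMPLE_LOG)
    return {"rule": brute_force_rule(events), "baseline": new_country_baseline(events)}


if __name__ == "__main__":
    for kind, alerts in run_example().items():
        for alert in alerts:
            print(kind, *alert)
```

Over this log the static rule fires once, on bob's noisy brute force. The baseline fires on that same login and on alice's quiet 03:12 login from a new country, which involved no failed attempts at all and so is invisible to the rule; that second alert is the kind of identity-based signal the article says older SIEMs were not built to capture. The baseline's weakness is the mirror image: it needs a clean learning period, and a user who really does travel will generate alerts until the analyst tunes it.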

Ponemon emphasizes the importance of machine learning and analytics in the next wave of SIEM, but notes companies are hesitant to explore this space. They don't want to build products in an area where they lack the talent necessary to execute.

"A lot of companies aren't making that investment because they feel they don't have the internal resources to implement it properly," he says. "They think the technology might get better; they don't want to be early adopters." 

While this type of evolution is "still a futuristic thing," progress is moving quickly, Ponemon says. 

What's up next?

The SIEM may need a face-lift, but it isn't going anywhere.

"It's not on the way out," says Siemplify's Stern. "It's been around for quite some time."

Caccia foresees several changes in the market shaping the growth of SIEM, including the growth of open-source big data technology and vendors focused on automated playbooks and incident response.

Chuvakin anticipates the immediate future will bring incremental improvements instead of major change. We won't see a break in the SIEM market, but small, gradual changes.

"The future of SIEM will likely be an evolution, and not a revolution," he says. 

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Comments
mhkang589, 3/23/2017 1:43:49 PM
gigo
garbage in garbage out
Siem2Siem, 3/23/2017 9:31:57 AM
SIEM relies on good quality of logging
The most important part of SIEM is the quality of the log data from each of the sources. If you have poor logging from the source, your SIEM will not be effective (garbage in, garbage out). SIEM is NOT a "silver bullet"; it requires dedicated resources to tune it to suit your environment. I do agree that cloud and IoT devices will generate a lot of noise. Unless there is a formal standard (CEF?) that these vendors have to follow to generate logs that are consistent and can be easily ingested by the SIEM, we will continue to have the same challenges. The IR team and process are also important, as they need to review and investigate the alerts that are generated by the SIEM.
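As an illustration of the "garbage in, garbage out" point in the comment above, here is an added example (it is not the commenter's code, nor ArcSight's or any SIEM vendor's): a small parser for ArcSight's Common Event Format, the "CEF" the comment asks about, that accepts well-formed records and rejects lines it cannot parse instead of silently ingesting them. The layout it implements (a CEF: prefix, seven pipe-delimited header fields, then space-separated key=value extensions, with backslash escapes for |, =, \ and newlines) follows the published format as the example's author understands it. The log lines, vendor and product names are constructed placeholders.

```python
# Added example (not the commenter's code, and not from ArcSight or any SIEM
# vendor): a parser for the Common Event Format (CEF) with validation that
# rejects records it cannot trust. Header and escaping rules follow the
# published CEF layout as the example's author understands it; every log
# line below is constructed.
import re

CEF_PREFIX = "CEF:"
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
SEVERITY_WORDS = ("low", "medium", "high", "very-high")  # accepted alongside 0-10


class CEFError(ValueError):
    """Raised for a record the parser refuses to ingest."""


def _split_header(body):
    """Split the seven '|'-delimited header fields; '\\|' and '\\\\' are escapes.
    Returns (fields, remainder), where remainder is the extension string."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER_FIELDS):
        c = body[i]
        if c == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            buf.append(body[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    return fields, body[i:]


# An extension key is a run of word characters followed by an unescaped '=',
# at the start of the extension or after whitespace; values may contain spaces.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_UNESCAPE = {"n": "\n", "r": "\r"}


def _parse_extension(ext):
    """Parse 'key=value key2=value with spaces' into a dict, unescaping \\=, \\\\, \\n and \\r."""
    out = {}
    keys = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = re.sub(r"\\(.)", lambda esc: _UNESCAPE.get(esc.group(1), esc.group(1)), raw)
    return out


def parse_cef(line):
    """Parse one CEF record into a dict; raise CEFError rather than guess."""
    if not line.startswith(CEF_PREFIX):
        raise CEFError("not a CEF record")
    fields, ext = _split_header(line[len(CEF_PREFIX):])
    if len(fields) != len(HEADER_FIELDS):
        raise CEFError("truncated header: expected %d fields, got %d"
                       % (len(HEADER_FIELDS), len(fields)))
    rec = dict(zip(HEADER_FIELDS, fields))
    sev = rec["severity"].strip()
    if sev.isdigit() and 0 <= int(sev) <= 10:
        rec["severity"] = int(sev)
    elif sev.lower() not in SEVERITY_WORDS:
        raise CEFError("invalid severity %r" % rec["severity"])
    rec["extension"] = _parse_extension(ext)
    return rec


def ingest(lines):
    """Run every line through the parser; return (accepted records, [(line, reason), ...])."""
    accepted, rejected = [], []
    for line in lines:
        try:
            accepted.append(parse_cef(line))
        except CEFError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected


# Constructed input: two well-formed CEF records (one with an escaped '|' in a
# header field and an escaped '=' in a value), a plain syslog line, and a
# truncated CEF record.
SAMPLE_LINES = [
    "CEF:0|ExampleVendor|Firewall|2.1|100|Blocked outbound connection|7|"
    "src=10.0.0.1 dst=198.51.100.7 dpt=4444 msg=policy\\=deny hit",
    "CEF:0|ExampleVendor|IDS\\|Sensor|3.0|2001|Suspicious login|5|"
    "suser=bob src=203.0.113.9 act=allow",
    "Mar 22 09:35:01 host sshd[123]: Failed password for bob from 203.0.113.9",
    "CEF:0|ExampleVendor|Firewall|2.1|100|truncated",
]

if __name__ == "__main__":
    ok, bad = ingest(SAMPLE_LINES)
    for rec in ok:
        print(rec["device_product"], rec["severity"], rec["extension"])
    for line, reason in bad:
        print("REJECTED:", reason, "<-", line)
```

The point of the reject list is operational: a SIEM that drops or mis-parses a malformed line without recording why leaves the analyst with a silent coverage gap, whereas a count of rejected lines per source is itself a signal that a device's logging needs fixing before any rule built on it can be trusted.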