That's not to say all SIEM systems are trapped in time as mere gatherers of forensic data: some SIEM and log management systems are now beginning to detect attacks in real time, and SIEM is gradually evolving into a real-time analysis and alerting technology, security experts say.
This next-generation SIEM is the subject of a new report sponsored by RSA and co-written by CSC, RSA, Terremark, and Verizon, called "Transforming Traditional Security Strategies into an Early Warning System for Advanced Threats." And one of the key ingredients for this new SIEM model is so-called "big data" analytics, where threat detection capabilities come from reams of information from various sources analyzing behavioral and other trends rather than old-school signature-based technology.
SIEM needs to add "pervasive" visibility via network packet capture and session reconstruction, the report says; analytics that drill down into risk specific to an organization and compare behaviors; scalability; and a centralized repository of security data.
Eddie Schwartz, vice president and CISO, RSA, the security division of EMC, says it's all about taking the best of SIEM – such as correlation and handling large amounts of data – and combining that with features such as contextual analysis, and external threat intelligence, which NetWitness offers, for example. "This mirrors the move we have been making from technology at RSA ... that addresses the ongoing benefits of SIEM, with big data on the back-end, and unifying security management on the front-end with a console that brings together capabilities of investigating, correlation, and malware analysis," he says.
The report defines the next-generation SIEM's visibility as the ability to fully reconstruct activity in the network or on systems in order to better identify malware, track an attacker's movements once inside, and confirm that malicious activity is under way.
Also, SIEM systems should be able to gather and use data from various sources to detect advanced attacks. "For example, security analytics systems should search for behavior patterns and risk factors, not just static rules and known signatures. Security analytics systems should also consider the relative value of enterprise assets at risk, flagging events associated with high-value assets," the report says.
So these tools need to be able to scale well. "Security analytics platforms must include features such as a distributed n-tier storage architecture and an analytics engine that normalizes and processes large, disparate data sets at very high speed. Data storage and analytics must scale together linearly," the report says.
They also should be able to automatically integrate threat intelligence from various sources in a centralized way, according to the report.
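The three capabilities the report describes above (scoring behavior patterns and risk factors rather than static signatures, weighting events by the value of the asset at risk, and folding in external threat intelligence) can be shown in a small analytics pass. The following is an added illustration, not code from the report or from any vendor's product; the asset inventory, threat feed and log events are all constructed sample data.

```python
"""Toy risk-scoring pass: behaviour + asset value + threat intel, no signatures.
All asset values, feed entries and events below are constructed samples."""
from collections import defaultdict

# Constructed asset inventory: relative business value per host (1-10).
ASSET_VALUE = {"db-payroll-01": 10, "fileserver-02": 6, "kiosk-17": 1}

# Constructed threat-intelligence feed: externally reported bad source IPs.
THREAT_FEED = {"203.0.113.7"}

# Constructed events: (hour_of_day, host, user, src_ip, action).
EVENTS = [
    (3,  "db-payroll-01", "svc-backup", "10.0.0.5",    "login"),
    (3,  "db-payroll-01", "svc-backup", "10.0.0.5",    "bulk_read"),
    (14, "fileserver-02", "alice",      "10.0.0.12",   "login"),
    (2,  "kiosk-17",      "guest",      "203.0.113.7", "login"),
    (2,  "kiosk-17",      "guest",      "203.0.113.7", "bulk_read"),
]

def score_events(events, asset_value=ASSET_VALUE, feed=THREAT_FEED):
    """Return {host: weighted_risk_score}.

    Each risk factor is a behaviour or a piece of context, not a signature:
    off-hours activity, a bulk read following a login on the same host, and
    traffic from an address on the threat feed. Per-event factor totals are
    multiplied by asset value so high-value systems surface first."""
    seen_login = defaultdict(set)   # host -> users that logged in
    scores = defaultdict(int)
    for hour, host, user, src, action in events:
        factors = 0
        if hour < 6 or hour > 20:           # behaviour: off-hours activity
            factors += 1
        if src in feed:                     # context: external threat intel
            factors += 2
        if action == "login":
            seen_login[host].add(user)
        elif action == "bulk_read" and user in seen_login[host]:
            factors += 2                    # behaviour: login then bulk read
        scores[host] += factors * asset_value.get(host, 1)
    return dict(scores)

def flag(scores, threshold=20):
    """Hosts whose weighted score meets the threshold, highest score first."""
    ranked = sorted(scores.items(), key=lambda kv: -kv[1])
    return [host for host, score in ranked if score >= threshold]

if __name__ == "__main__":
    print(score_events(EVENTS))   # {'db-payroll-01': 40, 'fileserver-02': 0, 'kiosk-17': 8}
    print(flag(score_events(EVENTS)))   # ['db-payroll-01']
```

Note that the kiosk accumulates more raw risk factors (including the threat-feed hit) than the payroll database, yet the asset weighting ranks the database first, which is the report's point about flagging events tied to high-value assets.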
"Breaches aren't really smash-and-grab anymore. The vast majority of breach and compromise cases last year occurred over a period of months. Our experience shows it's more valuable to get a complete view of what happened over the long haul and take mitigation steps than to get a near real-time analysis of events," says Jonathan Nguyen-Duy, director of global security services at Verizon Business, who co-authored the report.
The full SIEM security brief is available here for download (PDF).