Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

3/22/2017
09:35 AM

Future of the SIEM

Current SIEM systems have flaws. Here's how the SIEM's role will change as mobile, cloud, and IoT continue to grow.

Ask security experts about security information and event management (SIEM) systems, and many will tell you SIEMs are becoming dated and need to be revamped. 

The skepticism is understandable. How can SIEM, a multi-billion-dollar market that has been around for many years, keep up as businesses adopt new technologies like cloud systems, mobile, and IoT? When it was invented, SIEM did exactly what organizations needed. Now their needs are more complex.

Behind the curve

SIEMs collect security events in real-time from various event and data sources.

"[SIEM] was a place where you pumped in a whole bunch of data and figured out what was suspicious," says Larry Ponemon, chairman and founder of the Ponemon Institute. "It gave you an alert, quarantined the traffic, sandboxed it.

"For the most part, SIEM made a lot of sense from a business perspective. Dealing with potential attacks and vulnerabilities, without a tool, was like finding a pin in a stack of hay. It was virtually impossible to do manually." 

As attackers have become more sophisticated, SIEM systems have failed to keep up.

Today, those same products "barely work at all," says Exabeam CMO Rick Caccia. Older systems aren't built to capture credential or identity-based threats, hackers impersonating people on corporate networks, or rogue employees trying to steal data. 

A recent report by the Ponemon Institute, commissioned by Cyphort, discovered 76% of SIEM users across 559 businesses view SIEM as a strategically important security tool. However, only 48% were satisfied with the actionable intelligence their SIEMs generate.

Caccia likens the current state of the SIEM market to the state of the firewall market six to seven years ago, before vendors like Palo Alto Networks entered the space with a next-level product that could catch new attacks and quickly solve problems. Similarly, SIEM is struggling with stale technology, new threats, and a need for change.

Shortcomings and challenges

Many of SIEM's current shortcomings stem from its tough mission of monitoring security and detecting threats across the business, says Gartner vice president Anton Chuvakin. It's a hard problem to solve, no matter how security pros choose to tackle it.

"If flying to the moon is hard, you're not going to say your rocket is crap," he quips. "It's just difficult."

Complex mission aside, one key shortcoming of today's SIEM products is their reliance on humans. "SIEM is, in that sense, more rule-based and expert-described," says Chuvakin. "That's a main weakness because at this point, we're trying to get developed tools to try and think for themselves."

The dependence on human experts is a problem because there simply aren't enough of them, he continues. If a business needs five SIEM experts and its entire IT team consists of five people, they don't have the bandwidth to ensure the SIEM is effective.

Amos Stern, co-founder and CEO of Siemplify, explains there is a need for better SIEM automation and management of people and systems. Businesses often have several security tools in many silos. SIEM systems will need to connect these silos and automate processes and investigations across these tools, evolving to the point where they function as a "Salesforce for security."

Caccia echoes the need for greater SIEM intelligence, noting how most systems' rules can't keep up with attackers. For companies struggling with talent, he says, automation could help junior team members perform closer to an expert level.

SIEM implementation is another challenge. "It's a process that sometimes costs more than the actual product," Stern says. "Organizations wouldn't rip and replace their SIEMs with new technology. Right now many are only at the point where their SIEM deployment is mature, or mature enough, to not create a ton of noise."

Cloud, IoT, and the role of SIEM

SIEM challenges will continue to evolve as security managers grapple with cloud services, mobile, the Internet of Things, and other new technologies the IT department doesn't always control.

IoT will be a huge factor as it drives the number of endpoints vulnerable to attackers, says Ponemon. It's getting harder for cybercriminals to infiltrate computers but still fairly easy to hack cameras, refrigerators, microwaves, Bluetooth tools, and other connected devices and use them as an attack vector.

The growth of cloud, especially for SMBs, has transformed how businesses store and handle data. Companies once intimidated by the high price of data storage benefit from SIEM providers like ArcSight, Nitro, and others that deploy modules from the cloud, he continues.

Cloud services and IoT devices will rapidly generate increasing amounts of data, and SIEM systems will have to adapt by learning to collect and organize the influx of information.  

"The SIEM evolution is about supporting more data types, supporting more problems," says Gartner's Chuvakin, whose research has focused on user behavior analytics and machine learning. He anticipates these will help SIEM think on its own and relieve the need for human experts. 

Ponemon emphasizes the importance of machine learning and analytics in the next wave of SIEM, but notes companies are hesitant to explore this space. They don't want to build products in an area where they lack the talent necessary to execute.

"A lot of companies aren't making that investment because they feel they don't have the internal resources to implement it properly," he says. "They think the technology might get better; they don't want to be early adopters." 

While this type of evolution is "still a futuristic thing," progress is moving quickly, Ponemon says. 

What's up next?

The SIEM may need a face-lift, but it isn't going anywhere.

"It's not on the way out," says Siemplify's Stern. "It's been around for quite some time."

Caccia foresees several changes in the market shaping the growth of SIEM, including the growth of open-source big data technology and vendors focused on automated playbooks and incident response.

Chuvakin anticipates the immediate future will bring incremental improvements instead of major change. We won't see a break in the SIEM market, but small, gradual changes.

"The future of SIEM will likely be an evolution, and not a revolution," he says. 


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
mhkang589,
User Rank: Apprentice
3/23/2017 | 1:43:49 PM
gigo
garbage in garbage out
Siem2Siem,
User Rank: Apprentice
3/23/2017 | 9:31:57 AM
SIEM relies on good quality of logging
The most important part of SIEM is the quality of the log data from each of the sources. If you have poor logging from the source, your SIEM will not be effective (garbage in, garbage out). SIEM is NOT a "Silver Bullet"; it requires dedicated resources to tune it to suit your environment. I do agree that Cloud and IoT devices will generate a lot of noise; if only there is a formal standard (CEF?) that these vendors have to follow to generate logs that are consistent and can easily be ingested by the SIEM, we will continue to have the same challenges. The IR team and process are also important, as they need to review and investigate the alerts that are generated by the SIEM.