Ask security experts about security information and event management (SIEM) systems, and many will tell you SIEMs are becoming dated and need to be revamped.
The skepticism is understandable. How can SIEM, a multi-billion-dollar market that has been around for many years, keep up as businesses adopt new technologies like cloud systems, mobile, and IoT? When it was invented, SIEM did exactly what organizations needed. Now their needs are more complex.
Behind the curve
SIEMs collect security events in real-time from various event and data sources.
"[SIEM] was a place where you pumped in a whole bunch of data and figured out what was suspicious," says Larry Ponemon, chairman and founder of the Ponemon Institute. "It gave you an alert, quarantined the traffic, sandboxed it.
"For the most part, SIEM made a lot of sense from a business perspective. Dealing with potential attacks and vulnerabilities, without a tool, was like finding a pin in a stack of hay. It was virtually impossible to do manually."
As attackers have become more sophisticated, SIEM systems have failed to keep up.
Today, those same products "barely work at all," says Exabeam CMO Rick Caccia. Older systems aren't built to capture credential or identity-based threats, hackers impersonating people on corporate networks, or rogue employees trying to steal data.
A recent report by the Ponemon Institute, commissioned by Cyphort, found that 76% of SIEM users across 559 businesses view SIEM as a strategically important security tool. However, only 48% were satisfied with the actionable intelligence their SIEMs generate.
Caccia likens the current state of the SIEM market to the state of the firewall market six to seven years ago, before newcomers like Palo Alto Networks entered the space with a next-generation product that could catch new attacks and quickly solve problems. Similarly, SIEM is struggling with stale technology, new threats, and a need for change.
Shortcomings and challenges
Many of SIEM's current shortcomings stem from its tough mission of monitoring security and detecting threats across the business, says Gartner vice president Anton Chuvakin. It's a hard problem to solve, no matter how security pros choose to tackle it.
"If flying to the moon is hard, you're not going to say your rocket is crap," he quips. "It's just difficult."
Complex mission aside, one key shortcoming of today's SIEM products is their reliance on humans. "SIEM is, in that sense, more rule-based and expert-described," says Chuvakin. "That's a main weakness because at this point, we're trying to get developed tools to try and think for themselves."
The dependence on human experts is a problem because there simply aren't enough of them, he continues. If a business needs five SIEM experts and its entire IT team consists of five people, they don't have the bandwidth to ensure the SIEM is effective.
Amos Stern, co-founder and CEO of Siemplify, explains there is a need for better SIEM automation and management of people and systems. Businesses often have several security tools in many silos. SIEM systems will need to connect these silos and automate processes and investigations across these tools, evolving to the point where they function as a "Salesforce for security."
Caccia echoes the need for greater SIEM intelligence, noting how most systems' rules can't keep up with attackers. For companies struggling with talent, he says, automation could help junior team members perform closer to an expert level.
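To make the contrast between the "rule-based and expert-described" detection Chuvakin describes and the identity-focused detection Caccia says older systems miss concrete, here is an added example that is not from the article or from any vendor mentioned in it. It runs two detections over a small set of constructed authentication log lines (the line format, field names and addresses are this example's own assumptions, not any product's schema): a classic correlation rule (five failed logins from one source, then a success) and a per-user behavioral baseline that flags a successful login from a country or hour of day that user has never used. The second login for "alice" uses a valid credential with no failures, so the correlation rule never fires on it; only the baseline does.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication events (not real data). The line format,
# field names and addresses are assumptions made for this example; they do
# not correspond to any particular SIEM or log source.
SAMPLE_LOGS = """\
2024-03-04T09:05:10Z user=alice src=203.0.113.7 geo=US result=success
2024-03-05T09:01:12Z user=alice src=203.0.113.7 geo=US result=success
2024-03-06T09:03:05Z user=alice src=203.0.113.7 geo=US result=success
2024-03-06T09:03:20Z user=bob src=198.51.100.9 geo=US result=success
2024-03-07T02:10:01Z user=bob src=192.0.2.44 geo=RU result=failure
2024-03-07T02:10:05Z user=bob src=192.0.2.44 geo=RU result=failure
2024-03-07T02:10:09Z user=bob src=192.0.2.44 geo=RU result=failure
2024-03-07T02:10:14Z user=bob src=192.0.2.44 geo=RU result=failure
2024-03-07T02:10:19Z user=bob src=192.0.2.44 geo=RU result=failure
2024-03-07T02:10:30Z user=bob src=192.0.2.44 geo=RU result=success
2024-03-07T03:15:00Z user=alice src=192.0.2.80 geo=BR result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>\S+) result=(?P<result>success|failure)$"
)


def parse(raw):
    """Normalise raw lines into event dicts sorted by time. Unparseable lines
    are dropped here; a production pipeline would count them as a health metric."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda ev: ev["ts"])


def brute_force_rule(events, threshold=5, window=timedelta(minutes=5)):
    """Expert-written correlation rule: `threshold` or more failures from one
    source address inside `window`, followed by a success from that address."""
    alerts = []
    recent_failures = defaultdict(list)  # src -> failure timestamps still inside the window
    for ev in events:
        fails = recent_failures[ev["src"]]
        fails[:] = [t for t in fails if ev["ts"] - t <= window]  # age out old failures
        if ev["result"] == "failure":
            fails.append(ev["ts"])
        elif len(fails) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "user": ev["user"],
                           "src": ev["src"], "ts": ev["ts"],
                           "reason": f"{len(fails)} failures then success from {ev['src']}"})
            fails.clear()
    return alerts


def credential_anomaly_rule(events, min_history=1):
    """Behaviour-based check with no attacker signature: each user's own past
    successful logins form a profile (countries and hours of day seen), and a
    later success from a new country or an unseen hour is flagged. A user is
    only judged once `min_history` prior successes exist, to limit cold-start noise."""
    profiles = defaultdict(lambda: {"geos": set(), "hours": set(), "count": 0})
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        prof = profiles[ev["user"]]
        if prof["count"] >= min_history:
            reasons = []
            if ev["geo"] not in prof["geos"]:
                reasons.append(f"new country {ev['geo']}")
            if ev["ts"].hour not in prof["hours"]:
                reasons.append(f"unseen hour {ev['ts'].hour:02d}:00 UTC")
            if reasons:
                alerts.append({"rule": "credential_anomaly", "user": ev["user"],
                               "src": ev["src"], "ts": ev["ts"], "reason": "; ".join(reasons)})
        # Update the profile only after judging, so a login is always compared
        # against history that does not yet include itself.
        prof["geos"].add(ev["geo"])
        prof["hours"].add(ev["ts"].hour)
        prof["count"] += 1
    return alerts


def run_detections(raw=SAMPLE_LOGS):
    """Run both detections over one event stream; returns alerts in time order."""
    events = parse(raw)
    return sorted(brute_force_rule(events) + credential_anomaly_rule(events),
                  key=lambda a: (a["ts"], a["rule"]))


if __name__ == "__main__":
    for alert in run_detections():
        print(f"{alert['ts'].isoformat()} {alert['rule']:<26} user={alert['user']} {alert['reason']}")
```

The correlation rule needs someone to have anticipated the attack pattern and chosen the threshold and window, which is the human dependence the article describes; the baseline check needs no such foresight but trades it for cold-start noise and for the judgement of what "normal" means for each account, which is why the `min_history` guard and the profile update order matter in practice.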
SIEM implementation is another challenge. "It's a process that sometimes costs more than the actual product," Stern says. "Organizations wouldn't rip and replace their SIEMs with new technology. Right now many are only at the point where their SIEM deployment is mature, or mature enough, to not create a ton of noise."
Cloud, IoT, and the role of SIEM
SIEM challenges will continue to evolve as security managers grapple with cloud services, mobile, the Internet of Things, and other new technologies the IT department doesn't always control.
IoT will be a huge factor as it drives up the number of endpoints vulnerable to attackers, says Ponemon. It's getting harder for cybercriminals to infiltrate computers but still fairly easy to hack cameras, refrigerators, microwaves, Bluetooth tools, and other connected devices and use them as an attack vector.
The growth of cloud, especially for SMBs, has transformed how businesses store and handle data. Companies once intimidated by the high price of data storage benefit from SIEM providers like ArcSight, Nitro, and others that deploy modules from the cloud, he continues.
Cloud services and IoT devices will rapidly generate increasing amounts of data, and SIEM systems will have to adapt by learning to collect and organize the influx of information.
"The SIEM evolution is about supporting more data types, supporting more problems," says Gartner's Chuvakin, whose research has focused on user behavior analytics and machine learning. He anticipates these will help SIEM think on its own and relieve the need for human experts.
Ponemon emphasizes the importance of machine learning and analytics in the next wave of SIEM, but notes companies are hesitant to explore this space. They don't want to build products in an area where they lack the talent necessary to execute.
"A lot of companies aren't making that investment because they feel they don't have the internal resources to implement it properly," he says. "They think the technology might get better; they don't want to be early adopters."
While this type of evolution is "still a futuristic thing," progress is moving quickly, Ponemon says.
What's up next?
The SIEM may need a face-lift, but it isn't going anywhere.
"It's not on the way out," says Siemplify's Stern. "It's been around for quite some time."
Caccia foresees several changes in the market shaping the growth of SIEM, including the growth of open-source big data technology and vendors focused on automated playbooks and incident response.
Chuvakin anticipates the immediate future will bring incremental improvements instead of major change. We won't see a break in the SIEM market, only small, gradual changes.
"The future of SIEM will likely be an evolution, and not a revolution," he says.