Evolution from SIEM to Next-Gen SIEM

In this article we trace the evolution of SIEM into next-generation SIEM. Traditional SIEMs are used primarily to improve network visibility and security while supporting compliance. They ingest, collect and store log data from applications, networks and systems.

SIEM makes it easier to capture and search for data that helps organizations with auditing, forensics, and incident response.

Because it acts as a central data repository that provides visibility across the enterprise, it is often used by Security Operations Centers (SOCs) as the primary console for identifying and investigating events that indicate active threats and attack activity.

SIEM as a category has matured steadily over many years.

Limitations of traditional and second-generation SIEMs

Earlier versions of SIEM had mediocre search capabilities, which made it hard to retrieve data that had been collected over time. Administrators could perform only simple correlations, grouping related events by time and/or IP address.

That is helpful as far as it goes. Second-generation SIEMs significantly improved search, but still offered no real security analytics; some vendors and users try to bolt such techniques on afterwards.

Fundamentally, however, these platforms were designed for on-premises log collection. Adding new analytical capabilities such as network traffic analysis, network detection and response (NDR) or user and entity behavior analytics (UEBA) is very hard, so these technologies end up as "add-ons" rather than truly integrated components.

The same is true of the cloud. Today's shift to hybrid, decentralized, multi-cloud environments requires a complete re-architecture of the SIEM.

Vendors of traditional and second-generation SIEM platforms often cannot justify the investment needed to rebuild the product from scratch, so they try to "MacGyver" the existing platform into working in the cloud. Most, however, cannot handle the required data volume or provide complete visibility without manually stitching together multiple installations. Newer cloud-native offerings, meanwhile, lack the maturity and capabilities of traditional SIEMs.

The result is a dramatic increase in alerts and false positives, and a correspondingly high number of incidents that SOC analysts must triage when determining whether a threat is real, whether the activity is ongoing, and how to respond quickly and accurately. Traditional SIEMs fall short on threat detection, investigation and response.

Why is next-gen SIEM better than traditional SIEM?

A true next-generation SIEM is designed as a cloud-native SaaS platform that works reliably in distributed, hybrid and multi-cloud environments.

It can accept a wider range of telemetry, including application, network, endpoint and cloud data as well as threat intelligence.

It provides a unified set of analytics, using trained machine learning (ML) and artificial intelligence (AI), for accurate detection; it gathers context around attacks to prioritize and validate campaigns (investigation); and it responds dynamically for faster, more precise remediation.

The following requirements outline the capabilities that a next-generation SIEM should provide to meet the demands of today's modern infrastructure:

  • Cloud-native, hybrid and multi-cloud deployment

  • Collection and management of data from all available sources

  • Big data architecture

  • Full observability

  • Proactive threat detection and remediation

  • Automated threat remediation

  • Compliance (e.g., GDPR)

Supports cloud-native, hybrid and multi-cloud deployments

Next-generation SIEMs must be purpose-built to run in a variety of public and private cloud environments, including AWS, Microsoft Azure, GCP and others.

This includes the ability to seamlessly manage and query data across geographically dispersed clouds (so-called "federated search"). The same must hold for hybrid environments, since most businesses will continue to keep data both in the cloud and on-premises.

Supporting a multi-cloud environment means more than collecting data from the cloud. The SIEM must be able to collect data correctly from, and apply advanced threat analytics across, multiple clouds in order to identify threats hiding in public cloud environments.

Provide full observability

Because of infrastructure constraints and data-volume-based licensing models, many SIEMs struggle to ingest and integrate data at scale across the enterprise. Yet being able to send data from other security solutions, applications, endpoints, network packet captures and so on into the SIEM, to obtain a holistic view of the environment, is critical.

Additionally, most SIEM and XDR solutions rely on rule-based engines, even when they describe them as ML/AI. A true next-generation SIEM uses trained machine learning, which delivers better results than rule-based detection because it learns from a wide range of data sources rather than from fixed data sets.

This allows ML/AI-driven analytics to pinpoint attacks earlier in the lifecycle rather than waiting for a rule to fire. Trained detection models are also better at spotting new attacks and variants that easily evade rule-based systems. The practitioner's caveat is that a learned model is only as good as the data it was trained on, and needs the same tuning and validation as any other detection.
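To make the difference concrete, here is an added example (not code from the original article or from any SIEM vendor) contrasting a fixed-threshold rule with the simplest form of a trained model: a per-host baseline learned from a history window. The fourteen days of egress volumes, the host names and the 5 GB rule threshold are all constructed for the illustration. The static rule fires every night on the backup server and never notices a workstation that suddenly sends 25 times its normal volume; the learned baseline does the opposite.

```python
"""Static rule vs. per-entity trained baseline for daily egress volume.

Added example, not from the original article. All data below is constructed:
the hosts, the history window and the rule threshold are assumptions.
"""
from statistics import mean, pstdev

MB = 1_000_000

# Constructed 14-day history of daily egress bytes per host (not real telemetry).
HISTORY = {
    "backup-01": [8_000 * MB + d * 50 * MB for d in range(14)],     # nightly backups, always large
    "ws-alice":  [20 * MB + (d % 3) * 2 * MB for d in range(14)],   # ordinary workstation
    "ws-bob":    [35 * MB + (d % 4) * 3 * MB for d in range(14)],   # ordinary workstation
}

# Constructed observation for "today": alice's workstation pushes out 500 MB.
TODAY = {"backup-01": 8_600 * MB, "ws-alice": 500 * MB, "ws-bob": 38 * MB}

# A typical fixed rule: "alert if a host sends more than 5 GB in a day" (assumed value).
STATIC_THRESHOLD = 5_000 * MB


def static_rule(today):
    """Fixed threshold: flags hosts above STATIC_THRESHOLD regardless of their own history."""
    return {host for host, sent in today.items() if sent > STATIC_THRESHOLD}


def train_baselines(history):
    """'Train' a per-host baseline (mean, population stdev) from the history window."""
    return {host: (mean(days), pstdev(days)) for host, days in history.items()}


def baseline_detect(today, baselines, z=3.0, floor=1 * MB):
    """Flag hosts whose egress deviates from their *own* learned behaviour by more than z sigma.

    `floor` bounds the standard deviation from below so a perfectly flat history
    does not divide by zero or turn tiny jitter into an alert.
    """
    hits = {}
    for host, sent in today.items():
        mu, sigma = baselines[host]
        score = (sent - mu) / max(sigma, floor)
        if score > z:
            hits[host] = round(score, 1)
    return hits


if __name__ == "__main__":
    print("static rule fired on:", static_rule(TODAY))              # {'backup-01'} (false positive)
    print("baseline fired on:", baseline_detect(TODAY, train_baselines(HISTORY)))  # {'ws-alice': ...}
```

The baseline here is deliberately trivial (mean and standard deviation); a production model would use a robust estimator, seasonality and many more features. The point the article makes still shows: the learned per-entity view catches behaviour that a fixed data set and a fixed threshold cannot express.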

Support big data architecture

Because the SIEM is the "source of truth" for the SOC, it is perfectly positioned to provide context about users, applications, networks, devices and events across virtually every IT system in an organization. Traditional SIEMs do not handle large-scale data well and generate a high percentage of false positives, a problem that grows as businesses move to the cloud, since cloud environments generate far more events than on-premises ones.

A next-generation SIEM should instead scale to more data sources and higher data volumes, support searching across security-relevant data sets, and provide continuous monitoring and analysis. Combined with third-party threat intelligence feeds, these capabilities improve the detection of more sophisticated attacks.

Better threat detection through automation

A next-generation SIEM provides a unified set of analytics that can be linked together, often referred to as model chaining. Chained analysis removes ambiguity in identifying threats by cross-validating alerts from different models against one another.

Example: you see early warnings of risky user behavior combined with unusual lateral movement. Then come signs of command and control (C2) communication, as well as geolocation anomalies. Unified with context, this data establishes a real threat.

With a traditional SIEM, it can take security teams days or weeks to gather all the necessary context and manually verify the individual events that make up an attack campaign, leaving too little time to actually respond and prevent a breach.

Facilitate Priority Investigations

Most SIEM and security analytics platforms simply correlate the stages of an attack, raising the risk level as each stage appears. They provide the indicators of compromise for each stage, or for whatever data source triggered the incident, but leave it to the analyst to determine whether the included alerts actually belong to the attack.

A next-generation SIEM must be able to deliver a unified dataset across any data source. Combined with extensive analytics, this provides the context needed to relieve security teams of the heavy manual work of conducting investigations and confirming whether an attack campaign is real.

As mentioned earlier, the ability to chain analytical models together, cross-validate attack activity and feed the results into an enterprise risk engine is critical to prioritizing attacks. By contrast, most SIEMs simply rely on aggregated third-party risk scores rather than generating dynamic risk scores specific to the organization.
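The chaining and cross-validation described under "Better threat detection through automation", and the organization-specific risk engine described just above, can be shown in one small piece of logic. The following is an added example, not code from the original article or from any product: the alert records, the model names (ueba, ndr, geo), the stage weights, the asset tiers and the flat "vendor score" are all constructed assumptions standing in for a real SIEM's data model. Alerts for the same entity are chained when they fall within a time window, a chain counts as a confirmed campaign only when independent models corroborate it, and the risk score is then weighted by how critical the affected asset is to this organization.

```python
"""Model chaining, cross-validation and an organization-specific risk score.

Added example, not from the original article. Alert format, model names, stage
weights, asset tiers and the third-party score are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts emitted by independent analytics models (not real telemetry).
ALERTS = [
    {"ts": "2024-05-01T09:02:00", "model": "ueba", "stage": "anomalous_behavior",
     "entity": "ws-alice", "user": "alice", "detail": "login from never-seen device"},
    {"ts": "2024-05-01T09:20:00", "model": "ndr", "stage": "lateral_movement",
     "entity": "ws-alice", "user": "alice", "detail": "SMB sessions to 6 internal hosts"},
    {"ts": "2024-05-01T09:41:00", "model": "ndr", "stage": "c2",
     "entity": "ws-alice", "user": "alice", "detail": "periodic beaconing to 203.0.113.7"},
    {"ts": "2024-05-01T09:45:00", "model": "geo", "stage": "impossible_travel",
     "entity": "ws-alice", "user": "alice", "detail": "VPN from two countries within 30 min"},
    {"ts": "2024-05-01T11:00:00", "model": "ueba", "stage": "anomalous_behavior",
     "entity": "ws-bob", "user": "bob", "detail": "off-hours login"},
    {"ts": "2024-05-03T15:00:00", "model": "ndr", "stage": "c2",
     "entity": "ws-bob", "user": "bob", "detail": "DNS query for rare domain"},
]

# Organization-specific context the risk engine draws on (assumed values).
STAGE_WEIGHT = {"anomalous_behavior": 10, "lateral_movement": 30, "c2": 40, "impossible_travel": 15}
ASSET_TIER = {"ws-alice": 2.0, "ws-bob": 1.0}        # alice's workstation reaches finance systems
THIRD_PARTY_SCORE = {"ws-alice": 40, "ws-bob": 40}   # a flat vendor score: identical for both hosts
WINDOW = timedelta(hours=2)                          # max gap between consecutive alerts in a chain
MIN_INDEPENDENT_MODELS = 2                           # cross-validation: how many models must agree


def chain_alerts(alerts, window=WINDOW):
    """Group alerts per entity into chains whose consecutive alerts are no more than `window` apart."""
    by_entity = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["ts"]):   # ISO-8601 strings sort chronologically
        by_entity[alert["entity"]].append(alert)
    chains = []
    for events in by_entity.values():
        current = [events[0]]
        for alert in events[1:]:
            gap = datetime.fromisoformat(alert["ts"]) - datetime.fromisoformat(current[-1]["ts"])
            if gap <= window:
                current.append(alert)
            else:
                chains.append(current)
                current = [alert]
        chains.append(current)
    return chains


def cross_validate(chain, min_models=MIN_INDEPENDENT_MODELS):
    """A chain is a confirmed campaign only if distinct, independent models contributed to it."""
    return len({a["model"] for a in chain}) >= min_models


def risk_score(chain):
    """Dynamic score: distinct attack stages weighted by position, scaled by asset criticality."""
    stages = {a["stage"] for a in chain}
    base = sum(STAGE_WEIGHT[s] for s in stages)
    return round(base * ASSET_TIER[chain[0]["entity"]])


def prioritize(alerts):
    """Return confirmed campaigns, highest organization-specific risk first."""
    campaigns = []
    for chain in chain_alerts(alerts):
        if not cross_validate(chain):
            continue          # single-model chains stay as low-priority leads, not incidents
        entity = chain[0]["entity"]
        campaigns.append({
            "entity": entity,
            "user": chain[0]["user"],
            "stages": sorted({a["stage"] for a in chain}),
            "risk": risk_score(chain),
            "vendor_score": THIRD_PARTY_SCORE[entity],
        })
    return sorted(campaigns, key=lambda c: c["risk"], reverse=True)


if __name__ == "__main__":
    for campaign in prioritize(ALERTS):
        print(campaign)
```

On the constructed input, the four ws-alice alerts chain into one campaign corroborated by three models and score 190, while bob's two alerts are two days apart and never cross-validate, so they are not promoted. The flat vendor score rates both hosts at 40 and cannot tell them apart; the dynamic score does, because it carries the organization's own knowledge of which asset matters.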

Enable Dynamic Threat Remediation

In most SIEMs and the SOARs attached to them, response playbooks lack context and precision; often they only provide guidance. IT and security teams then have to work out the right corrective actions for the organization together, which slows down response.

A next-generation SIEM must gather the full set of relevant context from the right telemetry to provide accurate details about an attack, enabling a precise set of actions to stop the breach. Static playbooks should give way to dynamically generated responses, because hand-customizing static response actions slows remediation.

Additionally, next-generation SIEMs must be able to prioritize individual actions to minimize business disruption and lay out the steps of a targeted response. Prioritizing actions by risk lets security teams take the steps needed to stop or limit an attack first, rather than waiting to execute every action at once.
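The ordering problem in the last two paragraphs, as an added example that is not code from the original article or from any SOAR product. The campaign context, the action catalog and the risk-reduction and disruption estimates are all constructed assumptions, and the subtractive risk model is a deliberate simplification (in practice the reductions of different actions overlap). What it shows is the mechanism: actions are ranked by disruption per unit of risk removed, concrete targets are filled in from the campaign context instead of a generic playbook, and execution stops at the point where residual risk is acceptable, deferring the more disruptive steps.

```python
"""Risk-driven ordering of response actions for one confirmed campaign.

Added example, not the article's or any vendor's playbook engine. The campaign
context, action catalog, risk reductions and disruption costs are assumptions.
"""

# Context gathered for a confirmed campaign (constructed; shape is an assumption).
CAMPAIGN = {"entity": "ws-alice", "user": "alice", "c2": "203.0.113.7", "risk": 190}

# The organization's risk tolerance (assumed).
ACCEPTABLE_RISK = 40

# Candidate actions: estimated risk removed and estimated business disruption (assumed values).
ACTIONS = [
    {"name": "block_c2_egress",      "target": "c2",     "reduction": 60,  "disruption": 1},
    {"name": "isolate_host",         "target": "entity", "reduction": 90,  "disruption": 5},
    {"name": "disable_account",      "target": "user",   "reduction": 70,  "disruption": 8},
    {"name": "force_password_reset", "target": "user",   "reduction": 30,  "disruption": 2},
    {"name": "reimage_host",         "target": "entity", "reduction": 100, "disruption": 20},
]


def plan_response(campaign, actions, acceptable=ACCEPTABLE_RISK):
    """Choose actions with the least disruption per unit of risk removed until risk is acceptable.

    Returns (immediate_steps, deferred_steps, residual_risk). Each step names the
    concrete target (host, user or C2 address) taken from the campaign context.
    """
    residual = campaign["risk"]
    ranked = sorted(actions, key=lambda a: a["disruption"] / a["reduction"])
    immediate, deferred = [], []
    for action in ranked:
        step = {"action": action["name"], "target": campaign[action["target"]]}
        if residual > acceptable:
            immediate.append(step)
            residual = max(0, residual - action["reduction"])
        else:
            deferred.append(step)          # held for a later stage, not executed blindly
    return immediate, deferred, residual


if __name__ == "__main__":
    now, later, left = plan_response(CAMPAIGN, ACTIONS)
    print("execute now:", now)
    print("defer:", later)
    print("residual risk:", left)
```

For the constructed campaign the plan blocks egress to the C2 address and isolates ws-alice immediately, which brings residual risk down to the tolerance, and defers the password reset, account disablement and reimage to a second stage rather than firing all five at once.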

Support compliance

A next-generation SIEM must support and improve on the most common use case of traditional SIEMs, regulatory compliance. This is achieved through centralized compliance auditing and reporting across the business infrastructure.

A next-generation SIEM should have built-in support and reporting for common compliance requirements and standards such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley (SOX), NIST frameworks and the GDPR, as well as mapping its detections to the MITRE ATT&CK framework (a knowledge base of adversary techniques rather than a compliance regime).

A true next-generation SIEM improves every phase of security operations. It is designed to address all use cases related to observability, compliance and auditing.

It also accelerates accurate threat detection, investigation and response.


Source: blog.csdn.net/qq_29607687/article/details/130798391