Next-generation SIEM turns low-level security monitoring into high-level business goals

As many SIEMs languish unused, new platforms use machine learning to spot and stop malware autonomously

Despite an initial rush to adopt security information and event management (SIEM) tools, complex implementations and a lack of skilled staff left many companies struggling to use SIEM effectively. That is set to change, however, as a new generation of SIEM tools bolsters top-down monitoring of network and cloud-application activity with applied analytics techniques that help spot security incidents as they are happening.

Those techniques have emerged as security analytics has matured and as the volume and variety of activity data being collected has grown, allowing SIEM vendors to apply new methods to the analysis of corporate data. This, in turn, better equips end-user organisations to identify anomalous behaviour – and act on it – while it is happening.

“First-generation SIEMs tended to be complex and focus more on reporting than detection,” explains Bill Taylor, Asia-Pacific and Japan vice president with security-analytics provider LogRhythm.

“We were pulling together security incidents from many devices and reporting them to say that this and that had happened. But businesses were relying on the security device to do the detection – and if it wasn't detecting anything, nothing was going to show up. This is why reports suggest that many SIEMs have hardly been touched since they were installed.”

Evolution of SIEM into SIEM 2.0, as it is known, has revolved around ensuring that the security analytics platform can churn through massive volumes of information to pick out and highlight anomalous behaviour that may indicate malware activity. Wrapping this capability into a broad platform, which also ties into corporate governance and compliance requirements, allows businesses to turn SIEM into business advantage better than ever before.

“Rather than being areas where we'd previously spend months developing and working out SIEM in the customer environment, data inputs and compliance outputs now come pre-bundled,” Taylor says. “The core then allows us unlimited creativity around things like using artificial intelligence, forensics, pattern recognition, profiling, and using threat feeds to add more colour around our environment.”

One of the most significant inputs into the system is increasingly referred to as user behaviour analytics (UBA) – and it is proving indispensable in quickly identifying malicious activity before it leads to the theft of sensitive data from corporate networks or servers.

UBA – which was flagged by Gartner as being the key to effective breach detection – is the latest name for an analytics activity that is increasingly being built into SIEM platforms. This activity is based around the ongoing reassessment of 'normal' network activity so that anomalies – whether caused by advanced persistent threats (APTs), ransomware, or other forms of malware – can be quickly detected with high sensitivity and the offending applications or processes stopped in their tracks.

UBA relies on machine-learning techniques to continually refine models of what counts as normal network and user behaviour. Since most intrusions proceed under the privileges of a compromised user account, which the attacker uses to quietly explore what network resources are available for the taking, monitoring account activity is akin to using security cameras to trace an employee's movements through a sensitive area of a building.

“You might go left down a particular hallway every day, and we know that you do that,” Taylor explains. “But if you turn right and attempt to access three or four different servers that you've never been interested in before, it's obvious that somebody is up to something. The SIEM will know and can automatically freeze your account, or a hundred other things.”

Such activity may be entirely legitimate, which is why, once the alarm has been raised, the IT team should investigate it as a priority by proactively contacting the user in question. If there is indeed malware active on the network – or in the cloud, which SIEM 2.0 platforms can now monitor through APIs that extend collection past on-premises systems – it can be isolated and traced back to its origin before it does further damage.
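The baseline-and-deviation logic Taylor describes, as an added example that is not LogRhythm's code or anything from the article: it builds a per-user profile of which servers each account normally reaches, and at what hours, from constructed authentication log lines, then scores a new day's events against that profile and flags any user who reaches several servers absent from their baseline. The log format, the hostnames, the three-new-hosts threshold and the freeze_account response label are all assumptions made for the example.

```python
"""Toy user-behaviour baseline and anomaly scorer (illustrative, not a product's code)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample logs in an assumed format: "timestamp user src_host dst_host action".
# Three days of ordinary activity used to learn each user's normal servers and hours.
BASELINE_LOGS = """\
2016-03-01T08:02:11 alice ws-alice fileserv01 logon
2016-03-01T08:05:40 alice ws-alice mail01 logon
2016-03-02T08:10:03 alice ws-alice fileserv01 logon
2016-03-02T09:12:55 alice ws-alice mail01 logon
2016-03-03T08:01:19 alice ws-alice fileserv01 logon
2016-03-01T07:55:02 bob ws-bob fileserv01 logon
2016-03-01T07:58:30 bob ws-bob db01 logon
2016-03-02T08:00:44 bob ws-bob db01 logon
2016-03-03T08:03:09 bob ws-bob db01 logon
2016-03-03T08:04:09 bob ws-bob hr01 logon
"""

# Constructed "today" events: alice's account suddenly touches four servers she has
# never used, at 2 a.m.; bob stays on his usual hosts at his usual time.
NEW_LOGS = """\
2016-03-04T02:14:05 alice ws-alice fileserv01 logon
2016-03-04T02:15:11 alice ws-alice db01 logon
2016-03-04T02:15:48 alice ws-alice hr01 logon
2016-03-04T02:16:20 alice ws-alice backup01 logon
2016-03-04T02:17:02 alice ws-alice dc01 logon
2016-03-04T08:09:33 bob ws-bob db01 logon
2016-03-04T08:11:10 bob ws-bob fileserv01 logon
"""


def parse(log_text):
    """Yield (timestamp, user, src_host, dst_host, action) tuples from the assumed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, action = line.split()
        yield datetime.fromisoformat(ts), user, src, dst, action


def build_profiles(log_text):
    """Per-user baseline: the set of servers reached and the hours of day they were reached."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, _src, dst, _action in parse(log_text):
        profiles[user]["hosts"].add(dst)
        profiles[user]["hours"].add(ts.hour)
    return profiles


def score_events(profiles, log_text, new_host_threshold=3):
    """Return {user: finding} for accounts whose new activity departs from their baseline.

    The scoring is deliberately simple: count distinct destination servers never seen
    for this user, and count logons outside the user's usual hours. A real UBA engine
    weights such features with learned statistics; the threshold here is an assumption.
    """
    per_user = defaultdict(lambda: {"new_hosts": set(), "off_hours": 0})
    for ts, user, _src, dst, _action in parse(log_text):
        base = profiles.get(user)
        if base is None:
            # An account with no history: every server it reaches is new.
            per_user[user]["new_hosts"].add(dst)
            continue
        if dst not in base["hosts"]:
            per_user[user]["new_hosts"].add(dst)
        if ts.hour not in base["hours"]:
            per_user[user]["off_hours"] += 1
    findings = {}
    for user, obs in per_user.items():
        if len(obs["new_hosts"]) >= new_host_threshold:
            findings[user] = {
                "new_hosts": sorted(obs["new_hosts"]),
                "off_hours_logons": obs["off_hours"],
                "action": "freeze_account",  # hypothetical response-playbook step
            }
    return findings


def main():
    profiles = build_profiles(BASELINE_LOGS)
    for user, finding in score_events(profiles, NEW_LOGS).items():
        print(f"ALERT user={user} new_hosts={finding['new_hosts']} "
              f"off_hours_logons={finding['off_hours_logons']} action={finding['action']}")


if __name__ == "__main__":
    main()
```

Running it flags alice for four never-before-seen servers reached outside her usual hours, while bob produces no finding. The caveat from the text applies directly: a legitimate change of role generates exactly the same signal, so the finding should open a triage ticket and any account freeze should be a reversible playbook step, not the end of the investigation.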

Once this detect-and-respond chain has been implemented, businesses will find that they can dramatically shorten the mean time to detect (MTD) and mean time to respond (MTR) within their environment. Given that some industry surveys place the overall MTD at more than 200 days, there is a lot of room for improvement – and appropriately applying new SIEM technologies can bring this down to minutes or even seconds.

“If you can bring down the MTD and MTR, you are going to make it very difficult for anybody to come into your organisation regardless of whether credentials are compromised,” Taylor says, noting that some CISOs are adopting MTD and MTR as a key metric with which they can report on cybersecurity capabilities to the company board.

“If there's a compromise we're going to see a different pattern and set of actions,” he continues. “And if I know that I've got a turnaround time of 3 minutes on exfiltration, I can limit damage. It would be a major success if I could turn to my executives and boards to say that 'we are currently at a MTD of a few minutes and an MTR of an hour and a half'.”

By embracing the machine-learning and business-focused capabilities of modern SIEM platforms and putting this kind of proactive security infrastructure in place, businesses that have so far failed to make the most of their SIEM are likely to find new benefits from giving it another chance. A broader approach to security monitoring and reporting makes the results relevant at the organisation's highest levels, expressed in compliance and governance terms that mean more to executives than mountains of unprocessed security logs.

In short, SIEM 2.0 is a business tool as much as a security tool – and organisations need to approach its implementation in a way that reflects the change. By taking a new look, says Taylor, even those organisations that had previously struggled to make the most of their SIEM investments will find the going much easier, and the platform more productive, the second time around.

“It's easy to collect information,” he says, “but it's what you do with it, how you manage and interpret it, that matters in the end.”


By David Braue
