Why the death of SIEM has been greatly exaggerated

Simon Howe, Director of Sales ANZ for LogRhythm

Security Information and Event Management (SIEM) tools have played a central role in corporate IT security for more than a decade, and some now believe their time is up.

Those proclaiming the death of SIEM point to the proliferation of newer analytics tools that can scour infrastructures and alert security staff to anomalies needing closer examination. They believe these tools can replace SIEM while at the same time delivering more value to the enterprise.

Nothing could be further from the truth. SIEM is not only alive and well, it's also being put to work by small and mid-sized firms in increasing numbers. They are seeing value in the ability to proactively monitor their growing IT infrastructures and spot threats before they can cause disruption.

The evolution of SIEM

When SIEM tools first emerged in the early 2000s, they were complex and unwieldy beasts. Requiring large amounts of customisation and careful management, they were only suited to large organisations with big budgets.

However, SIEM has evolved and the tools of today bear little resemblance to those of the past. Modern SIEM tools are based on a big data analytics platform which enables them to scour much larger data sets. This is important for organisations experiencing a data deluge and with infrastructures that continue to grow in complexity.

Today's SIEM tools can also deal with large volumes of both structured and unstructured data. This is relevant as potential security threats come in many forms and can only be identified through the careful analysis of both data types.

To achieve this, today's SIEM tools leverage machine-based analytics. This automates the task of examining large volumes of data and allows patterns and incidents to be identified that traditionally may have gone unnoticed.

This capability is what is making SIEM tools attractive for smaller firms. It gives them access to analytical capabilities that until recently were only available to large organisations. This comes at a time when they recognise the importance of having a robust security infrastructure in place. They understand that just having anti-virus software and firewalls in place is no longer enough.

No silver bullet

While SIEM has a lot to offer, it should not be regarded as a security 'silver bullet'. The tools are not plug-and-play and cannot simply be deployed and then forgotten.

Once in place, SIEM tools need to become part of a comprehensive security monitoring program. Managed by one person in smaller firms or a team within a large corporate, this program will involve closely monitoring the output of the SIEM tool.

Organisations will also need to put in place an incident response program. When incidents are identified by SIEM, this program will involve deeper investigation into what is going on and what steps are required to overcome any threats identified.

Selecting the best SIEM

Before investing in a SIEM tool, an organisation should carefully assess whether it actually matches its security requirements.

One of the most important factors to consider is what capabilities it can provide out-of-the-box. Many tools require complex configuration before they can be used, which makes them inappropriate for organisations without skilled in-house security teams.

It is also important to assess how well the tool will be able to monitor the volume of data being generated by the organisation's IT infrastructure. If it can't deal with the constant flow, it will be unlikely to add the value expected by the security team.

The tool should also not trigger too many security alarms. If it is constantly providing alerts of potential low-level security threats, IT teams will quickly become overwhelmed and may miss critical alerts when they actually occur.
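Two of the points above, handling both structured and unstructured log data and not raising one alarm per low-level event, come down to a normalisation step followed by a correlation rule. The following is an added illustration written for this page, not code from the article or from LogRhythm: it parses constructed sample lines in two formats (a JSON event and an OpenSSH-style syslog line) into one event schema, then aggregates repeated authentication failures per user and source into a single alert once a threshold is crossed inside a time window. The year assumed for syslog timestamps, the threshold and the window size are all assumptions chosen for the example.

```python
"""Added example: normalise mixed-format auth logs and aggregate them into
a single alert instead of one alert per event. Sample data is constructed."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog lines carry no year; assume one for the example (assumption).
ASSUMED_YEAR = 2017

# Unstructured OpenSSH-style failure line, e.g.
# "May  1 10:00:03 host1 sshd[2201]: Failed password for alice from 10.0.0.5 port 50122 ssh2"
SSHD_FAIL = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+)"
)

# Constructed sample input: six failures for alice from one address, two for bob,
# and one unrelated cron line that the parser must ignore.
SAMPLE_LINES = [
    '{"ts": "2017-05-01T10:00:01", "event": "auth_failure", "user": "alice", "src": "10.0.0.5"}',
    "May  1 10:00:03 host1 sshd[2201]: Failed password for alice from 10.0.0.5 port 50122 ssh2",
    '{"ts": "2017-05-01T10:00:05", "event": "auth_failure", "user": "alice", "src": "10.0.0.5"}',
    "May  1 10:00:07 host1 sshd[2203]: Failed password for alice from 10.0.0.5 port 50124 ssh2",
    "May  1 10:00:09 host1 sshd[2204]: Failed password for alice from 10.0.0.5 port 50125 ssh2",
    '{"ts": "2017-05-01T10:00:11", "event": "auth_failure", "user": "alice", "src": "10.0.0.5"}',
    "May  1 10:00:15 host1 sshd[2210]: Failed password for bob from 10.0.0.9 port 50130 ssh2",
    '{"ts": "2017-05-01T10:00:20", "event": "auth_failure", "user": "bob", "src": "10.0.0.9"}',
    "May  1 10:00:30 host1 cron[100]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse_line(line):
    """Map a raw log line to {'ts', 'user', 'src'} or None if it is not an auth failure."""
    line = line.strip()
    if line.startswith("{"):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            return None
        if rec.get("event") != "auth_failure":
            return None
        return {"ts": datetime.fromisoformat(rec["ts"]), "user": rec["user"], "src": rec["src"]}
    m = SSHD_FAIL.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    return {"ts": ts, "user": m["user"], "src": m["src"]}


def parse_events(lines):
    """Normalise every recognised line; unrecognised lines are dropped."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def correlate(events, threshold=5, window_seconds=60):
    """Emit one alert per (user, src) burst of `threshold` failures inside the window.

    After an alert fires, the window for that key is cleared, so a burst of
    fifty failures yields one alert rather than forty-six."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (user, src) -> timestamps still inside the window
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], e["src"])
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "rule": "repeated_auth_failure",
                "user": e["user"], "src": e["src"],
                "count": len(q), "first": q[0], "last": q[-1],
            })
            q.clear()
    return alerts


def run_sample(threshold=5):
    """Parse the constructed sample and return the resulting alerts."""
    return correlate(parse_events(SAMPLE_LINES), threshold=threshold)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['rule']}: {a['user']}@{a['src']} x{a['count']} "
              f"between {a['first']} and {a['last']}")
```

With the default threshold the nine raw lines become eight normalised events and exactly one alert (alice, five failures); bob's two failures stay below the threshold and the cron line is discarded at parse time. Lowering the threshold to 2 shows the other side of the trade-off: the same input produces four alerts, which is the kind of noise the article warns will bury the critical ones.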

Rather than being swayed by slick user interfaces, those assessing potential SIEM tools should focus on two key criteria - how good is the search function and how powerful is the underlying analytics engine. Both are critical for effective security.

Effective deployment

Once the most appropriate SIEM tool has been selected, an organisation needs to deploy it as quickly and effectively as possible. Here support from the chosen vendor will be critical, as will having the necessary skill set in-house.

While modern tools usually have an intuitive user interface, some training will still be required to ensure maximum value can be gained from the investment. A good SIEM tool will mask much of its underlying complexity, but it is still important to have an understanding of what is going on under the hood.

SIEM tools will continue to play a critical role in the security defences of organisations of all sizes. By understanding how they have evolved and matching your selection to your particular requirements, they can provide much needed enhanced security protection.
