Despite an initial rush to adopt security and information event management (SIEM) tools, complex implementations and a lack of skilled staff left many companies struggling to use SIEM effectively. That's all set to change, however, as a new generation of SIEM tools bolsters top-down monitoring of network and cloud-application activity with applied analytics techniques that help spot security incidents as soon as they're happening.
Those new techniques have emerged as the maturation of security analytics techniques, and the collection of increasingly large and varied types of activity data, enable SIEM vendors to apply new methodologies to the analysis of corporate data. This, in turn, better equips end-user organisations to identify anomalous behaviour – and act on it – as soon as it is happening.
“First-generation SIEMs tended to be complex and focus more on reporting than detection,” explains Bill Taylor, Asia-Pacific and Japan vice president with security-analytics provider LogRhythm.
“We were pulling together security incidents from many devices and reporting them to say that this and that had happened. But businesses were relying on the security device to do the detection – and if it wasn't detecting anything, nothing was going to show up. This is why reports suggest that many SIEMs have hardly been touched since they were installed.”
Evolution of SIEM into SIEM 2.0, as it is known, has revolved around ensuring that the security analytics platform can churn through massive volumes of information to pick out and highlight anomalous behaviour that may indicate malware activity. Wrapping this capability into a broad platform, which also ties into corporate governance and compliance requirements, allows businesses to turn SIEM into business advantage better than ever before.
“Rather than being areas where we'd previously spend months developing and working out SIEM in the customer environment, data inputs and compliance outputs now come pre-bundled,” Taylor says. “The core then allows us unlimited creativity around things like using artificial intelligence, forensics, pattern recognition, profiling, and using threat feeds to add more colour around our environment.”
One of the most significant inputs into the system is increasingly being referred to as user behaviour analysis (UBA) – and it's proving to be indispensable in quickly identifying malicious activity before it leads to the theft of sensitive data from corporate networks or servers.
UBA – which was flagged by Gartner as being the key to effective breach detection – is the latest name for an analytics activity that is increasingly being built into SIEM platforms. This activity is based around the ongoing reassessment of 'normal' network activity so that anomalies – whether caused by advanced persistent threats (APTs), ransomware, or other forms of malware – can be quickly detected with high sensitivity and the offending applications or processes stopped in their tracks.
UBA relies on machine-learning techniques to continually refine models of what can be considered normal network and user behaviour. Since most malware compromises exploit user account privileges to quietly explore what network resources are available for the pillaging, monitoring their activity is akin to using security cameras to trace an employee's movements through a sensitive area of a building.
“You might go left down a particular hallway every day, and we know that you do that,” Taylor explains. “But if you turn right and attempt to access three or four different servers that you've never been interested in before, it's obvious that somebody is up to something. The SIEM will know and can automatically freeze your account, or a hundred other things.”
Such activities may be entirely legitimate. However, once the alarm has been raised, the IT team can investigate it as a matter of priority by proactively contacting the user in question. If there is indeed malware active on the network – or the cloud, as has been made possible by SIEM 2.0 platforms that use APIs to extend monitoring past on-premises systems – that malware can be isolated and traced back to its origin before it does any damage.
Once this detect-and-respond chain has been implemented, businesses will find that they can dramatically shorten the mean time to detection (MTD) and mean time to respond (MTR) within their environment. Given that some industry surveys place the overall MTD at more than 200 days, there is a lot of room for improvement – and appropriately applying new SIEM technologies can slash this to minutes or even seconds.
“If you can bring down the MTD and MTR, you are going to make it very difficult for anybody to come into your organisation regardless of whether credentials are compromised,” Taylor says, noting that some CISOs are adopting MTD and MTR as a key metric with which they can report on cybersecurity capabilities to the company board.
“If there's a compromise we're going to see a different pattern and set of actions,” he continues. “And if I know that I've got a turnaround time of 3 minutes on exfiltration, I can limit damage. It would be a major success if I could turn to my executives and boards to say that 'we are currently at a MTD of a few minutes and an MTR of an hour and a half'.”
By embracing the new machine-learning and business-focused capabilities of modern SIEM platforms, this kind of proactive security infrastructure in place, businesses that have so far failed to make the most of their SIEM are likely to find new benefits from giving it another chance. A broader approach to security monitoring and reporting enables security monitoring to be relevant to the organisation's highest levels, and in compliance and governance terms that mean more to executives than mountains of unprocessed security logs.
In short, SIEM 2.0 is a business tool as much as a security tool – and organisations need to approach its implementation in a way that reflects the change. By taking a new look, says Taylor, even those organisations that had previously struggled to make the most of their SIEM investments will find the going much easier, and the platform more productive, the second time around.
“It's easy to collect information,” he says, “but it's what you do with it, how you manage and interpret it, that matters in the end.”