Why the death of SIEM has been greatly exaggerated
- 29 August, 2016 03:16
Security Information and Event Management (SIEM) tools have played a central role in corporate IT security for more than a decade, and some now believe their time is up.
Those proclaiming the death of SIEM point to the proliferation of newer analytics tools that can scour infrastructures and alert security staff to anomalies needing closer examination. They believe these tools can replace SIEM while at the same time delivering more value to the enterprise.
Nothing could be further from the truth. SIEM is not only alive and well, it's also being put to work by small and mid-sized firms in increasing numbers. They are seeing value in the ability to proactively monitor their growing IT infrastructures and spot threats before they can cause disruption.
The evolution of SIEM
When SIEM tools first emerged in the early 2000s, they were complex and unwieldy beasts. Requiring large amounts of customisation and careful management, they were only suited to large organisations with big budgets.
However, SIEM has evolved, and today's tools bear little resemblance to those of the past. Modern SIEM tools are built on a big data analytics platform, which enables them to scour much larger data sets. This matters for organisations experiencing a data deluge and running infrastructures that continue to grow in complexity.
Today's SIEM tools can also deal with large volumes of both structured and unstructured data. This is relevant as potential security threats come in many forms and can only be identified through the careful analysis of both data types.
To achieve this, today's SIEM tools leverage machine-based analytics. This automates the task of examining large volumes of data and allows patterns and incidents to be identified that traditionally may have gone unnoticed.
This capability is what is making SIEM tools attractive to smaller firms. It gives them access to analytical capabilities that until recently were only available to large organisations. This comes at a time when smaller firms recognise the importance of having a robust security infrastructure in place: they understand that having anti-virus software and firewalls alone is no longer enough.
No silver bullet
While SIEM has a lot to offer, it should not be regarded as a security 'silver bullet'. The tools are not plug-and-play and cannot simply be deployed and then forgotten.
Once in place, SIEM tools need to become part of a comprehensive security monitoring program. Managed by one person in smaller firms or by a team within a large corporate, this program will involve closely monitoring the output of the SIEM tool.
Organisations will also need to put in place an incident response program. When incidents are identified by SIEM, this program will involve deeper investigation into what is going on and what steps are required to overcome any threats identified.
Selecting the best SIEM
Before investing in a SIEM tool, an organisation should carefully assess whether it actually matches its security requirements.
One of the most important factors to consider is what capabilities it can provide out of the box. Many tools require complex configuration before they can be used, which makes them inappropriate for organisations without skilled in-house security teams.
It is also important to assess how well the tool will be able to monitor the volume of data being generated by the organisation's IT infrastructure. If it can't deal with the constant flow, it will be unlikely to add the value expected by the security team.
The tool should also not trigger too many security alarms. If it is constantly providing alerts of potential low-level security threats, IT teams will quickly become overwhelmed and may miss critical alerts when they actually occur.
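As an added illustration, not code from the article, the following hypothetical Python mini-correlator shows the two ideas from the preceding paragraphs side by side: it normalises structured (JSON) and unstructured (syslog-style) login failures onto one schema, then raises a single windowed alert per source/user pair instead of one alarm per event. All sample log lines, thresholds and field names are constructed for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample events: one structured (JSON) source and one
# unstructured (syslog-style) source, both describing failed logins.
STRUCTURED_EVENTS = [
    '{"ts": 100, "event": "auth_failure", "user": "alice", "src": "10.0.0.5"}',
    '{"ts": 105, "event": "auth_failure", "user": "alice", "src": "10.0.0.5"}',
    '{"ts": 400, "event": "auth_success", "user": "bob", "src": "10.0.0.9"}',
]
SYSLOG_EVENTS = [
    "ts=110 sshd[123]: Failed password for alice from 10.0.0.5 port 5000",
    "ts=118 sshd[124]: Failed password for alice from 10.0.0.5 port 5001",
    "ts=125 sshd[125]: Failed password for invalid user alice from 10.0.0.5 port 5002",
    "ts=900 sshd[126]: Failed password for carol from 10.0.0.7 port 5003",
]

SYSLOG_RE = re.compile(r"ts=(\d+) .*Failed password for (?:invalid user )?(\S+) from (\S+)")


def normalize(line):
    """Map either source format onto one schema: (ts, user, src) for a failure, else None."""
    if line.startswith("{"):
        rec = json.loads(line)
        if rec.get("event") != "auth_failure":
            return None
        return (int(rec["ts"]), rec["user"], rec["src"])
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return (int(m.group(1)), m.group(2), m.group(3))


def correlate(lines, threshold=5, window=60):
    """Emit one alert per (src, user) whose failures within `window` seconds reach
    `threshold`, rather than one alert for every failed login seen."""
    buckets = defaultdict(list)
    for line in lines:
        ev = normalize(line)
        if ev:
            ts, user, src = ev
            buckets[(src, user)].append(ts)
    alerts = []
    for (src, user), times in buckets.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"src": src, "user": user, "count": end - start + 1,
                               "first": times[start], "last": times[end]})
                break  # one alert per pair, not one per further failure
    return alerts
```

Running `correlate(STRUCTURED_EVENTS + SYSLOG_EVENTS)` turns six raw failure events into one alert for alice from 10.0.0.5, while carol's single failure stays below the threshold and raises nothing.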
Rather than being swayed by slick user interfaces, those assessing potential SIEM tools should focus on two key criteria: how good the search function is and how powerful the underlying analytics engine is. Both are critical for effective security.
Once the most appropriate SIEM tool has been selected, an organisation needs to deploy it as quickly and effectively as possible. Here support from the chosen vendor will be critical, as will having the necessary skill set in-house.
While modern tools usually have an intuitive user interface, some training will still be required to ensure maximum value can be gained from the investment. A good SIEM tool will mask much of its underlying complexity, but it is still important to have an understanding of what is going on under the hood.
SIEM tools will continue to play a critical role in the security defences of organisations of all sizes. By understanding how they have evolved and matching your selection to your particular requirements, you can gain much-needed enhanced security protection from them.