What do legacy SIEM and NG-SIEM Solutions Have in Common?
Around 10 years ago, in the ancient history of SIEM, the security community knew each of the malware signatures that attacked our networks. But today, when attackers are generating new malware threats, new attack vectors and tools every second, we’re sending our SOC teams out on an impossible mission.
To be fair, the industry did not ignore the vast proliferation of threats. Traditional security information and event management (SIEM) technology tried to help organize and make sense of the mess, but it fell short. The industry’s response was a new class of “Next-Generation SIEM” solutions, peddling the magic of AI. These products typically add user and entity behavior analytics to a SIEM architecture. They track human behavior, which is a fundamental shift from original SIEMs, which typically track events and devices, not users. Unfortunately many of these NG-SIEM solutions added only incremental benefit – but never fixed the core problem
When evaluating NG-SIEMs, enterprises need to look beyond flashy promises of “AI” and ask the hard questions that will tell them if the solution they are evaluating will be truly effective:
- Is this solution still based mainly on human-written rules?
NG- SIEMs still need to correlate behavior deviations and, as such, require human-written correlation rules. Just as with original SIEM, these rules have inherent disadvantages when it comes to detecting previously unseen threats. Rules development is sometimes obscured as part of a NG-SIEM deployment engagement – but they remain the enabling foundation of next-gen SIEMs, thus perpetuating the cost and management complexity problems of original SIEMs.
- Is this NG-SIEM proactive or reactive?
Despite the more advanced analytics regime, many NG-SIEMs can only detect attacks after the fact, not in real time. Improved detection accuracy is only marginally beneficial when that detection occurs long after nefarious activity has occurred.
- Is it passive?
Both original and many -SIEMs are designed for alerting, not responding. They may have native orchestration capabilities that enable manual incident response workflows to be triggered by alerts, or they may accomplish this by integrating with one or more of today’s orchestration and automation vendors. They do not, however, provide machine-based incident response that can automatically contain or remediate threats in real time.
- Does it include open-source elements that enable community enrichment?
Some of the most successful and effective technologies in different IT arenas today are based on open-source offerings, which are developed by a large community of contributers. One example is Elastic’s data search, which is enriched and improved by millions of users. Another is Snort, whose open-source network intrusion detection system (NIDS) was enrciched by the large Snort community . This trend has unfortunately not yet reached the SIEM arena, where most vendors charge high fees for their products, but do not open them up to be used – and improved – by large audiences of developers and security experts. A truly effective SIEM will include an element in open-source, which will enable it to constantly evolve thanks to the contributions of a large community of users.
Fundamentally, many of the same issues that plagued original SIEM are also present in many next-generation SIEM. Improved analytics may sharpen detection accuracy, and orchestration may codify and accelerate workflow, but it does not change the fundamental process of manual detection, incident investigation and response. What is truly needed is a new kind of SIEM that does not rely on the same failed architecture as original or next-generation SIEM. What we should strive for is a solution that can automatically detect, classify, investigate, and mitigate threats in real time, with no reliance on human-generated rules or manual processes.