A New Model Born from Needs: Modern SIEM

As the SIEM concept approaches its 20th anniversary, let's take a look at how much SIEM systems have evolved since their inception.
SIEM began as a platform for collecting event logs from IT environments. It then evolved to parse and normalize that telemetry so that logs, regardless of their source, could be analyzed in the same way. Compliance teams adopted SIEM to demonstrate monitoring of the IT environment through audit reports, and analysis of the collected data allowed the SIEM to raise alerts from detection rules written for the monitored environment. Scalability, however, quickly became a challenge: SIEM was designed as a big-data platform and querying historical data became easier, but as the volume of ingested data grew, managing it became increasingly complex.
Additionally, as the IT environment expanded and more tools were introduced, the sheer volume of alerts became unmanageable, regardless of the size of the security analyst team. Today, organizations using SIEM solutions typically have over 100 data sources connected to their SIEM. Research and feedback indicate that Security Operations Center (SOC) teams can only review 65% of their daily alerts, meaning that more than one-third of alerts remain uninvestigated. In many intrusions, the organization had the tools needed to detect the threat actor's activity, but the activity went unnoticed either because the tool was not properly configured or because analysts did not recognize its significance: collecting the telemetry is not the same as detecting on it. Furthermore, SIEM requires ongoing maintenance and tuning; security teams must allocate personnel to design and adjust detections to keep it operational and able to identify known threats. Dedicating a staff member solely to the SIEM is difficult for many organizations.
Modern SIEM solutions have added features to help overcome these challenges. Integrated User and Entity Behavior Analytics (UEBA) uses machine learning to baseline normal behavior for users and assets in the collected data and flag deviations from it, complementing the detection rules that surface alerts about known threats. To reduce the need for analysts to turn to multiple tools, threat intelligence feeds bring updated Indicators of Compromise (IOCs) into the SIEM, enriching alerts with additional data and context.
The lack of automation has been another challenge with SIEM. Today's security practitioners want to combine detection and investigation through the correlation and enrichment of alerts with threat intelligence. Risk-based alerting scores each observation by its severity and accumulates that risk per user or asset, so the security team is presented with one prioritized alert per entity rather than a stream of individually low-severity ones. The enrichment, correlation, and prioritization of alerts are done through automated processes integrated into the SIEM, which can be tuned to the needs of the SOC team's environment.
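The two mechanisms described above, threat-intelligence enrichment of normalized events and risk-based alerting that accumulates risk per entity, as a worked example. This is an added illustration written for this page, not code from the article or from any SIEM product; the IOC feed, the sample events, the detection rules, the risk points and the alert threshold are all constructed and hypothetical.

```python
"""Risk-based alerting over normalized telemetry: enrich, evaluate rules, score per entity.

Added example; all feed entries, events, rules, point values and the threshold are
constructed for illustration and do not come from any real product or feed.
"""
from collections import defaultdict

# Constructed threat-intelligence feed, keyed by indicator type, then indicator value.
IOC_FEED = {
    "ip": {"203.0.113.55": {"threat": "known C2 server", "confidence": 90}},
    "domain": {"update-check.example": {"threat": "malware distribution", "confidence": 70}},
}

# Hypothetical list of administrative tools whose execution should raise risk.
ADMIN_TOOLS = {"psexec.exe", "mimikatz.exe"}


def enrich(event, feed):
    """Return a copy of the event with threat-intel context attached if an indicator matches."""
    enriched = dict(event)
    for kind, field in (("ip", "dst_ip"), ("domain", "domain")):
        value = event.get(field)
        if value and value in feed[kind]:
            enriched["ioc"] = {"type": kind, "value": value, **feed[kind][value]}
            break
    return enriched


def evaluate_rules(event):
    """Return (rule_name, risk_points) for every detection rule the event matches.

    Points are hypothetical: they express how much one observation should raise the
    entity's risk, not the severity of a stand-alone alert.
    """
    hits = []
    if event.get("action") == "login" and event.get("outcome") == "failure":
        hits.append(("failed_login", 10))
    if event.get("process") == "powershell.exe" and "-enc" in event.get("cmdline", "").lower():
        hits.append(("encoded_powershell", 30))
    if event.get("process") in ADMIN_TOOLS:
        hits.append(("admin_tool_execution", 25))
    if "ioc" in event:
        # Enriched observation: weight it by the feed's confidence in the indicator.
        hits.append((f"ioc_match:{event['ioc']['type']}", event["ioc"]["confidence"]))
    return hits


def run_pipeline(events, feed=IOC_FEED, threshold=100):
    """Enrich each event, evaluate rules, accumulate risk per user; alert only above threshold."""
    risk = defaultdict(lambda: {"risk": 0, "observations": []})
    for raw in events:
        event = enrich(raw, feed)
        for rule, points in evaluate_rules(event):
            entry = risk[event["user"]]
            entry["risk"] += points
            entry["observations"].append((event["ts"], rule, points))
    for entry in risk.values():
        entry["alert"] = entry["risk"] >= threshold
    return dict(risk)


# Constructed, already-normalized events (vendor-specific logs parsed into common fields).
SAMPLE_EVENTS = [
    {"ts": "08:01:10", "user": "alice", "action": "login", "outcome": "failure", "src_ip": "198.51.100.20"},
    {"ts": "08:01:14", "user": "alice", "action": "login", "outcome": "failure", "src_ip": "198.51.100.20"},
    {"ts": "08:01:19", "user": "alice", "action": "login", "outcome": "failure", "src_ip": "198.51.100.20"},
    {"ts": "08:01:25", "user": "alice", "action": "login", "outcome": "success", "src_ip": "198.51.100.20"},
    {"ts": "08:03:02", "user": "alice", "action": "process", "process": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},  # constructed
    {"ts": "08:03:40", "user": "alice", "action": "connection", "dst_ip": "203.0.113.55", "dst_port": 443},
    {"ts": "09:10:00", "user": "bob", "action": "login", "outcome": "failure", "src_ip": "198.51.100.77"},
    {"ts": "09:12:00", "user": "carol", "action": "dns", "domain": "update-check.example"},
]

if __name__ == "__main__":
    for user, entry in run_pipeline(SAMPLE_EVENTS).items():
        flag = "ALERT" if entry["alert"] else "watch"
        print(f"{flag:5} {user:6} risk={entry['risk']:3} {entry['observations']}")
```

Running it shows the point of risk-based alerting: alice's three failed logins (30), encoded PowerShell (30) and connection to the feed's C2 address (90) add up to 150 and produce one alert that already carries the enrichment context, while bob's single failed login (10) and carol's lone IOC domain lookup (70) stay below the threshold and are retained as observations for the analyst rather than surfaced as separate alerts.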
"In addition to requiring a real-time detection engine, SOC teams still need out-of-the-box connectors for all the data sources they want to ingest. This telemetry potentially extends beyond the usual security tools to include application and network performance data, as well as human resources data. For example, a notification from the HR system about an employee's report can be used to add that person to a watchlist for monitoring insider threat activities."
SOC teams want automated response capabilities within the SIEM, through integration with ticketing systems and through playbooks that can be designed and run in the SIEM itself. Organizations without security engineering resources look to the SIEM vendor to deliver detection and threat hunting content. Additionally, GenAI assistants have made it easier for analysts to query the SIEM in natural language instead of the SIEM's query language, although the generated query still has to be checked against the data model before its results are trusted.
Today's modern SIEM is not the traditional SIEM of the past. If your current SIEM's data collection, alerting, detection, investigation, and response workflows do not meet your needs, take a look at Splunk Enterprise Security, a modern SIEM built to manage big data, with more than three thousand add-ons available.