kras99 - stock.adobe.com
Once upon a time, IT viewed firewalls -- which filter traffic based on port, protocol and IP addresses -- as the best way to keep networked devices secure.
But as network traffic grew -- fueled by greater internet connectivity and user access -- firewalls became less effective. They lacked visibility into the content and context of data, which meant they couldn't adequately classify traffic. That created a demand for better technologies that could monitor access to systems to counter the increasing number and sophistication of network attacks.
In the early '90s, commercial intrusion detection systems (IDSes) came on the scene. These systems could evaluate network traffic against a set of rules and known attacks, generating an alert if an attack was identified. Prior to IDS, log and system message analysis was performed manually, and administrators achieved only limited success in detecting an active intrusion.
The varied nature of networks through the '90s and early 2000s, however, meant that IDSes generated a large number of false positives, wasting time and resources. They also lacked the ability to centralize and correlate event data from across multiple systems.
What the industry needed was a more dynamic approach to network security, one that provided greater visibility into the overall operating environment. That led security vendors to further combine two concepts: security information management (SIM) and security event management (SEM). The result was security information and event management (SIEM), a term Gartner coined in a 2005 IT security report.
SIEM's evolution was based on the need for a tool that could pinpoint genuine threats in real time by more effectively gathering and prioritizing the thousands of security alerts generated by firewalls, antivirus software and IDSes. SIEM systems could identify potential security risks by centralizing, normalizing and analyzing event data across an IT environment. This enabled security teams to become more efficient and effective as they tackled ever-increasing volumes of traffic across complex IT infrastructures.
But despite their benefits, first-generation SIEM systems had shortfalls. Their dashboards and reports were basic and their alerts lacked sophistication. Early SIEMs also suffered from poor scalability, with each stage of the process -- ingesting data, defining policies, rules and thresholds, reviewing alerts, and analyzing anomalies -- requiring manual intervention.
At the same time, networks were being accessed by an even larger group of users -- among them remote workers, customers and third parties. Attackers were soon able to operate undetected by working around rule-based triggers.
SIEM becomes more analytical
The arrival of low-cost, scalable storage, such as Apache Hadoop and Amazon S3, underpinned the next stage in the history of SIEM. They made it possible for SIEM systems to use big data analytics to improve correlation and interpretation of live and historical data, though alert thresholds were mostly manually preconfigured.
Around 2015, integrating machine learning and AI into SIEM tools made them even more efficient at orchestrating security data and managing fast-evolving threats. This meant SIEM systems could fire off alerts about zero-day threats and attack patterns, as well as known threats. The accuracy and usefulness of SIEM alerts were further improved after SIEM began ingesting log data from cloud-deployed infrastructures, SaaS applications and other nonstandard data sources, among them third-party threat intelligence feeds that contained indicators of compromise gleaned from multiple sources.
More powerful anomaly detection has been a cornerstone in SIEM's evolution. AI-powered automated profiling and rule creation added a dynamic layer of detection capabilities. User and entity behavior analytics (UEBA) gave SIEM a further boost. UEBA relies on event information, machine learning and statistical analysis to generate a baseline of normal behavior, enabling it to detect activities outside of accepted ranges that could result in a real threat. Consider a malicious hacker using an administrator's stolen credentials, for example. They may be able to gain access to sensitive systems, but it would be almost impossible for them to mirror the administrator's actions. A SIEM using UEBA could detect, flag and stop the access.
SIEM evolves as attacks become more complex
SIEM tools continue to evolve as the number and complexity of cyber attacks increase. Vendors are marketing new concepts to differentiate their products with new or additional features. Security orchestration automation and response (SOAR) is a good example. SOAR uses APIs to integrate SIEM systems with other security tools. This enables security teams to improve their ability to detect complex threats and lateral movements by automatically executing preplanned actions in response to specific incidents.
SIEMs tools have become an established part of most security operation centers in organizations of all sizes and across all industries. They are deployed in a variety of ways, among them appliances, software and managed security services. Although SIEM systems are primarily used to monitor and detect threats in cloud and on-premises resources, their real-time telemetry also enables operations teams to analyze and resolve network issues. Incident response teams use their logs for forensic examination of historical security events and to collect evidence for law enforcement investigations. Compliance teams can also use SIEM data to fulfill monitoring, auditing and reporting requirements specified in regulations such as GDPR, HIPAA and PCI DSS.
SIEM tools are available through all the large providers, but implementation and integration costs are just part of the equation. Companies need at least three to four trained staff members to manage and monitor a SIEM tool and to investigate any alerts it generates. Larger organizations will require even bigger staffs. This is one reason resource-pinched organizations might use a managed security service provider.
Being more proactive
SIEM's evolution means it has matured into something far more than the sum of its two initial parts -- SIM and SEM. Any form of technology engineered to detect and prevent threats has SIEM at its core. The tool's ability to collect and analyze data logged by devices and software on the network is the only way to gain visibility into large, complex infrastructures.
SIEM-based security tools play a vital role in data security and whatever form SIEM products and services eventually morph into, the goal will always be the same: Pinpoint threats to hosts, prioritize those at greatest risk and automatically mitigate the risk in real time.
This is the only way security teams can react quickly enough to prevent attacks from developing into full-blown data breaches. SIEM tools will continue to improve, enabling them to process billions of events. But the most important advances will be how SIEM turns this data into actionable information and how those actions can be automated to accelerate security incident investigation and response processes.
Regardless of how these next-gen tools are rebranded -- the latest iterations being TDIR, for threat detection, investigation and response, and XDR, for extended detection and response -- SIEM will play a key role.
Machine learning and AI are starting to improve our understanding of what is happening on a network, but SIEM's real breakthrough will arrive when alerts can be predictive as well as reactive. This will be the point when SIEM becomes a true intrusion detection and prevention system, blocking not just known malicious activity but stopping a cyber attack in its tracks before it can occur -- without disrupting everyday operations and activities. When that day comes, SIEM will need a new name and a new acronym.