SIEM (Security Information and Event Management) happens to be one of those InfoSec technologies that is discussed ad infinitum, yet the majority of those discussing the technology have trouble visualizing how SIEM can be an effective ally for protecting enterprise systems. After all, SIEM has become somewhat shrouded in mystery and has transformed from a technology that just correlates security logs, into a technology that can take action to actually alleviate security problems.
To better grasp what SIEM means to a modern-day enterprise, one must delve into the technologies that gave rise to SIEM, namely IPS (Intrusion Prevention Systems) and IDS (Intrusion Detection Systems). Both IPS and IDS were normally placed at the edge of the network, examining packets traveling to and fro, while determining if those packets contained any information that indicated an unauthorized attempt was being made to access corporate data.
In the early days, IPS and IDS did a decent job of identifying intrusions and creating the needed alerts that indicated unauthorized entry into enterprise systems. In most cases those intrusions were identified using defined policies and algorithms to detect authorization attempts that fell outside of defined norms. Yet, IPS and IDS started to fail in their design to detect intrusions, simply because intruders became more intelligent in regards on how to spoof IPS and IDS systems.
That situation led to something akin to an arms race, where hackers started using more sophisticated attack vectors and IPS and IDS vendors incorporated more detection capabilities, machine learning, anomaly detection and so on. Yet, breaches still continue and even more troubling, go undetected for longer periods of time.
Yet, those factors have not slowed down the IPS and IDS markets. Gartner estimates that by 2020, 60 percent of enterprise information security budgets will be allocated for rapid detection and response approaches and by 2018 80 percent of endpoint protection platforms will include user activity monitoring and forensic capabilities.
Nevertheless, market growth is not always an indicator of a security technology’s effectiveness. Many enterprises have come to realize that they need more than IPS, IDS, Firewalls, and Anti-Malware systems, they also need the ability to better examine the data behind those attacks, as well as infer action based upon the analysis of that data. That is exactly where SIEM has come into play.
As Gartner describes it, Security information and event management (SIEM) technology supports threat detection and security incident response through the real-time collection and historical analysis of security events from a wide variety of event and contextual data sources. It also supports compliance reporting and incident investigation through analysis of historical data from these sources. The core capabilities of SIEM technology are a broad scope of event collection and the ability to correlate and analyze events across disparate sources.
That rather dry description does a poor job of describing what SIEM is capable of in practice. Something that Kevin Watson, CEO of Netsurion, wants to make perfectly clear. Watson said “Cyberattacks are succeeding at alarming rates, and the impact of data breaches on multi-location brands, individual franchisees, and other businesses can be catastrophic and unrecoverable.”
While that assessment may be somewhat obvious to security practitioners, there is an underlying theme here. Watson added “SIEM brings with it the ability to look at data in varying levels of detail and analyze multiple data sets, forming a more complete picture of network activity and security events.”
It is that real-time analysis that gives SIEM the much-needed punch to make a difference during security incidents. However, it is also those very same abilities that have kept SIEM technology out of reach for small and medium businesses. For SIEM to be truly effective, CPU intensive algorithms and policy engines must be implemented, as well as a mechanism to gather and store large volumes of log and transaction data. Therein lies the real rub with SIEM, the businesses that it can benefit the most are often the ones ill equipped to provision and manage a SIEM solution.
Watson said “It is critical for service providers to add advanced SIEM services to their portfolios, which will enable service providers, such as Netsurion, to deliver stronger protection without the costs and complexity of full-time, dedicated resources.”
However, the cloud in the form of hosted and managed services has started to meet the processing needs of SIEM solutions, and has helped to democratize access to the high end technology that makes SIEM effective.
Watson added “Netsurion is addressing the SMB market by balancing the need for added security without further over-complicating the IT environment.” There is obviously a need for SIEM in the SMB market, and the market is growing. Research firm Frost and Sullivan is anticipating a CAGR of 14.6% through 2019, with the SMB market making up the lion’s share of that growth.
Obviously, SMB operators shouldn’t just dive into SIEM solutions without performing due diligence, a process which can be eased by attending Netsurion’s Webinar on 1/26/17, or by reading GigaOM’s reports on the SIEM market.