
SIEM Solutions Address Key Organizational Security Challenges

Formally known as security information and event management, SIEM technology is an essential element that organizations need to detect, understand and respond to threats in real time. Here is an introduction to the world of SIEM and the difference it can make to the enterprise.

April 16, 2020

Cybersecurity has become relevant to every business in 2020. An IDG study last year showed that implementing cybersecurity "best practices" was a top priority as organizations continue to invest in solutions to stop attacks. This year 59 percent of organizations are prioritizing protection of sensitive data, while 20 percent are interested in timely intelligence that can expose risky employees and third-party threats.

A critical capability required to fulfill these needs is the ability to identify, analyze and predict security incidents happening within business networks. Despite the importance of this capability, 56 percent of companies report gaps in coverage of their IT security infrastructure that, in turn, introduce dangerous blind spots to the company. As if the blind spots aren’t enough of a challenge, 25 percent admit to spending their time chasing false positives in the areas they can see.

To address this growing challenge, companies are turning to next-generation SIEM solutions. Formally known as Security Information and Event Management, SIEM technology is an essential element for organizations to understand threats and take action in real time.

What is SIEM?

SIEM is a technology offering that combines security information management (SIM) and security event management (SEM) to provide centralized and more powerful security capabilities. The solution receives and aggregates log data from different sources such as computers, servers, network components and software.

Logs and event information are also collected from security devices such as anti-malware programs, intrusion detection/prevention systems and firewalls. Using this information, the technology can alert security professionals of potential risks and incidents within an organization's network.

The first (and often most important) phase of a SIEM solution is getting the data: we need to collect and store pertinent event information from a broad range of sources and perform any additional processing required to prepare the data for subsequent analytics. Phase two is where things get interesting: the data is categorized and analyzed with the goal of identifying anomalies and providing alerts in real time.

Traditional SIEM technology approaches this with rule-based logic, aggregating event logs and identifying anomalies by comparing new events with some reasonable baseline. Next-generation SIEM extends the traditional solutions with advanced analytics leveraging emerging domains such as artificial intelligence (AI) and machine learning (ML). 

Phase three focuses on reporting and remediation, potentially using automation capabilities built into the SIEM to guarantee timely response to more serious threats. Whether using a traditional or next-generation SIEM, the analytics must provide solid insight into activities and potential risks within the IT environment. 
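The three phases just described (collect and normalize, analyze against rules and a baseline, report and remediate) worked through end to end, as an added Python example that is not code from the original article or from any SIEM product. The log lines, the historical baseline counts, the thresholds and the playbook actions are all constructed for illustration, and the two source formats (an sshd auth log and a key=value firewall log) are assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# --- Phase 1: collection and normalization ---------------------------------
# Constructed sample events (not real logs) from two different sources.
SAMPLE_LOGS = [
    "2020-04-16T09:00:01 srv1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 5111 ssh2",
    "2020-04-16T09:00:05 srv1 sshd[1201]: Failed password for root from 203.0.113.7 port 5112 ssh2",
    "2020-04-16T09:00:09 srv1 sshd[1201]: Failed password for root from 203.0.113.7 port 5113 ssh2",
    "2020-04-16T09:00:12 srv1 sshd[1201]: Failed password for root from 203.0.113.7 port 5114 ssh2",
    "2020-04-16T09:00:15 srv1 sshd[1201]: Failed password for root from 203.0.113.7 port 5115 ssh2",
    "2020-04-16T09:00:20 srv1 sshd[1201]: Accepted password for root from 203.0.113.7 port 5116 ssh2",
    "2020-04-16T09:05:00 srv2 sshd[2210]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2",
    "ts=2020-04-16T09:06:30 host=fw1 action=deny src=198.51.100.9 dst=10.0.0.5 dport=3389",
    "ts=2020-04-16T09:06:31 host=fw1 action=deny src=198.51.100.9 dst=10.0.0.6 dport=3389",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize(line):
    """Map one raw line onto a common schema; return None for lines we cannot parse."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "type": "auth_failure" if m["outcome"] == "Failed" else "auth_success",
                "user": m["user"], "src": m["src"]}
    if line.startswith("ts="):
        kv = dict(KV_RE.findall(line))
        if kv.get("action") == "deny":
            return {"ts": datetime.fromisoformat(kv["ts"]), "host": kv["host"],
                    "type": "fw_deny", "user": None, "src": kv["src"]}
    return None  # unknown format: a real SIEM would count these so parser gaps are visible


def collect(lines):
    """Normalize every line we can and order the events by time."""
    return sorted((e for e in map(normalize, lines) if e), key=lambda e: e["ts"])


# --- Phase 2: rule-based analytics plus a baseline comparison --------------
FAIL_THRESHOLD = 4                 # failures from one source inside WINDOW
WINDOW = timedelta(seconds=60)


def detect_brute_force(events):
    """Rule: N auth failures from one source within WINDOW; a later success from that source raises severity."""
    alerts, by_src = [], defaultdict(list)
    for e in events:
        if e["type"] == "auth_failure":
            by_src[e["src"]].append(e)
    for src, fails in by_src.items():
        for i in range(len(fails)):                       # sliding window over failure times
            window = [f for f in fails[i:] if f["ts"] - fails[i]["ts"] <= WINDOW]
            if len(window) >= FAIL_THRESHOLD:
                followed = any(e["type"] == "auth_success" and e["src"] == src
                               and e["ts"] > window[-1]["ts"] for e in events)
                alerts.append({"rule": "ssh_brute_force", "src": src, "count": len(window),
                               "severity": "high" if followed else "medium"})
                break
    return alerts


# Constructed historical daily counts per (host, event type); a real SIEM learns these.
BASELINE = {
    ("srv1", "auth_failure"): [0, 1, 0, 1, 0, 1, 0],
    ("srv2", "auth_failure"): [0, 0, 1, 0, 0, 0, 0],
    ("fw1", "fw_deny"): [1, 2, 1, 2, 2, 1, 2],
}
Z_THRESHOLD = 3.0


def detect_baseline_anomalies(events):
    """Compare today's volume per (host, type) against its baseline with a z-score."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["host"], e["type"])] += 1
    alerts = []
    for key, history in BASELINE.items():
        mu, sigma = mean(history), max(pstdev(history), 0.5)   # floor avoids /0 on flat baselines
        z = (counts.get(key, 0) - mu) / sigma
        if z > Z_THRESHOLD:
            alerts.append({"rule": "volume_anomaly", "host": key[0], "type": key[1],
                           "severity": "medium", "z": round(z, 1)})
    return alerts


# --- Phase 3: reporting and remediation ------------------------------------
PLAYBOOK = {  # constructed response playbook keyed by severity
    "high": "open incident; isolate affected host; page on-call analyst",
    "medium": "open ticket for analyst review",
}


def run_pipeline(lines):
    events = collect(lines)
    alerts = detect_brute_force(events) + detect_baseline_anomalies(events)
    for a in alerts:
        a["action"] = PLAYBOOK[a["severity"]]
    return {"events": len(events), "alerts": alerts}


if __name__ == "__main__":
    import json
    print(json.dumps(run_pipeline(SAMPLE_LOGS), indent=2, default=str))
```

On the sample data the rule fires once for 203.0.113.7 (five failures in 14 seconds followed by a success, so severity is high), the baseline check flags srv1's failure volume, and the two firewall denies stay inside fw1's normal range and produce no alert. The standard-deviation floor is the kind of detail that separates a usable detector from a noisy one: a host whose history is all zeros would otherwise alert on a single event.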

Why SIEM is essential for robust security 

Every reputable cybersecurity best practice framework recommends that organizations effectively identify and address risks. The NIST Cybersecurity Framework (CSF), for example, recommends that organizations have the capability to identify, protect, detect, respond and recover from cyber incidents. SIEMs play a critical role in creating the visibility and response capabilities required to accomplish each of those steps.

To optimize security even further, after a SIEM solution generates a threat alert, Security Orchestration Automation and Response (SOAR) products can be integrated to improve the efficiency of security operations and enable security teams to take action on credible threats immediately. Increasingly, leading SIEM vendors are tightly integrating automation technology as a means of facilitating SOAR as a model for reporting and remediation.

How SIEM solutions address key security challenges

Without the capability to monitor security events in real time, cyber-attacks can remain undetected.

Attacks can go weeks, months and sometimes years without being detected. More concerning still, attackers can secretly remain within your network for the same amount of time without the organization noticing.

Detection becomes even more challenging when an insider, such as an employee or contractor who better knows how to evade your security controls, is involved. The use of SIEM technology offers new capabilities that enhance security operations and increase visibility into such cases. 

The best SIEM technology can conduct analytics to identify abnormal network, user and device behaviors while considering relevant threat intelligence information. This enables the swift detection of malicious activities from both external and insider threat actors.   

Compliance requirements continue to grow in complexity, and the ramifications can be detrimental. 

Sixty-six percent of organizations indicate that compliance mandates are a decisive factor for their cybersecurity investments. As regulators enforce new cybersecurity regulations with hefty fines attached for non-compliance, 50 percent of organizations plan to increase their security expenditure. For example, the recently legislated California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) have been enacted to hold companies accountable for protecting personal data and consumer privacy.

This need for enhanced compliance management is further driving the adoption of SIEM technology, as security specialists and auditors look for ways to assess and provide evidence that their organizations are compliant. Good SIEM solutions suitably provide heightened analysis and reporting needed for regulations such as CCPA, GDPR, HIPAA, PCI-DSS and more. 

Already overloaded security teams can only handle so much; automated incident response is the new norm.

Incident investigation and response activities often involve inspecting malware samples, tracing attack sequences and analyzing potentially millions of traffic logs. In the past, security analysts struggled to manually reconstruct events from unevenly deployed platforms, users and devices. 

Thankfully, modern SIEM tools utilize machine learning capabilities to collect, analyze and present logs and events in ways that simplify forensic investigations and response. Intelligent SIEM tools also add user-centric data and system context to increase the accuracy of detection, reduce false positives, empower security analysts to trust automated response functions and help teams focus on the most critical alerts.

Solutions that can help

Gartner, a leading technology research and advisory company, reported that innovation in the SIEM market is driving the development and commercialization of intelligent tools that detect threats in real time. Next-gen SIEM vendors increasingly leverage machine learning, statistical analysis and related techniques to deliver higher accuracy and faster detection of significant security events.

Gartner's Magic Quadrant is referenced by many technology decision-makers. It consolidates research and insights on the relative positions of competing products that leaders are likely considering. In the SIEM space, the latest Gartner report features over fifteen SIEM providers, describing Splunk and Exabeam as key industry leaders and calling out Fortinet as a niche player providing immense value to businesses.

Exabeam

Exabeam's Security Management Platform includes seven components that go beyond the limitations of traditional SIEM solutions. From advanced analytics to a built-in case manager and responder capabilities, the platform provides a seamless process for monitoring users, identities and entities and taking quick action. In addition to a simplified pricing model, Exabeam offers simplified functions to help less-experienced SIEM users organize logs and streamline investigation and response actions.

Fortinet

FortiSIEM includes several solution components centered around log collection and analysis from Windows and Linux, file integrity monitoring, endpoint detection and response, threat intelligence and user behavior analytics. The tool is suitable for compliance needs since it offers a set of packages to accelerate compliance actions with regulations such as PCI, ISO27001, FISMA and HIPAA.

Splunk

Splunk Enterprise and Splunk Cloud are core products that can be used for collecting, analyzing and visualizing a broad range of both IT operations and security use cases. The products have also been enhanced to include improved real-time monitoring and security automation with threat intelligence. An attractive quality for companies seeking flexibility, Splunk offers several deployment options including on-premises, cloud-based IaaS and hybrid mode.

WWT and your SIEM journey

SIEM is a critical component of every security program. While there are several reputable, high-performing solutions available in the market today, selecting the best option requires considerations unique to each organization, such as existing security infrastructure, long-term technology roadmaps and more.

At WWT, we can help you understand how to address challenges unique to your company in order to achieve the business outcomes you need. No matter where you are in your SIEM journey, together we can evaluate, design, implement and operate the best technology to monitor and protect your environment. Reach out to schedule a briefing and hear more about WWT and how we can help your organization overcome your security operations challenges.

We also understand that consolidating and simplifying your tech stack is essential. We believe in understanding and making the most of the capabilities you already own before adding new solutions. Join a Tools Rationalization Workshop where we can help you map out your existing tool portfolio to identify overlap and gaps within your technology environment.
