Security Operation Centres (SOCs) across the globe started to yield benefit in the nineties, when the concept of Security Information and Event Management (SIEM) systems was introduced and amalgamated into the cyber/information security office of an enterprise. The SIEM was not only a monitoring tool but also assisted the organisation in taking care of compliance aspects. Hence, SIEM products are considered not only a solution for large enterprises worried about fulfilling their compliance reporting requirements, but also a tool within an enterprise to maintain logs (with retrieval enabled) and to detect threats. In a conventional SIEM setup, these solutions also help security teams find and mitigate threats both in real time and as part of post-incident management.
As the spectrum of threat vectors kept widening, and as the domain of enterprises kept expanding, the need for automation of the SIEM was felt. The first generations of SIEMs required expert data analysis and a skilled team able to filter out the growing number of false positives to discover the real security threats; hence the need was felt to introduce AI/ML (AI: Artificial Intelligence, ML: Machine Learning) and intelligent automation that could reduce the burden on the SOC team and also ensure that a True-Negative is not missed by the SIEM.
Conventional SIEM management is a labour-intensive activity that also requires an expert skill set, as breaches typically take weeks or months to uncover, investigate, and mitigate. Modern SIEMs can apply new solutions to your security domain that weren’t available with legacy SIEMs. But many SIEMs claim to be “next-generation,” yet don’t have what’s needed to solve the problems most security teams and enterprises face today.
10 Features to look for in a Next-Gen SIEM
1. Collect and manage data from all available sources, with real-time monitoring
Present-day threats typically span multiple data sources. To be effective, every data source must be available to your next-gen SIEM so that it can analyse and correlate the data. This includes cloud service data, on-premises log data (security controls, databases, and application logs), and network data (flows, packets, etc.). With real-time security monitoring tools, enterprises can collect data from the different sources in their environment and present that data in graphical reports.
2. Well-vetted, big data architecture
Many legacy SIEMs were conceptualised and rolled out in the early 2000s and use proprietary technology. There is a significant technological difference between then and now. Platforms such as Hadoop, Mongo, Elasticsearch, and Spark simply weren’t available then.
Given the amount of data being collected, what’s now needed is a big data architecture that can scale with the data, pivot within it, and take advantage of advanced data science algorithms.
3. Enrichment of user and asset context
Look for a high level of enrichment that yields useful results from all the data you’re collecting. Advances in data science provide many insights that previously had to be correlated by experienced analysts, such as:
- Dynamic peer grouping
- Associating IP addresses with users, machines, and timelines
- Tracking asset ownership
- Associating user and machine types with activities
- Identifying service accounts
- Correlating personal email addresses with employees
- Associating badging station log activity with user accounts and timelines
By using a SIEM that understands context and intent, you can look up asset ownership, user login location, peer groups, and other information that can help you discover abnormal behaviours.
4. User and Entity Behavior Analytics (UEBA)
Tracking and monitoring user behaviour analytics is a great way to improve information security within an enterprise. Assigning a risk score to every user and entity in an organization is the practice in the conventional SIEM, but identifying anomalies and corroborating threats as an inherent function adds more value to the Next-Gen SIEM, as does refining the nuances of this scoring. These scores should therefore be based on the weight of suspicious activity (i.e., the extent of deviation from a baseline, the frequency of the action, etc.).
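As an added illustration (not code from the original article or from any SIEM vendor), the following Python sketch scores users the way this paragraph describes: deviation of today's login volume from a per-user baseline, plus never-before-seen hosts and failed attempts. All data, weights, user and host names are constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample data (hypothetical, not from any real SIEM): per-user
# daily login counts over a 6-day baseline window, and each user's usual hosts.
BASELINE_COUNTS = {"alice": [2, 4, 2, 4, 2, 4], "svc-backup": [12] * 6}
KNOWN_HOSTS = {"alice": {"ws-alice"}, "svc-backup": {"db01"}}

# Constructed events for the day being scored: (user, host, login succeeded).
TODAY = (
    [("alice", "ws-alice", True)] * 2 + [("alice", "fileserver-07", True)]
    + [("alice", "hr-db", False)] * 2 + [("alice", "hr-db", True)]
    + [("svc-backup", "db01", True)] * 12
    + [("bob", "ws-temp", True)]  # a user with no baseline at all
)
# Weights are assumptions for this example; a real deployment tunes them.
W_DEVIATION, W_NOVEL_HOST, W_FAILURE, MAX_SCORE = 10, 15, 5, 100


def deviation(user, count):
    """Standard deviations by which today's count exceeds the user's baseline
    mean. Unknown users and flat baselines use a floor of 1.0 so that a
    constant history (e.g. a service account) still scores when it changes."""
    history = BASELINE_COUNTS.get(user, [])
    mu = mean(history) if history else 0.0
    sigma = pstdev(history) if len(history) > 1 else 0.0
    return max((count - mu) / max(sigma, 1.0), 0.0)


def score_users(events):
    """Risk score per user: weighted volume deviation, number of never-seen
    hosts, and failed attempts, capped at MAX_SCORE."""
    counts = Counter(user for user, _, _ in events)
    failures = Counter(user for user, _, ok in events if not ok)
    hosts = defaultdict(set)
    for user, host, _ in events:
        hosts[user].add(host)
    scores = {}
    for user, count in counts.items():
        novel = hosts[user] - KNOWN_HOSTS.get(user, set())
        raw = (W_DEVIATION * deviation(user, count)
               + W_NOVEL_HOST * len(novel) + W_FAILURE * failures[user])
        scores[user] = min(round(raw), MAX_SCORE)
    return scores


def prioritised(events):
    """Users ordered for analyst attention, highest risk first."""
    return sorted(score_users(events).items(), key=lambda kv: -kv[1])
```

The flat-baseline floor matters in practice: without it a service account that never varies would divide by zero or never score, even when its behaviour changes.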
5. Incident Management and Prioritization
The amount of data SOCs need to analyse is staggering. Incident management functionalities include detection, categorization, and analysis tools, which can help an enterprise reduce the time it takes to detect and resolve a breach. The logs so generated should always be the source for managing an incident if (and when) it occurs. These features can also help protect networks from future attacks by enabling users to conduct a forensic analysis of an incident, analyse the tracks left behind, and use that data to ensure a similar incident won’t recur. Modern SIEMs are designed to improve the signal-to-noise ratio to the point where you can regain control of your domain. The ability to eliminate false positives and focus only on events with abnormal behaviours is essential for robust security, efficient staff performance, and keeping down costs.
6. Threat Intelligence and Automated Tracking of Lateral Movement
When looking at different SIEM solutions, CISOs need to prioritize those equipped with threat detection and threat analytics add-ons. These tools combine open-source and commercial threat feeds to help enterprises streamline threat detection efforts, reduce false positives, triage threats when they occur, provide deeper visibility into network activity, and spotlight the most pressing alerts.
It is a known fact that over 60 percent of the threat is from insider actors, and this can be termed ‘attacks involving lateral movement’. This is where attackers attempt to evade detection or gain access to higher privileges by changing credentials, IP addresses, and assets. To effectively follow lateral movement from beginning to end, your SIEM must be able to tie such related events together.
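The following added Python example (not from the original article or any product) shows one way a SIEM can tie related authentication events together as the paragraph requires: each hop is linked when its source host is the previous hop's destination within a time window, and a chain is surfaced when it crosses several hosts, with the distinct accounts used along the way. Event data, host names, account names and the window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed authentication events (hypothetical, not real SIEM data):
# (timestamp, source host, account used, destination host).
EVENTS = [
    ("2024-05-01T08:02:00", "ws-alice", "alice", "fileserver-07"),
    ("2024-05-01T08:05:00", "ws-bob", "bob", "mail01"),
    ("2024-05-01T08:41:00", "fileserver-07", "svc-backup", "db01"),
    ("2024-05-01T09:10:00", "db01", "admin-svc", "dc01"),
    ("2024-05-01T17:30:00", "ws-bob", "bob", "fileserver-07"),
]
WINDOW = timedelta(hours=2)  # assumed maximum gap between linked hops


def build_chains(events, window=WINDOW):
    """Stitch events into movement chains in time order. An event continues a
    chain when its source host is the chain's last destination and it occurs
    within `window` of that hop; otherwise it starts a new chain.
    Returns chains as lists of (src, user, dst)."""
    chains = []
    parsed = sorted((datetime.fromisoformat(t), s, u, d) for t, s, u, d in events)
    for ts, src, user, dst in parsed:
        for chain in chains:
            last_ts, _, _, last_dst = chain[-1]
            if last_dst == src and ts - last_ts <= window:
                chain.append((ts, src, user, dst))
                break
        else:
            chains.append([(ts, src, user, dst)])
    return [[(s, u, d) for _, s, u, d in c] for c in chains]


def lateral_movement(events, min_hops=2):
    """Chains that crossed at least `min_hops` hosts, with the distinct
    accounts used along the way: a credential switch mid-chain is exactly the
    pattern the paragraph above says the SIEM must tie together."""
    findings = []
    for chain in build_chains(events):
        if len(chain) >= min_hops:
            path = [chain[0][0]] + [dst for _, _, dst in chain]
            accounts = sorted({user for _, user, _ in chain})
            findings.append({"path": path, "accounts": accounts})
    return findings
```

On the constructed data, the chain ws-alice to fileserver-07 to db01 to dc01 is reported with three different accounts, while bob's two unrelated logins stay as separate single-hop chains.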
7. Flat Costing for log ingestion and storage
Most legacy SIEMs come with volume-based pricing. The more data you collect, the more it costs your organization. This means that even without increasing the number of data sources, your costs will see a significant increase within just a few years of the initial implementation. Hence, a solution that provides the appropriate scalability, with the ability to add storage with minimal configuration and management at minimal or nil cost, should be considered.
8. Improved security information model and Cloud Readiness
Legacy SIEMs have a security model that’s mostly based on discrete events. Manually converting an event series into a structured behaviour timeline requires a huge amount of time. While a SIEM solution can’t eliminate the potential for human error, it can help lessen the risk through appropriate management of an incident. For advanced analysis, security data must be stored in a useful form, for example a timeline that contains the entire scope of each user and entity you’re monitoring. When all required information is organized in this way, expert systems immediately provide the complete context when surfacing abnormal events.
A cloud data breach is also a Next-Gen attack vector, and enterprises need to be sensitive to this requirement when selecting a SIEM. The Next-Gen SIEM must have the capability to report on routine and unusual activity, including unusual log-ins, unauthorized data distribution, and changes to virtual networks, DNS zones, security groups, databases, virtual machines, and storage accounts.
9. Integrated Compliance Management
SIEM solutions play a significant role in helping organizations maintain compliance with regulatory mandates and pass security audits. When comparing solutions, evaluate those equipped with capabilities to monitor the SOC, log network activities, and provide alerts when irregular movements occur. The selected SIEM should also be chosen on the criteria of the business and the compliance components set by your regulators/governing body.
10. Security Orchestration and Automation Response (SOAR)
SIEM vendors use different jargon to sell their products in the market. However, the CISO must look for these two key areas (orchestration and automated response), which should be part of the deliverables of the Next-Gen SIEM:
- Deploy prebuilt connectors to your IT and security infrastructure, without having to script them yourself
- Easily pull/push data into/out of your access management systems, firewalls, email servers, network access controllers, and other management tools
- Use response playbooks to codify best responses to specific threat types
- Provide workflow automation on top of your orchestration plumbing
- Enable threat response automation, while also reducing personnel tedium
- Control all your tools from one place
An advanced SOAR solution can free up your highly skilled analysts to create playbooks, while enabling junior analysts to run them. You can realize a faster mean-time-to-resolution with the efforts of fewer full-time employees.