The following is an excerpt from our recently published whitepaper, “The Failed Promises of SIEM: How Next-Generation Cybersecurity Platforms are Solving the Problems Created by Outdated Tools,” in which we discuss the ways in which SIEM has failed to deliver on promises made to the cybersecurity industry and why cyber teams must instead turn to a next-generation platform powered by unsupervised AI to navigate the ever-evolving threatscape of 2020 and effectively defend against modern threats and bad actors.
The Evolution of SIEM
It should be noted that SIEM platforms are exceptionally effective at what they were initially intended for: providing enterprise teams with a central repository of log information that allows them to conduct search and investigation activities against machine-generated data. If this were all an enterprise cybersecurity team needed in 2020 to thwart attacks and stop bad actors from infiltrating their systems, SIEM would truly be the cybersecurity silver bullet that it claims to be.
The functionality of SIEMs does allow organizations to benefit from several significant features:
- The ability to access historical data made it possible to comply with rapidly changing compliance requirements in an efficient, effective way.
- Aggregating and analyzing network events captured by endpoints and machine-generated data sources to provide greater visibility into network infrastructure challenges.
- Providing search and investigative capabilities.
- Serving as a log collection point.
Over time, SOC teams recognized additional potential uses for the SIEM framework. But one of the fundamental foundations for the establishment and rise of the SIEM market was the compliance factor. The question now is whether these compliance platforms were built for modern cybersecurity challenges.
Gartner Defines SIEM
While SIEM-like processes were not entirely new among security operation centers (SOCs) in the early 2000s, the industry didn’t recognize SIEM as a term until it was coined in 2005 by two Gartner security analysts, Mark Nicolett and Amrit Williams. Gartner’s SIEM report, Improve IT Security with Vulnerability Management, proposed a new kind of security information platform based on two previous generations:
First-generation Security Information Management (SIM) approaches were built on top of traditional log collection and management systems. These systems benefitted from game-changing features like long-term storage and analysis capabilities. SIM also introduced the ability to evaluate combined logs with threat intelligence.
Second-generation Security Event Management (SEM) platforms addressed security events. These systems could aggregate, correlate, and notify analysts about security events based on triggers from antivirus programs, firewalls, and intrusion detection systems (IDS). They could also handle events reported directly by authentication systems, SNMP traps, servers and network databases.
Additional collections of queries, dashboards, and recording capabilities layered on top of the SIEM system allowed SOC teams to address specific user requirements.
NIST Identifies Benefits of SIEM Software
Later in 2006, NIST described SIEM in its Guide to Computer Security Log Management. The standards agency identified two main types of SIEM: agentless and agent-based.
Agentless SIEM, according to NIST, “receives data from the individual log generating hosts without needing to have any special software installed on those hosts.” Then, the server “performs event filtering and aggregation and log normalization and analysis on the collected logs.”
NIST concluded that the primary advantage of the agentless approach is that agents do not need to be installed, configured, and maintained on each logging host. However, NIST recognized that a “lack of filtering and aggregation at the individual host level could cause significantly larger amounts of data to be transferred over networks and increase the amount of time it takes to filter and analyze the logs.”
Authentication, NIST wrote, was another concern. If the agentless SIEM software needed to obtain authentication credentials for each logging host, an agent would likely need to be installed to remotely collect logs.
In the guide, NIST described Agent-Based SIEM as a program installed on the log generating host to “perform event filtering and aggregation and log normalization for a particular type of log, then transmit the normalized log data to a SIEM server, usually on a real-time or near-real-time basis for analysis and storage.”
NIST explained that a SIEM server analyzes data from the various log sources, correlates events among the log entries, identifies and prioritizes significant events and can initiate responses to events.
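To make the agent-based pipeline NIST describes concrete, here is an added example (not code from the whitepaper or from NIST) of the host-side stages: filter a raw auth log down to sshd authentication outcomes, aggregate repeated failures, normalize to one event schema, and measure how many bytes the agent ships compared with forwarding the raw lines agentlessly. The log lines, hostnames and IP addresses are constructed for the demonstration.

```python
import json
import re
from collections import defaultdict

# Constructed sample: raw sshd/cron lines as an agent would read them from auth.log
RAW_LOG = """\
Oct 14 11:02:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 5412 ssh2
Oct 14 11:02:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 5413 ssh2
Oct 14 11:02:05 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 5414 ssh2
Oct 14 11:02:09 web01 sshd[2210]: Accepted publickey for deploy from 198.51.100.4 port 6001 ssh2
Oct 14 11:02:10 web01 CRON[2215]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 14 11:02:11 web01 sshd[2210]: Disconnected from user deploy 198.51.100.4 port 6001
"""

SSHD = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse(line):
    """Filter stage: keep only sshd authentication outcomes; everything else is dropped."""
    m = SSHD.match(line)
    if not m:
        return None
    return {
        "host": m["host"],
        "user": m["user"],
        "src_ip": m["src"],
        "outcome": "failure" if m["result"].startswith("Failed") else "success",
    }

def agent_normalize(raw):
    """Host-side agent: filter, aggregate repeated failures per (host, user, source), normalize."""
    successes = []
    failures = defaultdict(int)  # (host, user, src_ip) -> number of failed attempts
    for line in raw.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        if ev["outcome"] == "failure":
            failures[(ev["host"], ev["user"], ev["src_ip"])] += 1
        else:
            successes.append(ev)
    events = [{"host": h, "user": u, "src_ip": s, "outcome": "failure", "count": c}
              for (h, u, s), c in failures.items()]
    return events + [dict(ev, count=1) for ev in successes]

def volume_reduction(raw):
    """Bytes the agent transmits (JSON lines) versus forwarding the raw log unfiltered."""
    shipped = "\n".join(json.dumps(e, sort_keys=True) for e in agent_normalize(raw))
    return len(raw.encode()), len(shipped.encode())
```

The three normalized events carry the same investigative facts (who, from where, how many times) as the six raw lines, which is the host-level filtering and aggregation NIST credits the agent-based approach with and the agentless approach lacks.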