Buyer's Handbook:

How to make a SIEM system comparison before you buy


A SIEM system with machine learning theoretically can improve itself

Organizations can gain several kinds of benefits from using a SIEM system, but one that's particularly intriguing is the ability to significantly improve the accuracy and speed of incident detection. To be effective, SIEM must use a combination of several analysis and detection techniques, each of which is best suited to finding certain types of incidents. Examples of technique categories include signature-based, anomaly-based, behavior-based and statistical-based.

Understandably, security information and event management (SIEM) vendors don't want to reveal the details of their data analysis and incident detection techniques, so there's no easy way to compare how well each system works and quickly identify the best SIEM system for a given company. The current trend is to promote machine learning as the answer to improving analysis and detection accuracy and speed. Machine learning means a system derives its decision rules from the data it is given rather than from people explicitly programming them. A SIEM system using machine learning should, theoretically, be able to improve itself over time as it receives and analyzes more data.

Unfortunately, machine learning principles are extremely hard for security technologies to adopt. Machine learning flourishes in many other areas of our lives because, in those, it's clear what is "good" and what is "bad." That's not true for security data analysis and incident detection; even the best human experts may not be sure if a particular event or series of events is benign or malicious.

For a SIEM tool to improve itself using machine learning, humans must be involved on an ongoing basis: they must take the time to teach the SIEM system which events are good and which are bad, correcting any mistakes the system initially makes. Even then, current machine learning capabilities aren't highly effective, because technologies, threats, vulnerabilities and attacks keep changing. That doesn't mean you shouldn't look for SIEM systems that use machine learning, but rather that you shouldn't assume that the use of machine learning necessarily means a significant improvement in analysis and detection capabilities.
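The two ideas in this section, several detection techniques run side by side and an analyst feedback loop that teaches the system which alerts were right, can be made concrete in a small Python sketch. This is an added example, not code from the handbook or from any vendor's product. The events, the blocklist entry, the transfer-size history and the analyst verdicts are all constructed sample data; the Siem class, its per-technique trust score and the way a false positive widens a user's baseline are illustrative assumptions, not how any particular SIEM product works.

```python
"""Toy SIEM-style pipeline (added example, constructed data): four detection
techniques run over the same events, and analyst feedback adjusts both a
per-user baseline and how much each technique's alerts are trusted."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed sample events. 203.0.113.0/24 is a documentation-only range used
# here as a placeholder; nothing below is a real indicator.
EVENTS = [
    {"id": 1, "user": "alice", "src": "10.0.0.5", "action": "login", "ok": True, "hour": 9, "bytes": 0},
    {"id": 2, "user": "alice", "src": "10.0.0.5", "action": "transfer", "ok": True, "hour": 10, "bytes": 1500},
    *[{"id": i, "user": "bob", "src": "10.0.0.8", "action": "login", "ok": False, "hour": 11, "bytes": 0}
      for i in range(3, 9)],                                   # six failed logins in a row
    {"id": 9, "user": "carol", "src": "203.0.113.7", "action": "login", "ok": True, "hour": 3, "bytes": 0},
    {"id": 10, "user": "carol", "src": "203.0.113.7", "action": "transfer", "ok": True, "hour": 3, "bytes": 90000},
    {"id": 11, "user": "dave", "src": "10.0.0.9", "action": "transfer", "ok": True, "hour": 14, "bytes": 1300},
    {"id": 12, "user": "dave", "src": "10.0.0.9", "action": "login", "ok": True, "hour": 2, "bytes": 0},
]
BY_ID = {e["id"]: e for e in EVENTS}
BLOCKLIST = {"203.0.113.7"}                                     # constructed known-bad indicator
BASELINE_BYTES = [1000, 1200, 1100, 1500, 1300, 900, 1400, 1250, 1150, 1350]  # constructed history
USUAL_HOURS = {u: set(range(8, 18)) for u in ("alice", "bob", "carol", "dave")}


def signature_alerts(events):
    """Signature-based: exact match against a list of known-bad indicators."""
    return [(e["id"], "signature") for e in events if e["src"] in BLOCKLIST]


def statistical_alerts(events, max_failures=5):
    """Statistical: count-based threshold on failed logins per user."""
    failures, alerts = defaultdict(int), []
    for e in events:
        if e["action"] == "login" and not e["ok"]:
            failures[e["user"]] += 1
            if failures[e["user"]] == max_failures:        # fire once, at the threshold
                alerts.append((e["id"], "statistical"))
    return alerts


def anomaly_alerts(events, z_limit=3.0):
    """Anomaly-based: transfer size far outside the historical distribution."""
    mu, sigma = mean(BASELINE_BYTES), pstdev(BASELINE_BYTES)
    return [(e["id"], "anomaly") for e in events
            if e["action"] == "transfer" and (e["bytes"] - mu) / sigma > z_limit]


def behavior_alerts(events, usual_hours):
    """Behavior-based: login outside the hours this user normally works."""
    return [(e["id"], "behavior") for e in events
            if e["action"] == "login" and e["hour"] not in usual_hours[e["user"]]]


@dataclass
class Siem:
    """Hypothetical SIEM core: combines techniques and learns from analyst labels."""
    usual_hours: dict = field(default_factory=lambda: {u: set(h) for u, h in USUAL_HOURS.items()})
    tp: dict = field(default_factory=lambda: defaultdict(int))   # analyst-confirmed alerts
    fp: dict = field(default_factory=lambda: defaultdict(int))   # analyst-rejected alerts

    def trust(self, technique):
        """Laplace-smoothed precision estimate per technique; 0.5 before any feedback."""
        return (self.tp[technique] + 1) / (self.tp[technique] + self.fp[technique] + 2)

    def detect(self, events):
        return (signature_alerts(events) + statistical_alerts(events)
                + anomaly_alerts(events) + behavior_alerts(events, self.usual_hours))

    def score(self, events):
        """Per-event score: sum of the trust of every technique that fired on it."""
        scores = defaultdict(float)
        for event_id, technique in self.detect(events):
            scores[event_id] += self.trust(technique)
        return dict(scores)

    def feedback(self, event_id, technique, malicious):
        """An analyst verdict updates the technique's trust; a rejected behavior
        alert also teaches the system that this hour is normal for that user."""
        if malicious:
            self.tp[technique] += 1
        else:
            self.fp[technique] += 1
            if technique == "behavior":
                self.usual_hours[BY_ID[event_id]["user"]].add(BY_ID[event_id]["hour"])


def run_demo():
    siem = Siem()
    before = siem.score(EVENTS)
    # Constructed analyst verdicts: carol's activity and bob's failures are real
    # incidents; dave simply works a night shift, so that alert is a false positive.
    for event_id, technique, malicious in [(9, "signature", True), (9, "behavior", True),
                                           (10, "signature", True), (10, "anomaly", True),
                                           (7, "statistical", True), (12, "behavior", False)]:
        siem.feedback(event_id, technique, malicious)
    after = siem.score(EVENTS)
    return siem, before, after


if __name__ == "__main__":
    siem, before, after = run_demo()
    print("before feedback:", before)
    print("after feedback: ", after)
    print({t: round(siem.trust(t), 2) for t in ("signature", "statistical", "anomaly", "behavior")})
```

Before any feedback every technique is trusted equally, so carol's login and transfer score 1.0 each, bob's fifth failed login and dave's 2 a.m. login score 0.5 each. After the analyst labels the alerts, dave's hour is absorbed into his baseline and his alert disappears, while the techniques that were confirmed gain trust and rank the confirmed events higher. The point the section makes is visible in the code: nothing improves until a person supplies the labels, and the "learning" is only as good as the verdicts it is given.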
