
The future of SIEM: What needs to change for it to stay relevant?

Compared to security orchestration, automation and response (SOAR) software, SIEM systems are dated. Expert Andrew Froehlich explains how SIEM needs to adapt to keep up.

At its core, a security information and event management (SIEM) system is a great way to collect log and event information from disparate network, security and data center hardware and software. It is also useful for initial analysis and for categorizing alerts. On those two counts, SIEM remains relevant. The question of SIEM's relevance usually arises, however, when a SIEM is compared with the newer and increasingly popular security orchestration, automation and response (SOAR) tools, which offer useful features that traditional SIEM products lack. Let's look at the future of SIEM and the changes it needs to make to catch up with SOAR.

First, SIEM products need to become more intelligent about raising alerts only when action is required. The biggest complaint about a SIEM deployed in a large IT infrastructure is that the security team is inundated with potential threats it should track down but cannot, for lack of staff. By comparison, newer SOAR platforms offer more advanced analysis and correlation engines that reduce the number of false positives.

Second, SIEM can't simply provide alerts about a potential security problem and be done. Instead, it needs to take SOAR's example and provide actionable steps a security administrator should take to quickly investigate and remediate the threat.

Lastly, the future of SIEM should include two-way communication between the SIEM and the devices sourcing its log and event data. A channel back to the source device creates opportunities to use AI and automation not only to find a solution to a security issue, but also to remediate it without human intervention.

The logical conclusion is that SIEM and SOAR will soon evolve into a single tool for security departments to manage. Look for traditional SIEM products to take on the benefits of SOAR, but don't be surprised to see SOAR vendors respond by expanding their capabilities.

2 comments

Send me notifications when other members comment.

Please create a username to comment.

What SIEM components are most in need of a tuneup?
1 - The main thing a SIEM has to do is normalize the events into a single format, since it does not differentiate between uppercase, lowercase, accents, etc.

2 - The company must have knowledge of each of its IPs and its infrastructure, something like having a Shodan search engine on the LAN, because most of the time it is not known to which device an IP belongs.

3 - Enrichment lists should be automatic: for example, application users and individual users, servers, workstations, operating systems, LDAP, VMware, Hyper-V, network devices, printers. These lists make it possible to exclude false positives in a simple way.

4 - You must know what is normal and what is not, because the number of events does not always matter, but rather their meaning.
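As an added example (not code from the article or the commenter), here is a small Python sketch of the normalization and enrichment the comment above describes: two constructed events in different vendor formats are mapped onto one schema, usernames are casefolded and accent-stripped so that "José.López" and "JOSE.LOPEZ" match, and each event is enriched from a constructed asset inventory so that activity from unknown sources is escalated while known assets can be deprioritized. The inventory, log lines, vendor names and the escalate/review verdicts are assumptions made for this example.

```python
import re
import unicodedata

# Constructed asset inventory standing in for the "Shodan for the LAN"
# the comment asks for: source IP -> (canonical hostname, asset class).
ASSETS = {
    "10.0.1.23": ("ws-lopez", "workstation"),
    "10.0.0.5": ("fileserver01", "server"),
}

# Two constructed raw events in different vendor formats (syslog and CEF).
RAW_EVENTS = [
    "Jan 12 10:01:02 FileServer01 sshd[2201]: Failed password for José.López from 10.0.1.23 port 51022 ssh2",
    "CEF:0|ExampleVendor|Firewall|1.0|100|Connection denied|5|src=10.0.9.77 dst=10.0.0.5 suser=JOSE.LOPEZ",
]

def normalize_text(value):
    """Casefold and strip accents so 'José.López' and 'JOSE.LOPEZ' compare equal."""
    decomposed = unicodedata.normalize("NFKD", value)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).casefold()

def parse_event(raw):
    """Map a syslog auth line or a CEF line onto one common schema.
    The CEF extension parsing is simplified: values are assumed to contain no spaces."""
    if raw.startswith("CEF:"):
        fields = raw.split("|")
        ext = dict(kv.split("=", 1) for kv in fields[7].split())
        return {"src_ip": ext["src"], "user": ext["suser"], "action": fields[5]}
    m = re.search(r"Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)", raw)
    return {"src_ip": m.group(2), "user": m.group(1), "action": "Failed password"}

def enrich(event):
    """Attach asset context; an unknown source is labelled, never guessed."""
    host, asset_class = ASSETS.get(event["src_ip"], ("unknown", "unknown"))
    return {**event, "user": normalize_text(event["user"]),
            "src_host": host, "asset_class": asset_class}

def triage(raw_events):
    """Return (normalized event, verdict) pairs: events from inventoried assets
    go to routine review, events from unknown sources are escalated."""
    results = []
    for raw in raw_events:
        ev = enrich(parse_event(raw))
        verdict = "escalate" if ev["asset_class"] == "unknown" else "review"
        results.append((ev, verdict))
    return results

if __name__ == "__main__":
    for ev, verdict in triage(RAW_EVENTS):
        print(verdict, ev)
```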
