SIEM products have been at the heart of many organizations security operations for over a decade. Whether they're being used mostly for centralized logging and compliance or for incident detection and response efforts, security information and event management products (SIEM products), provide a single interface to information from many security systems. Over the years, SIEM technologies have changed, and it's important that your own SIEM strategies evolve to incorporate these advances.
Here are a few recent advances you should be aware of when looking at new SIEM products or re-evaluating your existing SIEM's quality.
Big data adoption
One of the biggest trends in SIEM during the past few years has been the switch from relational databases to big data models. If your organization is using SIEM strictly as centralized logging, a switch to big data may be ill advised, because of its potentially lossy nature. (Big data doesn't use traditional relational databases, so it cannot be relied upon to comprehensively retrieve every bit of data originally stored in it.) But if your organization is using SIEM for incident detection and response, a switch to big data may improve your incident detection rates by being able to collect much more data and crunch it to find the patterns of attacks within it.
Threat intelligence feeds
SIEM products increasingly support the ingestion of threat intelligence feeds. These feeds contain information about threat indicators, such as the IP addresses, hostnames and URLs attackers use. Each feed typically includes a score for each threat indicator, rating relative confidence in its malicious nature, as well as additional metadata that provides context for the threat intelligence. When a threat intelligence feed is used in conjunction with SIEM data, it provides a wealth of intelligence and allows for the expedited identification of incidents and more confident responses. Make sure that your SIEM supports threat intelligence feeds.
Logging in multitenant clouds has long been a challenge for SIEM systems. Fortunately, there are now many cloud-based SIEM services and products that can collect audit logs and route those logs to an organization's regular (non-cloud) SIEM servers. Some of these cloud-based SIEM products are offered by the same vendors that offer regular SIEM products; integration may be trivial for these cases. In other cases, extensive planning and testing may be needed to determine if the data from the cloud can be collected, processed and transported to the enterprise SIEM system in a timely enough manner to support incident response.
Although SIEM products have traditionally been thought of as centralized log processing, enterprises can now ensure increased scalability by having individual data collection points do some of their own data analysis and processing. If your SIEM is currently struggling to keep up with its workload, you may benefit from switching to a distributed architecture.
In conclusion, consider your own organization's needs for a SIEM product in the context of these four recent advances. Odds are that if your organization is solely interested in SIEM for centralized logging, these advances aren't so important -- but be aware that your SIEM can do so much more than just log management. It can be an invaluable tool both for discovering incidents more quickly and by correlating data across systems and events with threat intelligence.
What problem does your SIEM system need to solve?
Before you choose a SIEM, consider these factors
Stay up to date on SIEM product developments