Security information and event management (SIEM) systems are designed to collect log information and perform fixed correlation functions. As enterprises strive to rapidly detect and respond to breaches and potential threats, interest in advancing the analytics capabilities of SIEM deployments is on the rise. Are SIEM deployments capable of handling data analysis in an era of big data?
While SIEM systems promise visibility into network events and potential threats, their ability to identify true threats remains uneven, reports technology journalist Robert Lemos. Traditionally, these systems have automated the collection and management of log files but that has resulted in a large number of false positives. SIEM systems also continue to be expensive and have significant staffing requirements. Information overload from the high number of false positives and the continued failure to detect signs of advanced attacks remain major problems for security teams.
Big data and advanced analytics may deliver better threat detection. When combined with SIEM, analytics tools can help security analysts with event correlation and investigation of broader datasets. SIEM systems typically do not allow investigation into events, although case management functionality is being added by some vendors.
Data analytics also offers a way to interactively search through security and business data sets for evidence of compromise. Revealed patterns can be automated for future detection of threats, Lemos says. But the market is still immature: Splunk Inc., RSA, The Security Division of EMC Corp. and Blue Coat Systems Inc. offer analytics-focused products, while other vendors such as AlienVault Inc. and LogRhythm Inc. incorporate analytics capabilities. In this video, Lemos talks about where SIEM and analytics tools are today. He also reports on strategies that may help organizations incorporate better analytics into their current deployments, in an effort to improve threat detection as well as time management for security teams moving forward.