FINAL WORD

Next-generation SIEM

AI/ML-powered analytics is indeed revolutionising the science of advanced threat detection and will continue to do so throughout the next decade. AI’s greatest impact will be towards holistic threat analytics, which is the ability to detect and qualify threats with accuracy wherever they might originate and with whatever they might intersect – endpoint, server, application, device or user. Next-generation SIEM platforms should ultimately enable an organisation to have visibility into both known and unknown cyberthreats across the holistic attack surface. This pervasive centralised visibility serves as the foundation for holistic threat detection, creating an incredible analytics opportunity for AI-powered technologies.

Pervasive visibility enables sophisticated scenario analytics to continuously model data – recognising the occurrence of complex scenarios that exhibit the tactics, techniques and procedures (TTPs) of known threats. The same visibility also empowers deep behaviour analytics, modelling a diverse cross-section of behaviours across the IT infrastructure and the users operating within, allowing detection of subtle behavioural shifts that might indicate a potential or present threat.

NextGen SIEM should allow organisations to optimise organisational false negative risk versus false positive load.

The security industry’s journey with AI-powered analytics is still relatively nascent. It is up to security vendors to be at the forefront of this journey, delivering customers advanced and pragmatic approaches that will best protect them from ever-evolving threats. And there is no silver bullet; organisations should view NextGen SIEM as a platform and select a NextGen SIEM vendor that can pragmatically realise full NextGen SIEM capabilities across time, against their practical resource constraints.
How has SIEM evolved over the last decade, and where do the likes of SOAR and SOAPA fit into the security picture?

Just like the threats it was designed to protect us from, SIEM is continuously evolving. Cybersecurity technology that is developed to solve a specific issue at a given time and doesn’t change or evolve will soon become legacy as threats and tactics grow in sophistication. As such, if SIEM had stayed as its initial incarnation it would be extinct, but it has evolved with the times and ‘NextGen SIEM’ now exists.

NextGen SIEM has evolved to have Big Data storage architecture at its foundation. This enables it to cope with the increasing influx of security information by facilitating a far greater repository where data is analysed with advanced capabilities – including complex scenario detection and behavioural modelling – which allows it to identify and prioritise known and unknown threats. Furthermore, advanced incident response automates threat mitigation and investigation with previously unparalleled speed and accuracy.

SOAPA and SOAR technologies are still in their infancy, with the industry not yet fully decided on how to truly define the terms. Yet what can be said is that both can encompass SIEM. For instance, traditional SIEM solutions typically focus on a few data points, but SOAPA enables users to unify SIEM alongside other vendors’ APIs into a single platform.

This means other data from other tools, such as network security analytics, incident response platforms, endpoint detection and anti-malware etc., are knitted together to ensure a more comprehensive picture which provides security teams with greater oversight.

SOAR is a term created by Gartner and refers to a more efficient and effective response to threats, often through the use of automation.

How is AI (or ML) changing the SIEM model currently and will it transform it completely in the next couple of years?

Security teams are often restricted by limited time, money and people-power, so businesses simply cannot expect their digital estates to be truly secure if responsibilities are carried out manually in this day and age.

The time and effort it can take to investigate the sheer quantity of alerts, identify new attack trends, test networks to uncover vulnerabilities, as well as manage a growing number of cybersecurity tools, means that security teams are under increasing pressure as their resources are spread thinly. This only makes it more likely that anomalous activity could go unnoticed and cause real damage in the form of a material breach.

With the amount of inflowing cybersecurity data ever-increasing, manually responding to alerts is a tedious process and likely to result in missed red flags. When automation is incorporated into a firm’s SIEM setup and overall cybersecurity posture, it is in a much better position to respond sufficiently to potential threats.

The addition of ML to SIEM promises to reduce the human effort needed to secure networks. Expanding datasets can be analysed quickly with red flags waved so that security teams know where they should focus.

Moreover, such technologies can move beyond the typical rules-based approach so that threats that are following new patterns are highlighted and then learned. As tactics evolve, so does NextGen SIEM.

That being said, organisations that view ML as a silver bullet to their challenges will soon come crashing back to reality. While ML can analyse data quickly, it’s only as good as the data it’s reviewing, making inaccurate or insufficient data sources a cause of concern. There may also be a lack of consistency in how each ML solution reports its findings.

Furthermore, the business will need to calculate a comfortable balance between false positives and false negatives, with an increase in the former affecting the latter in the same way. This means that each alert will still need to be checked, even if just to confirm that everything is OK rather than to deeply investigate and analyse every threat.

104 INTELLIGENTCIO
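The false negative risk versus false positive load trade-off that both the pull quote and the closing answer describe is easiest to see with numbers. The following is an added illustration, not code from the article or from any SIEM vendor: it builds a per-user login baseline from constructed hourly counts, flags observed hours that deviate from that baseline, and sweeps the alert threshold to show that a stricter threshold trades missed threats for reduced analyst load. All user names, counts and labels are constructed sample data.

```python
"""Behaviour baseline with a false-negative / false-positive sweep.

Added illustration, not from the article. Each user has a baseline of
logins-per-hour; an observed hour is flagged when it deviates from that
baseline by more than `threshold` standard deviations.
"""
from statistics import mean, pstdev

# Constructed sample data: twelve baseline hours per user, then three
# observed hours per user with the label an analyst assigned afterwards.
BASELINE = {
    "alice": [3, 4, 3, 5, 4, 3, 4, 5, 3, 4, 4, 3],
    "bob": [1, 0, 1, 2, 1, 1, 0, 1, 1, 2, 1, 1],
    "svc": [20, 21, 19, 20, 22, 20, 21, 19, 20, 20, 21, 20],
}
OBSERVED = [  # (user, hour, login_count, is_malicious)
    ("alice", 13, 4, False), ("alice", 14, 9, True), ("alice", 15, 6, False),
    ("bob", 13, 1, False), ("bob", 14, 3, True), ("bob", 15, 2, False),
    ("svc", 13, 20, False), ("svc", 14, 26, True), ("svc", 15, 22, False),
]

def zscore(user, count):
    """How many baseline standard deviations `count` sits from the user's mean."""
    hist = BASELINE[user]
    sd = pstdev(hist) or 1.0  # a perfectly flat baseline would divide by zero
    return (count - mean(hist)) / sd

def evaluate(threshold):
    """Return (false_negatives, false_positives, true_positives) at one threshold."""
    fn = fp = tp = 0
    for user, _hour, count, malicious in OBSERVED:
        flagged = abs(zscore(user, count)) > threshold
        if flagged and malicious:
            tp += 1
        elif flagged:
            fp += 1  # analyst load: a benign hour that still has to be triaged
        elif malicious:
            fn += 1  # risk: a real threat that never raised an alert
    return fn, fp, tp

def sweep(thresholds=(1.0, 2.0, 3.0, 4.0, 7.0)):
    """Map each threshold to its (fn, fp, tp) so the trade-off can be compared."""
    return {t: evaluate(t) for t in thresholds}

if __name__ == "__main__":
    for t, (fn, fp, tp) in sweep().items():
        print(f"threshold {t}: missed={fn} noise={fp} caught={tp}")
```

The low-volume account "bob" is the instructive case: its malicious hour is only about 3.5 deviations from baseline, so any threshold above that buys zero noise at the price of one missed threat.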
www.intelligentcio.com