
Legacy SIEMs have fallen, replaced by AI-powered platforms

The end of legacy SIEMs

Security Information and Event Management (SIEM) software burst upon the scene 20 years ago with the appealing proposition of combining security information management and security event management in a real-time bundle that helps stop attacks before they disrupt the business. Organizations could finally get a holistic view of their information security posture.

That worked until data volumes began to spiral out of control. Early SIEMs had limited capacity and were mostly built on structured relational data. Scaling them required expensive hardware and storage upgrades. Even then, growing data volumes dragged down query performance and cancelled out many of the promised speed benefits. The processing overhead needed to index incoming data can stretch search times to minutes against adversaries moving at real-time speed.

Attackers haven’t stood still. Breakout times, or the interval between a breach and the time an intruder begins to move laterally within a network, have fallen to as little as seven minutes. The manual analysis and response that legacy SIEMs require are no match for such nimble foes.

Slow and costly

Implementing traditional SIEM has historically been a slow and expensive process, with installation, configuration and integration work often stretching out for months. Initial investments can run into hundreds of thousands of dollars, not including the operational costs of personnel to manage and monitor the SIEM, subscription fees to threat alert services, and annual support costs. Considerable resources are required to maintain and update them, including the costly specialized skills needed to create and modify rules and parse new log sources.

Many older SIEMs have Byzantine user interfaces that make it difficult for security analysts to monitor and investigate alerts effectively. They also lack the advanced analytics and machine learning capabilities to identify sophisticated threats, relying instead on signatures and rule-based detection. Those measures are fine when attack patterns are well understood, but they are useless against the novel zero-day exploits that now account for about 80% of successful data breaches. Predefined rules also tend to generate many false positives, wasting time and causing teams to overlook real threats.

SIEM was supposed to reduce security alert frequency, but the opposite has happened. Security teams deal with thousands of alerts every day — a deluge that causes burnout and contributes to turnover at a time when cybersecurity skills are in painfully short supply.

Despite all these shortcomings, many organizations continue to limp along on older systems because upgrades are so resource-intensive. They throw good money after bad by continuing to invest in products that are increasingly irrelevant to the problem.

New horizons in SIEM

Modern SIEMs look little like their legacy ancestors. They’re built from the ground up to deliver better, faster, and more cost-effective outcomes enabled by artificial intelligence (AI) and automation. Cloud-native deployment dramatically reduces installation time and costs. Today’s most sophisticated products unify SIEM, endpoint detection and response (EDR) and extended detection and response (XDR) in a single platform. Scale-out architectures based on commodity servers and storage replace the costly scale-up approaches that legacy SIEM required.

Using agents that track endpoints, cloud workloads, identities, and data protection platforms, next-generation SIEM systems are built on flexible architectures that easily integrate third-party extensions. AI-powered context-aware incident reports stitch together all related alerts and context in a summary powered by generative AI and presented in a single, visually compelling graph. Sophisticated query languages support rich syntax, aggregation, statistical functions, and data manipulation for joining datasets. AI also offers advanced filtering and pattern matching.

Detection, investigation, and response workflows are integrated and automatically orchestrated. Index-free search delivers instantaneous results. Data lake technology promises to let teams store vast amounts of data at low cost with flexible access while eliminating information silos. All relevant information about adversaries and their tradecraft becomes instantly available through a single query. Even junior security personnel can gain insights by using plain-language prompts with a generative AI interface.
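The alert stitching described above, as an added example that is not the article's or CrowdStrike's code: it groups constructed sample alerts into incidents by shared host or user (hypothetical field names), so an analyst sees a handful of incidents instead of a deluge of alerts, and measures breakout time as the gap from the first alert to the first alert on a different host.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts; "host", "user" and "rule" are hypothetical field names.
ALERTS = [
    {"id": "a1", "ts": "2024-05-01T09:00:00", "host": "ws-17", "user": "jdoe", "rule": "attachment-exec"},
    {"id": "a2", "ts": "2024-05-01T09:04:00", "host": "ws-17", "user": "jdoe", "rule": "credential-access"},
    {"id": "a3", "ts": "2024-05-01T09:06:30", "host": "srv-db1", "user": "jdoe", "rule": "logon-new-host"},
    {"id": "a4", "ts": "2024-05-01T11:00:00", "host": "ws-42", "user": "asmith", "rule": "unsigned-driver"},
]


def stitch_incidents(alerts, keys=("host", "user")):
    """Group alerts into incidents: alerts belong together when they share an
    entity (host or user), transitively. Union-find over entity tokens."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for alert in alerts:
        tokens = [f"{k}:{alert[k]}" for k in keys]
        for token in tokens[1:]:
            union(tokens[0], token)  # link every entity of one alert together

    groups = defaultdict(list)
    for alert in alerts:
        groups[find(f"{keys[0]}:{alert[keys[0]]}")].append(alert)
    # Each incident is a timeline sorted by timestamp (ISO strings sort correctly).
    return [sorted(g, key=lambda a: a["ts"]) for g in groups.values()]


def breakout_minutes(incident):
    """Minutes from the first alert to the first alert on a different host,
    i.e. the observed breakout time; None if no lateral movement was seen."""
    parse = datetime.fromisoformat
    first = incident[0]
    for alert in incident[1:]:
        if alert["host"] != first["host"]:
            return (parse(alert["ts"]) - parse(first["ts"])).total_seconds() / 60
    return None
```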

Bottom line: Modern SIEMs empower security personnel to stop attacks in seconds instead of days.

For those considering whether to migrate to next-generation SIEM, take the simple “1-10-60” test. Can the company’s existing system rapidly detect, investigate and facilitate a response to an event? Or does the team sit there waiting for the results? If it is the latter, the SIEM isn’t keeping pace with today’s sophisticated adversaries, and it’s time to consider an alternative.

Braden Russell, chief technology officer, platform, CrowdStrike
