SIEM In this Decade, Are They Better than the Last?
My first exposure to a SIEM in 2001 was netForensics [4], followed by Intellitactics (2002) [5], which was eventually purchased by Trustwave, but since then many new products have come to market.
Security Information and Event Management (SIEM) systems have been around for 20+ years now, and their evolution has gone from simply collecting and centralizing logs in a repository to something much more complex. Today they include Security Orchestration, Automation and Response (SOAR) [1] together with a large threat intelligence component. Some of my previous articles on SIEM [2][3] are dated, but I think some of it still holds true, like being swamped by a huge amount of structured and unstructured data; of this data, there is still a large amount left untouched and unanalyzed.
It is obviously a good thing to centralize logs, but over time it hasn't always delivered on detecting and reacting in time against modern threats. What legacy SIEMs have in common is their inability to accurately identify incidents: they drown security teams by generating an overwhelming number of alerts that "logjam" both the SIEM and the analysts.
One of the main issues is that each network behaves differently, and it takes time to configure the SIEM to understand the local environment, collect the right telemetry and context, and configure the use cases [2] that alert and respond to the events that matter the most. Even then, it is important to review them regularly to make sure the goals haven't changed over time and that the telemetry each use case depends on is still being collected.
Over time, the market has changed by incorporating new features: SOAR, which brings in the additional context needed to make an accurate assessment of each alert, and machine learning such as User and Entity Behavior Analytics (UEBA), which baselines normal activity for each user and host to accelerate the identification of suspicious activity. This kind of automation helps analysts execute preconfigured automation tasks (playbooks) across various groups and tools.
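To make the difference between a legacy "alert on everything" rule and a context-aware use case concrete, here is an added example (my illustration, not code from the diary or from any SIEM product). It parses a handful of constructed authentication log lines, runs the noisy legacy rule beside two contextual checks (a failures-then-success sliding window, and a UEBA-style "new source for this user" comparison against a baseline), then folds the results into incidents ranked by asset criticality. The log format, hosts, users, IP addresses, the baseline table and the asset-criticality scores are all constructed for the example.

```python
"""Use-case detection with context over constructed auth logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timezone
import re

# Constructed syslog-like authentication lines; not real data.
SAMPLE_LOGS = """\
2022-11-17T08:00:01Z web01 auth: user=alice src=10.0.0.5 result=success
2022-11-17T08:00:05Z web01 auth: user=bob src=10.0.0.7 result=fail
2022-11-17T08:00:09Z web01 auth: user=bob src=10.0.0.7 result=success
2022-11-17T08:01:00Z db01 auth: user=admin src=203.0.113.9 result=fail
2022-11-17T08:01:02Z db01 auth: user=admin src=203.0.113.9 result=fail
2022-11-17T08:01:04Z db01 auth: user=admin src=203.0.113.9 result=fail
2022-11-17T08:01:06Z db01 auth: user=admin src=203.0.113.9 result=fail
2022-11-17T08:01:08Z db01 auth: user=admin src=203.0.113.9 result=fail
2022-11-17T08:01:20Z db01 auth: user=admin src=203.0.113.9 result=success
2022-11-17T08:30:00Z web01 auth: user=carol src=10.0.0.9 result=fail
2022-11-17T09:00:00Z web01 auth: user=alice src=198.51.100.4 result=success
"""

# Constructed UEBA-style baseline: source addresses each user normally logs in from.
BASELINE = {
    "alice": {"10.0.0.5"},
    "bob": {"10.0.0.7"},
    "admin": {"10.0.0.2"},
    "carol": {"10.0.0.9"},
}

# Constructed asset context: higher number = more critical host.
ASSET_CONTEXT = {"db01": 3, "web01": 2}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Turn one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def parse_logs(text):
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def naive_failed_login_rule(events):
    """Legacy-style rule: one alert per failed logon. Correct, but it floods the queue."""
    return [dict(reason="failed_login", **ev) for ev in events if ev["result"] == "fail"]


def brute_force_then_success(events, threshold=5, window_s=60):
    """Sliding window per (user, src): at least `threshold` failures inside `window_s`
    seconds followed by a success raise ONE alert instead of threshold + 1."""
    recent = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[(ev["user"], ev["src"])]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that fell out of the window
        if ev["result"] == "fail":
            q.append(ev["ts"])
        elif ev["result"] == "success" and len(q) >= threshold:
            alerts.append(dict(reason="brute_force_then_success", failures=len(q), **ev))
            q.clear()
    return alerts


def new_source_for_user(events, baseline):
    """UEBA-style check: a successful logon from a source this user never used in the baseline."""
    return [
        dict(reason="new_source_for_user", **ev)
        for ev in events
        if ev["result"] == "success" and ev["src"] not in baseline.get(ev["user"], set())
    ]


def correlate(alerts, asset_context):
    """Fold alerts about the same user/src/host into one incident and score it with
    asset criticality, so the analyst sees a short ranked list, not a logjam."""
    incidents = {}
    for a in alerts:
        key = (a["user"], a["src"], a["host"])
        inc = incidents.setdefault(key, {"user": a["user"], "src": a["src"],
                                         "host": a["host"], "reasons": [], "first_seen": a["ts"]})
        inc["reasons"].append(a["reason"])
        inc["first_seen"] = min(inc["first_seen"], a["ts"])
    for inc in incidents.values():
        inc["score"] = len(inc["reasons"]) * asset_context.get(inc["host"], 1)
    return sorted(incidents.values(), key=lambda i: i["score"], reverse=True)


def run(text=SAMPLE_LOGS, baseline=BASELINE, asset_context=ASSET_CONTEXT):
    """Return (noisy legacy alerts, ranked contextual incidents) for the same input."""
    events = parse_logs(text)
    noisy = naive_failed_login_rule(events)
    contextual = brute_force_then_success(events) + new_source_for_user(events, baseline)
    return noisy, correlate(contextual, asset_context)


if __name__ == "__main__":
    noisy, incidents = run()
    print(f"legacy rule: {len(noisy)} alerts; contextual use cases: {len(incidents)} incidents")
    for inc in incidents:
        print(inc["score"], inc["user"], inc["src"], inc["host"], inc["reasons"])
```

On the constructed input the legacy rule emits seven alerts (every failed logon, including a user who simply mistyped a password once), while the contextual checks collapse the same events into two incidents, with the administrator logon on the critical database host ranked first because two independent use cases fired on it. The baseline dictionary stands in for what a UEBA component would learn over weeks of data; the point of keeping it as plain input is that the quality of every contextual alert is bounded by the quality and freshness of that baseline and asset table, which is the "review regularly" step above.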
If you have identified a SIEM that meets your goals, what is it that made it better at managing incidents?
Do you prefer storing structured or unstructured data and why?
[1] https://isc.sans.edu/forums/diary/SOAR+or+not+to+SOAR/25808/
[2] https://isc.sans.edu/forums/diary/Mapping+Use+Cases+to+Logs+Which+Logs+are+the+Most+Important+to+Collect/22526/
[3] https://isc.sans.edu/forums/diary/Business+Value+in+Big+Data/19727/
[4] https://www.sans.org/white-papers/408/ (netForensics)
[5] https://www.trustwave.com/en-us/company/newsroom/news/trustwave-acquires-intellitactics/
-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu