Caute_cautim
Community Champion

Is the SIEM a legacy item?

Hi All

 

Given the deluge of modern attacks on organisations: originally it was the SIEM (Security Information and Event Management) systems which took the brunt of these, collating the different sources and working out whether there were multiple attacks or whether an incident response was merited.

Is the latter-day SIEM a legacy item these days, given that the same platform is expected to be an EDR, MDR, CDR and SOAR all in one, to help organisations make head or tail of the incoming events?

Especially as, within 10 minutes, an organisation can be attacked and compromised, well before a human analyst can make head or tail of the situation?

Given the advent of machine learning and AI, are they now essential in the battle against the bad actors?

 

Your thoughts appreciated

Regards

Caute_Cautim

3 Replies
TribesmanJohn
Newcomer I

I think there's a certain level of understanding of your organisation's risk profile and CMMI required when making such an assessment. I think a SIEM still has a place if you have a suitable logging maturity level and deep knowledge of your exposures.

The catch is that this usually applies to orgs with a small digital footprint with security-aware staff. This does not scale very well 🙂

The other issue is cost. SIEMs cost a lot of money, but a SIEM with ML, EDR, SOAR etc. is going to cost a whole lot more, and the vendors have the advantage of knowing that platform changes do not come easily or cheaply. Sunk cost fallacy.

I think with TA dwell time now within single minutes, even with machine learning, attacks are going to be well underway/all over by the time the first incident responder can identify the alert and react.

I would say the SIEM has far more value as a forensics tool these days rather than your EDR of choice.

Just my opinion though 🙂
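The two jobs the thread has discussed so far, the collating-and-correlating role the original post attributes to the SIEM and the forensic-timeline role TribesmanJohn favours, in code, as an added example that is not part of any post in this thread. The sshd and firewall log lines, host addresses and account names are constructed for the example; the five-failures-in-five-minutes rule is an assumed threshold, not a recommendation from anyone here.

```python
"""Added example: SIEM-style collation and correlation of two constructed log
sources, plus the per-IP forensic timeline a SIEM is still good for."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample logs (hypothetical hosts and addresses, not from a real system).
AUTH_LOG = """\
2024-05-01T10:00:01Z sshd[412]: Failed password for admin from 203.0.113.7 port 50110 ssh2
2024-05-01T10:00:03Z sshd[412]: Failed password for admin from 203.0.113.7 port 50112 ssh2
2024-05-01T10:00:05Z sshd[412]: Failed password for admin from 203.0.113.7 port 50114 ssh2
2024-05-01T10:00:06Z sshd[412]: Failed password for admin from 203.0.113.7 port 50116 ssh2
2024-05-01T10:00:09Z sshd[412]: Failed password for admin from 203.0.113.7 port 50118 ssh2
2024-05-01T10:00:40Z sshd[413]: Accepted password for admin from 203.0.113.7 port 50120 ssh2
2024-05-01T10:02:00Z sshd[415]: Failed password for bob from 198.51.100.9 port 40001 ssh2
2024-05-01T10:30:00Z sshd[416]: Accepted publickey for alice from 192.0.2.10 port 39000 ssh2
"""
FW_LOG = """\
2024-05-01T09:59:50Z action=deny src=203.0.113.7 dst=10.0.0.5 dport=23 proto=tcp
2024-05-01T09:59:52Z action=deny src=203.0.113.7 dst=10.0.0.5 dport=3389 proto=tcp
2024-05-01T09:59:55Z action=allow src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp
2024-05-01T10:29:58Z action=allow src=192.0.2.10 dst=10.0.0.5 dport=22 proto=tcp
"""

@dataclass(frozen=True)
class Event:
    """One normalised event, whichever source it came from."""
    ts: datetime
    source: str   # "sshd" or "firewall"
    src_ip: str
    kind: str     # auth_fail, auth_ok, fw_deny, fw_allow
    detail: str

AUTH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+) port")
FW_RE = re.compile(r"^(\S+) action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_auth(text):
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # a real pipeline would count unparsed lines rather than drop them
        ts, verb, user, ip = m.groups()
        kind = "auth_ok" if verb == "Accepted" else "auth_fail"
        events.append(Event(parse_ts(ts), "sshd", ip, kind, f"user={user}"))
    return events

def parse_fw(text):
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts, action, src, dst, dport = m.groups()
        events.append(Event(parse_ts(ts), "firewall", src, f"fw_{action}", f"dst={dst}:{dport}"))
    return events

def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Rule (assumed values): >= `threshold` failed logins from one source IP
    inside `window`, followed by a successful login from that IP, is a suspected
    credential compromise. Earlier firewall denies from the same IP are attached
    as cross-source enrichment."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.src_ip].append(ev)
    incidents = []
    for ip, evs in by_ip.items():
        recent_fails = []
        for ev in evs:
            # keep only failures still inside the window ending at this event
            recent_fails = [f for f in recent_fails if ev.ts - f.ts <= window]
            if ev.kind == "auth_fail":
                recent_fails.append(ev)
            elif ev.kind == "auth_ok":
                if len(recent_fails) >= threshold:
                    denies = sum(1 for e in evs if e.kind == "fw_deny" and e.ts < ev.ts)
                    incidents.append({"src_ip": ip, "account": ev.detail,
                                      "failures_before_success": len(recent_fails),
                                      "firewall_denies_before": denies,
                                      "success_at": ev.ts.isoformat()})
                recent_fails = []  # a success ends the streak either way
    return incidents

def timeline(events, ip):
    """Forensic view: everything any source saw from one IP, in time order."""
    return [(e.ts.isoformat(), e.source, e.kind, e.detail)
            for e in sorted(events, key=lambda e: e.ts) if e.src_ip == ip]

if __name__ == "__main__":
    evs = parse_auth(AUTH_LOG) + parse_fw(FW_LOG)
    for inc in correlate(evs):
        print("INCIDENT", inc)
        for row in timeline(evs, inc["src_ip"]):
            print("   ", *row)
```

Run as-is, it flags only 203.0.113.7 (five failures, then a success, with two firewall denies beforehand); the single failure from 198.51.100.9 and alice's key-based login never cross the threshold. The `timeline` function is the part that keeps paying off after the alert window has passed: it answers "what else did this address touch" across both sources in one query.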

dcontesti
Community Champion

So my experience with SIEMs is that they were difficult to implement (increased manpower to monitor and adjust, the continued risk of devices being added/removed, automated responses that can cause more issues). Of course, I am talking from the point of view of a heavy manufacturer where sometimes endpoints were added or removed by OT.

We all know that budget is difficult to come by at times, and justifying additional staff for the maintenance of SIEMs (while critical) can be a very hard sell to management (remember, in an ICS environment, Security does not make money).

Hopefully, AI could be leveraged to reduce the number of false positives that we currently see. I see other benefits coming from scalability and, potentially, the automation.

AI should be far superior at Threat Detection.

Having said that, I do not see AI being the answer in the near future.

d

 

Caute_cautim
Community Champion

@dcontesti @TribesmanJohn Thanks for the responses. A lot of people have gone to service providers like Azure, AWS, GCP, or even a lot of other providers including Palo Alto XSIAM, for instance. If you look at the recent selling off of IBM QRadar to Palo Alto and the partnership, it shows a move towards service providers having a single pane of glass, combining a SIEM at its core with other technologies to increase the ability to react within minutes rather than hours as in yesteryear.

Which, with AI and ML, provides analysts some breathing space to put their wits to the real threats rather than thousands of them at a time. Plus the fact that human beings cannot remember patterns, or probably what happened 20 minutes ago, whereas AI can do this and definitely augment human beings' ability to make decisions.

I have seen acquisitions such as Cisco purchasing Splunk, augmenting their capabilities along with security intelligence feeds constantly reviewing the incoming events from many sources. It is going to be an ongoing battle; no single technology has all the answers, and increasingly this will be the case in the future.

Or it is outsourced overseas to cheap labour and rooms of people stuck with multiple screens attempting to make sense of the noise in front of them.

Combining capabilities into a single platform certainly makes it easier for a human to make decisions.

Regards

Caute_Cautim