Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

SIEM In this Decade, Are They Better than the Last?

Published: 2022-01-29
Last Updated: 2022-01-29 18:14:37 UTC
by Guy Bruneau (Version: 1)
3 comment(s)

My first exposure to a SIEM in 2001 was netForensics followed by Intellitactics (2002) which was eventually purchase by Trustwave but since then, many new products have come to market.

Security Information and Event Management (SIEM) have been around for 20+ years now, where their evolution has gone from simply collecting and centralizing as a repository of logs. Today they have become more complex with the inclusion of Security, Orchestration, Automation and Response (SOAR) [1] with a large component of threat intel information. Some of my previous articles on SIEM [2][3] are dated but I think some of it still hold true, like being swamped by huge amount of structured and unstructured data, of this data, there is still a large amount left untouched and unanalyzed.

It is obviously a good thing to centralize logs but over time, it didn't always deliver on detecting and reacting in time against modern threats. What the legacy SIEM have in common is their inability to accurately identify incidents, they drown security teams by generating an overwhelming number of alerts that "logjam" both the SIEM and analysts.

One of the main issues is that each network behaves differently and it takes time to configure the SIEM to understand the local environment, collect the right telemetry & context and configure the use cases [2] to respond and alert for the events that matters the most. Even then, it is important to review them regularly to make sure the goals haven't changed over time.

Over time, the market has changed by incorporating new features such as SOAR that include the additional context needed to make accurate assessment on each alert and include machine learning like User and Entity Behavior Analytics (UEBA) to accelerate identification of suspicious activity. This kind of automation is helping analysts to execute preconfigure automation tasks (playbooks) between various groups and tools. 

If you have identified a SIEM that meet your goals, what is it that made it better in managing incidents? 
Do you prefer storing structured or unstructured data and why?

[1] https://isc.sans.edu/forums/diary/SOAR+or+not+to+SOAR/25808/
[2] https://isc.sans.edu/forums/diary/Mapping+Use+Cases+to+Logs+Which+Logs+are+the+Most+Important+to+Collect/22526/
[3] https://isc.sans.edu/forums/diary/Business+Value+in+Big+Data/19727/
[4] https://www.sans.org/white-papers/408/ (netForensics)
[5] https://www.trustwave.com/en-us/company/newsroom/news/trustwave-acquires-intellitactics/

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

3 comment(s)
Diary Archives