According to Gartner’s recent Magic Quadrant for Security Incident & Event Management (August 2016), the SIEM market grew from $1.67 billion in 2014 to $1.73 billion in 2015. The major driver for SIEM investments is security. “Even though compliance continues to be a secondary driver, the primary focus continues to be targeted attack and breach detection. The security organization often wants to employ SIEM to improve capabilities for external and internal threat discovery and incident management.”
Over the years, a SIEM system has become the centerpiece of the Security Operations Center (SOC), the most important step toward bringing all the products and people involved in IT security together into a coherent operation. The goal of the SOC is of course to detect and prevent breaches as quickly as possible, while continuously managing and improving the security posture of the organization to prevent future incidents.
According to Securosis analyst Mike Rothman, SIEM systems were originally designed to aggregate the flood of alerts from systems like IPS and IDS that were overwhelming the IT department, and, over time, became an information platform, aggregating logs from firewalls and other devices. Since it was so difficult to find the needle in the haystack, SIEM platforms further evolved to provide usability tools such as correlation rules and dashboards.
So a SIEM clearly plays an important role in a SOC. But is it enough? If, as the Gartner respondents said, the main goal is targeted attack and breach detection, is SIEM the best platform for the job? Let’s take a look at a few of the key requirements for a successful SOC.
1. Detect threats at every point in the attack chain
To deal with the growing number and complexity of cyber threats, organizations have deployed multiple security solutions to address specific attack vectors or vulnerabilities. In response, attackers have developed more sophisticated methods that use multiple techniques and stages. Point solutions working alone cannot see the connections between a series of events. To ensure that attackers do not sneak through, security operations must address two key requirements:
- Deploy prevention and detection technologies across the full attack chain, over every attack vector, and the entire IT environment.
- Architect so that all the technologies are working together holistically, sharing information to ensure that attackers are unable to sneak through.
2. Investigate every alert so that nothing is missed
The large number of alerts was one of the earliest drivers for SIEM. To help teams address the tens of thousands of events collected each day, SIEM systems introduced correlation rules to group related events into alerts. But today, most organizations report that even after correlation, the number of alerts that arrive each day is too large to investigate, resulting in an unacceptable level of risk.
When creating a SOC, organizations need to look for solutions that do not merely aggregate alerts, but automatically validate and investigate them, reducing the final number of cases that must be reviewed by human analysts to a manageable number.
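As an added illustration (not code from the article or from any product it describes) of what correlation across point solutions looks like in practice, the snippet below groups constructed IDS, endpoint and firewall events per host into time-bounded incidents and scores each by how much of the attack chain it covers. The field names, the 15-minute window and the three-stage chain are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three point solutions. Field names and
# values are assumptions for this example, not a real SIEM schema.
EVENTS = [
    {"ts": "2016-09-01T10:00:05", "src": "ids",      "host": "ws-17",  "stage": "exploit"},
    {"ts": "2016-09-01T10:00:40", "src": "endpoint", "host": "ws-17",  "stage": "execution"},
    {"ts": "2016-09-01T10:02:10", "src": "firewall", "host": "ws-17",  "stage": "c2"},
    {"ts": "2016-09-01T11:30:00", "src": "ids",      "host": "ws-03",  "stage": "exploit"},
    {"ts": "2016-09-01T14:15:00", "src": "firewall", "host": "ws-03",  "stage": "c2"},
    {"ts": "2016-09-01T09:10:00", "src": "endpoint", "host": "srv-02", "stage": "execution"},
]

WINDOW = timedelta(minutes=15)          # assumed per-host correlation window
CHAIN = ("exploit", "execution", "c2")  # stages a complete intrusion would show


def correlate(events, window=WINDOW):
    """Group events per host into incidents; a gap longer than `window`
    between consecutive events on the same host starts a new incident."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        by_host[e["host"]].append(e)
    incidents = []
    for host, evs in by_host.items():
        current = None
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if current is None or t - current["last"] > window:
                current = {"host": host, "first": t, "last": t,
                           "stages": [], "sources": set()}
                incidents.append(current)
            current["last"] = t
            current["stages"].append(e["stage"])
            current["sources"].add(e["src"])
    for inc in incidents:
        # Fraction of the chain seen: one tool alone never sees more than 1/3.
        seen = set(inc["stages"])
        inc["coverage"] = sum(1 for s in CHAIN if s in seen) / len(CHAIN)
        inc["priority"] = "high" if inc["coverage"] >= 2 / 3 else "review"
    return incidents


def summarize(events):
    """Return (raw alert count, incident count, high-priority incident count)."""
    incs = correlate(events)
    return len(events), len(incs), sum(1 for i in incs if i["priority"] == "high")
```

On the sample data six tool alerts collapse into four incidents, only one of which (ws-17, seen by all three sources) is prioritized for an analyst; the two ws-03 events fall outside the window and stay separate, which is exactly the kind of tuning decision a SOC has to make.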
3. Obtain forensic evidence for investigation and remediation
To investigate alerts, security teams need the kind of detailed network and endpoint activity data that is provided by forensics solutions. Throughout the industry, forensics tools – particularly on the network – are infamous for being extremely difficult and time-consuming to use, and forensics is often one of the major stumbling blocks on the road to an effective SOC.
When it comes to forensics, organizations should look for solutions that are automated and easy to use. The key is to adopt solutions that proactively integrate the collection of forensic evidence into the investigation process and present the results in the context of the alert or lead that the data is intended to confirm. When the forensic evidence is analyzed and presented in this way, it arrives on time and in a format analysts at different skill levels can understand.
4. Rapidly stop, eradicate and remediate threats
Of course the main goal of the SOC is to stop and remove whatever threats cannot be prevented. Effectively addressing the first three requirements – combining thorough detection with automated investigation that covers every alert and integrates forensics – will already have a tremendous impact on dwell time.
The next step is to turn that investigation into actionable intelligence and a response. Organizations should choose solutions that provide clear, fully documented attack story lines, detailed recommendations for remediation, and built-in tools for containing threats fast.
5. Manage incidents for visibility, transparency and communication
Sharing information is fundamental to any team’s ability to respond. Organizations should insist on solutions that make information accessible and understandable to a wide variety of stakeholders. The SOC is a 24/7 operation so information sharing and knowledge transfer is crucial. Look for solutions that turn alerts and data into intelligence that is self-explanatory and can be shared between job roles and shifts. Increase transparency by adopting paradigms that make intuitive sense – like incidents, risks and recommendations – rather than alerts, logs and reports.
6. Continuously automate and improve processes to optimize the operation
More than any technology or solution, the SOC is the people and processes that protect your organization. The cyber security labor shortage is large and growing, and the skills required to handle today’s threats and technologies keep climbing. SOC managers should constantly be on the lookout for ways to automate routine analysis, orchestrate manual processes, and provide teams with actionable intelligence rather than logs.
So, does a SOC need a SIEM? For most organizations, the answer is yes. Over the years, SIEM has proven highly effective at collecting and managing data that is vital to IT, security, and the business.
However, for organizations that face the possibility of complex, targeted attacks and need to know that they are prepared to face them early and aggressively, SIEM alone is not enough. The sheer volume of information collected by the SIEM, combined with inefficient methods of investigation and analysis, means that attackers can stay one step ahead.
To handle advanced threats, SOCs need a solution for threat detection and response that is designed and built from the ground up to meet the requirements described above.
Noam Rosenfeld is Senior VP Research & Development, Cyber Intelligence Solutions, Verint Systems Inc. and Former Head of Cyber Defense Department in the IDF.