Yonatan Striem-Amit at Cybereason describes how organisations can move beyond traditional SIEM solutions
It is no wonder then that Security Information and Event Management (SIEM) platforms have become part of the foundation of mature cyber-security programs.
By amassing log data created by an IT and security stack as well as identifying potential incidents, SIEM was intended to provide businesses with improved visibility to their environment. Should there be detection of suspicious activity, alerts and reports are fed back to the security lead to make a judgement call on next steps. In short, SIEMs have often been touted for enhancing an organisation’s ability to monitor threats and respond to incidents.
Yet, while aggregating log data provides some insight into potential attacks, most security teams simply can’t manually review and correlate all this information effectively as the number of network assets continues to grow, even with the aid of a SIEM solution. They need the context and correlations delivered in an automated manner that go beyond simple aggregation and additional alerting.
Which leads into a second intended benefit: faster detection and response. Manual analysis of logs can be a time-consuming process. SIEMs were intended to solve this problem by using automation to classify log data in real time with the promise to better enable analysts to detect and respond to potential security issues more quickly than they could on their own.
These professed benefits, among others, have driven the projected growth of the global SIEM market over the next few years to an estimated $3.94 billion between 2020 and 2024, as reported by Business Wire. If that comes to pass, such a progression will register a CAGR of over 12% during the forecast period. But have SIEM solutions really delivered on their promises?
The real limitations of SIEMs
The reality though is that SIEMs haven’t necessarily translated into more security confidence for organisations. In its 2021 SIEM Report, Core Security found that 65% of survey participants were using a SIEM platform. Just over half (57%) of those respondents reported a high level of confidence in their security postures. That’s not much more than the confidence rate for those without a SIEM at 49%.
So, why is this happening? SIEM tools vary in their value and effectiveness based upon the data sources to which they have access, as well as the ways in which they’ve been tuned and maintained. These variables often result in SIEMs generating a lot of false positives and more uncorrelated alerts for security teams to manage.
Such a deluge of alerts can produce “alert fatigue” and a cultural shift in the organisation where SOC analysts and other personnel become numb to incoming security alerts to the point that they stop treating any of those alerts seriously. This is how significant security events get missed.
There are other issues that commonly plague SIEMs, as well. One of those is the fact that organisations are expanding their IT, devices, and applications at a rate with which most SIEMs just can’t keep up. That’s especially the case given many organisations’ recent shift to cloud computing and remote work—environments that are new to SIEMs.
SIEM solutions aren’t capable of correlating disparate events across hybrid cloud deployments, for instance. Even if they could, they can’t scale with organisations’ growing IT demands, as they lack the means to balance analysing event data in real time with storing that information in a cost-efficient way. Often, to compensate for the high cost of SIEM data storage, a good deal of event data is filtered out, severely diminishing the effectiveness of the SIEM investment.
Extended detection and response (XDR) to the rescue
The challenges discussed above have helped to fuel the emergence of what’s known as XDR (Extended Detection and Response). An evolution of EDR (Endpoint Detection and Response), XDR leverages a new security paradigm that involves analysing event telemetry from systems beyond endpoints like laptops and mobile devices to include cloud-based assets, user identities, other network tools and other parts of the IT infrastructure.
This expanded visibility is amplified by the automated analysis required to enrich SIEM-style data to deliver context-rich, correlated, and actionable intelligence that allows analysts to focus on understanding behaviours across every environment instead of triaging more alerts to figure out what’s happening on the network.
When paired with machine learning behavioural analytics, XDR empowers security personnel to identify threats more quickly, understand the full scope of the events more easily and how they are connected to one another, and implement mitigation in real-time consistently across the entire network regardless of its size or complexity.
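The contrast the article draws between aggregation-only alerting and cross-source correlation can be made concrete with a small script. This is an added example, not code from the article or from Cybereason; the telemetry records, field names and the 30-minute correlation window are constructed for illustration.

```python
"""Per-source alerting vs. identity-based correlation over constructed telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three telemetry sources: identity, endpoint, cloud.
EVENTS = [
    {"ts": "2021-06-01T09:00:05", "source": "identity", "user": "alice", "host": None,
     "type": "impossible_travel_login"},
    {"ts": "2021-06-01T09:02:10", "source": "endpoint", "user": "alice", "host": "ws-17",
     "type": "suspicious_powershell"},
    {"ts": "2021-06-01T09:04:40", "source": "cloud", "user": "alice", "host": None,
     "type": "bulk_storage_download"},
    {"ts": "2021-06-01T13:30:00", "source": "endpoint", "user": "bob", "host": "ws-02",
     "type": "suspicious_powershell"},
]


def aggregation_only_alerts(events):
    """SIEM-style aggregation: every suspicious event becomes its own alert to triage."""
    return [f"{e['source']}:{e['type']}" for e in events]


def _summarise(user, evs):
    """Collapse a run of related events into one incident with a severity derived
    from how many independent telemetry sources corroborate it."""
    sources = sorted({e["source"] for e in evs})
    hosts = sorted({e["host"] for e in evs if e["host"]})
    return {"user": user, "sources": sources, "hosts": hosts,
            "steps": [e["type"] for e in evs],
            "severity": "high" if len(sources) >= 2 else "low"}


def correlated_incidents(events, window=timedelta(minutes=30)):
    """XDR-style correlation: chain events that share a user identity and fall
    within `window` of the previous event into a single incident."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user[e["user"]].append(e)
    incidents = []
    for user, evs in by_user.items():
        current = [evs[0]]
        for e in evs[1:]:
            prev = datetime.fromisoformat(current[-1]["ts"])
            if datetime.fromisoformat(e["ts"]) - prev <= window:
                current.append(e)
            else:
                incidents.append(_summarise(user, current))
                current = [e]
        incidents.append(_summarise(user, current))
    return incidents
```

On the sample data the aggregation view yields four unrelated alerts, while correlation yields two incidents: one high-severity chain for alice spanning identity, endpoint and cloud telemetry, and one low-severity single-source event for bob.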
In summary, with a strong XDR solution, we, the defenders, can regain the upper hand with the ability to detect, correlate and stop attacks in real-time, even across complex, ever-evolving enterprise environments. Unlike SIEM or log management tools, XDR promises an experience focused on security value — better detection, easier investigation, faster response.
Defeating an adversary that can weave between data silos and understands detection alerts requires an operation-centric approach. Implementing an XDR solution means faster detection, which means faster remediation, thereby ending attacks before they become breach events.
Yonatan Striem-Amit is CTO and Co-founder of Cybereason