We often think of the SIEM as the “brain” of the IT network environment, but with all the news around “next-generation” SIEM, how can a next-gen SIEM improve the results of your IT security strategy?
How do you define the traditional SIEM solution?
What is a SIEM?
Security Information and Event Management (SIEM) – A SIEM platform centrally collects log and event data from multiple devices on your network, including your existing security appliances. Through a correlation engine, it can identify security events that a standalone security technology would not detect on its own.
A SIEM system centralizes logging of security events for the enterprise and is principally used to analyze and report on the log entries it receives. Its analysis capabilities can detect attacks not discovered through other means and can drive the reconfiguration of other enterprise security controls to close the gaps those attacks exposed. Some SIEM products can also trigger response actions in other controls, so that an attack still in progress can be interrupted once it is detected.
Traditional SIEM Solutions
Traditional SIEM solutions focus on collecting and indexing log output from applications and devices, which analysts then search for specific details, for example “show all logs for this device on this particular day”. Such a query often returns tens to hundreds of pages, and a thousand or more if something is amiss with the device. SIEMs therefore offer additional filter parameters to narrow a search, such as a single device at a precise time, or only certain types of log event. Getting those filters right typically requires a high level of expertise from the end user.
SIEMs can correlate logs from many sources when searching on a device, for example by IP address. That is valuable for forensic deep dives and for compliance and audit event reporting.
Some SIEMs also ingest network data such as flow records, but tend to have difficulty using it effectively: flow data for a single device can add thousands more line items to a search on top of the log data, so in practice it is seldom used. This is a problem, because the network provides the other half of the evidence needed to detect the most active threats.
By contrast, what is Next-Gen SIEM?
What features or capabilities do these solutions have in contrast to traditional SIEM?
Traditional SIEM solutions find information, and some provide analysis that indicates what might be happening, such as “credential change logged for this user” or “this user logged in from multiple devices simultaneously”. However, they tend to present that finding alongside every piece of collected data about the user or device in question, so an analyst may face hundreds to thousands of lines to sort through before understanding what is actually happening.
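The two behaviours described above, the raw search-by-IP across sources and the “logged in from multiple devices simultaneously” rule, are easy to see side by side in a few dozen lines of Python. The block below is an added example written for this page; it is not code from the original article or from any SIEM product. The log lines are constructed sample data in an invented key=value format, the five-minute window is an arbitrary choice, and the function names are the author's own. The point it demonstrates is the difference between returning every matching line (the traditional search) and returning one condensed finding per user (the correlated verdict an analyst actually wants first).

```python
"""Minimal SIEM-style search and correlation over constructed sample logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real data: auth logs from two hosts,
# a VPN gateway log and firewall flow records, all in one simple key=value
# format so the example stays self-contained.
RAW_LOGS = [
    "2024-03-04T09:00:01 host=web01 source=auth msg=accepted user=alice src=10.0.1.5",
    "2024-03-04T09:00:07 host=web01 source=auth msg=accepted user=alice src=203.0.113.9",
    "2024-03-04T09:00:09 host=fw01 source=flow msg=tcp/443 user=- src=203.0.113.9 dst=10.0.1.20 bytes=4096",
    "2024-03-04T09:00:11 host=fw01 source=flow msg=tcp/22 user=- src=203.0.113.9 dst=10.0.1.30 bytes=900",
    "2024-03-04T09:01:30 host=db01 source=auth msg=accepted user=bob src=10.0.1.5",
    "2024-03-04T09:02:15 host=vpn01 source=vpn msg=accepted user=alice src=198.51.100.4",
    "2024-03-04T09:40:00 host=db01 source=auth msg=accepted user=bob src=10.0.1.5",
    "2024-03-04T09:41:12 host=web01 source=auth msg=failed user=carol src=203.0.113.9",
]


def parse(line):
    """Normalise one raw line into a dict with a real timestamp."""
    ts, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    return event


def load_events(lines=RAW_LOGS):
    """Parse a batch of lines (defaults to the constructed sample above)."""
    return [parse(line) for line in lines]


def search_by_ip(events, ip):
    """Traditional SIEM search: every event from every source that mentions the IP.
    This is the forensic deep-dive view; it returns raw lines, not a verdict."""
    return [e for e in events if ip in (e.get("src"), e.get("dst"))]


def concurrent_logins(events, window=timedelta(minutes=5)):
    """Correlation rule: a user accepted from more than one source IP within
    `window`. Returns one condensed finding per user instead of the raw lines."""
    by_user = defaultdict(list)
    for e in events:
        # Flow records carry user=- and are not logins; failed attempts are skipped too.
        if e.get("msg") == "accepted" and e.get("user") != "-":
            by_user[e["user"]].append(e)
    findings = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for i, first in enumerate(logins):
            # Grow a window forward from each login; stop at the first one that trips the rule.
            cluster = [first]
            for later in logins[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                cluster.append(later)
            ips = {e["src"] for e in cluster}
            if len(ips) > 1:
                findings.append({
                    "user": user,
                    "ips": sorted(ips),
                    "hosts": sorted({e["host"] for e in cluster}),
                    "sources": sorted({e["source"] for e in cluster}),
                    "start": cluster[0]["ts"],
                    "end": cluster[-1]["ts"],
                })
                break  # one finding per user is enough for triage
    return findings


def summarize(finding):
    """Render a finding as the single line an analyst should see first."""
    span = int((finding["end"] - finding["start"]).total_seconds())
    return "{user}: logins from {n} IPs ({ips}) on {hosts} via {sources} within {span}s".format(
        user=finding["user"], n=len(finding["ips"]), ips=", ".join(finding["ips"]),
        hosts=",".join(finding["hosts"]), sources=",".join(finding["sources"]), span=span)


if __name__ == "__main__":
    events = load_events()
    hits = search_by_ip(events, "203.0.113.9")
    print(f"search by IP 203.0.113.9: {len(hits)} raw events across "
          f"{sorted({e['source'] for e in hits})}")
    for finding in concurrent_logins(events):
        print("finding:", summarize(finding))
```

On the sample data the IP search returns four raw events spanning the auth and flow sources, which is exactly the kind of result set that grows into thousands of lines on a real network, while the correlation rule collapses alice's three accepted logins into a single finding and ignores bob, whose two logins come from the same address more than five minutes apart.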