It was back in 2000 that the security information and event management (SIEM) approach to security management first appeared from vendors. The original SIEM functionality centred on event correlation from perimeter security devices such as IDS/IPS and firewalls, and the early products came from vendors like Intellitactics, eSecurity and NetForensics.
Over the last 19 years, the SIEM market has evolved with different vendors, use cases and functionalities. It has also grown into a $2.5 billion market, dominated by giant vendors such as LogRhythm, AT&T (AlienVault), Splunk and IBM.
The underlying principle of every SIEM system is to aggregate relevant data from multiple sources and identify deviations from the norm so that appropriate action can be taken. For example, on detecting a potential issue, a SIEM might log additional information, generate an alert and instruct other security controls to stop an activity’s progress. A SIEM system can be rules-based or employ a statistical correlation engine to establish relationships between event log entries. Advanced SIEMs have grown to include security orchestration and automated response (SOAR) and user and entity behaviour analytics (UEBA).
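As an added illustration of the principle just described (this is example code written for this page, not code from the article or from any vendor's product), the Python below normalizes constructed log lines from two sources into a common schema, applies a rule-based correlation (repeated failed logins followed by a success from the same source and account), applies a simple statistical threshold (firewall deny counts per source compared against a baseline mean plus k standard deviations), and turns the resulting alerts into response instructions of the kind a SOAR layer would act on. The log lines, the baseline counts, the thresholds and all function names are constructed assumptions for the example.

```python
"""Added example: a tiny rule-based and statistical correlation engine over
constructed log lines, illustrating the SIEM principle of aggregate -> detect -> respond."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from two sources (auth server, firewall); not real data.
SAMPLE_LOGS = [
    "2019-03-01T10:00:01 auth sshd: Failed password for admin from 203.0.113.7",
    "2019-03-01T10:00:05 auth sshd: Failed password for admin from 203.0.113.7",
    "2019-03-01T10:00:09 auth sshd: Failed password for admin from 203.0.113.7",
    "2019-03-01T10:00:12 auth sshd: Failed password for admin from 203.0.113.7",
    "2019-03-01T10:00:20 auth sshd: Accepted password for admin from 203.0.113.7",
    "2019-03-01T10:01:00 auth sshd: Failed password for bob from 198.51.100.2",
    "2019-03-01T10:02:00 auth sshd: Accepted password for bob from 198.51.100.2",
    "2019-03-01T10:05:00 app something the parser does not understand",
] + [
    f"2019-03-01T10:03:{i:02d} fw DENY src=203.0.113.7 dst=10.0.0.5 dport={445 + i}"
    for i in range(12)
] + ["2019-03-01T10:04:00 fw DENY src=198.51.100.2 dst=10.0.0.5 dport=443"]

# Constructed baseline: per-source daily deny counts observed during a "normal" week.
BASELINE_DENIES_PER_SRC = [2, 3, 1, 4, 2, 3, 2]

AUTH_RE = re.compile(r"^(?P<ts>\S+) auth sshd: (?P<outcome>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<src>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) fw (?P<action>DENY|ALLOW) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse_event(line):
    """Normalize one raw line into a dict with a common schema, or None if unknown."""
    for kind, rx in (("auth", AUTH_RE), ("fw", FW_RE)):
        m = rx.match(line)
        if m:
            ev = m.groupdict()
            ev["kind"] = kind
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            return ev
    return None  # unknown format: dropped rather than crashing the pipeline


def parse_events(lines):
    """Aggregation step: every source ends up in the same event schema."""
    return [ev for ev in map(parse_event, lines) if ev is not None]


def detect_bruteforce_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Rule-based correlation: at least `threshold` failed logins for the same
    (src, user) within `window`, followed by a successful login from that pair."""
    alerts = []
    failures = defaultdict(list)  # (src, user) -> timestamps of failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] != "auth":
            continue
        key = (ev["src"], ev["user"])
        if ev["outcome"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "src": ev["src"],
                           "user": ev["user"], "failures": len(recent), "ts": ev["ts"]})
        failures[key].clear()  # a success ends the attempt sequence for this pair
    return alerts


def detect_deny_outliers(events, baseline, k=3.0):
    """Statistical correlation: flag sources whose firewall deny count exceeds
    baseline mean + k * stdev (a simple z-score style threshold)."""
    counts = defaultdict(int)
    for ev in events:
        if ev["kind"] == "fw" and ev["action"] == "DENY":
            counts[ev["src"]] += 1
    limit = statistics.mean(baseline) + k * statistics.stdev(baseline)
    return [{"rule": "deny_count_outlier", "src": src, "count": n, "limit": round(limit, 2)}
            for src, n in sorted(counts.items()) if n > limit]


def plan_response(alerts):
    """Turn alerts into instructions a SOAR playbook could hand to other controls."""
    actions = []
    for a in alerts:
        if a["rule"] == "bruteforce_then_success":
            actions.append(("force_password_reset", a["user"]))
        actions.append(("block_source", a["src"]))
    return sorted(set(actions))  # deduplicated: two rules may name the same source


def correlate(lines, baseline=BASELINE_DENIES_PER_SRC):
    """Full pipeline: aggregate, run both engines, plan the response."""
    events = parse_events(lines)
    alerts = detect_bruteforce_then_success(events) + detect_deny_outliers(events, baseline)
    return alerts, plan_response(alerts)


if __name__ == "__main__":
    for item in correlate(SAMPLE_LOGS):
        print(item)
```

The rule engine and the statistical engine see the same normalized events, which is the point of aggregating first: the brute-force rule and the deny-count outlier independently implicate the same source, and the response planner collapses them into one block instruction. The malformed "app" line is dropped at parse time so a single unknown format cannot stall the pipeline.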
The Evolution of SIEM
Despite the evolution of SIEM, today’s products can be seen as super-sized versions of those of yesteryear. Over the years, SIEM products have been based on a tiered architecture of distributed data collectors, processors and indexers, with a central database used for data analytics, reporting and visualization. This has led to a situation where SOC personnel focused on threat detection, incident response and forensic investigations depend on SIEM infrastructure teams who upgrade hardware, load-balance servers, add storage capacity, and so on.
The Shift from the On-Premises Servers to the Public Cloud
The next few years will witness the migration of the SIEM backend from on-premises servers to public cloud infrastructure. By the end of 2020, even organizations with strong on-premises biases in industries like military equipment manufacturing, financial services and government agencies will eschew on-premises SIEM in favour of cloud-based alternatives.
This is a slow move that has already started and will eventually accelerate because of changes on both the demand and supply side. CISOs will be looking for cloud-based SIEM solutions because:
• Capacity-based pricing of SIEM software forces unacceptable trade-offs, leading many organizations to ignore or purge valuable security data that they would otherwise collect and analyse. Another common cost-avoidance strategy is to supplement the SIEM with an open-source-based data lake for longer-term investigations. While this can reduce SIEM software costs, it may create interoperability and basic operational challenges as security staff pivot back and forth between the SIEM and the data lake while managing two sets of security technology infrastructure.
• Security data has been growing massively. According to ESG research, 28 percent of organizations collect, analyse and process substantially more security data than they did two years ago. This data includes network packet captures, cloud logs, cyber threat intelligence (CTI), business application logs and so on. Continuous growth in security data equates to more personnel, operational tasks and infrastructure capacity.
• Higher software costs, on top of infrastructure and staffing costs. Some SIEM vendors base their pricing on the amount of data under management, and CIOs complain that it is not unusual for them to blow through a three-year SIEM budget in a year.
• With an acute shortage of skilled personnel, CIOs and CISOs must ask themselves whether they really wish to hire and retain dedicated staff to tend to servers, storage devices and network calls.
The Role of the Vendors
Traditional SIEM vendors see a huge opportunity in pushing cloud-based SIEM.
SIEM leaders at IBM and Splunk are already seeing much faster growth rates for cloud-based deployments of their products, a trend that is set to continue.
New startups will be all about the cloud, embracing a cloud-based backend designed for processor-intensive machine learning algorithms at massive scale. Sensing opportunity, the cloud service providers are jumping in. Microsoft, Amazon and Google own globally distributed cloud infrastructure and are investing heavily in artificial intelligence and machine learning.
These changes make the cybersecurity analytics use case a perfect opportunity that aligns with their technology investments. These firms are already on this trajectory: Google/Alphabet announced its security analytics intentions with Chronicle. Amazon is not far behind, having acquired Sqrrl and hinted at a bigger security analytics/operations play at re:Invent. Microsoft remains quiet about its security analytics/operations plans, but some of its recent announcements suggest that it will join the fray in 2019. SIEM is the new-age solution for tomorrow, and with giants showing interest, this space has just got more exciting.