
Optimizing investment in SIEM solutions for next generation defense

DQI Bureau

SIEM capability is increasingly becoming an integral component of an enterprise security strategy. Existing SIEM capabilities include real-time monitoring, data and user monitoring, application monitoring, threat intelligence, behaviour profiling for a specific set of conditions, log management and reporting. SIEM has significantly improved the maturity of security operations, because it gives the security team confidence that discrepancies which could lead to security issues will be detected. SIEM solutions have been able to keep pace with the scale and complexity of enterprise environments while providing this capability.


The evolution of the security threat landscape has brought attacks of a different character, in which intrusions are followed by cover-ups for stealthy operation, making identification of the attack difficult. In such a scenario the existing capabilities of a SIEM solution may not be adequate. Advanced threats are launched with a specific objective; they are primarily slow in operation and their activities are very low profile.

They often involve a human in the operation. SIEM solutions typically try to correlate instances to identify patterns in real or near real time. They have to deal with a huge set of contextual data, which generates noise if not properly handled. The slow operations of these threats in many instances escape detection. Low-profile operations may not generate enough signals to be detected and correlated with other instances. The instances that could lead to a security issue are so discrete, isolated and low profile that the rule set typically configured in a SIEM implementation fails to comprehend them.

Additionally, attacks are continually varying, changing their nature during the course of the attack. The rule sets currently in practice may not scale beyond a point.

What SIEM solutions need is contextual intelligence: working on environmental data and traversing all possible dimensions of complexity. It has to deal with a complex set of historical data and correlate it with the current context. It has to deal with various sources of information, structured and unstructured, and in large sets. All devices, applications and solutions now come with policy-governed techniques; they are becoming more aware of the context and content they operate on, generating terabytes of information useful for security. SIEM solutions may not be effective unless they learn to deal with this information. They have to be transformed to deliver intelligence-driven security. Technology evolutions such as Big Data are paving the way for building security analytics. The next generation of defence will be critically dependent on these components.
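To make concrete the two points above, that a short-window correlation rule lets low-and-slow activity escape and that correlating historical data with the current context closes the gap, here is an added illustration that is not part of the article and not the code of any SIEM product. It runs two detection rules over a small constructed authentication log: a classic burst-threshold rule, and a contextual rule that keeps a seven-day history per source and adds a second dimension (how many distinct accounts the failures target). The event format, the thresholds and the sample IP addresses and user names are all assumptions made for the example.

```python
"""Burst rule versus contextual rule over a constructed authentication log."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 1, 0, 0, 0)  # constructed start of the log


def make_events():
    """Return a constructed log of (timestamp, source_ip, user, success) tuples.

    Three actors are mixed together (all values are made up for this example):
    1. 10.0.0.4: an employee who mistypes her own password once a day, then logs in.
    2. 203.0.113.5: a noisy burst of 20 failures in five minutes against one account.
    3. 198.51.100.9: a low-and-slow pattern, one failure every six hours, each
       against a different account, spread over almost a week.
    """
    events = []
    for day in range(7):
        events.append((BASE + timedelta(days=day, hours=9), "10.0.0.4", "alice", False))
        events.append((BASE + timedelta(days=day, hours=9, minutes=1), "10.0.0.4", "alice", True))
    for i in range(20):
        events.append((BASE + timedelta(days=6, hours=3, seconds=15 * i), "203.0.113.5", "admin", False))
    for i in range(28):
        events.append((BASE + timedelta(hours=6 * i), "198.51.100.9", f"user{i:02d}", False))
    events.sort(key=lambda e: e[0])  # both rules assume time-ordered input
    return events


def burst_rule(events, threshold=10, window=timedelta(minutes=10)):
    """Classic real-time rule: flag a source with >= threshold failures in a sliding window.

    Only failures are kept; the deque holds the timestamps still inside the window.
    """
    flagged = set()
    recent = defaultdict(deque)
    for ts, src, _user, ok in events:
        if ok:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


def contextual_rule(events, history=timedelta(days=7), min_failures=5, min_distinct_users=5):
    """Contextual rule: a long history window plus a second dimension (distinct targets).

    A source is flagged only when, within the history window, it has accumulated
    at least min_failures failures spread across at least min_distinct_users
    accounts. A single user repeatedly failing on her own account never qualifies,
    which keeps the benign daily typo out of the alert stream.
    """
    flagged = set()
    recent = defaultdict(deque)  # per source: (timestamp, user) of failures in window
    for ts, src, user, ok in events:
        if ok:
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > history:
            q.popleft()
        distinct_users = {u for _, u in q}
        if len(q) >= min_failures and len(distinct_users) >= min_distinct_users:
            flagged.add(src)
    return flagged


def detect(events):
    """Run both rules and report which sources each one flags."""
    return {"burst": burst_rule(events), "contextual": contextual_rule(events)}


if __name__ == "__main__":
    for rule, sources in detect(make_events()).items():
        print(f"{rule:<11} -> {sorted(sources) or 'nothing flagged'}")
```

Run as-is, the burst rule flags only the noisy source, the contextual rule flags only the low-and-slow source, and the employee's daily typo is flagged by neither. The point is not the particular thresholds but the shape of the second rule: it carries state across days rather than minutes and correlates along an additional dimension of the data, which is exactly what the short-window rule cannot do no matter how its threshold is tuned.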
