Security incident and event management (SIEM) software is developing in exciting ways. Here we will talk about some of the most promising technologies available today with the ability to better detect cyberincidents and avoid costly consequences. Positive Technologies experts have identified five key trends, with an assessment of current market penetration and quality of implementation for each.
1. Deepening of expertise
Positive Technologies experts named deepening of expertise in system management as a technology trend driving development of SIEM systems. For the last 15 years, SIEM has been regarded as a way to collect logs from systems and correlation tools, with analysis limited to mapping correlation rules based on the MITRE ATT&CK matrix 1. However, this is not enough to take event monitoring to the next level. What is needed are normalization rules, methods for configuring event sources, packages with threat detection rules, instructions on how to activate sources, descriptions of detection rules, and guidance on what to do if a rule has been triggered.
Market penetration: 50–60%. Quality of implementation: average (3 points). 2
2. Automation of incident response
A survey conducted by Positive Technologies showed that 25% of security experts spend 2 to 4 hours each day working with SIEM. According to respondents, the most time-intensive tasks include dealing with false positives (adjusting correlation rules) and analyzing incidents. These two tasks were mentioned by 58 and 52% of respondents, respectively. Configuring data sources and verifying that they work is a substantial time burden for 30% of security experts. This trend nudges SIEM in the direction of security orchestration and automated response (SOAR) products.
Market penetration: 60–70%. Quality of implementation: average (3 points).
3. Convergence of traffic analysis (NTA), logs (SIEM), and endpoint detection and response (EDR)
Truly comprehensive monitoring requires both deep network analysis and EDR. In the next three years, traffic analysis will be regarded as a must-have capability of SIEM systems, and EDR will be viewed as a complementary function.
Market penetration: 60–70%. Quality of implementation: fair (2 points).
4. Behavioral analysis of users and entities (processes, network hosts, network activity)
The need to have a full picture of infrastructure on a single screen will inspire developers to enrich conventional SIEM capabilities with user and entity behavioral analytics (UEBA), in which an "entity" can be a process, network host, or network activity. The main difference between SIEM and UEBA is that SIEM is a constructor for collecting logs, whereas UEBA creates behavioral models. Algorithms for finding and processing anomalies can include statistical analysis, machine learning, and deep learning. These methods suggest which users and entities on the network are behaving unusually and why that behavior is unusual for them.
Market penetration: 70–80%. Quality of implementation: good (4 points).
5. Clouds
According to research conducted by Enterprise Strategy Group on behalf of Dell Technologies and Intel, in 2019 approximately two thirds (64%) of enterprises planned to increase spending on public cloud platforms compared to the previous year. On the one hand, this approach forces vendors to add popular cloud services (AWS, Google Cloud Platform, and Microsoft Azure) to the list of SIEM-supported sources by means of cloud connectors. At the same time, vendors may also learn to offer SIEM solutions as a service by adding cloud-specific SIEM deployment, configuration, and orchestration tools (virtual and cloud appliances 3).
Market penetration: 60–70%. Quality of implementation: average (3 points).
"Some of these trends are already visible, and the others will come to the fore in one to three years. These technologies will help to accomplish two main things: improve the results delivered by SIEM systems and decrease the amount of manual work involved with monitoring and incident response," says Alexey Andreev, Managing Director of Research and Development at Positive Technologies.
As rated by Positive Technologies experts
As rated by Positive Technologies experts. Implementation quality is rated on a scale from 1 ("poor") to 5 ("excellent").
- A publicly accessible knowledge base developed and supported by MITRE based on analysis of real APT attacks. MITRE ATT&CK contains a well-structured list of tactics, techniques, and procedures used by attackers. Constantly updated and expanded, this knowledge base provides common terminology to facilitate communication between security experts across the world.
- Implementation quality is rated by Positive Technologies experts on a scale from 1 ("poor") to 5 ("excellent").
- A virtual appliance is a ready-made virtual machine image intended for use in a virtualization environment (on a cloud platform).
