Cyber Defense eMagazine March Edition for 2022

A very small set of next-gen SIEM solutions are innovating through more unified security and risk
analytics capabilities that are crucial for success today. In this article, I’d like to explore why the future of
threat detection and response is stemming from these new advancements.
SIEM was initially designed primarily for log collection and storage for compliance, then evolved to include
the correlation of more log data sources for threat detection. Over time that functionality increased to
integrate log, network, and endpoint data into a single location and match it up with security events. This
helped analysts investigate commonalities or groups of related events. And as rules were developed
around these related events, the SIEM could help to detect known threats.
Then came the rise of the terms like Machine Learning and Artificial Intelligence (ML/AI) – offering the
promise of a silver bullet to solve threat detection and response. However, these terms were commonly
misused and in reality were just rule-based analytics engines that would conditionally gather more data
for greater context. However, as attackers stayed hidden inside the network longer, rule-based analytics
often failed to correlate seemingly disparate events across time and continued to focus on known attacks.
As a result, new, unknown, and emerging attacks and variants were easily able to avoid detection.
Furthermore, SIEM were also traditionally plagued by the lack of cloud-native offerings that were built to
handle both cloud and hybrid infrastructures equally.
Today, newer advancements in SIEM are focused in several areas designed to make it the primary
platform for the security operations center (SOC). This includes security monitoring, improved threat
detection, and playbooks to drive faster response. Many EDR, XDR and SIEM solutions that claim to use
ML/AI continue to use rule-based engines with finite models, patterns and signatures that are not updated
fast enough when new attacks are discovered.
However, there are next-gen SIEM solutions incorporating unified security and risk analytics that are
taking the extra step to deliver out-of-the-box advanced data modeling across cloud, user, network, asset,
endpoint, and log telemetry. The few that offer true ML/AI can automatically detect new, unknown, and
emerging attacks, including subtle variants. Along with an understanding of user access and entitlements,
behavioral modeling, and risk metrics, the end goal of next generation SIEM is to streamline every facet
of the SOC. This includes reducing noise and false positives, prioritizing which IoCs need to be
investigated, consolidating data for easier investigations, and providing a high confidence, low-risk
automated response to prevent a successful attack.
What does that mean? Let’s look at the key elements of unified security and risk analytics in a nextgeneration
SIEM.
• Unified Correlation, Continuous Risk Profiling and Behavioral Anomaly Detection – A Nextgeneration
SIEM must unify data collection across the entire infrastructure, on-prem, cloud and
remote, by gathering endpoint, log, user, access, entity/asset, network, and other data to provide
greater context. With risk profiling applied to abnormal behaviors, a behavior-based risk can be
calculated to elevate which events are truly relevant for investigation, or can even be used to
determine an immediate threat with conviction. This shrinks the noise created by false positives
and provides more context to enable a much more targeted response, ideally before an attack
campaign starts to establish itself.
Cyber Defense eMagazine – March 2022 Edition 57
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.