It’s the most wonderful time of the year. The trees on my street have almost completely shed their leaves. My neighbors are stringing multicolored lights on their houses. My local shopping mall has started to play various versions of “Jingle Bell Rock,” recorded by many of the stars of top 40 on radio from the past few decades. My friends are coming to me with malware-infected smartphones, eager for my wizardry. That’s right; Computer Security Day is upon us!
I plan on making a trip to my nearby gift shop, and while I'm certain I'll find an old-fashioned greeting card in which to enclose a voucher for antivirus software, acknowledging this special day also means appreciating how far cybersecurity has advanced in recent years. Security Information and Event Management is something that didn't exist until the 21st century; it has evolved steadily since, and it illustrates how far we have come.
Before there was SIEM, there was SEM
Anyone who has ever had an administrative role in a network knows that IDS and IPS generate a lot of logs and event information. Security-related logs are usually full of false-positive alerts, and security practitioners need to find the alerts they should actually pay attention to in order to prevent and respond to security problems. By the late 1990s, IDS and IPS output had become overwhelming for human beings. Security Event Management arose to tackle the problem. Necessity is the mother of invention, eh?
SEM handles events to provide real-time monitoring, console views, event correlation, and notifications. When properly configured and used, SEM gives administrators a central interface for all of the security events that the computers and network appliances in a network record. If event data is accidentally lost on the originating device after it has been sent to a SEM system, the SEM still retains its copy. Events can be sorted by significance according to configurable criteria. Another important benefit is that, with the help of a SEM's reporting tools and other features, SEM can help organizations comply with regulatory frameworks that may apply to their industry, such as HIPAA, GLBA, PCI-DSS, and Sarbanes-Oxley.
There's no "I" in SEM. If there were, it'd be SIEM
When SEM was invented in 1999, the technology had weaknesses, so Security Information Management (SIM) systems appeared on the market around the same time. One of the main weaknesses of processing security data only through log management and SEM is the lack of analysis. SIM was invented to fill that void.
SIM focuses on logs while SEM focuses on events. SIM can send logs to a console that generates charts, graphs, and reports, which help human beings make sense of network security trends. I don't know about you, but I totally geek out when I see graphs, so I really appreciate what a lot of SIM software can do. SIM can also store security-related information over long periods, which aids regulatory compliance and forensics when used the right way.
Some combinations are terrible. I believe putting shampoo and conditioner in the same bottle is as misguided as putting ketchup and mustard in the same bottle. But other combinations are fantastic, such as putting mint in chocolate and putting anime scenes in Japanese RPGs. Combining SEM and SIM falls into the latter group, and it makes perfect sense. When SEM and SIM combine their extraordinary powers, you get Security Information and Event Management.
Mike Rothman estimates that the first SIEM products emerged around 2001, which is a mere couple of years after SEM’s emergence. Mark Nicolett and Amrit T. Williams were the first to call it “SIEM”, back in 2005. As if the cybersecurity field needed more acronyms! But the thing the acronym represents is a lifesaver for anyone who has to manage the everyday cybersecurity in their network.
I can see why SIEM appeared so soon after SEM and SIM hit the market. Integrating these systems came with the promise of alerts, dashboards, consoles, correlation tools, log analysis, log retention, forensic analysis, and data aggregation all in one system. You get the best of how SEM processes events with how SIM can process logs. Anything that can be done to simplify a security practitioner’s work without compromising any necessary functions is a vital thing for a network to have. As time goes on, cyber threats will only become more complex.
SIEM in 2017 and beyond
About a decade ago, SIEM started to become commonplace in corporate networks, especially larger ones. That was a very positive thing to see, and it certainly reduced security practitioners' headaches while aiding compliance. But some of the earlier SIEM systems missed too many cyber-attacks because they were too complex and resource-intensive.
Many systems focused too much on IP addresses and too little on users. Remote and mobile users started to appear more often, and not all IP addresses are static, so an IP address alone is a poor stand-in for the person behind it.
Rule-based event correlation often results in hundreds of rules, which can be a challenge for administrators to maintain. Rule-based correlation can also generate many false positives of its own, which is precisely the problem SIEM is supposed to help manage.
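To make the two weaknesses above concrete, here is a toy rule-based correlator written for this post (it is not code from any SIEM product). It runs one "N failures followed by a success" rule over a constructed login sequence in which a remote user's IP address changes mid-stream; keyed on IP the rule misses the pattern, keyed on user it fires, and lowering the threshold shows how a badly tuned rule manufactures false positives. All event fields and values are constructed for the example.

```python
"""Toy rule-based event correlation (added example, not from any SIEM product)."""
from collections import defaultdict

# Constructed sample events: alice is a remote user whose source IP changes
# after two failed logins; bob simply mistypes his password once.
EVENTS = [
    {"ts": 100, "user": "alice", "src_ip": "203.0.113.5",  "outcome": "fail"},
    {"ts": 101, "user": "alice", "src_ip": "203.0.113.5",  "outcome": "fail"},
    {"ts": 102, "user": "alice", "src_ip": "198.51.100.9", "outcome": "fail"},
    {"ts": 103, "user": "alice", "src_ip": "198.51.100.9", "outcome": "fail"},
    {"ts": 104, "user": "alice", "src_ip": "198.51.100.9", "outcome": "success"},
    {"ts": 200, "user": "bob",   "src_ip": "192.0.2.7",    "outcome": "fail"},
    {"ts": 201, "user": "bob",   "src_ip": "192.0.2.7",    "outcome": "success"},
]


def correlate(events, key, threshold=3, window=60):
    """Alert when at least `threshold` failures for one value of `key`
    (e.g. "src_ip" or "user") occur within `window` seconds of a success.

    Returns a list of (key_value, failure_count, success_ts) tuples.
    """
    recent_fails = defaultdict(list)   # key value -> timestamps of failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        k = ev[key]
        # Forget failures that fell out of the sliding window.
        recent_fails[k] = [t for t in recent_fails[k] if ev["ts"] - t <= window]
        if ev["outcome"] == "fail":
            recent_fails[k].append(ev["ts"])
        elif len(recent_fails[k]) >= threshold:
            alerts.append((k, len(recent_fails[k]), ev["ts"]))
            recent_fails[k].clear()     # one alert per burst, not per event
    return alerts


if __name__ == "__main__":
    # IP-keyed rule: alice's failures are split 2 + 2 across addresses, no alert.
    print("by src_ip:", correlate(EVENTS, "src_ip"))
    # User-keyed rule: the same four failures are seen as one burst, alert.
    print("by user:  ", correlate(EVENTS, "user"))
    # Over-eager threshold: bob's single typo is now an alert too.
    print("threshold=1:", correlate(EVENTS, "user", threshold=1))
```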
Some of the newer SIEM systems to hit the market aren't purely SIEMs. Today's SIEMs are far more than SIM plus SEM: they incorporate other technologies, which are often pre-integrated. IDS, asset discovery and vulnerability management can be bundled with the SIEM to make it more than just a SIEM. Incident response can be orchestrated to save time for resource-strapped InfoSec departments. SIEM vendors are even acquiring or partnering with User Behavioral Analytics (UBA) vendors in order to create better security products and services.
Another problem with traditional SIEM systems is that they depend entirely on on-premises infrastructure, and they also rely on signatures, fixed perimeters and other criteria based on what is already known about cyber-attack indicators. Newer SIEM products can integrate with cloud-based security analytics to leverage machine learning and data science to find anomalies, trends, and abstract relationships. Some of the newer SIEMs are cloud-based and offered as Software as a Service (SaaS), which makes them accessible even to small security departments.
In 2017 and beyond, SIEM will retain its relevance and usefulness as it evolves to reflect how cybersecurity phenomena will change over time. It will morph to deal with changing business needs, such as the SaaS phenomenon.
So, let me bring out a four-pack of the finest energy drinks, and let's give a hearty toast to the glory of the evolution of SIEM! Or more importantly, to "new-wave" SIEM, which is far more than the SIEMs of olden times. On this Computer Security Day, let's celebrate one of the most important technologies in cybersecurity moving to the next level.