Legacy SIEM today is far less useful than it was a decade ago. But that says more about the changing attack landscape than anything about the SIEM software itself. Also, despite vendor marketing claims, SIEM—even 10 years ago—was never designed to be a standalone system.
SIEM software has always needed to integrate with analytics—that currently means machine learning (ML) working with user and entity behavior analytics (UEBA)—along with data from everywhere in the enterprise. That brings us to legacy SIEM problem two: A lot of today’s most critical enterprise data (financial apps, ERP, vertical-specific data sources such as electronic health records for healthcare, etc.) can’t work with legacy SIEMs because legacy SIEM was never designed to handle such data.
SIEM also needs standard SSH and SSL termination so it can inspect traffic, most of which is now encrypted. And ideally, the software needs the ability to properly recognize and interpret both structured and unstructured data. Can enterprise legacy SIEM communicate in standard protocols with other security program components?
Is There a Better Way Today To Leverage SIEM?
Then there is the question of whether Security and IT are using legacy SIEM properly today. Given the speed and massive volume of attacks, coupled with incidents that initially look like attacks, the typical legacy SIEM can’t respond and analyze data quickly enough to help SOC security analysts fight off an active attack. That said, it performs much better in post-attack analysis to complement what forensic teams learn. Until the legacy SIEM can be replaced, use it where it can still do the most good.
Another good stopgap measure is to completely re-evaluate all triggers—especially how they’re weighted. For example, much has changed since the onset of COVID-19. It was popular pre-pandemic for SIEMs to treat any remote access attempts as highly suspicious. SIEMs today need to sharply de-weight remote access to minimize remote-related false positives.
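To make the re-weighting idea concrete, here is an added example (not code from the article or from any SIEM product) of a small weighted-trigger scorer run over constructed login events. The signal names, weights and threshold are assumptions chosen for the illustration; the point is that de-weighting "remote access" drops the events that are only remote, while events that combine a new device, off-hours activity and repeated failures still cross the threshold.

```python
"""Weighted SIEM triggers: pre-pandemic weights vs. re-tuned weights.

Added illustration; events, signal names and weights are constructed,
not taken from any real SIEM rule set.
"""
from typing import Dict, List

# Constructed events: signals a rule engine would already have extracted.
EVENTS: List[Dict] = [
    {"id": 1, "user": "alice", "remote": True,  "new_device": False, "off_hours": False, "failed_logins": 0},
    {"id": 2, "user": "bob",   "remote": True,  "new_device": False, "off_hours": True,  "failed_logins": 1},
    {"id": 3, "user": "carol", "remote": True,  "new_device": True,  "off_hours": True,  "failed_logins": 9},
    {"id": 4, "user": "dave",  "remote": False, "new_device": True,  "off_hours": True,  "failed_logins": 12},
    {"id": 5, "user": "erin",  "remote": True,  "new_device": False, "off_hours": False, "failed_logins": 0},
]

# Pre-pandemic weighting: any remote access alone reaches the alert threshold.
LEGACY_WEIGHTS = {"remote": 70, "new_device": 25, "off_hours": 15, "failed_login": 3}
# Re-tuned weighting: remote access is sharply de-weighted; other signals carry the score.
RETUNED_WEIGHTS = {"remote": 5, "new_device": 30, "off_hours": 15, "failed_login": 4}
THRESHOLD = 70  # score at or above this is escalated to a human analyst


def score(event: Dict, weights: Dict[str, int]) -> int:
    """Sum the weighted signals; failed logins are capped at 10 so one noisy account cannot dominate."""
    total = 0
    if event["remote"]:
        total += weights["remote"]
    if event["new_device"]:
        total += weights["new_device"]
    if event["off_hours"]:
        total += weights["off_hours"]
    total += weights["failed_login"] * min(event["failed_logins"], 10)
    return total


def alerts(events: List[Dict], weights: Dict[str, int], threshold: int = THRESHOLD) -> List[int]:
    """Return the ids of events that would be escalated for human investigation."""
    return [e["id"] for e in events if score(e, weights) >= threshold]


if __name__ == "__main__":
    print("legacy  :", alerts(EVENTS, LEGACY_WEIGHTS))   # every remote login alerts
    print("re-tuned:", alerts(EVENTS, RETUNED_WEIGHTS))  # only the combined-signal events alert
```

With the legacy weights all five events alert; with the re-tuned weights only events 3 and 4 do, which is the false-positive reduction the paragraph describes.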
No CISO would dispute that a legacy SIEM is only as good as its customization. That leads us to two more distinct legacy SIEM hurdles:
- Does the enterprise have the budget to dedicate sufficient security talent to properly deploy, tune and extend the legacy SIEM? This includes someone dedicated to constantly tweaking the software, training it, teaching it, and feeding it.
- Does that legacy SIEM even permit extensive customization to the level that’s needed today? Does its use of proprietary code make the integration of ML analysis difficult if not impossible? Vendor lock-in doesn’t only impact pricing.
Of all these issues, arguably the most problematic is that standalone legacy SIEM hasn’t moved beyond its log-aggregation/infrastructure log roots. It never included core business applications, which is where the bulk of an enterprise’s most sensitive data exists today. That worked well a decade ago, but it doesn’t come close to meeting the needs of today’s enterprise.
Security needs to protect the integrity of all data—also known as the business’s intellectual property. That means protection from outside attackers, internal threats, accidental data leaks and non-compliant actions, as well as a wide range of other issues. Without the SIEM software having deep access to all important enterprise data, its ability to do its job is highly limited. Is legacy SIEM in 2021 worthless? Not yet, but it’s getting close.
Attack Speed and Volume Are Far Beyond What Legacy SIEM Was Designed For
The ferocity of attacks—both in terms of speed and aggressiveness—has intensified sharply over the last few years, a trend potentially exaggerated by the different definitions enterprises give to incidents. A couple of years ago, $150-billion AmerisourceBergen reported more than one billion events a week, a number that has climbed sharply since. With ML fully activated, the company was able to bring that number down to 1,000 events meriting human investigation.
At the same time, Visa reported a far more staggering 115 million events per second. It’s important to note that where AmerisourceBergen considers an event to be any anomalous, suspicious incident—or at least one where the SIEM software noted some aberrant pattern—Visa considers every transaction an event. That said, regardless of the definition, the SIEM tool must keep up, and few if any legacy SIEMs today can. MTTD (mean time to detect or discover) is crucial.
The COVID-forced change in enterprise environments in 2020 not only pushed users overwhelmingly into the land of remote, but also wildly accelerated the already rapid move to cloud data—both authorized and shadow IT. Some have opted for cloud-based SIEM that leverages infrastructure as a service. This shift in environment has changed the nature of on-prem into something barely resembling its 2019 definition. In this reality, it’s critical to maintain strict control over SIEM operations and data, and that means keeping the SIEM’s universe local.
Does that mean it has to conform to the old on-prem definition of enterprise-salaried employees working on servers owned by the enterprise and doing that work in company-owned or company-leased buildings? Not necessarily. But it does mean that Security needs to have visibility into all SIEM activity, going to and from the system and especially inside the system.
An Entirely New SIEM Is Needed
The more enterprises offload to the cloud, the more they tend to offload everything, including security awareness, especially in a SaaS (software-as-a-service) environment. CISOs today need to have full visibility and control over all cloud infrastructure. That involves either a private cloud or negotiating a very friendly agreement with the cloud vendor. The biggest advantage a CISO can have is full control of all data and, critically, all traffic. IoT devices with independent communication abilities, for example, barely registered when most legacy SIEMs were designed.
As another temporary measure, there are some excellent open-source options to supplement a legacy SIEM, assuming the enterprise’s legacy SIEM will permit it. And if it can run in that enterprise’s data lake, all the better.
What the industry needs is an entirely new SIEM, one designed to handle all data and to support Security, Compliance, IT and Risk, to handle the environment we all actually work in today. It needs to be priced in a manner that makes sense for current enterprises. Today’s legacy SIEMs were created when businesses faced a threat environment orders of magnitude less complex and dangerous than today’s ecosystem.
Interested in what a 2021 SIEM would look like? Here’s a peek at what we have crafted.