The technological environment in which the elements that feed the SIEM are implemented has changed enormously, and three factors dominate that change: volume, variety and speed. In other words, the volume of information we have to handle, the diversity of attacks that security teams have to deal with, and the speed with which they have to respond to those attacks.
Certainly, over time these elements have evolved and will continue to evolve according to their technological environment. Today's SIEMs handle and manage increasing volumes of information, with the ability to perform more efficient analysis and the possibility of applying different mathematical formulas to create projections. This has led to the integration of machine learning processes and integration with more accessible file formats in order to connect with other technologies.
More IoT elements will be included that will need to be monitored and will become part of the visibility strategy of organizations. The SIEM should help to organize information so that the technological inventory stays up to date and the assets, users and the actions surrounding them are visible. SIEMs should maintain their relevance by adapting to the technological diversity of organizations, not the other way around.
What must a SIEM have in order to remain relevant?
Below are some fundamental points a SIEM needs in order to remain relevant in the market:
- Updating: the SIEM must be able to communicate with existing legacy technologies, those that have arrived in recent years and those that will be launched in the coming years.
- Data analysis: the data obtained must be processed to turn it into relevant information that can serve as an intelligence factor and improve the decision-making process. A data point by itself means nothing; we must give it context with a transforming objective. Decisions based on intelligence achieve clear and efficient objectives.
- Anticipation: if we want to achieve efficient detection of attacks on the technological infrastructure of organizations, it is necessary to make quick decisions based on intelligence. That is where SIEM must be and where it will continue to work.
- Monitoring: malicious actors are testing their attacks, and monitoring must be present to identify and alert about these attacks. For example: the endpoint was compromised and the EDR identifies it; a network element was compromised and the NDR notifies; and finally, applications are infected and the XDR takes action.
The SIEM is the one that must be constantly in touch with all the technologies in order to have the necessary contexts and make the best decisions.
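The points above describe the SIEM's job in the abstract: ingest what heterogeneous tools emit, give each record context from the asset inventory, and correlate EDR, NDR and application signals on the same host into a decision. The following Python sketch is an added example written for this page, not code from A3Sec or from any SIEM product; the three feeds (JSON lines, key=value and CSV), the asset inventory, the host names and the 15-minute correlation window are all constructed values chosen to illustrate the pipeline.

```python
import csv
import io
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed asset inventory (hypothetical hosts): the context that turns a
# bare IP address in a log line into something a decision can be based on.
ASSETS: Dict[str, dict] = {
    "10.0.1.15": {"hostname": "fin-ws-07", "owner": "finance", "criticality": "high"},
    "10.0.2.40": {"hostname": "dev-vm-12", "owner": "engineering", "criticality": "low"},
}

# Constructed sample feeds, each in a different format, as three tools might emit them.
EDR_JSON_LINES = """\
{"time": "2024-03-01T10:02:11Z", "ip": "10.0.1.15", "alert": "credential_dumping"}
{"time": "2024-03-01T10:20:05Z", "ip": "10.0.2.40", "alert": "suspicious_script"}
"""
NDR_KV_LINES = """\
ts=2024-03-01T10:06:40Z src=10.0.1.15 dst=203.0.113.9 sig=beaconing
ts=2024-03-01T11:15:00Z src=10.0.2.40 dst=198.51.100.3 sig=dns_tunneling
"""
APP_CSV = """\
time,client_ip,event
2024-03-01T10:03:30Z,10.0.1.15,admin_login_failure
"""


@dataclass
class Event:
    """Common schema every source is normalized into before correlation."""
    ts: datetime
    source: str      # "edr", "ndr" or "app"
    host_ip: str
    signal: str
    hostname: str = "unknown"
    owner: str = "unknown"
    criticality: str = "unknown"


def _parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_feeds(edr_json: str, ndr_kv: str, app_csv: str) -> List[Event]:
    """Normalize three differently formatted feeds into one time-ordered list."""
    events: List[Event] = []
    for line in edr_json.splitlines():
        if line.strip():
            rec = json.loads(line)
            events.append(Event(_parse_ts(rec["time"]), "edr", rec["ip"], rec["alert"]))
    for line in ndr_kv.splitlines():
        if line.strip():
            kv = dict(part.split("=", 1) for part in line.split())
            events.append(Event(_parse_ts(kv["ts"]), "ndr", kv["src"], kv["sig"]))
    for row in csv.DictReader(io.StringIO(app_csv)):
        events.append(Event(_parse_ts(row["time"]), "app", row["client_ip"], row["event"]))
    return sorted(events, key=lambda e: e.ts)


def enrich(events: List[Event], assets: Dict[str, dict]) -> List[Event]:
    """Attach inventory context (hostname, owner, criticality) to each event."""
    for e in events:
        info = assets.get(e.host_ip)
        if info:
            e.hostname, e.owner, e.criticality = info["hostname"], info["owner"], info["criticality"]
    return events


def correlate(events: List[Event], window: timedelta = timedelta(minutes=15),
              min_sources: int = 2) -> List[dict]:
    """Raise one incident per host when at least `min_sources` distinct tools
    report on that host within `window` of each other."""
    by_host: Dict[str, List[Event]] = {}
    for e in events:
        by_host.setdefault(e.host_ip, []).append(e)
    incidents = []
    for evs in by_host.values():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            cluster = [x for x in evs[i:] if x.ts - first.ts <= window]
            sources = {x.source for x in cluster}
            if len(sources) >= min_sources:
                incidents.append({
                    "host": first.hostname,
                    "owner": first.owner,
                    # Asset criticality, not the raw alert, drives the severity.
                    "severity": "critical" if first.criticality == "high" else "medium",
                    "sources": sorted(sources),
                    "signals": [x.signal for x in cluster],
                })
                break
    return incidents


def run_pipeline() -> List[dict]:
    events = enrich(parse_feeds(EDR_JSON_LINES, NDR_KV_LINES, APP_CSV), ASSETS)
    return correlate(events)


if __name__ == "__main__":
    for incident in run_pipeline():
        print(incident)
```

Running it yields a single critical incident for fin-ws-07, where EDR, the application log and NDR all report within a few minutes. dev-vm-12 also has an EDR and an NDR signal, but they are 55 minutes apart, so the window rule leaves them as two isolated alerts; tightening or loosening that window, and weighting by asset criticality, is exactly the tuning work a SIEM team does once the data has context.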
A look into the future
The future of SIEM lies in the ability of organizations to better structure their information. With the advent of digital transformation, hybrid infrastructures (cloud and on-site) are coming, and the SIEM must be prepared for upgrades and new tools.
It is projected that the SIEM will be multilingual, with a user-friendly interface, easier to use, and with a more robust automation tool.
A3Sec has conducted several analyses of SIEM based on Gartner's research. We identified the elements Gartner values most: the service or deployment model, integration with multiple platforms, threat intelligence (both in-house and the ability to integrate external feeds), support for compliance, and improvements in the interpretation of information.
A SIEM must integrate all these concepts and adapt to trends such as mapping threats to the MITRE ATT&CK matrix and deployment models such as cloud, on-premise and hybrid.
The future of the tool will be based on Big Data support, horizontal growth (IaaS-SaaS) and two-way interaction, both receiving and sending information. It is expected that correlation logic will converge on a homogeneous model, so that correlations can be defined once and translated to whichever SIEM has been deployed.
The market is asking for better representations of information, visualizations that contribute to companies' KPIs, that help to understand what is happening and to answer questions about the state of organizations' cybersecurity.
In 2017, I was reading a blog by Dr. Chuvakin where he joked about whether SIEM was dead, and the answer was "No!". SIEM is not dead, but should become increasingly relevant. It has been and will continue to be a core technology for organizations' cybersecurity strategy, although it may require some time to show its value, but that's where organizations like ours, with extensive experience in SIEM management, deployment and maturity, can bring a great value edge.