Is SIEM Losing Steam?


Just a year ago, the outlook was very optimistic, with 11% growth during 2014 and predictions of 12.4% growth in 2015, according to the 2015 Gartner Magic Quadrant for Security Information and Event Management (SIEM). However, things have changed. The recently published 2016 Gartner Magic Quadrant for SIEM estimates actual recent growth to be only 3.5%, from $1.67 billion in 2014 to $1.73 billion in 2015.

SIEM looked promising back in the day, but it simply didn’t prove to be effective when it came to real cyber threats. Complex IT infrastructures and hundreds of users generate huge volumes of log data. SIEM aggregates these logs, but is unable to provide actionable information, such as simple and understandable reports and contextual information, to enable organisations to identify links in the kill chain. This leads to critical visibility gaps. The Netwrix 2016 SIEM Efficiency Survey Report reveals that 81% of SIEM users complain about too much noise in SIEM reports; 68% state that the reports are incomplete; and 63% of respondents say the reports are hard to understand.

Often, it goes like this: The SIEM issues numerous alerts, which gives you the illusion that your data is secure. But then you get a call from law enforcement or another third party, and you discover that you were spending hours and hours investigating false alarms while the real threats went unnoticed, and now you have been breached.

According to Verizon’s 2016 Data Breach Investigations Report, most breaches take several days to complete. Therefore, the key factor in minimising or preventing damage is smart security analytics that enable IT staff to focus on the real threats. But the effort required to make sense out of SIEM data and alerts can exhaust any IT professional.

Respondents in the Netwrix survey complained that they repeatedly had issues with finding necessary audit data (65%) and that they had to adapt SIEM reports for their non-technical colleagues (57%). Given the fact that IT departments are flooded with false positive alerts and have to dig through numerous logs, it is no surprise that only about 10% of all breaches get discovered internally, as noted in the Verizon report. All the rest are reported by customers, law enforcement or auditors.

In short, SIEM simply doesn’t meet today’s cyber security challenges. SIEM solutions also do not scale easily, and they require extensive tuning and management efforts. More and more organisations are realising that the results do not justify the investment. So what’s the future of cyber security?

When planning your investments in cyber security, it’s critical to find technology that can deliver real value now — and also as both your IT environment and the cyber threat landscape rapidly evolve. Look for a cyber security solution with the following functionality:

  • Built-in advanced analytics that can spot a variety of sophisticated attacks in the early stages, including those disguised as authorised user activity.
  • Actionable intelligence that simplifies the decision-making process and enables you to leverage your analytics data to improve security policy.
  • Support for APIs, IaaS and SaaS in order to extend visibility into user behaviour to all IT systems across your hybrid cloud IT environment.
  • A single point of access for the data that enables discovery of dependencies among events taking place in various parts of the IT infrastructure.

You can get all these features with User and Entity Behaviour Analytics (UEBA). UEBA has emerged only recently, but it has already shown much better results than SIEM in detecting threats and providing refined insight, according to Gartner customers.

Unlike SIEM, UEBA solutions analyse entity, user and privileged user behaviour to proactively spot anomalous activity. This enables UEBA to address one of the most challenging security issues: identifying malware, compromised accounts, malicious insiders and other threats that are disguised as authorised activity. In addition, advanced UEBA has a critical capability for defending against rapidly evolving cyber threats: instead of relying only on predefined rules, UEBA can learn, which gives it the flexibility to respond to the ever-changing threat landscape. Together, these two capabilities address every stage of the kill chain, enabling early detection of security incidents.
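To make the contrast concrete, here is an added example (not from the article or any Netwrix product) that runs a static, SIEM-style "off-hours logon" rule and a learned per-user baseline over a constructed set of logon events; user names, host names and hours are invented sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training window of (user, host, hour_of_day) logon events.
# alice is a night-shift operator; bob works office hours from one workstation.
TRAINING = [
    ("alice", "ops-jump", 1), ("alice", "ops-jump", 2), ("alice", "ops-jump", 3),
    ("alice", "ops-jump", 2), ("alice", "ops-jump", 1),
    ("bob", "hr-ws01", 9), ("bob", "hr-ws01", 10), ("bob", "hr-ws01", 14),
    ("bob", "hr-ws01", 16), ("bob", "hr-ws01", 11),
]

BUSINESS_HOURS = range(8, 19)


def static_rule(event):
    """Predefined SIEM-style rule: any logon outside business hours is an alert."""
    _, _, hour = event
    return hour not in BUSINESS_HOURS


def build_baseline(events):
    """Learn a per-user profile: hosts seen plus mean and spread of logon hour."""
    hours, hosts = defaultdict(list), defaultdict(set)
    for user, host, hour in events:
        hours[user].append(hour)
        hosts[user].add(host)
    return {u: {"hosts": hosts[u], "mean": mean(hours[u]), "sd": pstdev(hours[u])}
            for u in hours}


def behavioural_rule(event, baseline, z=2.0, min_sd=1.0):
    """Alert only when the event deviates from that user's own learned norm."""
    user, host, hour = event
    profile = baseline.get(user)
    if profile is None:
        return "unknown user"
    if host not in profile["hosts"]:
        return "new host"
    sd = max(profile["sd"], min_sd)  # floor so a very regular user keeps some tolerance
    if abs(hour - profile["mean"]) / sd > z:
        return "unusual hour"
    return None


def triage(events, baseline):
    """Return (event, static_alert, behavioural_reason) for each new event."""
    return [(e, static_rule(e), behavioural_rule(e, baseline)) for e in events]
```

Feeding the baseline alice's routine 02:00 logon and bob's daytime logon from a host he has never used shows the noise pattern the article describes: the static rule fires on alice (a false alarm) and stays silent on bob, while the behavioural check does the reverse.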

The best part is, if you already have a SIEM in place, there’s no need to rip and replace. Rather, you can integrate UEBA technology with your SIEM and get the best of both worlds: full system coverage and actionable intelligence. Although some SIEM vendors are looking to acquire UEBA solutions and integrate the functionality into their products, it’s not clear how well they will support and extend the UEBA technology to combat future threats.

In summary, it’s a good idea to supplement your SIEM with a best-in-class UEBA solution from a vendor focused exclusively on providing deep visibility into user behaviour and the governance needed to reduce your attack surface. With that integration, you can protect your organisation against today’s and tomorrow’s cyber threats while maximising the value of your SIEM investment.

Michael Fimin

Michael Fimin, an expert in information security, is CEO and co-founder of Netwrix, the first company to introduce a visibility and governance platform that supports hybrid cloud IT environments.

  • Michael – great overview of the space. Certainly, in order to adapt to stealthy attacker behavior, SIEMs are scrambling to buy/build UBA technology in their offering. However, choose wisely — Gartner reports in their UEBA guide (that covers 29 vendors), “By 2020, less than five stand-alone UEBA solutions will remain in the market…”

    Until UBA solutions also provide a comfortable log search & data visualization experience, SIEM capabilities are still a necessity. I wrote about this in a more sweaty light here: https://community.rapid7.com/community/infosec/blog/2016/12/19/siem-isn-t-dead-it-s-just-shedding-some-extra-pounds