Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an Advisor and Analyst with KuppingerCole Analysts. My guest today is Warwick Ashford. He's a Senior Analyst with KuppingerCole. Hi Warwick.
Hi, Matthias.
Great to have you. And we want to talk about a topic that is one of the basic infrastructures when it comes to cybersecurity. We want to talk about SIEM, an acronym for Security Information and Event Management. And that has been around for quite a while. You just finished some work on that topic and you realized that things have changed. So it's not your traditional SIEM anymore. So there has been an evolution of SIEM systems. When we look at what has happened in technology and cybersecurity, how is that reflected in SIEM systems? How have they evolved? What has happened to these once so brave collecting systems that just collected data?
Oh, yes, as you say, Matthias, they've had a bit of a checkered history, but let's look at the technology for a start. Since SIEM solutions were first introduced about 20 years ago, data analytics has matured, big data has come along and also matured. And then in more recent times, of course, we've got machine learning and other kinds of AI. And then all kinds of innovation has been enabled by cloud-based services. Then in the cybersecurity realm, we've seen advances in threat intelligence and threat hunting. And we've seen the emergence of advanced security orchestration, automation and response capabilities also. But of course in the cyber threats arena, there's just more of them. I mean, we've seen in recent years the industrialization of cyber crime, and they're also turning to things like automation. They're also using AI. So there is an increase in data breach threats driven by things like state-sponsored cyber attacks. And there's an increase in things like cyber espionage, targeting personal information, credentials, and of course, intellectual property, IP. Then you mentioned the IT infrastructure. We've seen a rapidly expanding attack surface. So again, since SIEM was first introduced, we've now become increasingly mobile. Organizations are using multi-clouds. And of course, since the COVID-19 epidemic, we've seen more people working from everywhere, not just from home. And so as a result, SIEM solutions, as you say, have evolved into what I think is a new generation of SIEM solutions, which we are calling intelligent SIEM platforms or iSIEMs, because these solutions are incorporating several of these new technologies and cybersecurity capabilities to improve the speed and efficiency of analysts and to support and improve security operations.
If I was an early adopter of SIEM systems and I have a traditional SIEM system well implemented, well working and well understood in my organization, that sounds like I'm a bit in trouble when it comes to leveraging these new capabilities. So what are the limitations of traditional SIEM systems when it comes to today's challenges, when it comes to, as you've mentioned, multi-clouds, when it comes to scalability or data management?
Well, as I say, SIEMs have got a bit of a checkered history and I think, you know, they've gone up and down in popularity, but for what we call traditional SIEMs, the number one challenge is that they're expensive to run because they are labor and skills intensive. So most organizations don't have the people or skills required to get any useful value out of them because typically they generate a high number of false positives. Legacy SIEM tools also generally don't, as you mentioned now, scale easily or economically. It's expensive to scale them. And they can't deal with the volumes of logs and security alerts that are now being generated in modern enterprises, particularly across an expanding attack surface. And they could potentially be missing threats, so they're not as effective as they might once have been. They also can't easily manage and store large volumes of security data. You'll see in the more recent iterations that storage is one area where there's been a lot of improvement. Traditional SIEMs also cannot prioritize alerts for investigation. They can just generate these alerts. And I think a lot of organizations have just battled to deal with that volume. And there are often challenges with integration with other security systems. They lack automation capabilities and two-way integration with security tools. So they can't support forensic investigations as organizations might want them to. So I think those are the main challenges associated with traditional SIEMs.
It cannot be an episode of a podcast without mentioning A, digital transformation and B, COVID-19. But nevertheless, you've mentioned that already, at least the COVID part of it. How did that influence the changes or the changing requirements that SIEMs are now facing? How did that accelerate the challenges that there are and maybe reduce the effectiveness of these traditional SIEM systems?
Well, as I've already mentioned, I think the biggest impact on the effectiveness of SIEM systems was the rapid expansion of the attack surface. This has led to increased security risks. So instead of just having the contained enterprise, now people were working from home. So that increased the attack surface. But this has helped to drive the evolution of SIEM solutions. So as a result, SIEM solutions provide, I think, more automation, there's more correlation, there's more proactive threat detection, there's more effective prioritization, and there's more integration with other cybersecurity tools.
And if we look at these more intelligent SIEM systems right now, you've mentioned already some of the key capabilities that are behind that. And that also reflects the changing role of the SOC when it comes to protecting organizations. Are there more sophisticated, more modern features to mention when it comes to these intelligent SIEM systems? What is in the box now that we have these I-SIEMs?
Well, I think at a high level, the critical features and capabilities would be performing real-time or near real-time detection of security threats without relying on predefined rules and policies, which was very much the way of the old systems. And then correlating in real-time or near real-time historical data across a wide range of sources using algorithms and machine learning to identify malicious operations rather than just raising separate alerts, filtering out statistical noise, eliminating false positives and providing clear risk scores for each detected incident, offering a high level of automation for typical analysis and remediation workflows, and providing integrated forensic and incident management capabilities. So in summary, I-SIEM solutions have gained new capabilities by merging previously standalone tools like Behavior Analytics and SOAR. And they've put these into a single integrated platform. And they use new technologies such as big data and machine learning that provide the functionality to enable organizations to filter, automate, prioritize, and respond to security threats more effectively with reduced false positives. These enhancements improve the work efficiency for security analysts and therefore SOCs because they reduce the number of alerts or investigations that analysts have to carry out. They improve the speed of analysis and the investigations themselves. They can automate things like threat triage and remediation tasks. And they improve the speed and quality of the incident response.
And I think we will make it this time to really win the bingo. I won't mention the first word. So we had COVID-19, digital transformation. We have AI and machine learning. So we have all the buzzwords that are relevant. And you've mentioned already that AI and machine learning are tools and are mechanisms or technologies that are built into these systems. You've mentioned response. Where else can we see, in intelligent SIEM systems, the power of AI and the support for the analysts in these more modern solutions?
Well, they're being integrated in a variety of ways to add functionality to, as I said, improve the accuracy of detections. So you're not getting things that are not clear; it's to say, right, you know, this is definitely something that's going on, these things are related, it is a malicious activity. They're able to detect patterns and anomalies much better. And overall, that means, you know, the elimination of false positives. And then, they've reduced the alerts by, as I said, correlating the related events. So instead of each event firing off an alert, they can just look across, using ML basically, to say, well, look, these are all part of one event and then just raise it as a single alert rather than multiple things. So that helps the SOC teams and the analysts to deal with fewer issues that are related. And then they enable real-time or near real-time analysis of network traffic so they can do that monitoring. Because I think in today's world now, you need constant monitoring because things happen all the time, 24 hours a day. Also these intelligent SIEMs can enrich the data with business-related context information and they can bring threat intelligence to bear. So the basic information that's been fed to the analyst is so much more developed than it might have been in the past. And then I think I mentioned also earlier the automatic risk scoring. They can come up with a risk score and there doesn't have to be a lot of manual work by the analyst, because he or she can then just prioritize the ones with the highest scores or above a certain threshold. And then there's generally much more automation of other tasks in addition to the risk scoring. And then the most important thing I think, or one of the most important things, is that these new intelligent SIEMs can guide the decisions, they can guide investigations, they can help map the alerts to known tactics and techniques.
A lot of the solutions that I've looked at map things to the MITRE framework. And they're also enabling easier search. So when analysts are needing to look for something, they don't have to, especially lower level analysts, they don't need to master a query language. They can just type in keywords and then the ML behind it, behind the search functionality in the platform can anticipate what they're looking for. And then it just enables the analyst just to click, build queries by just clicking, yes, that's what I'm looking for. And then it goes off and fetches the information they need.
That sounds really interesting. If I think back to cyberevolution last November, I held a presentation around NIS2. And some terms that you just mentioned really remind me of my presentation. It was constant risk assessment, and it means constant monitoring of your threats or your security surface to the outside. So it's really understanding what is important. What is the risk imposed by potential threats here? And how can I continuously adapt to these changing threat landscapes? And that is what NIS2 demands, and SIEMs seem to be a proper tool for dealing with that and for assimilating these changed requirements. If we look forward, and you've described that the SIEM platforms are expanding, and they are taking over functionality that was once in individual solutions. So it's getting broader. What role do you then see for these SIEM or I-SIEM platforms in the future when it comes to a broader cybersecurity ecosystem? Will they integrate more of the same? So XDR, you've mentioned SOAR, these were individual terms. Now it seems to me just to be a huge conglomerate which works together and provides a... Yeah, an outside shield for an organization.
Yeah, I think you're absolutely right. The SIEMs I think will continue to play a crucial role in cybersecurity because they provide a central platform to collect and aggregate and analyze security data from a wide range of sources. And so you're getting a more complete picture and you're getting a more real-time picture, and you've illustrated why that's so important nowadays. I think I-SIEMs enable security teams to detect, prioritize and respond to potential cyber threats effectively. They streamline the security workflows and they deliver operational capabilities such as compliance reporting and also incident management. And as mentioned earlier, in response to specialized monitoring solutions and XDRs, SIEMs have evolved to incorporate advanced technologies like ML and behavior analytics to make threat detection and incident response smarter and faster. And so SIEMs are essential, I think, to mitigating cyber risks. They offer benefits such as real-time threat identification and response, advanced threat intelligence, and then the regulatory compliance auditing and reporting, because I think a lot of organizations are struggling to be able to respond to regulatory compliance audits. And now this is providing a way of just saying, okay, you know, just give me the report on this, and then they're able to give that to the auditor. So it makes it a lot simpler than it would have been in the past. And at the end of the day, I think SIEMs remain a critical component of any organization's overall security capability. But that said, I think SIEMs will continue to play this role for MSSPs rather than for non-cybersecurity-related companies. Right now I'm looking at the MSSP market. And I get the feeling that organizations will increasingly hand over cybersecurity to managed security service providers that have the systems and the resources to cope with cyber threats, so that they can focus on their core business, not cybersecurity.
If you're an auto manufacturer, you want to just focus on developing your product. You don't have to worry about the security as well.
Yeah, I fully agree. This is not your core business, and the more cybersecurity becomes important, the less you want to invest too much into that by training people, having people on site, having systems on site. But nevertheless, as I've mentioned earlier, there are still these organizations, of course, there are lots of them, that run their own SIEM system or consume it from somewhere. For those who read your research, for those who are looking at the market and looking at the developments that you just described: what would be your analyst advice when it comes to transitioning to modern SIEMs? If organizations want to upgrade or replace their systems, what would be their starting point?
Well, I think if outsourcing security operations, including SIEM management, to a managed security service provider is not an option, then of course I'd recommend having a look at the KuppingerCole Leadership Compass on I-SIEM platforms, because the Leadership Compass is designed to help organizations identify their requirements. So pay particular attention to the section on the required capabilities. It's fairly detailed. And then you can map your organization's requirements to those offered by vendors in this market. And you can find many of them listed in the report. Obviously I've done a detailed analysis of those who have participated in the report. And this will help narrow down the number of vendors to consider. Then to make a choice, take into consideration not only the requirements of your organization, but also what your organization's size is, what your expected growth is, what skills you have, and then of course, at the end of the day, your budget.
Right, I think that's an important recommendation because you've made that work already. You've prepared the research. Even if you're not interested in a detailed comparison of the individual vendors, the starting chapters of these documents are very well written introductions into the topic, the market segments, the capabilities. These are, from my perspective, and I use them on a daily basis, the entry point into understanding what has changed: what has changed for the system that you have deployed already and what you want to achieve in the future, especially when it comes to changing cybersecurity threats and requirements. So thank you very much, Warwick, for A, providing this great work of research, and I think I-SIEM is a really interesting topic, and B, for being my guest today. Any final sentences that you want to share, final recommendations, maybe hinting at EIC?
Yeah, well, thanks very much for having me. And yes, I've been working on the agenda, or helping to work on the agenda, for EIC, and we've got a lot of focus on identity security this year. And so anyone who's interested in how to secure identities, and anything else to do with identity in fact, please do make sure that you are in Berlin in June, because everything you need to know about security and identity you will find in those tracks.
Great, nothing to add from my side. Thank you very much, Warwick, for being my guest today, and I'm looking forward to having you again soon. Thanks.