
Five capabilities required for the next generation of SIEM

Information security

By Ron Burrows · Published 2 years ago · 5 min read

SIEM aims to facilitate threat detection, investigation, and response (TDIR) by helping enterprises collect and analyze security-related log and telemetry data from their networks. In practice this process usually produces far too many alerts, many of them false positives, and so it ultimately fails to deliver the TDIR outcomes it was meant to.

Now a new segment is replacing SIEM: the next-generation SIEM (NG-SIEM). It is a cloud-native solution that accepts a wider range of telemetry, including software-as-a-service and infrastructure-as-a-service logs as well as threat intelligence, and provides built-in analytics for more accurate detection together with integrated response capabilities, so that detection and response become faster and smoother.

In a detailed analysis of seven next-generation SIEM solutions, Omdia found that each solution has its own unique advantages but also some shortcomings, many of which are worth considering. The following focuses on five features of next-generation SIEM solutions to better guide enterprise security managers in their purchasing decisions.

1. Significant advantages of cloud-native next-generation SIEM

Omdia believes that a next-generation SIEM that is completely cloud native has obvious advantages. It can provide faster and easier deployment and system management, faster and more transparent software upgrades, and a quicker flow of new features. New detection content and parsers are usually delivered by the vendor, much like a managed service. It can scale dynamically to adapt automatically to growth in data sources or to surges during an incident. By the end of 2022, Omdia expects these capabilities to become common among next-generation SIEM vendors, but until then, solutions that already include these cloud-native capabilities will give customers more operational benefit.

2. Security data science is a new differentiation factor

The main reason traditional SIEM fails to deliver on its security promise is the challenge of data processing and normalization, the basic capability on which the whole TDIR lifecycle of threat detection depends. The security data fusion capability of the next-generation SIEM addresses this problem well. In this process, data from multiple, often heterogeneous, sources is gathered together and analyzed using new or alternative methods, which can not only estimate the user's current security posture within a given scope but also predict the likelihood that certain events will occur within a specific scope. In the long run, vendors who invest in improving security data capabilities, including security data fusion, will gain a competitive advantage.

3. Pricing model will change

Traditionally, SIEM has been priced on the volume of data it ingests. While this model is good for vendors, it inadvertently prevents users from getting the most out of their SIEM. In practice, to save costs, users often have to exclude important telemetry sources, such as DNS logs or endpoint detection and response (EDR) logs, from the data sent to the SIEM because the data volume is too large and the cost is too high. In response, many next-generation SIEM providers are improving their pricing models. An increasingly common model is per-employee pricing, usually tiered by the number of full-time employees at the customer, with predictable annual or contract-term costs; other pricing models, such as fixed fees based on duration, are also offered. Vendors are also increasingly introducing multi-tier storage, adding options such as cold or infrequently accessed storage, which reduces prices.

4. The difference between the next-generation SIEM and XDR

Alongside the next-generation SIEM, another emerging and rapidly growing enterprise security product is Extended Detection and Response (XDR). The definition of XDR is still changing, and 10 vendors may give 10 different answers. Many XDR vendors position their solutions as an alternative to the next-generation SIEM, claiming better, faster, and cheaper integrated TDIR capabilities.

In fact, both products are in the early stages of their life cycle, so there is still a lot to be worked out, but eventually both will flourish. Omdia expects XDR to be defined as a TDIR solution that focuses on specific threat types and outcomes and uses data effectively and selectively. Perhaps the most important difference between the two is that, unlike the highly customizable next-generation SIEM, XDR will provide a guided experience that delivers enterprise-class TDIR capabilities to enterprises with low security maturity. For this reason, XDR is usually delivered to users as a managed service. The next-generation SIEM will be the first choice for large enterprises with extensive hybrid cloud environments, dedicated security operations center (SOC) teams, and detailed compliance requirements.

5. The best next-generation SIEM focuses on results

The next-generation SIEM solutions that Omdia assessed as having excellent overall capabilities share two key strengths. The first is query and threat hunting: users need natural-language search so that SOC personnel and threat hunters can identify users and entities, along with the specific activities and values contained in a session. The second is event analysis: the most effective solutions present a chronological timeline of events, built from both manually added and automatically collected data, giving SOC personnel a quick, easy-to-understand mechanism to analyze events, identify root causes, and arrive at the best rapid remediation. When purchasing, users should look for differentiation in results-driven functions, so that SOC personnel can complete their work with greater efficiency and effectiveness.
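The two capabilities the article keeps returning to, normalization and fusion of heterogeneous telemetry (section 2) and a cross-source chronological timeline per entity (section 5), are easier to reason about in code. The following is an added example written for this page; it is not code from the article, from Omdia, or from any SIEM vendor. The three log formats, the parsers, the `Event` schema, the entity names, and the 60-second fusion window are all constructed assumptions for illustration. It shows the part that usually hurts in practice: every source has its own timestamp convention and field names, lines that do not parse must be counted rather than silently dropped, and "entity" means a host in one source and a user in another.

```python
"""Added example: normalize three constructed log formats into one event
schema, build a per-entity timeline, and flag entities seen across sources.
Hypothetical code written for this page; not from the article or any vendor."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable


@dataclass(frozen=True)
class Event:
    ts: datetime    # normalized to UTC so sources can be ordered together
    source: str     # which telemetry produced it: dns, edr or auth
    entity: str     # host or user the event is about (assumed identity key)
    action: str     # normalized action name
    detail: str     # free text kept for the analyst


# Constructed sample lines in three unrelated formats (not real logs).
DNS_LOG = [
    "2024-05-01T10:00:05Z host=ws-17 query=update.example-cdn.test type=A",
    "2024-05-01T10:00:09Z host=ws-17 query=login.corp.test type=A",
    "2024-05-01T10:00:11Z host=ws-17 query=",          # truncated on purpose
]
EDR_LOG = [  # "time" is a Unix epoch; 1714557610 == 2024-05-01T10:00:10Z
    '{"time": 1714557610, "hostname": "ws-17", "event": "process_start", "image": "powershell.exe"}',
    '{"time": 1714557620, "hostname": "ws-42", "event": "process_start", "image": "excel.exe"}',
]
AUTH_LOG = [  # syslog style: no year, no timezone in the timestamp
    "May  1 10:00:02 vpn-gw sshd[214]: Accepted password for alice from 10.0.0.17",
    "May  1 10:00:30 vpn-gw sshd[219]: Failed password for bob from 10.0.0.99",
]

_DNS_RE = re.compile(r"^(\S+) host=(\S+) query=(\S+) type=(\S+)$")
_AUTH_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Accepted|Failed) password for (\S+) from (\S+)$"
)


def parse_dns(line: str) -> Event:
    m = _DNS_RE.match(line)
    if not m:
        raise ValueError(f"unparsed dns line: {line!r}")
    ts = datetime.fromisoformat(m[1].replace("Z", "+00:00"))
    return Event(ts, "dns", m[2], "dns_query", f"{m[3]} ({m[4]})")


def parse_edr(line: str) -> Event:
    rec = json.loads(line)
    ts = datetime.fromtimestamp(rec["time"], tz=timezone.utc)
    return Event(ts, "edr", rec["hostname"], rec["event"], rec["image"])


def parse_auth(line: str, year: int = 2024) -> Event:
    """Syslog omits the year; the caller must supply it (assumed 2024 here)."""
    m = _AUTH_RE.match(line)
    if not m:
        raise ValueError(f"unparsed auth line: {line!r}")
    ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)
    action = "auth_success" if m[2] == "Accepted" else "auth_failure"
    return Event(ts, "auth", m[3], action, f"from {m[4]}")


PARSERS: dict[str, Callable[[str], Event]] = {
    "dns": parse_dns, "edr": parse_edr, "auth": parse_auth,
}


def normalize(batches: dict[str, list[str]]) -> tuple[list[Event], list[tuple]]:
    """Parse every source into the common schema and merge into one ordered
    list. Unparsed lines are returned as failures, never dropped silently."""
    events, failures = [], []
    for source, lines in batches.items():
        for line in lines:
            try:
                events.append(PARSERS[source](line))
            except (ValueError, KeyError, TypeError) as exc:  # JSONDecodeError is a ValueError
                failures.append((source, line, str(exc)))
    events.sort(key=lambda e: e.ts)
    return events, failures


def timeline(events: list[Event], entity: str) -> list[str]:
    """Chronological, human-readable view of one entity across all sources."""
    return [f"{e.ts.isoformat()} [{e.source}] {e.action}: {e.detail}"
            for e in events if e.entity == entity]


def cross_source_entities(events: list[Event], window_seconds: int = 60) -> dict[str, list[str]]:
    """One simple fusion signal: entities that appear in more than one
    telemetry source within a short window. The window is an assumption."""
    by_entity: dict[str, list[Event]] = {}
    for e in events:
        by_entity.setdefault(e.entity, []).append(e)
    hits = {}
    for entity, evs in by_entity.items():
        sources = {e.source for e in evs}
        span = (evs[-1].ts - evs[0].ts).total_seconds()  # evs is time-ordered
        if len(sources) > 1 and span <= window_seconds:
            hits[entity] = sorted(sources)
    return hits


if __name__ == "__main__":
    evs, bad = normalize({"dns": DNS_LOG, "edr": EDR_LOG, "auth": AUTH_LOG})
    print(f"{len(evs)} events normalized, {len(bad)} lines failed to parse")
    print("\n".join(timeline(evs, "ws-17")))
    print(cross_source_entities(evs))
```

The point of the failures list is the one an analyst cares about: if a source's format drifts after a vendor update, the parse-failure count is the first place it shows up, long before anyone notices missing detections. Note also that `alice` and `ws-17` never line up in `cross_source_entities`, because the auth log keys on user and the other two on host; mapping users to hosts is itself a fusion step the example leaves out.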

To be sure, the next-generation SIEM is still early in its development and the solutions are not yet mature. More important next-generation SIEM features, such as adaptive log normalization and predictive threat detection, may take years to arrive. Basic functions such as integrated response orchestration and automation, system management, and compliance also still perform poorly.

Despite these challenges, next-generation SIEM solutions give users a much-needed new core platform, providing enterprises with the capabilities they need to mature and advance the TDIR lifecycle. The next-generation SIEM not only has great development potential today, where it can already help enterprises improve TDIR results, but over the next few years it will ultimately help users take the lead in the contest between attackers and defenders.
