One of the mainstays of organizations’ digital security postures is a Security Information and Event Management (SIEM) platform. According to CSO Online, SIEMs augment threat monitoring and incident response with log analysis.
They do this by collecting and aggregating log data generated throughout an organization’s IT and security stack, categorizing potential incidents. Using these evaluations, the SIEM platform issues reports about potential security incidents and creates alerts if what it’s seeing corresponds with the predetermined rules set by the organization.
These functions are intended to bring several benefits to organizations - one of them being improved visibility. Organizations’ environments are increasingly evolving with the introduction of different types of assets. These devices expand the attack surface by creating additional ingress points through which an attacker could establish a foothold on an organization’s network.
While aggregating log data provides some insight into potential attacks, even with the aid of a SIEM solution most security teams simply can’t manually review and correlate all this information effectively as the number of network assets continues to grow. They need the context and correlations delivered in an automated manner that go beyond simple aggregation and additional alerting.
This leads to a second intended benefit: faster detection and response. Manual analysis of logs is a time-consuming process. SIEMs were intended to solve this problem by using automation to classify log data in real time, with the promise of enabling analysts to detect and respond to potential security issues more quickly than they could on their own.
These professed benefits, among others, have driven the projected growth of the global SIEM market over the next few years to an estimated $3.94 billion between 2020 and 2024, as reported by Business Wire. If that comes to pass, such a progression will register a CAGR of over 12% during the forecast period. But have SIEM solutions really delivered on their promises?
The Real Limitations of SIEMs
The reality though is that SIEMs haven’t necessarily translated into more security confidence for organizations. In its 2021 SIEM Report, Core Security found that 65% of survey participants were using a SIEM platform. Just over half (57%) of those respondents reported a high level of confidence in their security postures. That’s not much more than the confidence rate for those without a SIEM at 49%.
So, why is this happening?
As we recently noted in another article, SIEM tools vary in their value and effectiveness based upon the data sources to which they have access, as well as the ways in which they’ve been tuned and maintained. These variables often result in SIEMs generating a lot of false positives and a growing volume of uncorrelated alerts for security teams to manage.
Such a deluge of alerts can produce “alert fatigue” and a cultural shift in the organization where SOC analysts and other personnel become numb to incoming security alerts to the point that they stop treating any of those alerts seriously. This is how significant security events get missed.
There are other issues that commonly plague SIEMs, as well. One of those is the fact that organizations are expanding their IT, devices, and applications at a rate with which most SIEMs just can’t keep up. That’s especially the case given many organizations’ recent shift to cloud computing and remote work—environments that are new to SIEMs.
SIEM solutions aren’t capable of correlating disparate events across hybrid cloud deployments, for instance. Even if they could, they can’t scale with organizations’ growing IT demands, as they lack the means to balance analyzing event data in real time with storing that information in a cost-efficient way. Often, to compensate for the high cost of SIEM data storage, a good deal of event data is filtered out before it is ever ingested, which severely diminishes the effectiveness of the SIEM investment.
Extended Threat Detection and Response to the Rescue
The challenges discussed above have helped to fuel the emergence of what’s known as Extended Detection and Response (XDR). An evolution of EDR (Endpoint Detection and Response), XDR leverages a new security paradigm that involves analyzing event telemetry from systems beyond endpoints like laptops and mobile devices to include cloud-based assets, user identities, other network tools and other parts of the IT infrastructure.
This expanded visibility is amplified by automated analysis that enriches SIEM-style data to deliver context-rich, correlated, and actionable intelligence, allowing analysts to focus on understanding behaviors across every environment instead of triaging ever more alerts to figure out what’s happening on the network.
When paired with machine learning behavioral analytics, XDR empowers security personnel to identify threats more quickly, understand the full scope of the events and how they are connected to one another more easily, and implement mitigation in real time consistently across the entire network regardless of its size or complexity.
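As an added illustration of the contrast drawn above (this is not code from the original post or from Cybereason): a small Python model of rule-per-event alerting next to cross-source correlation, run over constructed sample telemetry. The event fields, signal names, severities and the 15-minute window are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data), already normalized from three sources:
# an identity provider, an endpoint agent and a cloud audit log.
EVENTS = [
    {"ts": "2021-06-01T09:00:05", "source": "identity", "user": "alice", "signal": "impossible_travel_login"},
    {"ts": "2021-06-01T09:01:30", "source": "endpoint", "user": "alice", "signal": "office_macro_spawned_powershell"},
    {"ts": "2021-06-01T09:02:10", "source": "cloud", "user": "alice", "signal": "new_oauth_app_consent"},
    {"ts": "2021-06-01T14:30:00", "source": "endpoint", "user": "bob", "signal": "office_macro_spawned_powershell"},
    {"ts": "2021-06-01T14:31:00", "source": "endpoint", "user": "bob", "signal": "routine_software_update"},
]

# Predetermined rules, SIEM-style: one rule per signal, each producing its own alert (assumed).
RULES = {
    "impossible_travel_login": "medium",
    "office_macro_spawned_powershell": "high",
    "new_oauth_app_consent": "medium",
}
RANK = {"medium": 1, "high": 2, "critical": 3}

def siem_alerts(events):
    """Aggregation plus rule matching: every matching event becomes a separate, uncorrelated alert."""
    return [{"user": e["user"], "signal": e["signal"], "severity": RULES[e["signal"]]}
            for e in events if e["signal"] in RULES]

def correlate(events, window=timedelta(minutes=15)):
    """Group matching events that share a user and fall inside one time window, across
    every source, so the analyst triages one incident instead of several alerts."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["signal"] in RULES:
            by_user[e["user"]].append(e)
    incidents = []
    for user, evs in by_user.items():
        current = None
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if current is None or t - current["start"] > window:
                current = {"user": user, "start": t, "sources": set(), "signals": []}
                incidents.append(current)
            current["sources"].add(e["source"])
            current["signals"].append(e["signal"])
    for inc in incidents:
        # Independent sources corroborating the same user in one window escalates severity.
        worst = max((RULES[s] for s in inc["signals"]), key=RANK.get)
        inc["severity"] = "critical" if len(inc["sources"]) >= 2 else worst
    return incidents
```

On the sample data the rule-per-event path yields four separate alerts, while correlation yields two incidents, one of them escalated because identity, endpoint and cloud telemetry all point at the same user within minutes.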
Cybereason XDR is designed to go a step further with automated responses to attack progressions, eliminating the need for Security Orchestration, Automation and Response (SOAR) products as well. Organizations can enjoy these benefits whether they drop their SIEM and SOAR entirely or augment them with Cybereason XDR.
Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, and everywhere the battle is taking place. Learn more about AI-driven Cybereason XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.