Why SIEM Is Driving New Security Investments

As more security managers embrace a proactive approach to security and prioritize real-time threat analysis, detection and response, spending on security information and event management (SIEM) solutions continues to increase. While Gartner has predicted 5 percent to 10 percent annual growth in the overall IT security market through 2020, sales of SIEM software rose by 15.8 percent in 2016.

SIEM combines security information management (SIM) and security event management (SEM) into a single solution, enabling organizations to take a more holistic, integrated approach to security. SIM technology was designed to collect security data in a central repository for analysis and automated compliance reporting. SEM systems stored and interpreted logs so that data could be analyzed in near real time and acted upon by security teams more quickly.

SIEM combines these functions, gathering data from devices, servers, single-purpose security tools and other sources to accelerate the identification and analysis of security events based on a system profile under normal conditions. Organizations can spot trends and detect anomalous activity by gaining visibility into all this data through a single interface.

The holistic nature of SIEM creates several advantages over single-purpose security solutions. SIEM doesn’t replace these tools, but instead allows you to use them more effectively. No individual system or tool — not firewalls, intrusion prevention systems, endpoint security solutions or service logs — can paint a full picture of network activity. SIEM brings together data from these disparate systems for analysis and correlation. This makes it possible for security personnel to make more-informed decisions and focus on the most serious threats instead of chasing false positives.
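As an added illustration of the cross-source correlation described above (example code written for this post, not AlienVault's or any product's own logic), the snippet below parses constructed firewall and endpoint-agent log lines, compares outbound connections against a learned "normal" destination baseline per host, and raises a high-severity finding only when an endpoint alert is followed within a short window by traffic to a destination outside that baseline. The log formats, the baseline table and the five-minute window are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real logs): a firewall and an endpoint agent (EDR).
FIREWALL_LOGS = [
    "2024-03-01T10:00:05 fw src=10.0.0.5 dst=203.0.113.10 action=allow",
    "2024-03-01T10:02:10 fw src=10.0.0.7 dst=198.51.100.20 action=allow",
    "2024-03-01T10:03:00 fw src=10.0.0.5 dst=192.0.2.50 action=allow",
]
ENDPOINT_LOGS = [
    "2024-03-01T10:01:30 edr host=10.0.0.5 event=suspicious_process",
    "2024-03-01T10:01:45 edr host=10.0.0.9 event=suspicious_process",
]
# Assumed baseline: the destinations each host normally talks to (the "normal" profile).
BASELINE = {"10.0.0.5": {"203.0.113.10"}, "10.0.0.7": {"198.51.100.20"}}

FW_RE = re.compile(r"^(\S+) fw src=(\S+) dst=(\S+) action=(\S+)$")
EDR_RE = re.compile(r"^(\S+) edr host=(\S+) event=(\S+)$")

def parse(lines):
    """Normalize both log formats into one event list, ordered by timestamp."""
    events = []
    for line in lines:
        m = FW_RE.match(line)
        if m:
            ts, src, dst, _action = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": src, "kind": "outbound", "dst": dst})
            continue
        m = EDR_RE.match(line)
        if m:
            ts, host, event = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host, "kind": event})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, window=timedelta(minutes=5)):
    """Pair each endpoint alert with later, non-baseline outbound traffic from the same host."""
    findings = []
    for e in events:
        if e["kind"] != "suspicious_process":
            continue
        novel = [f for f in events
                 if f["kind"] == "outbound" and f["host"] == e["host"]
                 and timedelta(0) <= f["ts"] - e["ts"] <= window
                 and f["dst"] not in BASELINE.get(e["host"], set())]
        severity = "high" if novel else "low"   # alert alone stays low priority
        findings.append({"host": e["host"], "severity": severity, "dst": novel[0]["dst"] if novel else None})
    return findings

def run():
    return correlate(parse(FIREWALL_LOGS + ENDPOINT_LOGS))
```

Only host 10.0.0.5 is escalated: its endpoint alert is followed by a connection to a destination it has never contacted before, while the alert on 10.0.0.9 remains a low-priority item rather than another noisy page.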

Of course, collecting and analyzing data from such a wide range of systems can create challenges when deploying and managing traditional SIEM systems. “Garbage in, garbage out” applies here, and getting a SIEM system to do exactly what you want can be a complex, lengthy undertaking. What does normal network behavior look like? What behavior qualifies as abnormal? What data must be collected to make these determinations? How can that data be efficiently analyzed and cross-checked?

Coming up with concrete answers to these questions can take weeks or even months. When IT teams are under daily pressure to identify threats and attackers and prove regulatory compliance, the time required to properly deploy SIEM becomes a major obstacle. Once the system is up and running, it requires ongoing management and fine-tuning to optimize data feeds, customize event correlation rules and reduce the noise caused by a deluge of nonthreatening alerts. This tuning is what makes the system more intelligent over time. Because few IT teams have the necessary skills, high consulting fees for configuring, managing and tweaking SIEM are common.

AlienVault Unified Security Management overcomes the complexity of traditional SIEM by simplifying the integration of data from multiple security tools, providing a constant stream of threat intelligence and performing more granular analysis of security data. With the AlienVault solution, organizations can begin detecting threats on day one. In the next post, we’ll dig into AlienVault Unified Security Management in more detail.
