An IDC study reveals that most organizations regard security information and event management (SIEM) as sacred. There appears to be a consensus that SIEM is a crucial part of cybersecurity. However, with the rapidly evolving nature of cyber threats, there are those who say that SIEM is an inadequate solution.

Tech entrepreneur and CTI John Gray, for one, says that SIEM is “good but not enough.” He argues that conventional SIEM is insufficient in addressing sophisticated attacks like ransomware because it is weak when it comes to data protection, failover, and data recovery. Additionally, SIEM is known for being a “noisy” tool. It generates tons of security alerts and information, including false positives, irrelevant details, and security data that lack context, which makes it difficult to prioritize alerts for prompt action.

SIEM needs to evolve into an enhanced and more effective solution to meet the needs of modern organizations in dealing with sophisticated and more aggressive threats. Next-generation SIEM may not necessarily come as a standalone solution that organizations would have to transition into. It may already be available, bearing the following features or functions.

Consolidated data and response under a comprehensive security platform

SIEM, even in its base form, is already about consolidating security information and the management of security incidents. However, in the modern setting, SIEM may just be a part of a comprehensive cybersecurity platform. A NextGen SIEM may just be an out-of-the-box native capability of a bigger security solution (not marketed primarily as SIEM) such as an open XDR platform.

This may sound trivial, but organizations need to be aware that some cybersecurity platforms may already include NextGen SIEM functions. These functions enable organizations to accelerate threat hunting and investigations, obtain security data quickly, simplify security operations, and reduce costs. Such a platform is particularly suitable for lean security teams that need to maximize their limited resources while still ensuring effective protection for their systems.

Putting NextGen SIEM together with an established cybersecurity platform does not downplay its importance. Instead, it shows ingenuity in adapting to changing infrastructure, environments, and ecosystems. NextGen SIEM does not have to be a separate solution that requires a separate set of resources to deploy and maintain.

Efficient data handling in line with Big Data dynamics

Base SIEM entails the collection of vast amounts of data. Its next-generation ups the ante by becoming highly suitable for Big Data collection and processing, providing effective data normalization and enrichment, and enabling data contextualization.

NextGen SIEM’s data collection and handling should be built around Big Data. Data storage has to be practically limitless. This is possible with a microservice-based cloud-native architecture that can scale according to demand. Also, data search and retrieval must be undertaken rapidly to ensure speedy data analysis. Otherwise, the handling of data becomes a bottleneck in SIEM operations. Conventional data storage and processing do not work well with Big Data and will likely face hiccups even in simple tasks like data search.

Data normalization and enrichment are about making the data ready for processing. Even with a limitless and efficient Big Data infrastructure, it would be difficult to work with data if they are dissimilar and disjointed. Data normalization ensures that data obtained from various sources are similar or compatible with each other. Meanwhile, enrichment refers to obtaining additional information to complete incomplete data and clarify ambiguous scenarios.

Contextualization, on the other hand, is aimed at making security data more usable by establishing a broader picture of everything that is happening in an organization to perceive the specific information provided by one security control in conjunction with the data obtained by other security controls. Doing this makes it possible to identify critical data, alerts in particular, for priority action. It also helps eliminate irrelevant data, enables automated actions, and ensures that important notifications and other information are not drowned by data overload.
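As an added illustration (not code from the article), the three steps described above, normalization, enrichment, and contextualization, run over constructed sample events from two dissimilar sources; the log lines, the asset inventory, the threat-intel list, and the scoring weights are all assumed for the example:

```python
import json
import re
from collections import defaultdict

# Constructed sample events from two dissimilar sources: syslog-style sshd
# lines and JSON firewall records. Three of them involve the same source IP.
RAW_EVENTS = [
    'Mar 12 10:02:11 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2',
    'Mar 12 10:02:15 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51240 ssh2',
    '{"ts":"2024-03-12T10:02:30Z","src":"203.0.113.7","dst":"10.0.0.5","action":"allow","port":22}',
    '{"ts":"2024-03-12T10:05:00Z","src":"198.51.100.9","dst":"10.0.0.9","action":"deny","port":445}',
]

# Constructed enrichment lookups: an asset inventory and a threat-intel list.
ASSET_CRITICALITY = {"bastion": "high", "10.0.0.5": "high", "10.0.0.9": "low"}
KNOWN_BAD_IPS = {"203.0.113.7"}

SSH_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                    r"Failed password for (?P<user>\S+) from (?P<src>\S+)")

def normalize(raw):
    """Normalization: map a raw line from either source onto one common schema."""
    m = SSH_RE.match(raw)
    if m:
        return {"source": "sshd", "ts": m["ts"], "src_ip": m["src"],
                "asset": m["host"], "event": "auth_failure", "user": m["user"]}
    rec = json.loads(raw)
    return {"source": "firewall", "ts": rec["ts"], "src_ip": rec["src"],
            "asset": rec["dst"], "event": f"fw_{rec['action']}", "user": None}

def enrich(ev):
    """Enrichment: attach asset criticality and threat-intel context to an event."""
    ev["asset_criticality"] = ASSET_CRITICALITY.get(ev["asset"], "unknown")
    ev["src_known_bad"] = ev["src_ip"] in KNOWN_BAD_IPS
    return ev

def contextualize(events):
    """Contextualization: group events by source IP across controls and score them."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src_ip"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        score = 3 if any(e["src_known_bad"] for e in evs) else 0
        score += 2 if len({e["source"] for e in evs}) > 1 else 0  # seen by more than one control
        score += 2 if any(e["asset_criticality"] == "high" for e in evs) else 0
        score += sum(1 for e in evs if e["event"] == "auth_failure")
        alerts.append({"src_ip": src, "score": score, "events": len(evs)})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)  # highest priority first

def triage(raw_lines=RAW_EVENTS):
    return contextualize([enrich(normalize(r)) for r in raw_lines])
```

The single firewall "deny" on its own scores zero, while the failed logins corroborated by the firewall record against a high-criticality asset from a known-bad address rise to the top of the list.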

The melding of human and artificial intelligence

NextGen SIEM leverages artificial intelligence to accelerate SIEM processes and automate various tasks. AI significantly shortens the time it takes to detect, probe, and respond to threats, from days and weeks to a few hours. With the support of contextualization and Big Data architecture, artificial intelligence speeds up processes and makes SIEM way more efficient.

However, next-generation SIEM does not do away with human involvement. It still relies on manual security analysis at different points of the security information and event management operations. Nevertheless, it ensures that AI and human intelligence seamlessly work together to achieve outcomes that are unlikely to be attainable with conventional SIEM.

People still play a crucial role in NextGen SIEM, but the setup ensures that people make the most out of the available technologies to maximize productivity. Both supervised and unsupervised machine learning techniques are employed across the full kill chain to attain the best possible contextualization and automated actions.

Rapid deployment and seamless integration

NextGen SIEM is aligned with rapid deployment goals. It makes it possible to deploy anywhere and anytime as needed. This is achieved through multi-tier, multi-tenant, and multi-site functionality.

A multi-tier architecture enables the efficient sharing of resources to support scaling based on changing operational requirements. Multi-tenancy allows different teams or business units to coexist and do what they need to do without getting in each other’s way. The multi-site functionality, on the other hand, supports full visibility and flexibility while ensuring that sensitive data is properly secured.

Another important factor that contributes to rapid deployment is the ability of a NextGen SIEM application to seamlessly integrate other tools, security controls, methods, and solutions. This makes it unnecessary to abandon existing tools and resources in order to become familiar with and use newer ones. It takes advantage of available and compatible resources and functions including user and entity behavior analytics (UEBA), security orchestration, automation and response (SOAR), network detection and response (NDR), endpoint detection and response (EDR), and threat intelligence platforms (TIP).

Seamless integration makes next-generation SIEM more efficient, less costly, and faster to deploy and operate. More importantly, it boosts the effectiveness of the system in dealing with various kinds of cyber threats.

Toward a better SIEM

The SIEM market is set to grow at a CAGR of 10.4 percent for the period 2019 through 2027 according to projections by The Insight Partners. Compared to other cybersecurity sectors, this growth is somewhat tame, which is not surprising given the rise of competing solutions. Open XDR, for example, offers features that are more suitable for certain organizations.

However, this does not mean that NextGen SIEM has too few or negligible merits. Organizations can greatly benefit from SIEM as it advances with improvements brought about by comprehensiveness, consolidation, bolstered data handling efficiency, human-AI collaboration, rapid deployment, and seamless integration.