SIEM and UTM
In this issue's reviews, we have a pretty good mix of pure-play, hybrid SIEM/UTM and next-generation tools, says technology editor Peter Stephenson
It's interesting that we would see a parallel evolution of SIEM and UTM culminating in a convergence. It's interesting because historically there is a major difference between the two: SIEMs aggregate log data and don't create any of their own, while UTMs create data and analyse what they see. So SIEMs have security devices of just about every kind feeding them data, while UTMs have sensors feeding them. So why do we tend to think about them – sometimes – as birds of a feather? The answer to that has not really been clear until the recent dramatic change in the threatscape.
Over the past couple of years, something else that likely will be a catalyst has been evolving: the incursion of next-generation devices on the cyber-security landscape. These tools bring in logs, they talk to sensors and they mix it all together with threat feeds from threat intelligence sources. True, there still are pure-play SIEMs – and we saw some in this issue's reviews – but if we polish up our crystal balls we can see where the future is leading us. In this month's reviews, we have a pretty good mix of pure-play, hybrid SIEM/UTM and next-generation tools.
Industry analysts at Forrester, back in 2015, took a close look at SIEM and drew some conclusions. First, they said that SIEM was inadequate for today's threatscape for three main reasons: it cannot detect unknown threats, it cannot detect and understand data exfiltration, and it cannot detect threats that already are inside the enterprise. Forrester also opined that the future lies in security analytics. That – whether the firm intended it or not – set the stage for the next generation of SIEM.
So, what about the UTM side of the picture? UTMs generally develop their own data in some fashion. Historically, UTMs provided firewall, intrusion detection, anti-malware, anti-spam and content filtering. In that regard, they functioned at the perimeter much like a security gateway. Today, they offer lots of other functionality, such as SSL VPN, access control and communicating with endpoint security tools. That means that the UTM is dealing in original data: a login, a denial by a firewall and so on. In fact, it is not unreasonable that the log output of a UTM might feed a SIEM. Now comes the next generation to pull all of the pieces together.
To be sure, the next-generation SIEM consumes logs. But it also performs a lot of analysis that we did not see in SIEMs in the early days. Today, the SIEM looks at every log source on the enterprise – from the perimeter to the endpoints and everything in between. It also consumes threat data from various threat and intelligence feeds. The idea is to move toward being proactive instead of simply responsive after the fact. Also, this richer collection of input brings the SIEM into the interior of the enterprise and also lets it recognise data exfiltration.
In fact, some SIEMs today constantly inventory the enterprise and add assets as they find them. The administrator can group these and weight them for analytical purposes. So what of the UTM? UTM functionality may still be seeking its appropriate level.
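As an added illustration of the next-generation pattern sketched above (UTM log output feeding a SIEM, threat-feed enrichment, interior correlation and administrator-weighted assets), here is a small Python example that is not taken from any product reviewed in this issue; the log format, the threat feed, the asset weights and the scoring rules are all constructed assumptions.

```python
import re
from collections import Counter
# Constructed UTM-style log lines (made up for this example, not from any real product).
UTM_LOGS = """\
2024-05-01T10:00:01 fw deny src=203.0.113.9 dst=10.0.0.5 dport=22
2024-05-01T10:00:02 auth login user=alice src=10.0.0.40 result=fail
2024-05-01T10:00:03 auth login user=alice src=10.0.0.40 result=fail
2024-05-01T10:00:04 auth login user=alice src=10.0.0.40 result=fail
2024-05-01T10:00:05 fw allow src=10.0.0.5 dst=198.51.100.7 dport=443
"""
# Constructed threat-intelligence indicators standing in for an external feed.
THREAT_FEED = {"203.0.113.9": "scanner", "198.51.100.7": "c2"}
# Constructed asset inventory: host -> (administrator-assigned group, analytical weight).
ASSET_WEIGHTS = {"10.0.0.5": ("db-servers", 5), "10.0.0.40": ("workstations", 1)}
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<action>\w+) (?P<kv>.*)$")

def parse_line(line):
    """Turn one UTM log line into a dict of fields; None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "source": m["source"], "action": m["action"]}
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event

def asset_weight(event):
    """Weight of the most critical inventoried host the event touches (1 if none)."""
    return max(ASSET_WEIGHTS.get(event.get(f), ("", 1))[1] for f in ("src", "dst"))

def analyse(log_text, fail_threshold=3):
    """Enrich events with threat intel, correlate interior activity, return alerts ranked by score."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    alerts = []
    for e in events:  # perimeter view: does either end of the flow appear in the threat feed?
        for field in ("src", "dst"):
            ip = e.get(field)
            if ip in THREAT_FEED:
                base = 5 if e["action"] == "allow" else 3  # traffic that actually flowed ranks higher
                alerts.append({"reason": f"{field} {ip} on threat feed as {THREAT_FEED[ip]}",
                               "score": base * asset_weight(e)})
    # Interior view: repeated failed logins per (user, host), which a perimeter-only device never sees.
    fails = Counter((e["user"], e["src"]) for e in events
                    if e["source"] == "auth" and e.get("result") == "fail")
    for (user, host), n in fails.items():
        if n >= fail_threshold:
            alerts.append({"reason": f"{n} failed logins for {user} from {host}",
                           "score": 2 * asset_weight({"src": host})})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)
```

The outbound connection to a feed-listed address from the weighted database host ranks first, ahead of the denied inbound scan and the workstation login failures.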
If you are looking at a SIEM, would you likely ask, “Why buy that? My UTM does everything the SIEM does.” In fact, some SIEMs we looked at this month are so close to being a mix that we have to wonder where the next couple of years are going to take this product group.
The game changer with next-generation SIEM – as with all next-generation tools – is threat intelligence coupled with powerful analytics and machine learning. When you bring these two pieces to bear on a very powerful traditional SIEM, with some of the properties of a UTM, you have the next step in fighting the bad guys. It's interesting, perhaps, that we are an industry that exists because hacking has become such a sophisticated enterprise that we are hard-pressed to keep up. The traditional game of Leapfrog is still with us, but the stakes are higher, the bad guys are more business-like and they are often well funded, professional cyber-criminals. The tools in this issue's group are made to order for that sort of threatscape.
– Peter Stephenson