Big data propels SIEM into an era of security analytics

Opinion by Rashmi Knowles

In the past few years, a stunning range of government agencies and prominent corporations have succumbed to stealthy, tailored cyber attacks designed to exploit vulnerabilities, disrupt operations and steal valuable information.

Clearly, current security systems are not up to the task of thwarting these advanced threats, since many of their victims had what they considered to be state-of-the-art detection and prevention. These systems failed to stop or sense the presence of an attack on victims' networks until the damage was done.

Given today's threat environment and the increasing openness and connectivity of digital infrastructures, security teams now realise they must assume that their IT environments are subject to periodic compromise.

Gone are the days when preventive measures to secure the perimeter, or attempts to detect malware problems using signature-match technologies, were enough. New practices based on an understanding of the phases of an attack, continuous threat monitoring, and rapid attack detection and remediation are required.

To develop the visibility, agility and speed to deal with advanced threats, traditional security strategies for monitoring, often based on security information and event management (SIEM) systems, need to evolve into a central nervous system for large-scale security analytics. SIEM establishes a good baseline for security management, but today's advanced threats call for advanced security.

Traditional log- and event-centric SIEM systems often provide an incomplete picture of the risks facing an organisation, because SIEM tools only collect information from portions of the IT infrastructure, leaving critical blind spots.

Four fundamental capabilities are required in addition to an SIEM to transform it into a platform for security analytics:

1. Pervasive visibility: Achieving the ability to know everything happening within IT environments requires fusing many data sources, including network packet capture and full session reconstruction, log files from network and host devices and external information such as threat indicators or other security intelligence. Centralised log collection is no longer enough.

2. Deeper analytics: Examining risks in context and comparing behaviour patterns over time across disparate data sets improves the signal-to-noise ratio in detecting advanced threats, thus speeding time to resolution.

3. Massive scalability: Platforms collecting security data must expand in scale and scope to handle the deluge of information that's increasingly needed for complete situational awareness.

4. Unified view: Consolidating security-related information in one place is crucial to investigating incidents in context and speeding decision making about prospective threats. The unified view should also enable compliance to be an outcome of a good security strategy, not a competitor to it.

Security operations centres (SOCs) need advanced analytical tools that can quickly collect and sift through security data to present the most pressing issues in context. New security analytics platforms are emerging to handle all the functions of traditional SIEM systems and far, far more – including speeding detection of advanced threats so organisations have a chance to stop covert attacks.

Successful security leaders know they must operate under the assumption that their IT environments have been infiltrated. The challenge lies in finding where the greatest dangers are hidden.

Traditional security tools are adept at following rules set by security personnel (‘look for this, not that’). By contrast, security analytics platforms find anomalies of which analysts weren't even aware. Human involvement will always be required, but security analytics systems expand the field of vision while narrowing the field of threats to drive fast and accurate decision-making.

Security analytics systems give organisations the situational awareness and decision-support capabilities required to keep advanced threats from doing harm and to confer significant business benefits besides just protection. By integrating these capabilities into one unified security solution, the total cost of ownership decreases while the usefulness of the platform goes up.

By investing in security analytics rather than traditional SIEM solutions, organisations ‘future-proof’ their platforms for the escalating threat environment, while gaining a highly scalable information repository that can serve many disparate functions and business units.

By automating tasks and lending context, security analytics platforms make SOC analysts more productive. By focusing efforts on defending an organisation's most valuable assets, security becomes more strategic to the organisation.

Rashmi Knowles is chief security architect EMEA at RSA, the security division of EMC

EMC is exhibiting at Infosecurity Europe 2013, held on 23rd – 25th April 2013 at Earl's Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit

