Why SIEM is no longer enough for today's threats
Why SIEM is no longer enough for today's threats

The serious fight against cyber-threats may well have started with the Security Information and Event Management (SIEM). The SIEM approach was developed to provide security teams with real-time analysis of threat alerts from applications and network hardware. Organisations use SIEM, which comes as software or managed services, to monitor and log security data; correlate events; and provide notifications, analysis, and reporting of such information. But the security landscape is anything but stable, and security needs are constantly changing.


Despite the good intentions behind the development of SIEM, as the volume and sophistication of cyber-attacks continue to grow, many enterprises with a SIEM-driven SOC find they cannot cope. Security teams point to various challenges - too complex, too costly, too long to deploy and maintain - as reasons why SIEM may have made life more burdensome, rather than easier, for security professionals.


What do modern SOCs need that a SIEM alone can't provide?


Modern SOCs must detect threats at every point in the attack chain.Traditional SOCs consist of up to dozens of signature-based perimeter and access control tools, together with a SIEM system for log monitoring. These tools look only for known attacks at the point of entry and become increasingly ineffective as attacks become more complex and sophisticated. The systems lack the tools and technologies to discover advanced threats across the entire attack chain and cannot provide organisations with the full visibility needed to detect advanced threats without relying on signatures alone. Modern SOCs need to add in external sources like the open and deep, dark web, social media, open and closed forums to provide organisations with valuable information about threats in progress or the show threats that have already been carried out that their systems did not detect. This essential data includes analysis and investigation of ongoing cyber-crime and hacktivism campaigns, discussions on the latest vulnerabilities and exploits, and evidence of leaked organisational data.


Modern SOCs must obtain forensic evidence for investigation and remediation

In SIEM-based SOCs, forensic capabilities require separate tools to be purchased and deployed, extensive manual handling, and reliance on third parties to investigate a breach. In an intelligence-driven SOC, forensic capabilities and instrumentation are built into the infrastructure and work processes. Forensic data is proactively gathered from the network and endpoints and referenced as part of automated investigations to confirm or refute attacks and facilitate collaboration among users in different tiers.


Modern SOCs must use automation for 24/7 alert investigation and response

Cyber-attackers never sleep. Couple this with the growing shortage of skilled cyber-analysts, and it becomes obvious that traditional SIEM-based SOCs, with their reactive, after-the-fact responses are inadequate. Automation enables “virtual analysts” to provide 24/7, real-time alert investigation and response. It can also take security efforts to a higher level using machine learning and calculating models that the human brain simply cannot do – but then delivering that information to the human analysts to accelerate remediation and prevention.


Modern SOCs must use a comprehensive and pre-integrated platform

Traditional SOCs, even when beefed up with specialised products to address advanced cyber-threats, continue to manage security components separately, do not work in an integrated manner, and cannot share information with a wide variety of stakeholders. Modern, intelligence-driven SOCs use a unified approach that combines network and endpoint monitoring and forensics, deception mechanisms like putting decoy servers within the network or click-bait to monitor traffic, specialised engines for threat detection across the attack chain, automated and manual investigations and remediation measures. Analysts can make better and faster decisions because an intelligence-driven SOC has all the information in a single dashboard.


A pre-integrated platform enables knowledge-sharing with continuous sharpening of the threat picture as incidents are updated in real time. Automation of the investigation allows the process to mimic the human analyst, reduce false positives, plot the full organisation attack storyline, and build the incident case file including related alerts and forensics. It alleviates alert fatigue, boosts analysts' productivity, and bridges the analysts' skill barrier, with no need to continuously add and manage correlation and enrichment rules like in the SIEM.


Modern SOCs must offer operational efficiency and productivity

Traditional SIEM-driven SOCs require hours or days to investigate incidents due to lack of data, partial forensics instrumentation, and manual operation of multiple interfaces, without considering the dozens of staff to review basic alerts on known attack patterns and signatures, not to mention the effort required to administer and maintain the SIEM. With thousands of leads automatically triaged and fused into incidents, intelligence-driven and unified SOCs need only minutes or hours of investigation, thanks to broad visibility, automation, and unified user interfaces.


Data is simply the means. Intelligence for action is the end

That is the heart of the question: Why is SIEM alone not sufficient for a truly effective SOC? SIEM is all about data, a means to an end. And the end is risk prioritising and action-focused intelligence. SIEMs will still be needed for log collection, monitoring, and compliance purposes, but for the actual task of threat detection and response, a SOC must be intelligence-, not SIEM-driven. An iSOC system is context-aware and delivers fast, clear and actionable information through coverage, continuity, context, clarity, collaboration, coherence.


Contributed by Yitzhak (Itzik) Vager, VP cyber product management & business development, Verint Systems Ltd. 

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.