MY TAKE: Why the unfolding SIEM renaissance fits hand-in-glove with ‘digital transformation’

SIEM systems have been on the comeback trail for a few years now. And now SIEMs could be on the verge of a full-blown renaissance.


I spoke with several vendors who are contributing to this at RSA Conference 2018. One of them was Securonix, a supplier of advanced next-generation SIEM (security information and event management) technology. The Addison, Tex.-based company is also a leading innovator in UEBA (user and entity behavior analytics) systems.

For a full drill-down of my conversation with Nitin Agale, Securonix’s SVP of products, please listen to the accompanying podcast. A few takeaways from our discussion:

SIEMs’ second wind

SIEMs, you may recall, first cropped up in 2005, and, at the time, got unfairly hyped as something of a silver bullet. SIEMs are designed as a tool to collect event log data from Internet traffic, as well as corporate hardware and software assets, and then cull meaningful security intelligence from a massive volume of potential security events.

For a number of reasons, SIEMs never quite lived up to their initial promise. Now, 13 years later, we’re in the midst of a “digital transformation” that has resulted in an exponential increase in the volume of business data, much of it circulating in the cloud. Oddly enough, these Big Data spikes seem to have sparked innovation that is giving SIEMs their second wind.

Vendors like Securonix are rapidly merging legacy SIEMs with nascent technologies, such as UEBA and SOAR (security orchestration, automation and response) solutions. The common denominator to these innovations is that they bring machine learning and advanced database storage solutions – such as Hadoop – to bear, sifting and making sense of SIEM logs, as well as inputs from many other one-off security systems.

Data science and machine learning techniques that were immature a decade ago are now sophisticated enough, and are being used, to analyze and understand this massive volume of data.

Mind-boggling complexity

This all adds up to a fast-moving river of innovation that is gaining momentum and amassing power as it rolls downstream – and none too soon.

“What’s going on is people are generating a lot of data right now, with different kinds of devices, and with work cultures changing,” Agale told me. “This digital transformation is necessary because companies want to provide their employees the flexibility to do their jobs, and make it faster and simpler for them to work from anywhere, on any device.”

The mind-boggling complexity required to accomplish this has created an astounding volume of data, moving back and forth between traditional company networks, and weaving in and out of cloud services infrastructure.

In short, it’s a perfect scenario for the original idea behind SIEM platforms, which was to cull meaningful information from the massive volume of security events being generated by servers, desktops, laptops and also firewalls, antivirus and intrusion detection/prevention systems (IDS/IPS).

“The core issue now, with so much data coming in, is, How do you analyze the data and find that needle in the haystack?” Agale says. “How do you go through all of the data they’ve collected, tie the related events together and find the malicious activity they need to be focusing on?”

UEBA shakeout

UEBAs appear to be a key to fusing together input from multiple security systems, including SIEMs. Sales of standalone UEBA solutions are doubling each year and could top $200 million this year, according to Gartner. Securonix and other vendors are incorporating UEBA capabilities into their core security offerings.

Gartner analyst Avivah Litan recently told eSecurity Planet that she expects a shakeout, with the standalone UEBA products that survive evolving into next-generation SIEM solutions. Litan also believes other UEBA offerings will find their way into other security technologies.

The trend of security vendors now getting around to applying machine learning techniques – the same methods used by Google to derive search results and Amazon to pitch products – dovetails right into this.

“If you tried to do this manually you would need an army of people, and you’d generate a lot of alerts that are not in line with the threats you’re looking for,” Agale observes. “Machine learning will learn the patterns on how people are behaving, patterns of how devices are working in your environment, and help you baseline that activity. And then look for any sort of deviation from normal.”

It’s not rocket science. And the security systems being brought to market today by security vendors are geared toward scaling up the simple screening tasks to the level required by digital transformation. It looks like SIEMs are going to pay off, big, after all.