Monster post of the week goes to Gunter Olmann’s NextGen SIEM Isn’t SIEM blog post.
To paraphrase the first half, basically SIEM’s main weaknesses have been fidelity and trying to integrate newer sources. These newer sources are pushing that fidelity and active response away from the SIEM and down closer to end endpoints/attackers/events.
…Interjecting my own thoughts for a moment: Also, in the past, a SIEM was only as good as the intelligence behind it, which was often fueled entirely by the staff sitting directly in front of it. I’m sure every SIEM and MSSP vendor has been asked, “So, what do we look for out of these million logs entries?” by every single one of their clients, and the answer is always, “It depends,” or, “What do you want to find?” (You’d think intelligence would get pushed downhill, but I think only the most obvious of intelligence ever gets outside a singular organization’s walls, including those that share it!) The best (luckiest) shops have SIEM ninjas in house, but most just flounder wetly about in the hallway. Now, back to Gunter…
And he frames the transition correctly by saying these new tools typically do only a narrow scope of things really well.
Honestly, I’m not sure asking what the “next gen SIEM looks like” is exactly the right question. I’d take a small step back and say, “What does the next SOC look like?” (I’m writing this as I read the article, and Gunter goes to the same direction!) Do we still strive for one pane of glass? Do we have many panes of glass with best of breed tools?
I like Gunter’s bullet points on what the next SOC/SIEM should do or look like.
But I do want to add one other factor into this. The shops that have the budgets to get things like big SIEM tools and various other Threat Hunting or SOC-supporting tools are also the ones fighting with a ridiculous technology change pace in their own networks, and those that have manageable environments are the ones too small for the best tools. Between cloud, IOT, mobile devices, and advancing system sprawl, it’s a huge endeavor for a SOC just to keep up with its own organization.
Anyway, just to interject a wonderful (or nightmarish) vision of the future…we keep taking steps forward towards actual Gibson/Shadowrun-like ICE!