Over recent years most organizations have gone through profound changes, introducing digital technologies to drive business efficiency and competitiveness. This has seen the rapid adoption of new technologies and the migration toward cloud solutions, IoT devices, browser-based “anywhere, anytime” applications and so on. With the continuous scaling of an organization's environments and the sheer volume of data being generated by customers, users, business systems and IoT devices, the number of human-to-machine and machine-to-machine transactions has escalated. This has led many organizations to adopt some form of log management solution to protect their data and users. With the exponential growth in the number of cybersecurity breaches, it is no secret that organizations are looking for ways to improve their visibility, their detection, and their ability to respond to these threats.

Initially, organizations used two separate technologies, Security Information Management (SIM) and Security Event Management (SEM) systems, to monitor and address security incidents. In 2005 Gartner coined the concept of combining the two and defined Security Information and Event Management (SIEM): a system capable of collecting, analyzing, and presenting information gathered from the network, connected devices, security systems, and so on. Due to the high cost and complexity of implementing a SIEM, it was at first considered a large-enterprise-only solution. However, with the evolution of commercial off-the-shelf SIEM products, they are no longer limited to large enterprises. SIEM tools are now affordable and accessible for organizations of all sizes. In fact, using a SIEM has become a necessity for every organization, irrespective of size or line of business, to ensure that data, often a company's most valuable asset, is not lost or compromised.

SIEM is a tool used for centralized logging, alerting, and compliance. SIEM solutions correlate the collected data to provide context for alerts and events across business and IT systems, and they help organizations meet auditing and regulatory compliance requirements. A SIEM collects log data from devices, applications, systems, and existing security tools. Once the logs are collected, the SIEM normalizes and aggregates the data for the analysis stage. In that stage the SIEM analyzes the aggregated data and, based on the rules defined by the organization, alerts the appropriate team to any suspicious events.
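The collect, normalize, aggregate and analyze stages described above, as an added illustration that is not code from any SIEM product or from the original article. It takes constructed sample log lines from two different sources (an sshd syslog format and a JSON web application log), maps both into one common event schema, counts failed logins per source address inside a sliding window, and raises an alert when an assumed organization-defined threshold is crossed. The log formats, field names, window length and threshold are all assumptions made for this example; the point it shows is that normalization is what lets a rule correlate failures across unrelated systems.

```python
"""Minimal SIEM-style pipeline: collect -> normalize -> aggregate -> analyze/alert.

Added illustration, not code from any product. All log lines below are
constructed samples; the source formats, field names and the rule threshold
are assumptions made for this example.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Collect: constructed raw events from two different log sources ---------
SSHD_LINES = [
    "2024-03-01T10:00:01Z host1 sshd[201]: Failed password for root from 203.0.113.7 port 5120 ssh2",
    "2024-03-01T10:00:04Z host1 sshd[201]: Failed password for root from 203.0.113.7 port 5121 ssh2",
    "2024-03-01T10:00:09Z host1 sshd[201]: Failed password for admin from 203.0.113.7 port 5122 ssh2",
    "2024-03-01T10:05:00Z host2 sshd[330]: Accepted publickey for deploy from 198.51.100.4 port 4000 ssh2",
]
WEBAPP_LINES = [
    '{"ts": "2024-03-01T10:00:12Z", "app": "portal", "event": "login_failed", "user": "alice", "src": "203.0.113.7"}',
    '{"ts": "2024-03-01T10:00:30Z", "app": "portal", "event": "login_ok", "user": "bob", "src": "192.0.2.9"}',
]

# Assumed sshd message shape; lines that do not match are dropped by the parser.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \S+ for "
    r"(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# --- Normalize: map each source into one common schema ----------------------
def normalize_sshd(line):
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(m["ts"]), "source": "sshd", "host": m["host"],
            "user": m["user"], "src_ip": m["src"],
            "outcome": "failure" if m["outcome"] == "Failed" else "success"}


def normalize_webapp(line):
    d = json.loads(line)
    return {"ts": parse_ts(d["ts"]), "source": d["app"], "host": d["app"],
            "user": d["user"], "src_ip": d["src"],
            "outcome": "failure" if d["event"] == "login_failed" else "success"}


def collect_and_normalize():
    """Return all events from both sources in one schema, ordered by time."""
    events = [e for e in map(normalize_sshd, SSHD_LINES) if e]
    events += [normalize_webapp(line) for line in WEBAPP_LINES]
    return sorted(events, key=lambda e: e["ts"])


# --- Aggregate: failed logins per source IP within a sliding window ---------
def failed_logins_by_ip(events, window=timedelta(minutes=5)):
    """Map src_ip -> largest number of failures seen inside any window-long span."""
    by_ip = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            by_ip[e["src_ip"]].append(e)
    counts = {}
    for ip, evs in by_ip.items():
        best = 0
        for i, start in enumerate(evs):
            n = sum(1 for x in evs[i:] if x["ts"] - start["ts"] <= window)
            best = max(best, n)
        counts[ip] = best
    return counts


# --- Analyze: an organization-defined rule produces alerts ------------------
def run_rules(events, threshold=3):
    alerts = []
    for ip, n in failed_logins_by_ip(events).items():
        if n >= threshold:
            sources = sorted({e["source"] for e in events
                              if e["src_ip"] == ip and e["outcome"] == "failure"})
            alerts.append({"rule": "auth-bruteforce", "src_ip": ip,
                           "failures": n, "sources": sources})
    return alerts


if __name__ == "__main__":
    for alert in run_rules(collect_and_normalize()):
        print(alert)
```

Run as a script, the block prints a single alert for 203.0.113.7 with four failures spanning both the sshd and the portal sources; neither source on its own would have reached the threshold, which is the value the correlation step adds.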

SIEM solutions themselves have gone through many iterations, evolving from simple security event management, correlation and log aggregation. Early SIEM solutions combined log management and event management systems, which had previously been separate. During this period, SIEM tools could detect an attack only if the threat was already known; they were unable to detect zero-day attacks or unknown threats. These early solutions provided basic log aggregation across different system types along with basic event correlation, and they were limited in the volume of data they could process. The next generation of SIEM technologies addressed this shortcoming and was capable of handling large volumes of data. It could also correlate log data with real-time events and with data from threat intelligence feeds, and it improved on visualization. Recently, SIEM providers have gone further and combined additional critical capabilities such as user and entity behaviour analysis (UEBA) and, most importantly, security orchestration, automation and response (SOAR).

From a software product perspective SIEM has gone through several evolutions; however, a number of challenges remained, such as complexity of deployment, lack of flexibility, slow response times and extremely high costs, that deterred many organizations from acquiring and implementing a SIEM tool. With first-generation SIEM tools, a key challenge was that they were purely rule-based, which generated a large number of false positives, which in turn led to security analysts being unable to act on, or simply ignoring, the true positives. With increasingly large volumes of data across the organization, security teams were overwhelmed by the sheer number of alerts and the pressure to close security issues or tickets. The evolutions and enhancements that SIEM products have made over the past decade have made them an integral part of the cybersecurity investment of organizations of all sizes.
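The false-positive problem of first-generation, purely rule-based detection, as an added example that is not part of the original article and is not any vendor's logic. Over a constructed stream of already-normalized login events (three ordinary users mistyping a password once, and one source that fails repeatedly and then succeeds), a naive "every failed login is an alert" rule is compared with a stateful correlation rule that fires only when a run of failures from one source is followed by a success from the same source inside a window. The event schema, the labelled ground truth used for scoring, and the thresholds are assumptions made for this example.

```python
"""Why purely rule-based matching floods analysts, and how stateful correlation
helps. Added illustration with constructed events; the event schema, the
ground-truth labels, the rules and the thresholds are assumptions, not any
vendor's logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def t(hhmmss):
    return datetime.strptime("2024-03-01 " + hhmmss, "%Y-%m-%d %H:%M:%S")


# Constructed, already-normalized events: ordinary users mistyping a password
# once, plus one source that fails four times in ten seconds and then succeeds.
EVENTS = [
    {"ts": t("09:00:05"), "user": "alice", "src_ip": "10.0.0.11", "outcome": "failure"},
    {"ts": t("09:00:20"), "user": "alice", "src_ip": "10.0.0.11", "outcome": "success"},
    {"ts": t("09:01:00"), "user": "bob",   "src_ip": "10.0.0.12", "outcome": "failure"},
    {"ts": t("09:01:30"), "user": "bob",   "src_ip": "10.0.0.12", "outcome": "success"},
    {"ts": t("09:02:00"), "user": "carol", "src_ip": "10.0.0.13", "outcome": "failure"},
    {"ts": t("09:10:00"), "user": "svc",   "src_ip": "203.0.113.9", "outcome": "failure"},
    {"ts": t("09:10:02"), "user": "svc",   "src_ip": "203.0.113.9", "outcome": "failure"},
    {"ts": t("09:10:04"), "user": "svc",   "src_ip": "203.0.113.9", "outcome": "failure"},
    {"ts": t("09:10:06"), "user": "svc",   "src_ip": "203.0.113.9", "outcome": "failure"},
    {"ts": t("09:10:09"), "user": "svc",   "src_ip": "203.0.113.9", "outcome": "success"},
]

# Constructed ground truth used only to score the two rules.
KNOWN_BAD = {"203.0.113.9"}


def naive_rule(events):
    """First-generation style: every failed login becomes an alert."""
    return [{"rule": "failed-login", "src_ip": e["src_ip"], "user": e["user"]}
            for e in events if e["outcome"] == "failure"]


def correlated_rule(events, min_failures=4, window=timedelta(minutes=5)):
    """Alert only when >= min_failures from one source are followed by a success
    from the same source inside the window, i.e. a stateful sequence match."""
    recent = defaultdict(list)  # src_ip -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        ip = e["src_ip"]
        # forget failures that have aged out of the window
        recent[ip] = [ts for ts in recent[ip] if e["ts"] - ts <= window]
        if e["outcome"] == "failure":
            recent[ip].append(e["ts"])
        elif len(recent[ip]) >= min_failures:
            alerts.append({"rule": "bruteforce-then-success", "src_ip": ip,
                           "user": e["user"], "failures": len(recent[ip])})
            recent[ip].clear()
    return alerts


def score(alerts):
    """Count alerts and how many of them point at a labelled-bad source."""
    true_pos = sum(1 for a in alerts if a["src_ip"] in KNOWN_BAD)
    return {"alerts": len(alerts), "true_positives": true_pos,
            "false_positives": len(alerts) - true_pos}


def compare(events):
    return {"naive": score(naive_rule(events)),
            "correlated": score(correlated_rule(events))}


if __name__ == "__main__":
    print(compare(EVENTS))
```

On this input the naive rule produces seven alerts, of which three are ordinary users and only four relate to the one suspicious source, while the correlated rule produces a single alert that carries the whole sequence (four failures, then success) as context. The trade-off is visible too: a source that fails fewer than `min_failures` times, or never succeeds, produces nothing under the correlated rule, so thresholds have to be tuned against the organization's own baseline rather than copied.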

It is important to note that deploying a SIEM tool by itself is not enough, and is not a managed security service. An organization needs suitably skilled people and operational procedures in place to make use of the SIEM and to establish a managed security posture and capability. That is where the concept of building and operating a security operations center comes in. Gartner defines a security operations center (SOC) as a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance. The SOC provides round-the-clock monitoring for cyber threats and the ability to engage immediately in incident response.

SIEM is a key technology component of the SOC. The other mandatory requirements for operating a SOC are skilled security analysts, up-to-date threat intelligence, and operational procedures. Building and operating a dedicated SOC facility is complex and expensive and requires considerable expertise. According to the SANS Institute, the two most frequently cited barriers to SOC excellence are a lack of skilled staff and the absence of effective orchestration and automation of threat detection and response. Security analysts are in high demand because of the limited number of skilled security professionals available, and they command large salary packages, which in turn adds to the cost of operating a SOC. With the ever-evolving threat landscape, an organization also needs to keep its security professionals up to date and certified so they can understand and address these cybersecurity threats.

An alternative to establishing and operating a dedicated “in-house” SOC is using a Managed Security Services Provider (MSSP). The MSSP's core focus is to enhance the cybersecurity posture of its clients by acting as the extended support and operational function of the client's cybersecurity team. MSSPs offer SOC as a service, which can address the key challenges discussed above that an organization faces in building and operating its own dedicated SOC. The key returns for the organization are cost savings, security expertise, 24x7 visibility, and compliance management. An MSSP offloads the overhead of acquiring the right security expertise and the amount of resources required to provide 24x7 or business-hours security analysis, monitoring, and response capabilities. An MSSP also helps organizations filter the most important and critical security events out of vast amounts of logs, an almost impossible task for an organization without the expertise, resources and well-honed processes this function needs. Engaging an MSSP removes the onus on an organization to set up the required processes and procedures, and shortens the time the organization needs to raise its cybersecurity maturity. With its in-built capabilities, resources and processes, an MSSP can deliver more value by reducing the mean time to detect (MTTD) and mean time to respond (MTTR) for any critical security event. An MSSP can also provide appropriate security analysis and more up-to-date cybersecurity posture reports, which can guide the organization in planning its security roadmap.