SIEM is dead, long live SIEM

But do we need a new name for it?

SIEM – Security Information and Event Monitoring

I was reticent to write this post as it could turn into buzzword bingo, and who needs a post suggesting yet another acronym?

However I have been thinking recently that SIEM needs to expand, and the term seems to always get people stuck thinking of traditional / historical SIEM. not where it should be going.

Traditionally SIEM systems collect and analyse ‘security’ events.  Now this is awesome if the attacker or malicious insider triggers a ‘security’ event.  What if they don’t?  The whole issue around the much discussed Advanced Persistent Threat (APT) thype of attack is that they have time, money and resources to ensure they do not trigger obvious security events.

In order to detect and understand the more subtle attacks, or those that are hidden amongst other attacks such as when a large DDoS is used as a diversion need much broader and more in-depth sources of data and correlation abilities than traditional SIEM installations.

As examples;

Consider malware installed under the context of an administrator that is not picked up by AV (this is easier than you think) then hides itself from general detection.  The ops guys may notice an increase in CPU or RAM use on the server, but without the security viewpoint are unlikely to consider root-kit type malware.

Consider data being exfiltrated relatively slowly, increases in network traffic that are not related to a change, but also that cause no performance issues are very likely to be overlooked if only considered from an operational perspective, however this data being viewed from a security standpoint may warrant further investigation.

Consider data moving between systems where it would not normally move, or accounts logging on at unusual times or from unusual places – these may not generate specific security alerts, but can be much more easily spotted and flagged by a log correlation solution that sees everything in the environment.

To me the answer is obvious and has much wider benefits than just for security.  SIEM solutions should no longer be in a silo collecting just security data, and operational log collection systems shouldn’t be just for IT operations.  A single solution that collects basically all the logs and other pertinent information into some sort of ‘big data’ redundant and scalable storage back end (likely Hadoop based) will provide huge benefit to the organisation.

If the raw log data is also enriched with contextual information such as the CMDB, network information, threat feeds etc. the alerting can be moved from generic alerts to much more organisation specific and prioritised based on the real risk.

Logical separation (and physical if required) along with access controls and agreed roles and responsibilities can be used to ensure that different teams only have access to the data and reports they should, and cannot access data they are not supposed to.

Having a single tool for operations, security and likely business reporting is architecturally more simple, easier to support, and likely lower cost than having multiple tools.

So, the solution is obvious to me, but should it still be called SIEM?  I think the security use case of the single log collection solution is likely still SIEM, but on steroids as it has so much more data to correlate and search across and likely much more powerful ways of doing this.  However it must not be looked at in isolation and we have to get away from the outdated notion of just collecting and alerting on ‘security’ events.

As an example I was at a presentation recently around big data and SIEM and they did not once mention the broader use cases and benefits, the talk focused purely on the traditional SIEM model, just with a more data.

What do you think?  Do we need a new term, if not, how do we move peoples thoughts forwards and away from only thinking of IEM in traditional terms?

K