Team working on SIEM, XDR technologies

Is the SIEM dead?

The bastion of the business for decades, the Security Incident and Event Management (SIEM) continues to be the primary means to detect and respond to business threats before they can impact business operations. There have been multiple challengers over the years. AI and machine learning, observability platforms and most recently Extended Detection and Response (XDR) have all seen SIEM declared dead, and yet the SIEM continues to defy expectations and reinvent itself.

Next generation SIEM, for instance, provides threat hunting capabilities in addition to collating and analysing log data in real-time from applications, servers and endpoints. The technology has also gone mainstream, with predictable pricing effectively lowering the threshold and bringing the technology within the reach of the SME.

The most recent challenger to the throne is XDR. It’s ability to monitor attack vectors across endpoints, cloud, and other network systems and to apply advanced analytics for threat detection makes it appear more dextrous and responsive. But fast forward to now and those XDR vendors that touted the technology as a replacement for threat mitigation are adding SIEM to their portfolio, either as a platform offering or as an add-on to attract more custom. This is because the way data is now being collected, interrogated and governed have fundamentally changed, exposing the current limitations of XDR.

Where XDR need improvement

Firstly, data lakes have become the dominant form of data aggregation, resulting in huge data volumes that can be costly to analyse. There’s almost too much of it, causing a high cardinality environment which makes data recall slower and more difficult to visualise issues and create use cases. The emphasis now is on leveraging a subset of that data around a common taxonomy and subjecting it to business analytics in order to make that analysis cost effective and reduce time to insight. From a security perspective, it’s all about being able to siphon off a pool of security data from that massive lake and being able to manipulate that data which can then be provided to the SOC analysts and threat hunters conducting the investigation.

However, XDR adopts a very narrow view, focusing on specific attack vectors where the data comes into the organisation and mitigating the risk these may pose. It doesn’t go wide enough in its capture and this is problematic because the accepted wisdom is that data should be analysed as close to the original source as possible. Doing so ensures the highest degree of accuracy, the fastest response by reducing latency, and removes the need to replicate it in other storage mediums across the environment, thereby increasing the total cost of ownership of that data.

Secondly, XDR is not designed to assist with industry regulations which are steadily ramping up. Numerous industries are facing an increased compliance burden with many businesses coming within scope of NIS2, for instance, while those in the financial sector need to comply with DORA, and the healthcare sector DSPT.  XDR may be adept at performing the necessary counter measures and applying mitigation, but it doesn’t provide the analytics or proof points needed to demonstrate compliance with these frameworks. Perversely, this means that while the organisation might be more secure, it cannot prove it when it comes to the audit.

Knowing controls are in place, that you have visibility of what’s happening around those controls, counter measures deployed for those controls, and that the data proving as much is being imported in a way that meets the regulatory demands of the compliance framework is essential for regulated industries. But it’s very difficult to use XDR to provide that level of visibility or to create those proofs in its current state.

Visualising issues

In contrast, the SIEM is all about visibility. It presents a correlated view of data across multiple data points via a dashboard populated with interactive graphs that can then be viewed and interrogated. Just as it is now common place to analyse metrics and telemetry data from across the estate to ensure uptime is within acceptable limits over the network infrastructure and cloud environment, so we need to be able to demonstrate the tolerance levels of the organisation with respect to security payloads and workloads. It’s here where the SIEM excels in presenting a granular view of those levels.

Ensuring visibility across the organisation is also vital for operational efficiency. The SIEM provides a level playing field and a common language to help teams communicate and manage security across departments. Typically, in addition to a core security team there might be DevOps, SecOps or Network Operations, and a team that owns EDR/XDR, all of whom have a vested interest in security but who don’t interact. How they then share that data, ensure they are looking at the same thing, determine who has responsibility when an issue happens while preventing duplication is essential to ensure the smooth running of the organisation.

What the future looks like

And so, it would seem, we have come full circle back to the SIEM. Except it’s not a technology that tends to stand still and even now is in the process of reinventing itself. There’s now a drive towards convergence which is seeing disparate technologies brought together over the SIEM to complement its threat hunting capabilities. Putting these technologies over a single platform reduces complexity and swivel chair operations (whereby analysts go from one interface to another), brings down management costs and eradicates duplicated functionality.

The convergent SIEM uses contextual information to enrich logs and qualify alerts through technology such as User Entity and Behaviour Analytics (UEBA) and Security Orchestration Automation and Response (SOAR), while automated investigation and response are carried out by case management tools, reducing mean time to response (MTTR) and freeing up security professionals to focus on more specialist tasks. Harmonising these technologies over the SIEM means each then becomes more than the sum of its parts, effectively complementing each other to confirm the threat, the risk it poses and to prioritise the appropriate level of response.

In an era where teams are being asked to do more with less, convergence may well offer the cost and efficiency the organisation has been looking for in order to improve resilience. Moreover, as it provides a cohesive single view which it also allows those overseeing operations such as the CISO better manage the cyber security posture. In fact, a Gartner found 75% of CISOs are pursuing vendor consolidation to improve risk posture and reduce spend. So, while XDR may not have lived up to the hype, it has certainly proved useful in revealing where and how the SIEM can be applied in a modern context and in harmony with other tools to improve threat detection and response.