Digital transformation is creating rapidly growing volumes of data, leading to new vulnerabilities and attack vectors. At the same time, adversaries are growing increasingly more sophisticated – consider the recent Capital One breach, or the Equifax breach.
This combination of factors means SOCs are struggling to fulfill their critical mission of identifying and eliminating threats. With the tools available on the market today, analysts lack visibility across the expanding attack surface, are overwhelmed by the volume of security alerts, and struggle to reliably identify and act on threats because they lack context about the threats and entities involved.
With these challenges in mind, we envision a new kind of SIEM that meets analysts’ needs and helps cultivate a more effective SOC. This next-gen SIEM must evolve to become the central hub for all data and processes within the SOC, not simply provide alert management for traditional security events. This will empower analysts to visualize the threats that matter most to the business, improve the speed and accuracy of triage, investigation, and response, and magnify the intuition of analysts.
Here’s how we believe the SIEM must evolve:
- Behavioral analytics: To become more effective, analysts must be empowered to move beyond restrictive, rules-based detection. The next-generation SIEM should instead help reliably identify high-impact threats and give analysts the context they need to detect and act. Machine learning-based observations of users and systems on the network are critical for detection.
- Community collaboration: Adversaries are becoming more sophisticated, and SOC analysts are already doing what they can individually to keep their organizations secure. To help analysts stand together against these adversaries, SIEM must foster a peer community that can operationalize threat sharing of curated proprietary, open, and commercial intelligence, as well as provide access to a community of global CERTs. With a community behind them, analysts can prevent repetitive investigative efforts and put their time and resources to work in other critical areas.
- Analyst insight: SOC analysts are overwhelmed by 24/7/365 monitoring, a heavy workload, and a slew of other challenges that make their jobs difficult. As we work to empower analysts, the SIEM must be able to capture and learn from their behavior, helping to automate investigations, improve decision-making, and speed the onboarding of new talent.
- Orchestration & automation: Sixty-seven percent of analysts believe automation of workflow will relieve pressure and reduce burnout. To meet these needs, the SIEM must enable rapid threat response through integration with solutions that automate manual, repetitive processes and orchestrate the incident-response workflow.
- Cloud: As organizations shift to the cloud, the level of complexity required to maintain a strong security posture increases as well. With this in mind, the SIEM should be cloud-native and able to combine SaaS-based services with core product capabilities, as well as offer flexible deployment models that enable enterprises and MSSPs to streamline security operations as they shift to the cloud.
Finally, these capabilities must be delivered through a scalable, extensible data analytics platform, purpose-built for petabyte-scale data growth and the real-time and historical analytics demands of the modern SOC.