By Daniel Felman, Lead Data Scientist, SecBI

In 2005 the term Security Information and Event Management (SIEM), combining SIM and SEM, was first coined. Since then, many corporations have adopted SIEMs to ensure better network visibility and easier investigation of suspicious communications. The SIEM’s ability to instantly alert analysts to unusual behavior within an organization’s network gave SOC teams a significant boost by notifying them about potential breaches.

The SIEM’s main function is to collect logs from many sources, including edge-based devices, routers, servers and all other logging components in an organization. A SIEM expert is required to install, configure and customize rules for the specific organization and constantly update them to monitor newly added capabilities on existing devices. Of course, the same process must be repeated for newly installed devices as well. The SIEM then correlates and tests the logs against the predefined rules, and every time one of those rules is triggered, it sends an alert to SOC operators for further analysis. This process hasn’t changed significantly over the past 15 years, despite the data explosion that hinders SOC analysts’ ability to keep up with the information they need to detect true cyber attacks.

Given the artificial intelligence (AI) revolution, isn’t it time for SOC teams to integrate smarter tools and focus only on the alerts that matter?

Make AI Your Ally: Find a Solution Beyond a SIEM

What is needed beyond a SIEM is a detection module based on a supervised machine learning model (such as a decision tree or random forest) that can quickly discard benign activity (false positives), or a neural network that finds hidden patterns and acts in real time. The required solution should be able to automatically understand the severity and risk of every action. It should understand whether an attack occurred, and if so, remediate accordingly. This kind of advanced analysis cannot be achieved by a regular SIEM. It requires contextual information combined with behavioral analysis. One alternative is a hybrid machine learning algorithm, which can identify stealthy incidents and automatically follow the appropriate course of action.

To give an example, let’s assume that a SIEM rule is to create an alert whenever a user downloads 10 GB of data within one hour. Now, what happens if the whole marketing team receives three options for the new marketing video in HDR? This could generate an alert for every single marketing team member. However, a supervised machine learning algorithm can aid the SOC team’s decision-making by incorporating features like the file type or the number of people who behaved similarly, which provides a more semantic understanding of the incident. On top of that, an unsupervised machine learning algorithm could profile the users to understand that it’s not the first time they behaved this way. Such context can help dismiss false positives without any human intervention. Conversely, false negatives could be detected similarly by identifying unusual user behavior. For example, the HR manager downloading many small files from a sensitive repository at a rate of 2 GB per hour is a case the SIEM rule wouldn’t catch.
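As an added example that is not from the original article, the following Python models the layers described above: the static 10 GB/hour SIEM rule, a peer-context check that dismisses the marketing-team alerts, and a per-user baseline check that surfaces the HR manager's 2 GB/hour pull from a sensitive repository. The events, departments, repository names and baselines are constructed sample data, and hand-written context rules stand in for the trained model so that it runs offline.

```python
from collections import defaultdict

GB = 1024 ** 3
# Constructed one-hour sample: (user, department, repository, file_type, bytes).
EVENTS = [(f"mkt{i}", "marketing", "media-share", "mp4", 12 * GB) for i in range(6)]
EVENTS += [("hr-manager", "hr", "payroll-db", "csv", 4 * 1024 ** 2)] * 512  # ~2 GB of small files
EVENTS += [("eng1", "engineering", "build-cache", "tar", GB)]
# Constructed per-user profile: typical hourly bytes each user pulls from sensitive repositories.
BASELINE = {"hr-manager": 64 * 1024 ** 2, "eng1": 0}
SENSITIVE_REPOS = {"payroll-db"}

def aggregate(events):
    """Roll events up per user: total bytes, department, file types, sensitive-repo bytes."""
    agg = defaultdict(lambda: {"bytes": 0, "sensitive": 0, "types": set(), "dept": None})
    for user, dept, repo, ftype, size in events:
        a = agg[user]
        a["bytes"] += size
        a["dept"] = dept
        a["types"].add(ftype)
        a["sensitive"] += size if repo in SENSITIVE_REPOS else 0
    return agg

def siem_rule(agg, threshold=10 * GB):
    """The static rule from the text: alert on any user over 10 GB in the hour."""
    return sorted(u for u, a in agg.items() if a["bytes"] > threshold)

def peer_dismissal(agg, alerts, min_peers=3):
    """Dismiss an alert when >= min_peers colleagues in the same department pulled the
    same file type in the window: a bulk business event, not one user exfiltrating."""
    dismissed = []
    for user in alerts:
        me = agg[user]
        peers = [u for u in alerts if u != user and agg[u]["dept"] == me["dept"]
                 and agg[u]["types"] & me["types"]]
        if len(peers) >= min_peers:
            dismissed.append(user)
    return dismissed

def baseline_escalation(agg, baseline, factor=10):
    """Escalate users whose sensitive-repo volume is far above their own profile, even
    when far below the SIEM threshold (the 2 GB/hour HR case). Unknown users get a 0 baseline."""
    return sorted(u for u, a in agg.items() if a["sensitive"] > factor * baseline.get(u, 0))

def triage(events, baseline=BASELINE):
    """SIEM rule first, then context: peers dismiss false positives, baselines add false negatives."""
    agg = aggregate(events)
    alerts = siem_rule(agg)
    kept = set(alerts) - set(peer_dismissal(agg, alerts))
    return {"siem_alerts": alerts, "escalated": sorted(kept | set(baseline_escalation(agg, baseline)))}
```

With the sample data, all six marketing alerts are dismissed as peer activity and only the HR manager, who never crossed the 10 GB threshold, is escalated.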

In conclusion, the best way to organize all events in a network is by logging them with a unified system that is empowered to protect sensitive information from potential attacks. By adding advanced analysis on top of the SIEM’s existing capabilities, the context of logs can be easily understood, false positives can be reduced, and hidden threats can be detected and remediated quickly, accurately, and comprehensively.