Last week at the RSA Conference 2015, RSA CISO Eddie Schwartz declared that, in addition to anti-virus, SIEM solutions are also ‘dead’ and that IT security departments need to become “more big data aware”. ‘Big Data’ in this case refers to collecting and processing data holistically across an organisation's environment, not just collecting data from individual security appliances.
This comment may seem surprising at face value, but it is quite telling of the current state of operational security within organisations today. When performing their work, security analysts typically respond to security alerts from a number of individual security appliances or applications on the network. This requires a lot of effort on the part of the security analyst, who must view each event and ask: what does this event mean in the context of my environment? This approach does not scale, as organisations typically record thousands, if not millions, of events per day.
In recent years, the security industry has invested heavily in threat intelligence to try to solve this issue. Threat intelligence provides context for events and therefore reduces the number of events analysts need to process manually.
In order to provide this context, appliances must integrate with numerous internal and external sources of information, something that traditional SIEM appliances are not built to do.
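To make the enrichment step concrete, the following added example (not EMT's or ThreatQuotient's code) merges indicators from an assumed external feed and an assumed internal incident list into one repository, attaches that context to raw events, and keeps only the events whose context is confident enough to need an analyst's attention. All feed formats, field names, indicators and events are constructed for illustration.

```python
"""Merge indicators from several intelligence sources and use them to give raw
events context, so only events that matter reach an analyst. Added example, not
EMT's or ThreatQuotient's code; all feed formats and values are constructed."""
from dataclasses import dataclass, field

# Constructed sources: an external feed and an internal incident list.
EXTERNAL_FEED = [
    {"indicator": "203.0.113.10", "type": "ip", "tags": ["c2"], "confidence": 80},
    {"indicator": "evil.example", "type": "domain", "tags": ["phishing"], "confidence": 60},
]
INTERNAL_LIST = [
    {"indicator": "203.0.113.10", "type": "ip", "tags": ["seen-in-ir"], "confidence": 95},
]
# Constructed raw events as an appliance or SIEM might emit them.
EVENTS = [
    {"id": 1, "src_ip": "10.0.0.5", "dst_ip": "203.0.113.10"},
    {"id": 2, "src_ip": "10.0.0.7", "domain": "evil.example"},
    {"id": 3, "src_ip": "10.0.0.9", "dst_ip": "198.51.100.20"},
]

@dataclass
class Indicator:
    value: str
    type: str
    sources: set = field(default_factory=set)
    tags: set = field(default_factory=set)
    confidence: int = 0  # highest confidence any source assigns to it

def build_repository(*feeds):
    """Merge (source_name, records) pairs into one repository keyed by value."""
    repo = {}
    for name, records in feeds:
        for r in records:
            ind = repo.setdefault(r["indicator"], Indicator(r["indicator"], r["type"]))
            ind.sources.add(name)
            ind.tags.update(r["tags"])
            ind.confidence = max(ind.confidence, r["confidence"])
    return repo

def enrich(events, repo):
    """Attach every matching indicator to each event under a 'context' key."""
    return [{**ev, "context": [repo[ev[f]] for f in ("src_ip", "dst_ip", "domain")
                                if ev.get(f) in repo]} for ev in events]

def needs_review(enriched, min_confidence=70):
    """Keep only events whose context reaches the confidence threshold."""
    return [ev for ev in enriched
            if any(i.confidence >= min_confidence for i in ev["context"])]
```

With the sample data, three raw events reduce to one that needs manual review, and that event carries the merged view of both sources for the same indicator.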
And what of the future of SIEM? According to Mr. Schwartz, “SIEM will continue to be important for organisations at some level of log management, such as the small-to-medium enterprise who are looking at it for compliance. But to deal with advanced threats and focus on the network and go by reputation, you have to go beyond the SIEM. You can build your own system with a data warehouse or you can use a managed partner, but who builds their own technology. SIEM has limited visibility.”
EMT Distribution has recently partnered with ThreatQuotient in order to provide a leading threat intelligence product to our clients. ThreatQuotient helps organisations easily enable a multitude of intelligence sources with the flip of a switch. ThreatQ is an on-premise threat intelligence platform (TIP) that automates, structures, and manages all of your intelligence in a central analytical repository.