SIEM… is it over? Is there a legacy?

In today’s technological age, where anyone can innovate, build, deploy and scale, the sheer volume of systems, tools and change is becoming unmanageable. Simply put, there is no control.

Then there is the flip side of the coin: organisations that simply stick to what they know. There is no innovation and no development; they are keeping their businesses ticking over and little more.

So where does security information and event management (SIEM) fit in? What does it do and why do we need it?

In today’s big data world every organisation faces a similar problem: it lacks the end-to-end visibility needed to detect attacks early enough to stop them. Individual security controls certainly plug holes, but each reports in its own format and sees only its own slice of the environment, so none of them can consolidate, normalise and correlate events across the other point solutions. Those three capabilities are the core of a SIEM. They produce the “single-pane-of-glass” view that lets the business baseline normal activity, detect deviations from it, and triage what it finds, so that an analyst can pinpoint anomalies and threats at a glance instead of stitching together evidence from a dozen consoles.

Is this still relevant today? More than ever. Large enterprises need access to both historical and recent activity to gain true visibility and control over the entire IT stack. Newer technologies such as SOAR (see my previous article “Why SOAR is important… How is it different… How it helps your organisation” for more insight into the SOAR topic) increasingly rely on the historical information a SIEM holds to triage alerts properly, consolidate related alerts into a single incident, and suppress false positives. Even the machine learning and AI functionality within SOAR depends on that historical context: a model cannot judge whether an event is unusual without a record of what was normal.
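The two paragraphs above describe the SIEM pipeline in the abstract: ingest events in different formats, normalise them to one schema, correlate across sources, and use historical context to cut false positives. The following is an added example written for this post, not code from the original article or from any SIEM product. It normalises constructed sshd syslog lines, Windows logon events exported as JSON, and firewall CSV rows into a single schema, then applies one correlation rule (repeated logon failures from one IP across any source, followed by a success from that IP) and suppresses the alert when the user/IP pair is already in a historical baseline. All hostnames, users, IP addresses and the field names of the common schema are assumptions made for the example.

```python
"""Minimal SIEM-style pipeline: normalise, correlate, then apply historical context.
Added illustration; every log line, host, user, IP and schema field is constructed."""
import csv
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# --- Constructed raw input from three separate point solutions ----------------
AUTH_LOG = [  # Linux sshd, syslog style (constructed)
    "2024-03-01T09:00:05Z web01 sshd[1201]: Failed password for alice from 203.0.113.7 port 5101 ssh2",
    "2024-03-01T09:00:09Z web01 sshd[1201]: Failed password for alice from 203.0.113.7 port 5102 ssh2",
    "2024-03-01T09:00:14Z web01 sshd[1201]: Failed password for alice from 203.0.113.7 port 5103 ssh2",
    "2024-03-01T09:00:20Z web01 sshd[1201]: Accepted password for alice from 203.0.113.7 port 5104 ssh2",
    "2024-03-01T09:30:00Z web01 sshd[1300]: Accepted publickey for bob from 198.51.100.9 port 6001 ssh2",
]
WIN_EVENTS = [  # Windows logon events exported as JSON (constructed, fields simplified)
    '{"TimeCreated":"2024-03-01T09:00:11Z","EventID":4625,"TargetUserName":"alice","IpAddress":"203.0.113.7"}',
    '{"TimeCreated":"2024-03-01T08:55:00Z","EventID":4624,"TargetUserName":"bob","IpAddress":"198.51.100.9"}',
]
FW_CSV = [  # firewall allow/deny records as CSV (constructed)
    "ts,action,src,dst,dport",
    "2024-03-01T09:00:03Z,deny,203.0.113.7,10.0.0.5,3389",
    "2024-03-01T09:00:18Z,allow,203.0.113.7,10.0.0.5,22",
]

def ts(s):
    """Parse the ISO-8601 UTC timestamps used by all three constructed sources."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

SSHD_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) \S+ for (\S+) from (\S+) port")

# --- Normalisers: one per source, all emitting the same (assumed) schema --------
def normalise_sshd(line):
    m = SSHD_RE.match(line)
    if not m:
        return None  # lines this rule does not understand are dropped, not guessed
    t, host, result, user, ip = m.groups()
    return {"time": ts(t), "source": "sshd", "host": host, "event": "logon",
            "user": user, "src_ip": ip, "outcome": "success" if result == "Accepted" else "failure"}

def normalise_windows(line):
    e = json.loads(line)
    outcome = {4624: "success", 4625: "failure"}.get(e["EventID"])  # logon success / failure
    if outcome is None:
        return None
    return {"time": ts(e["TimeCreated"]), "source": "windows", "host": None, "event": "logon",
            "user": e["TargetUserName"], "src_ip": e["IpAddress"], "outcome": outcome}

def normalise_firewall(rows):
    return [{"time": ts(r["ts"]), "source": "firewall", "host": r["dst"], "event": "connection",
             "user": None, "src_ip": r["src"],
             "outcome": "success" if r["action"] == "allow" else "failure"}
            for r in csv.DictReader(rows)]

def normalise_all():
    """Consolidate every source into one time-ordered stream: the single pane of glass."""
    events = [e for e in (normalise_sshd(l) for l in AUTH_LOG) if e]
    events += [e for e in (normalise_windows(l) for l in WIN_EVENTS) if e]
    events += normalise_firewall(FW_CSV)
    return sorted(events, key=lambda e: e["time"])

# --- Correlation rule with historical suppression -------------------------------
def correlate(events, threshold=4, window=timedelta(minutes=5), known_pairs=frozenset()):
    """Alert when >= threshold failed logons from one src_ip, counted across ALL
    sources, are followed within `window` by a successful logon from that src_ip.
    `known_pairs` is the historical baseline of (user, src_ip) pairs seen before;
    a success matching the baseline is treated as expected and not alerted."""
    failures = defaultdict(list)  # src_ip -> [(time, source), ...]
    alerts = []
    for e in events:
        if e["event"] != "logon":
            continue
        ip = e["src_ip"]
        if e["outcome"] == "failure":
            failures[ip].append((e["time"], e["source"]))
            continue
        recent = [(t, s) for t, s in failures[ip] if e["time"] - t <= window]
        if len(recent) >= threshold and (e["user"], ip) not in known_pairs:
            alerts.append({"time": e["time"], "user": e["user"], "src_ip": ip,
                           "failures": len(recent), "sources": sorted({s for _, s in recent})})
    return alerts

if __name__ == "__main__":
    stream = normalise_all()
    for a in correlate(stream):
        print(f"ALERT {a['time']:%H:%M:%S} {a['user']}@{a['src_ip']}: "
              f"{a['failures']} failures across {a['sources']} then success")
    print("with baseline:", correlate(stream, known_pairs={("alice", "203.0.113.7")}))
```

Note what the threshold of four does: sshd alone saw three failures and Windows alone saw one, so neither console would have fired on its own; only the consolidated, normalised stream reaches the threshold. Passing the historical `known_pairs` baseline then silences the same rule for a user/IP combination the organisation has seen before, which is the false-positive mitigation the SOAR discussion depends on.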

To answer the million-dollar question… No, SOAR does not replace SIEM. If anything, it augments the analyst’s capability by acting on what the SIEM has collected and correlated, and in some cases it takes over the analyst’s routine triage work entirely.
