Improving SIEM Efficacy as the Market Evolves: Four Key Areas Where Cynode Can Make a Difference

Date: June '24
Author: Armagan Zaloglu, CEO

May 2024 has been a significant month for the Security Information and Event Management (SIEM) market. The highly anticipated Gartner Magic Quadrant was released on May 8th, followed by two major developments involving two of the five Magic Quadrant leaders: (1) Exabeam and LogRhythm announced a planned merger, and (2) Palo Alto and IBM revealed a partnership, where Palo Alto is to acquire IBM's cloud SIEM assets.

Indeed, the SIEM market never lacks excitement, whether from mergers and acquisitions or from technological innovation. Several past market shifts can be traced to the following causes:

  • Some technology providers not being innovative enough. For example, certain vendors were slow to integrate Security Orchestration, Automation, and Response (SOAR) and User and Entity Behavior Analytics (UEBA) features. Some lagged in creating an ecosystem for application development, and/or offering cloud-native infrastructures.
  • Another reason for major shifts, and for vendors disappearing altogether, is weak usability. The absence of features that simplify everyday operations such as log collection, detection rule engineering, and alert triage has been a persistent problem.
  • Finally, the SIEM market has to contend with the rise of tangential fields such as Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), and SOARs, which might take over some of the SIEM functions.

SIEMs have been among the top five most heavily invested-in cyber security technologies for the past 15 years. They play a critical role in detecting abnormal behaviour, and thus attacks progressing through networks. Christopher Crowley of the SANS Institute releases a highly insightful SOC survey report (1) each year. One of the key insights these reports consistently present is the users' preference for using SIEMs mainly for detection (SIEM over other technologies, and detection over functions such as response). This is where things become somewhat complicated and contradictory: even though SIEMs are the preferred detection technology, user satisfaction rates are not necessarily high.

Recent developments demonstrate the need for greater commercial efficiency, and that SIEMs must deliver more value to their customers to maintain their dominant position in the market. If SIEM “means” detection, practitioners need to successfully handle two fundamental requirements, with all other tasks following suit:

(1) Companies must have a streamlined, consistent and insightful log flow.

(2) Detection rules should be properly managed, updated, and retired in accordance with changing adversarial TTPs and business requirements.

At Cynode, we offer a variety of services to support SIEM users, helping them achieve the best detection through their SIEMs:

   (1) We establish threat-centric validation integrations to continuously assess whether logging against real-life threats is inadequate, which would lead to insufficient detection. The service identifies gaps in the log sources and in how the SIEM handles them.

   (2) We set up threat-centric and analysis-based detection rule validation integrations. These validations reveal conflicting and obsolete rules, as well as missing rules that could result in overlooked key security events. We address detection gaps by supplying either vendor-specific rules (for supported vendors) or Sigma rules.

   (3) We can handle SIEM management entirely. Our expert SOC team can serve as your extended team for SIEM management.

   (4) Our cyber advisors can help you select your detection technology, whether it is EDR, SIEM, XDR, or others.

We will publish subsequent blogs to provide more insight into these areas. Stay tuned!

Further reading:

https://cynode.com/services/proactive-hardening-services/siem-validation-hardening

Resources:

https://www.sans.org/white-papers/sans-2022-soc-survey/
