Security information and event management, or SIEM, was introduced some 17 years ago. It makes sense for a next-gen SIEM to emerge now, or it may already be long overdue. There is a need for a more powerful upgrade to the system that has been in place for nearly two decades.
Some say that traditional security information and event management is dying and that organizations will have to transition to next-gen SIEM whether they like it or not.
There is a need to adopt a new system that is cloud-based and analytics-driven. This new system is also expected to be laser-focused on outcomes. It is not restrained by a dated framework and overly strict procedures.
However, next-gen SIEM is not the only upgrade organizations can turn to as they improve their security posture. A related solution called Open XDR offers comparable outcomes through a different approach and framework.
Get to know more about next-gen SIEM and Open XDR in the discussions below.
A Closer Look at Next-Gen SIEM
There is no definite or universally accepted definition for next-gen SIEM. However, a good starting point to establish its nature lies in Gartner’s definition: a technology designed to “support threat detection, compliance, and security incident management through the collection and analysis of security events and a wide variety of other event and contextual data sources.”
When applied to the concept of next-gen SIEM, the definition largely remains the same with the introduction of improvements sans paradigm-altering changes.
Next-gen SIEM is more advanced than base SIEM, but it has the same framework and objectives. It is not a new solution that employs different cybersecurity approaches and principles.
It may utilize big data technologies and data modeling plugins, offer improved workflows and user interfaces/experiences, and provide additional features like user and entity behavior analysis (UEBA) and open integration with SOAR. However, its process and goals are mostly the same.
The new capabilities of next-generation SIEM may vary depending on the vendor, but the following hallmark features are usually present.
Cloud-native operation – As modern IT infrastructure increasingly relies on cloud computing, it only makes sense for next-gen SIEM to natively operate on the cloud and be compatible with cloud-based systems.
This enables the unified monitoring of apps, devices, servers, and endpoints. It makes log collection across different sources more efficient.
Advanced threat detection and incident prioritization – In contrast to conventional SIEM, the next-gen iteration is capable of identifying and anticipating threats and attacks. It can discover suspicious activities, unusual behavior, and patterns that coincide with malicious activities.
Better handling of false positives – False positive alerts are not completely avoidable. However, it is clear that conventional SIEM has too many false alerts. Next-gen SIEM employs artificial intelligence and event correlation mechanisms to improve detection accuracy.
Cost-effective data processing – Legacy SIEM is often associated with volume-based data evaluation. As such, the more data is collected and analyzed, the higher the SIEM operation cost becomes. New-gen SIEM addresses this problem through a flat pricing data evaluation model, which significantly reduces the cost of data ingestion.
Better integration – Next-gen SIEM is designed to work with more security tools and systems, including SOAR (security orchestration, automation, and response), real-time visualization tools, behavior analytics, and threat intelligence from open/public, custom, and other sources.
Considering a Next-Gen Alternative
While the new-gen SIEM represents a significant leap from its predecessor, it is far from perfect. It has some weaknesses. For one, low data management efficiency is inherent in SIEM’s framework.
There have been efforts to address this with the release of enhanced next-gen SIEM platforms, but a systematic and seamless process for data collection, storage, correlation, and prioritization is still absent.
Security teams generally have to face huge amounts of disorganized security data as they attempt to uncover risks and respond appropriately.
There are also concerns over SIEM’s predisposition to making security teams work harder, not smarter. SIEM’s framework does not offer optimum conditions for handling big data and taking advantage of artificial intelligence.
While it is possible to do security data correlation with SIEM, the efficiency of the process could use further improvements.
There have been efforts to address this problem with the release of next-gen SIEM solutions that provide out-of-the-box data processing and prioritization mechanisms, but they have yet to prove their effectiveness.
Also, manual work continues to be essential in SIEM, as evidenced by the necessity for human-written rules or human-directed configurations.
Moreover, even with the integration improvements in next-gen SIEM, it can still be quite selective. There are challenges in making it work with the security tools commonly used by organizations.
This is mostly due to the complexity of the data models used by different vendors. It is not impossible to find ways to integrate, but it can be tedious. Also, when vendors release new versions of integrated tools, new integration issues emerge that need to be addressed individually.
Open eXtended Detection and Response, or Open XDR, is regarded as an alternative to next-gen SIEM, but it may also be considered a supplement. It has similarities with SIEM but differs mainly in its distinct framework and ease of integration.
Both are seeking to achieve comparable goals, but their methods are not the same.
Open XDR has distinct approaches that allow it to tackle security threats in ways not covered by either traditional or next-gen SIEM.
The Open XDR framework is notably different from SIEM. In particular, the way it handles data can be considered more effective and efficient.
It forces data to go through normalization and enrichment before it is stored in a data lake or a big data processing system, which is in stark contrast to what conventional SIEM does.
This allows Open XDR to maximize the benefits of artificial intelligence since the collected and stored security data is already organized in a consistent and sensible format.
Additionally, Open XDR makes it possible to address multiple risks through different security controls using a unified dashboard with a familiar user interface and user experience.
It also makes it easy to use UEBA, SOAR, NDR, EDR, and various other tools under a single platform.
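The normalize-and-enrich-before-storage step described above, sketched as an added example (not from the original article or from any Open XDR product). The two log formats, the common schema's field names, the asset table and the sample events are all constructed assumptions.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample data: events from two hypothetical tools, plus asset context.
RAW_FIREWALL = "2024-05-01T10:00:05Z DENY src=203.0.113.7 dst=10.0.5.20 dport=3389"
RAW_EDR = '{"ts": 1714557630, "host_ip": "10.0.5.20", "remote": "203.0.113.7", "event": "logon_failure"}'
ASSETS = {"10.0.5.0/24": "high"}               # network -> asset criticality
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space

def normalize_firewall(line):
    """Map a key=value firewall line onto the common (hypothetical) schema."""
    ts, action, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": int(when.timestamp()), "source": "firewall",
            "src_ip": f["src"], "dst_ip": f["dst"], "action": action.lower()}

def normalize_edr(blob):
    """Map a JSON EDR record onto the same schema (note the different field names)."""
    e = json.loads(blob)
    return {"time": int(e["ts"]), "source": "edr",
            "src_ip": e["remote"], "dst_ip": e["host_ip"], "action": e["event"]}

def enrich(event):
    """Attach asset context before storage so later analytics need no lookups."""
    dst = ipaddress.ip_address(event["dst_ip"])
    crit = next((c for net, c in ASSETS.items() if dst in ipaddress.ip_network(net)), "unknown")
    return {**event, "asset_criticality": crit,
            "src_external": ipaddress.ip_address(event["src_ip"]) not in INTERNAL}

def correlate(events, window=60):
    """Flag src/dst pairs reported by two or more tools, all within `window` seconds."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src_ip"], e["dst_ip"])].append(e)
    hits = []
    for pair, evs in groups.items():
        times = [e["time"] for e in evs]
        sources = sorted({e["source"] for e in evs})
        if len(sources) >= 2 and max(times) - min(times) <= window:
            hits.append({"pair": pair, "sources": sources,
                         "criticality": evs[0]["asset_criticality"]})
    return hits

def run_pipeline():
    events = [enrich(normalize_firewall(RAW_FIREWALL)), enrich(normalize_edr(RAW_EDR))]
    return events, correlate(events)
```

Because both records share field names and carry asset context by the time they are stored, the cross-tool correlation is a plain group-by rather than a per-vendor parsing rule.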
Next-generation SIEM and Open XDR are among the new cybersecurity technologies organizations will eventually have to get acquainted with as they improve their cyber defenses.
Threats continuously and rapidly evolve. Adopting updated versions of security information and event management and extended detection and response is inevitable. In the future, new technologies will be developed to counter new threats.
However, this does not mean that organizations should blindly take on new cybersecurity solutions that purport to match the evolution of threats. It is also important to examine these new solutions to determine if they correspond to an organization’s needs.
Simply upgrading to a next-gen solution may not be enough. A different approach may be necessary, something that can be offered by an alternative or supplemental solution.