Traditional SIEM versus NextGen SIEM

Security incident and event management technology has evolved, with NextGen SIEM providing the tools to help security teams achieve a new level of protection.

By Tim Ferguson

Fri 1 Mar 2019 @ 11:45

Despite substantial investments aimed at improving the security maturity of organisations, many security teams continue to be overstretched and unable to be as effective as they should be.

The team may not have enough resources to deal with the constant wave of alarms indicating potential threats; analysts may spend too long working out which threats are genuine as they switch between multiple platforms; or too much time may go on manual and repetitive tasks rather than on work that is more critical or strategic.

One reason that security teams could be struggling is that they are using traditional security incident and event management (SIEM) systems that are no longer appropriate in the modern cyberthreat landscape. Architectural complexities and a lack of certain capabilities, as well as the increasing sophistication and volume of threats, have all played a part in some SIEM tools falling behind the curve.

The traditional form of SIEM now falls short in numerous areas:

  • A lack of centralised visibility
  • No automation or metrics to understand maturity
  • Fragmented workflows
  • Segmented threat detection
  • Information overload
  • Swivel-chair analysis caused by reliance on multiple user interfaces

Some organisations have melded their traditional SIEM implementation with other technologies in an attempt to gain the additional functionality they so badly need. Ultimately though, traditional SIEM solutions are limited and don’t have the flexibility to scale with security requirements.

But SIEM is evolving, with the next generation of the technology tackling these issues. To understand how it does this, it’s useful to compare traditional solutions with NextGen SIEM.

To start with, traditional SIEM focuses only on collecting exception-based security data to prioritise security events. It also relies heavily on fixed data schemas and on processing rules written and maintained by users.

Traditional SIEM also does little to help prioritise which alarms need to be dealt with first. This creates alarm fatigue, meaning genuine threats could potentially be missed.

Automation to help security teams simplify workflow is often missing, while this type of SIEM solution also fails to adequately keep pace with changing requirements and security trends.

In contrast, NextGen SIEM collects a broader range of data and identifies threats by corroborating them against other security-related activity.

NextGen SIEM also reduces the mean time to detect (MTTD) and respond (MTTR) to threats through scenario- and behavioural-based analytics. An added benefit is that it tracks these MTTD and MTTR metrics to provide evidence of the security team’s value to the business.
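The corroboration and MTTD/MTTR tracking described above can be illustrated with a small, self-contained Python example. This is an added example written for this article, not LogRhythm code or any product's implementation: it runs a simple corroboration rule over a constructed, already-normalised event stream (a burst of authentication failures followed by a success, escalated when a privilege change for the same user follows shortly after), which is the kind of cross-activity check that lifts a genuine signal out of the alarm noise, and then computes mean time to detect and mean time to respond from constructed incident timestamps. The event fields, the thresholds and the definitions of MTTD (first related event to detection) and MTTR (detection to resolution) are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article): a normalised event stream
# as a SIEM would hold it after parsing. Field names are hypothetical.
EVENTS = [
    {"ts": "2019-03-01T09:00:05", "user": "alice", "src": "203.0.113.7", "type": "auth_failure"},
    {"ts": "2019-03-01T09:00:09", "user": "alice", "src": "203.0.113.7", "type": "auth_failure"},
    {"ts": "2019-03-01T09:00:14", "user": "alice", "src": "203.0.113.7", "type": "auth_failure"},
    {"ts": "2019-03-01T09:00:20", "user": "alice", "src": "203.0.113.7", "type": "auth_success"},
    {"ts": "2019-03-01T09:02:00", "user": "alice", "src": "203.0.113.7", "type": "privilege_change"},
    {"ts": "2019-03-01T09:30:00", "user": "bob",   "src": "192.0.2.10",  "type": "auth_failure"},
    {"ts": "2019-03-01T09:30:07", "user": "bob",   "src": "192.0.2.10",  "type": "auth_success"},
    {"ts": "2019-03-01T10:00:00", "user": "carol", "src": "198.51.100.4", "type": "auth_failure"},
    {"ts": "2019-03-01T10:00:03", "user": "carol", "src": "198.51.100.4", "type": "auth_failure"},
    {"ts": "2019-03-01T10:00:06", "user": "carol", "src": "198.51.100.4", "type": "auth_failure"},
    {"ts": "2019-03-01T10:00:10", "user": "carol", "src": "198.51.100.4", "type": "auth_success"},
]

# Constructed incident records (hypothetical): when the first related event
# occurred, when the alarm was raised, and when the incident was resolved.
INCIDENTS = [
    {"first_event": "2019-03-01T09:00:05", "detected": "2019-03-01T09:00:20", "resolved": "2019-03-01T09:45:20"},
    {"first_event": "2019-03-01T13:00:00", "detected": "2019-03-01T13:09:45", "resolved": "2019-03-01T14:04:45"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def corroborate(events, min_failures=3, window=timedelta(minutes=5)):
    """Corroboration rule: an auth_success preceded by at least `min_failures`
    auth_failure events for the same user within `window` raises a medium
    alarm; a privilege_change for the same user within `window` after the
    success escalates it to high. A lone failure or success raises nothing,
    which is what keeps the rule from adding to alarm fatigue."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user.setdefault(e["user"], []).append(e)

    alarms = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["type"] != "auth_success":
                continue
            t = parse_ts(e["ts"])
            failures = [f for f in evs[:i]
                        if f["type"] == "auth_failure" and t - parse_ts(f["ts"]) <= window]
            if len(failures) < min_failures:
                continue
            followups = [g for g in evs[i + 1:]
                         if g["type"] == "privilege_change" and parse_ts(g["ts"]) - t <= window]
            alarms.append({
                "user": user,
                "first_event": failures[0]["ts"],   # start of the related activity
                "detected_at": e["ts"],             # moment the rule fired
                "priority": "high" if followups else "medium",
                "evidence": len(failures) + len(followups),
            })
    return alarms


def mean_times(incidents):
    """Return (MTTD, MTTR) in minutes. Assumed definitions: MTTD is the mean
    of detected - first_event, MTTR the mean of resolved - detected."""
    n = len(incidents)
    detect = sum((parse_ts(i["detected"]) - parse_ts(i["first_event"])).total_seconds()
                 for i in incidents)
    respond = sum((parse_ts(i["resolved"]) - parse_ts(i["detected"])).total_seconds()
                  for i in incidents)
    return detect / n / 60, respond / n / 60


if __name__ == "__main__":
    for a in corroborate(EVENTS):
        print(f"{a['priority']:6} {a['user']:6} first={a['first_event']} "
              f"detected={a['detected_at']} evidence={a['evidence']}")
    mttd, mttr = mean_times(INCIDENTS)
    print(f"MTTD={mttd:.1f} min  MTTR={mttr:.1f} min")
```

Running the block reports one high-priority alarm for alice (three failures, a success and a privilege change within the window), one medium alarm for carol, and nothing for bob's single failure; the constructed incident records give an MTTD of 5.0 minutes and an MTTR of 50.0 minutes. In a real deployment the same two numbers, tracked over time, are the evidence of team effectiveness the article refers to.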

A key NextGen SIEM innovation is that it combines a range of other capabilities, including user and entity behaviour analytics (UEBA); network traffic and behaviour analytics (NTBA); and security orchestration, automation and response (SOAR) in a single solution.

Automation and defined workflows improve the collaboration and effectiveness of the security team, while each product release requires minimal tuning, lowering the administrative burden on the security team.

The next generation of SIEM technology fills gaps in functionality that traditional solutions lack, while addressing the need to continually evolve with the cyberthreat landscape. It helps security teams be more effective and efficient, while at the same time providing ways to prove their worth to the organisation.

To find out more, visit the LogRhythm SIEM solution page.