Blog A3Sec

SIEM is the heart of SOC and correlation is the brain of SIEM

Written by Israel Gutiérrez, Global CTO | 10 August, 2022

SIEM (Security Information and Event Management) is a system, an application or a solution where IT security information is concentrated. It is a fundamental principle in the creation of a security event management system.

In 2003, Gartner was the benchmark on the formalization of SIEM technology, as can be evidenced in the first Gartner chart. In 2011, McGraw Hill published the first book on SIEM, "Security Information Event Management (SIEM) Implementation", also written by David R. Miller, Shon Harris, Allen A. Harper, Stephen VanDyke and Chris Blask.

A book that talks about what were considered, at the time, the leading SIEMs: OSSIM, Cisco MARS, Q1 and Arcsight. However, some of these names are no longer circulating on the web, as they were absorbed or transformed by other organizations.

We have seen the arrival of DR (Detection and Response), EDR, NDR, XDR ... systems. And so on, multiple technologies that have changed more in name than in technology per se. SIEM has gone through Next-Generation SIEM, Security Analytics and is now an MDR service.

 

The evolution of SIEM

In its development process, SIEM was considered a log manager, a regulatory compliance tool for: event correlation, active response and endpoint security.

  • Log Manager: there will be an increasing amount of information flowing from Pentabyte to Yottabyte. The SIEM which supports these volumes of information efficiently will be the one that has done 50% of the work to adapt to the new challenges in information management and analysis.

  • Regulatory Compliance: all regulations must be taken into account. The SIEM must be 100% compliant. If it is correctly configured and managed, an audit should not be a problem.

  • Event Correlation: This area has seen great improvements in recent years, with SIEM vendors adding more correlations and related work cases. They have even created new ways to develop these cases and to adapt to a better and more efficient correlation. Important changes will be observed in the formalization of correlation methodologies, as well as new rules and standardization (in this process) where Machine Learning will play a very important role.

Correlation is the basis of information intelligence, an intelligent SIEM is one that has the ability to develop better and different forms of correlations, which will ultimately have a greater impact on organizations.

If the SIEM is the heart of the SOC, correlation is the brain of the SIEM, and this is where all manufacturers should bet on creating better ways of correlating information, since the intelligence they can generate will trigger the ability to detect and respond quickly to incidents.

  • Active Response or SOAR (Security Orchestration Automation and Response) call: it is necessary to react to security incidents. The different IT areas must adopt flexible methodologies and technologies for the whole process of creation, technological management and security.

Automation is now SOAR and the future of this will be oriented in more fast streamlined SecDevOps-like models with recipes and playbooks. The more infrastructure we have as code, the more correlation will trigger events that execute playbooks, and these in turn will produce more events for better playbooks. Thus generating a work cycle for better reaction to different security incidents.

Right now SOAR must evolve to create better playbooks or adaptive recipes so that the work becomes more collaborative and replicated. We will see SOAR systems adapting faster and better to different technologies, both those that are emerging and those that are established.

  • Endpoint Security: 15 years ago it was considered that SIEM should have HIDS type security agents that support endpoint protection, collecting information in order to generate correlation, improve visibility and increase the possibilities of protection and security.

Now we can see that this functionality has been relegated to EDR, proprietary information gathering systems, Machine Learning and rule-less detection capabilities for early threat detection and reaction. SIEM still has high value versus EDR, as we must bring data from one tool to the other in order to identify, contain and secure the infrastructure with an enhanced view of what is happening at the endpoint. The SIEM system will continue to evolve to better support the integration of EDR systems and build knowledge bases for organizations.

Although it contains some of these elements, SIEM has changed over the last 15 years, becoming the nerve center of the security incident detection and response strategy, it is the heart of the SOC.