The purpose of this white paper is to provide an overview of the changing security landscape and, more importantly, to provide insight into the rapidly changing SIEM category and the reasons that have led to those changes. To offer a complete picture of the changes to SIEM technology, it is valuable for customers to understand the context of the SIEM market and how (and why) the solution described in this white paper differentiates itself from the traditional approach.
So What Do SEM, SIM, and SIEM Mean?
Initially, Security Event Management (SEM) tools were designed for threat management against a noisy external threat environment that consisted primarily of worms. SEM tools were oriented primarily toward network and system events combined with real-time analysis to support incident response. Security Information Management (SIM) tools covered the other half of the problem: long-term storage and historical analysis to support trend reporting and forensics. In practice, IT professionals purchased a SEM tool for real-time analysis and incident response, and a separate SIM tool for long-term storage and historical analysis.
The Rise of SIEM
Security Information and Event Management (SIEM) emerged as companies found themselves spending a lot of money on intrusion detection/prevention systems (IDS/IPS). These systems were helpful in detecting external attacks, but because of their reliance on signature-based detection, they generated a lot of false positives. First-generation SIEM technology was designed to improve this signal-to-noise ratio and help capture the most critical external threats.
Using rule-based correlation, SIEM helped IT teams detect real attacks by focusing on the subset of firewall and IDS/IPS events that violated policy. Although expensive and time-intensive to maintain and tune, SIEM investments continued because they solved the big headache of sorting through excessive false positives and effectively protected companies from external threats.
So What Went Wrong?
While SIEM was a step in the right direction towards improved management, the world got more complicated when new regulations such as the Sarbanes-Oxley Act (SOX) and the Payment Card Industry Data Security Standard (PCI DSS) required much stricter internal IT controls and assessment. Virtualization became more prevalent as well, and new security point solutions were introduced as the explosion of personal devices entered the enterprise. More recently, the rapid rise of public cloud computing introduced new security challenges for IT departments, in part because of architectural differences that make security tools built for on-premises environments sub-optimal for security visibility of public cloud environments.
To satisfy new compliance regulations, organizations were required to collect, analyze, report on, and archive all logs to monitor activities inside their IT infrastructures. The intent was not only to detect external threats, but also to provide periodic reports of user activities and to create forensic reports surrounding a given incident. Though SIEM technologies collected logs, they processed only the subset of data related to security breaches. They were not designed to handle the sheer volume of log data generated across all IT environments (including public cloud, private cloud, virtualized on-premises infrastructure, and hybrid environments) and components (such as applications, switches, routers, databases, firewalls, operating systems, IDS/IPS, and web proxies).
What Options Do Organizations Have?
Despite the billions (with a “B”) spent every year on security, these things hold true:
- More and more organizations are finding themselves in the crosshairs of various bad actors for a variety of reasons, most often to steal customer data or IP, or smear a reputation.
- In the “security arms race” between malicious actors and the organizations defending against their attacks, stacking single-point security solutions is not only an expensive approach, but also ineffective and impractical for most organizations.
- In spite of SIEM technology's long tenure in the marketplace, it continues to disappoint users.
Unified Security Management (USM)
Fortunately, there is an alternative to traditional SIEM, one that overcomes the challenges that continue to limit the effectiveness of SIEM technology: AlienVault® Unified Security Management® (USM). Unlike any other security solution on the market, AlienVault USM has dramatically reduced the cost and complexity of buying and deploying the essential security controls required for comprehensive security visibility.