Ashes to ashes, we all fall down: The death of SIEM and rise of SOAR
Updated: Mar 27, 2019
Security Information and Event Management, or SIEM, once upon a time referred to as SEM (security event manager) or SIM (security information management) or SIM/SEM or (insert your preferred acronym here), is a category of software that surfaced to the top in the late 90s with Intellitactics (1996), NetForensics (1999), ArcSight (2000), Q1 Labs (2001), LogRhythm (2003), and Splunk (2003). SIEM solutions would offer hope to security analysts looking to aggregate and correlate all of the log and other event information from different servers and devices on their network into a single place. The efficacy of such a solution was wholly predicated on the power of its correlation engine, which gave it the ability to see similar indicators of compromise (IoCs) generated across different devices and systems in the network in order to eliminate false positives and validate true positives -- the concept that A+B+C equals something bad happening. SIEM solutions became Syslog-NG on steroids. Syslog-NG is an open source log server, initially released in 1998 as a distributed agent-server log server for centralizing logging in enterprise environments for systems that supported the syslog format. Syslog itself was developed in the 1980s by Eric Allman as part of the Sendmail project. It was readily adopted by other applications and has since become the standard logging solution on Unix-like systems for both servers and networked devices.
Anecdotally, as I drove in to the office in 2014, I recall a news report that was playing on NPR news that discussed the growing problem of alarm fatigue in emergency rooms. In the case of Boston Medical Center, an analysis found that 7 North was experiencing 12,000 alarms a day on average. This cacophony was then being referred to as alarm fatigue: the desensitization of the nursing staff to the many noises in the unit, which was causing increased patient deaths.
Unlike central log servers, such as Syslog-NG, SIEM solutions were able, through native support, syslog support, APIs, and other plugins, to centralize events from not just syslog-enabled endpoints, but also intrusion detection systems, firewalls, antivirus, network access control solutions, and even NetFlow data from routers.
And unfortunately, as history has proven in infamous breaches such as the Target breach, whose costs approached $300 Mn in 2017, the alarm fatigue problem has led many Security Operations Centers (SOCs) running SIEM solutions to mistakenly close real alarms as false positives.
A survey by FireEye polled C-level security executives at large enterprises worldwide and found that 36% of respondents receive more than 10,000 alerts each month from their SIEM. Of those alerts, 52% were false positives and 64% were redundant, costing companies an average of $1.27 Mn every year.
It goes without saying that SIEMs have quickly lost their luster as security analysts continue to take fire on a daily basis from their SIEM's false positives, or from the MSSP they had to retain for its daily care and feeding and 24x7 monitoring. It quickly became obvious that a SIEM required daily, round-the-clock tuning, with no end in sight, by a seasoned staff capable of creating rules for that specific platform in order to lower the amount of noise. The dream of effective centralized monitoring of events in the enterprise would need to be reimagined.
Enter SOAR, Security Orchestration and Response. New startups such as Exabeam, Swimlane, ServiceNow, Siemplify, Rapid7, DFLabs, Demisto, Cyberbit, and ThreatConnect have come to the proverbial rescue, with more startups sure to show up on the scene as more venture capital is poured into this new area of cybersecurity from Sand Hill Road.
Unlike SIEM solutions, which gather and analyze data produced from different formats and sources and rely on the fallible human to make judgement calls on events in an exceptionally manual and non-deliberate way, SOAR solutions expand and improve SecOps by mechanizing and organizing activities that previously relied on the human analyst across all sense and response actions. They take SIEM further by combining data collection, threat and vulnerability management, incident response and case management, workflow, and analytics to give organizations the ability to implement autonomous workflow, process execution, and response actions through what are referred to as "playbooks." Additionally, SOAR solutions integrate with a wider range of internal and external applications than their SIEM predecessors, tying together not just IT-related controls but also non-IT-related processes and procedures.
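A minimal sketch of such a playbook, added here as an illustration and not taken from any vendor's product: it drops redundant alerts and opens a case only when three independent sources flag the same host inside a time window, the "A+B+C" idea behind SIEM correlation. The alert fields, window, threshold, and disposition names are assumptions, and the sample alerts are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed correlation window
MIN_SOURCES = 3                 # "A+B+C": three independent sources must agree

# Constructed sample alerts: (ISO timestamp, source, host, signature)
ALERTS = [
    ("2019-03-27T10:00:05", "ids", "srv-01", "outbound beacon"),
    ("2019-03-27T10:00:09", "ids", "srv-01", "outbound beacon"),  # redundant
    ("2019-03-27T10:02:30", "antivirus", "srv-01", "malware detected"),
    ("2019-03-27T10:06:12", "firewall", "srv-01", "blocked egress"),
    ("2019-03-27T10:03:00", "ids", "lap-04", "port scan"),
    ("2019-03-27T11:30:00", "antivirus", "lap-04", "adware"),
]

def dedupe(alerts):
    """Drop repeats of the same (source, host, signature) inside WINDOW."""
    last_kept, kept = {}, []
    for ts, source, host, sig in sorted(alerts):  # ISO strings sort by time
        when = datetime.fromisoformat(ts)
        key = (source, host, sig)
        if key in last_kept and when - last_kept[key] <= WINDOW:
            continue  # redundant alert, suppress it
        last_kept[key] = when
        kept.append((when, source, host, sig))
    return kept

def run_playbook(alerts):
    """Return {host: disposition} after dedupe and cross-source correlation."""
    by_host = defaultdict(list)
    for when, source, host, _sig in dedupe(alerts):
        by_host[host].append((when, source))
    result = {}
    for host, events in by_host.items():
        events.sort()
        escalate = False
        for i, (start, _) in enumerate(events):
            # Distinct sources reporting within WINDOW of this event
            sources = {s for t, s in events[i:] if t - start <= WINDOW}
            if len(sources) >= MIN_SOURCES:
                escalate = True
                break
        # Uncorrelated alerts are queued for an analyst, never silently closed
        result[host] = "open_case" if escalate else "queue_low_priority"
    return result

if __name__ == "__main__":
    print(run_playbook(ALERTS))
```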
It's anticipated that, because SOAR and SIEM solutions are such close cousins, the two product lines will eventually merge through M&A or as SIEM vendors respond to lost market share and begin to add SOAR capabilities to their platforms. Many established SIEM platforms such as LogRhythm have already begun to mature in this direction as they quickly try to react to buyer demands and market forces.
I've interviewed numerous CISOs in this polarized debate on whether or not the SIEM is now considered legacy and will soon die out. CISOs across different organizational sizes are carefully looking at their budgets to determine if they should continue investing in their licensing renewals with vendors such as HP or IBM. The responses have thus far been the same, where I get a question as a response instead: "Why put more money into a solution that does half the number of things my SOAR solution can do without losing any functionality?"
But at the moment, the jury is still out on whether or not the body is beginning to get cold on SIEM solutions as SOAR continues to evolve and ITSM companies, such as ServiceNow, enter the market.
As a matter of transparency, I will be releasing a research report on the new SOAR market this year, which will be followed by numerous case studies on some of the SOAR solutions I've mentioned in this report.