Protect your organization as SIEM vendor, technology and threat landscape changes
Umesh Yerram and Arvin Bansal

Introduction

The risk of cyber-attacks and cyber insecurity remains a top concern for many of the stakeholders surveyed in the Global Risks Report 2024, published by the World Economic Forum. Today CISO organizations are under tremendous pressure to secure their businesses against a rising tide of sophisticated cyber-attacks, to securely enable and embrace Generative AI capabilities, and to meet stringent regulatory requirements that put CISOs at personal risk by holding them liable for a cyber-attack, all while meeting budgetary obligations.

Security Information and Event Management (SIEM) is one of the core foundational systems cybersecurity teams use to detect and respond to cyber intrusions in real time. In the rapidly evolving SIEM market, three of the five leading providers ranked in Gartner's 2024 Magic Quadrant for SIEM have undergone significant organizational and business changes in recent weeks. This turbulence poses significant challenges to CISOs and their teams in selecting, implementing, and operating the core security stack on which their defense against cyber threats depends. This white paper outlines a future-state architecture to guide organizations in building a resilient, adaptive, modular security framework that can absorb this transformation.

The Current Landscape

The recent consolidation of the SIEM market is a natural evolution of a maturing technology segment. The security industry has seen the same consolidation before in Identity & Access Management, Firewalls, Endpoint Detection & Response and other areas, only for the market leaders to be disrupted by more nimble, innovative providers. If history is a good predictor of the future, Gartner's SIEM Magic Quadrant will look completely different in a couple of years, with new players in the Leaders quadrant and, most likely, the SIEM category itself replaced by a new security category.

Sophisticated cyber-attacks today pose a significant risk to businesses, to the economy, and to CISOs' careers and reputations. Picking a consolidated platform built from components of varying, not-so-best-of-breed quality therefore delivers little beyond an initial cost reduction, followed by steep price increases once vendor lock-in sets in. A good analogy: for a life-threatening ailment you want the best specialist surgeon to operate, not a general surgeon (no offense), because your life is on the line. Similarly, when business reputation and the CISO's career and reputation are on the line, they will lean on best-of-breed innovative solutions and not on initially discounted, loosely integrated platforms.

Enterprises are heterogeneous, hybrid environments that CISO organizations must secure with a range of security controls. Consolidation in the SIEM marketplace will not benefit CISO organizations significantly, for a few key reasons:

1. Consolidation results in more vendor lock-in.

2. Innovation is put on the back burner so that integration efforts can be prioritized.

3. Integrating the consolidated products takes time, and judging by the history of past consolidations, most such integrations will fail.

The current SIEM players are not listening to their customers' needs; instead they are embarking on a consolidation spree to prop up declining market share. Rather than addressing their customers' pain points, namely the lack of standardization across SIEM solutions, perpetually rising costs, and slow adoption of emerging technologies, these consolidated platform providers are betting that customers will decide solely on cost. The significant changes in the SIEM market therefore call for a strategic approach to security detection and response architecture built on the principles of standardization, flexibility, data ownership, cost-efficiency, and advanced technology adoption.

Key Operating Principles

o Flexibility: The consolidated platform, with its not-so-best-of-breed components, is neither new nor universal. While some platform-based solutions offer integrated functionality, they may not suit every organization, especially those with diverse, hybrid environments and stringent regulatory requirements. Avoiding vendor lock-in remains crucial for maintaining flexibility and control.

o Data Ownership: Today there is very little to no maintenance associated with cloud-based data lake solutions. Prioritize the investments your organization has already made in platforms such as Snowflake, Amazon Security Lake, GCP, Azure, Databricks, or Elastic, and use their table-partitioning capabilities to manage your Security Data Lake. This keeps control of your security data in your hands and leaves you free to run analytics on it however you choose.

o Standardization: Parse and standardize data in pre-processing, before ingestion into your Security Data Lake. Adopt standards such as the Open Cybersecurity Schema Framework (OCSF) so that every source maps to the same event classes, field names and severity values; consistent formatting makes detection content portable across SIEMs and eases integration with future Gen AI enabled products.

o Cost-efficiency: Use the cold storage tier of your Data Lake solution for non-security events. Segregating high-priority security data from routine logs, which go to a low-cost tier, keeps the data lake lean and cost-effective. Be cautious of vendors offering unlimited data ingestion at seemingly low cost. Examine the fine print: such models are not sustainable for any vendor, and you are likely to be subjected to a bait and switch.

o Automation: Automate the response to your high-fidelity SIEM alerts with mature playbooks, and conduct basic threat hunting and investigations against the data in its standard format, enriched with threat intelligence feeds.

o Advanced Technology Adoption: Leverage innovative threat detection capabilities, potentially Gen AI based, that operate directly on your data lake. Explore vendors specializing in localized threat analytics in addition to traditional all-inclusive SIEMs. Retrieval-Augmented Generation (RAG) lets you query your own data through Large Language Models (LLMs), gaining insights and efficiencies.

Roadmap for implementing this architecture:

Phase 1 Own Your Data – Avoid Vendor Lock-Ins


Separate Data Ingestion, Data Storage, and Threat Detection Capabilities – This is the future. By modularizing, you can rip and replace any component with a best-of-breed alternative at any time while maintaining complete control over your security infrastructure.

- Data Ingestion (Security Data Fabric) – Decouple log ingestion from the SIEM by investing in a robust Security Data Fabric (SDF) solution that handles schema drift, provides observability (visibility) into data flow, connects to the various systems and telemetry sources, and dispenses data to multiple consumers without delay. It should also minimize ingress and, more importantly, egress costs. For example, if you use MS Sentinel as your SIEM while your IT environment runs on AWS/GCP, logs leaving AWS/GCP for Azure incur egress charges, so ensure your SDF filters and reduces that egress volume as well as the ingress volume.

- Data Storage – Store data in different cost-efficient locations based on its use:

o Event Filtering – Filter events so the SIEM receives only the pertinent security data needed to fire the threat models and policies defined in it.

o Enterprise Data Lake Partitioning – Partition tables within your Enterprise Data Lake to host your Security Data Lake; this gives threat hunting a home that requires little to no maintenance.

o Pre-Processing Data – Ensure data is parsed before it is seeded into the data lake so that it is usable. Dumping raw data into the Security Data Lake is ineffective; parsing is a key requirement of the SDF.

o Cold Storage Utilization – Push compliance-related data that is not immediately needed to cold storage, retaining the ability to replay it when required.

- Threat Detection – Once only pertinent data reaches the SIEM, the detection rate should improve while false positives fall. Threat hunting teams can draw on the full data set in the security data lake for their hunting activities.

o SOAR Integration – A SOAR that integrates with both your Security Data Lake (SDL) and your SIEM should automate mature processes where needed.

o Managed SOC Vendor Integration – Have your Managed SOC vendor operate within your ecosystem rather than outsourcing your security stack to them.
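As an added illustration of Phase 1 (example code written for this page, not a product or the authors' implementation), the following Python sketch of one security data fabric step normalises two constructed log sources into an OCSF-style record before anything is stored, then routes each record to the tier described above: uncategorised telemetry to cold storage, every security event to the security data lake, and only pertinent events (failed logons or medium-plus severity) to the SIEM. The two sources, the field subset, and the numeric identifiers used (class_uid 3002 for Authentication, category_uid 3, the status_id and severity_id values) are assumptions taken from the OCSF schema for this example; a real fabric would use the full schema and a proper parser per source.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample telemetry (not real logs): a Linux bastion's syslog and a
# cloud provider's JSON audit record, i.e. two sources with different formats.
SSHD_LINES = [
    "Jun 12 10:15:01 bastion sshd[2031]: Failed password for root from 203.0.113.7 port 52114 ssh2",
    "Jun 12 10:15:04 bastion sshd[2031]: Accepted publickey for alice from 198.51.100.4 port 50122 ssh2",
    "Jun 12 10:15:30 bastion CRON[2040]: (root) CMD (run-parts /etc/cron.hourly)",
]
CLOUD_EVENTS = [
    '{"eventTime":"2024-06-12T10:16:00Z","user":"bob","result":"FAILURE",'
    '"sourceIp":"203.0.113.7","action":"ConsoleLogin"}',
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$"
)
AUTH_RE = re.compile(
    r"^(?P<status>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Assumed OCSF subset: Authentication is class_uid 3002 in the Identity & Access
# Management category (category_uid 3); activity_id 1 = Logon; status_id 1 = Success,
# 2 = Failure; severity_id 1 = Informational, 3 = Medium. Base Event is class_uid 0.
AUTHENTICATION, IAM_CATEGORY, LOGON = 3002, 3, 1
SUCCESS, FAILURE = 1, 2
INFORMATIONAL, MEDIUM = 1, 3


def _auth_event(ts, product, host, user, ip, failed, original):
    """Build one OCSF-style Authentication record shared by every source."""
    return {
        "class_uid": AUTHENTICATION, "category_uid": IAM_CATEGORY, "activity_id": LOGON,
        "status_id": FAILURE if failed else SUCCESS,
        "severity_id": MEDIUM if failed else INFORMATIONAL,
        "time": int(ts.timestamp() * 1000),
        "user": {"name": user}, "src_endpoint": {"ip": ip}, "device": {"hostname": host},
        "metadata": {"product": {"name": product}, "original": original},
    }


def normalize_syslog(line, year=2024):
    """Parse one syslog line; returns an OCSF-style dict, or None on schema drift."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    a = AUTH_RE.match(m["msg"])
    if a:
        return _auth_event(ts, m["proc"], m["host"], a["user"], a["ip"], a["status"] == "Failed", line)
    # Everything else is kept as an uncategorised Base Event so nothing is lost.
    return {"class_uid": 0, "category_uid": 0, "severity_id": INFORMATIONAL,
            "time": int(ts.timestamp() * 1000), "device": {"hostname": m["host"]},
            "metadata": {"product": {"name": m["proc"]}, "original": line}}


def normalize_cloud(raw):
    """Parse one JSON audit record from the constructed cloud source."""
    e = json.loads(raw)
    ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return _auth_event(ts, "cloud-audit", "cloud", e["user"], e["sourceIp"], e["result"] == "FAILURE", raw)


def route(event):
    """Choose the Phase 1 storage tiers that receive a normalised event."""
    if event["class_uid"] == 0:
        return {"cold"}              # non-security telemetry: cheap tier, replayable if needed
    sinks = {"lake"}                 # every security event lands in the security data lake
    if event["severity_id"] >= MEDIUM or event.get("status_id") == FAILURE:
        sinks.add("siem")            # only pertinent events are forwarded to the SIEM
    return sinks


def process(syslog_lines=SSHD_LINES, cloud_records=CLOUD_EVENTS):
    """Run the fabric over both sources; returns events per sink plus unparsed lines."""
    out = {"siem": [], "lake": [], "cold": [], "unparsed": []}
    for line in syslog_lines:
        ev = normalize_syslog(line)
        if ev is None:
            out["unparsed"].append(line)   # surfaced for observability, not silently dropped
            continue
        for sink in route(ev):
            out[sink].append(ev)
    for raw in cloud_records:
        ev = normalize_cloud(raw)
        for sink in route(ev):
            out[sink].append(ev)
    return out


def failed_logons_by_ip(events):
    """Cross-source hunt that works only because both sources share one schema."""
    return Counter(e["src_endpoint"]["ip"] for e in events
                   if e["class_uid"] == AUTHENTICATION and e["status_id"] == FAILURE)
```

Because both sources end up with the same src_endpoint.ip and status_id fields, the last function counts failed logons per source IP across the bastion and the cloud audit trail in a single pass, which is the practical payoff of standardising before ingestion. Unparseable lines are returned rather than dropped so that schema drift stays visible to whoever operates the fabric.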

Phase 2: Integrating Headless SIEM into Your Security Stack

Future Proof Architecture with less vendor lock-in

Next Gen adaptive, intelligent Headless SIEM vendors must prioritize what matters to CISOs, effective threat detection, over infrastructure concerns such as plumbing and storage. They must provide threat detection content without requiring extensive infrastructure or moving data externally for processing, and instead leverage the compute power of the existing data lake to evaluate threats. Integrate your Next Gen SIEM with a robust Gen AI enabled SOAR platform to automate responses and streamline threat management.

Phase 3: Preparing SOC, IAM, DLP, Vulnerability, and 3rd Party Risk Teams with AI-Powered Data Analytics

Future Proof modular Architecture with best of breed capabilities with no vendor lock-in

Just when CISO organizations seemed to have secured cloud computing and hybrid environments, the emergence of Generative AI is forcing security teams to apply the lessons of the cloud adoption journey to fast-track both securing and adopting this new disruptive technology. Security teams are focused on securing generative AI capabilities while exploring opportunities to use the technology to enhance their own capabilities, and they do not want that adoption limited to Co-Pilots.

In today's dynamic threat landscape, CISO organizations are tackling a variety of sophisticated threat use cases while generating extensive institutional security data. When that institutional knowledge is combined with AI, enterprise security data becomes actionable insight. General-purpose AI models are trained primarily on public web data and miss the crucial insight embedded in an organization's own security data. The security data fabric, together with the data in the Security Data Lake, bridges this gap by integrating institutional security data with AI, so that analysts interact with insights rather than with raw, non-pertinent security data. Retrieval-Augmented Generation (RAG) allows your security data to become part of the prompt used to query the LLM, providing detection insight into the security data and enabling robust threat hunting.

Furthermore, consolidating Identity, Vulnerability and GRC data into the security data lake would further streamline and modularize the security stack: best-of-breed solutions run on the standardized, normalized data, which speeds up adoption of emerging technologies against emerging threats and a rapidly evolving regulatory landscape, while the organization keeps full control of its data and optimizes its security budget.

Value delivered by this Future State Architecture

1. Flexibility and Control: Modular architecture allows easy replacement or upgrade of individual components, ensuring adaptability and control over your security infrastructure.

2. Enhanced Data Management: Effective data handling and connectivity improve data flow visibility and integration, while cost efficiency minimizes ingress and egress expenses.

3. Optimized Security Operations: Filtering pertinent data and pre-processing before ingestion ensures SIEM efficiency and actionable insights.

4. Improved Storage Management: Partitioned data lakes require minimal maintenance, and cold storage utilization keeps the data lake efficient and cost-effective.

5. Integrated Automation and Response: SOAR integration with the SDL and SIEM enhances automated threat detection and response, while managed SOC vendor integration ensures better oversight and control.

6. Efficiency Gains: Drive significant efficiency improvements by leveraging AI to process and analyze data.

7. Extreme Automation: Achieve high levels of automation by securely guiding users through relevant information, enhancing productivity and efficiency.

8. Cost Reductions: Reduce overall operational costs through enhanced automation and streamlined processes.

9. Future-Proofing: Adaptable architecture allows quick response to market changes, ensuring continued innovation and a strong security posture.

Future Outlook

The proposed architecture supports an adaptive security posture for the foreseeable future. The security data fabric will become an integral part of the organization, functioning as a centralized data bus. SOAR can then become a true security orchestration and automation platform, automating not just a few incident response playbooks but also vulnerability ticketing, quarterly access certifications, third-party vendor questionnaires, GRC metrics reporting and more, all driven by the data orchestrated through the security data fabric.

Conclusion

Today's consolidated platform approach carries a significant risk of vendor lock-in at the cost of innovation, at a time when the threat landscape is changing at a rapid pace. Leading security market players should embrace standards so that data is interoperable across SIEM platforms, rather than locking customers into a proprietary data format that makes switching SIEM providers difficult. The SIEM vendor that builds adapters to operate seamlessly on the proprietary-format log data of the SIEM vendors affected by consolidation will take market share faster than the consolidated platforms will.

The current SIEM market consolidation will force CISO organizations to fast-track adoption of a flexible, modular, future-proof security architecture. By standardizing log collection and ingestion, segmenting data storage by usage in a standardized format, and adopting innovative best-of-breed threat detection capabilities on top of that standardized data, organizations will be well positioned to take advantage of emerging technologies just as threat actors are doing. This will help CISO organizations stay toe-to-toe with threat actors, if not a step ahead.

Idan Hen

VP R&D at CYNC Secure

1 month

It’s well structured and clearly expressed. Thank you for sharing.

William Tubman

MBA | Cybersecurity Analyst | Security+ | CASP+ (SecurityX) | Microsoft Azure Security Engineer | AWS Solution Architect Associate

2 months

GRC technologies are revolutionizing how we protect our digital assets. From risk management to compliance, GRC solutions are essential for staying ahead of cyber threats. GRC technologies are changing how organizations handle risk management and regulatory compliance, enhancing efficiency and effectiveness. Nevertheless, issues such as data privacy, biased algorithms, and regulatory changes need to be addressed with caution. To conquer these obstacles, organizations can implement a risk-focused approach, allocate resources to enhance data security, supervise algorithms, keep updated on regulations, and implement a hybrid strategy that integrates technology and human decision-making.

Subbarayudu Darisipudi

Product Management Leader | Cyber Security | Managed Security Services

5 months

Clearly laid out and well articulated. Thanks for sharing. There is no silver bullet. There is a place for a consolidated platform as much as there will be place for distributed and/or best of breed solution. Looking at this from a market and client segment view, mid-size and smaller organizations would be challenged to deploy, operate a solution with multiple and diverse components. A consolidated platform would have strong appeal to them. Larger entities could see the appeal of the modular architecture. This approach would ideally align with the corporate data architecture and technologies to leverage existing resources and skills and avoid duplicate infrastructure and increase complexity. From a more broader view, security telemetry should be seen and handled in a similar fashion as other corporate telemetry. The 'smarts' would be what becomes specialized and differentiating (identity security engine, data security engine, network security engine, etc.). Thinking of it as a heart specialist, kidney specialist, oncologist, etc. Question is do these specialists exist today and how does it all come together (thinking holistic medicine here)? I argue that there is a lot more evolution still to happen before we get there.

Ashwini Almad

Senior Director Product Management | Cyber | Data | AI

5 months

Couldn't agree more on the modularization of the detections, storage, collection - to leverage the best-in-breed.
