With the release of the 2020 Gartner Magic Quadrant for Security Information and Event Management (SIEM), we feel that it is an appropriate time to reflect on the evolution of SIEM over the years.

Starting out as a tool originally designed to assist organizations with compliance, SIEM evolved into an advanced threat detection system, then into an investigation and response platform that empowers security operations center (SOC) analysts to respond to incidents quickly and effectively.

Clearly, SIEMs have always been the core platform for many security teams, just in different capacities. As we glance into the future, we see a SOC that is constantly innovating, adopting interoperable technologies and striving to achieve faster speed and greater efficacy.


The evolution of SIEM has always been tied to different market drivers as well as threats prevalent during those times, and we will try to highlight these throughout this blog.

The Past: SIEM 1.0 — Get Me Compliant

Security information and event management solutions in the past were used as a central tool to help organizations achieve and maintain compliance. Whether it was the Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act (HIPAA) or other regulations, organizations were focused on implementing static, compliance-driven rules.

In fact, it was common to see organizations buy a SIEM without a real plan or strategy to address security use cases. Additionally, a lot of the focus in past SIEMs was on on-premises environments and what’s happening within an organization’s perimeter.

Key market drivers:

  • Compliance
  • Industry-specific regulations (e.g., PCI)

Key threats:

  • Smash and grab
  • Basic malware
  • Solo hackers

The Present: Platform Convergence (SIEM/SOAR/UEBA) — Accelerating Detection, Investigation and Response

SIEMs today have evolved to address the constantly changing threat and regulatory landscapes in a few different ways.

Accelerating Threat Detection

Effective solutions today include a range of analytics to detect threats across the spectrum, from sophisticated advanced persistent threats and malicious insiders to ransomware and other commoditized malware.

These capabilities include machine-learning powered behavioral analytics to identify outlying behaviors that signal the presence of a stealthy attacker; real-time correlation against threat intelligence to quickly detect known threats and alert analysts; and a spectrum of anomaly detection, predictive analytics, historical correlation and other intelligent analytics to address a wide range of business-critical security use cases.
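Two of the detection styles just named, run over sample log lines, as an added example that is not code from the original post or from any SIEM product: a known-threat correlation against a threat-intelligence indicator set, and a per-user behavioral baseline that flags a failed-login volume far outside that user's own history. The log lines, indicator list, baselines and field names are all constructed here and are assumptions, not a real SIEM schema.

```python
"""Two of the detection styles named above, run over sample log lines.

Added example, not code from the original post or from any SIEM product.
Log lines, the indicator list, the per-user baselines and all field names
are constructed for the example and are assumptions, not a real schema.
"""
import re
import statistics
from collections import Counter

# Constructed threat-intelligence indicators: source address -> note.
THREAT_INTEL = {
    "203.0.113.7": "credential-stuffing source in example feed (constructed)",
    "198.51.100.23": "listed in example feed (constructed)",
}

# Constructed learned baselines: failed logins per user per hourly window
# over the previous eight windows (what a UEBA engine learns over time).
BASELINE = {
    "alice": [1, 0, 2, 1, 0, 1, 2, 1],
    "bob": [0, 0, 1, 0, 0, 0, 1, 0],
}

# Constructed authentication events for the current window, syslog-like.
SAMPLE_LOG = """\
2020-03-02T09:00:01Z auth user=alice src=10.0.0.12 result=success
2020-03-02T09:00:05Z auth user=alice src=10.0.0.12 result=failure
2020-03-02T09:01:10Z auth user=bob src=203.0.113.7 result=failure
2020-03-02T09:01:11Z auth user=bob src=203.0.113.7 result=failure
2020-03-02T09:01:12Z auth user=bob src=203.0.113.7 result=failure
2020-03-02T09:01:13Z auth user=bob src=203.0.113.7 result=failure
2020-03-02T09:01:14Z auth user=bob src=203.0.113.7 result=failure
2020-03-02T09:01:15Z auth user=bob src=203.0.113.7 result=failure
2020-03-02T09:01:16Z auth user=bob src=203.0.113.7 result=failure
2020-03-02T09:01:17Z auth user=bob src=203.0.113.7 result=failure
2020-03-02T09:02:00Z auth user=carol src=198.51.100.23 result=failure
2020-03-02T09:02:30Z kernel: unrelated line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)$"
)


def parse_events(text):
    """Parse syslog-like auth lines into dicts. Non-matching lines are
    dropped here; a real pipeline would route them to a parse-error queue
    so that unparsed sources do not silently vanish from detection."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def ti_matches(events, intel=THREAT_INTEL):
    """Known-threat correlation: one alert per (user, src) pair whose
    source address is in the indicator set."""
    seen, alerts = set(), []
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["src"] in intel and key not in seen:
            seen.add(key)
            alerts.append({"user": ev["user"], "src": ev["src"],
                           "reason": intel[ev["src"]]})
    return alerts


def behavioral_outliers(events, baseline=BASELINE, sigmas=3.0, min_count=5):
    """Per-user anomaly detection: compare this window's failed-login count
    with the user's own history. Returns (outliers, unscored); a user with
    no learned baseline is reported as unscored instead of being treated
    as normal, and min_count stops a near-zero baseline from alerting on
    a couple of typos."""
    failures = Counter(ev["user"] for ev in events if ev["result"] == "failure")
    outliers, unscored = [], []
    for user, observed in sorted(failures.items()):
        history = baseline.get(user)
        if not history:
            unscored.append(user)
            continue
        mean = statistics.mean(history)
        spread = statistics.pstdev(history) or 1.0  # no zero-width band
        threshold = mean + sigmas * spread
        if observed >= min_count and observed > threshold:
            outliers.append({"user": user, "observed": observed,
                             "threshold": round(threshold, 2),
                             "z": round((observed - mean) / spread, 1)})
    return outliers, unscored


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in ti_matches(evs):
        print("TI match:", a)
    hits, skipped = behavioral_outliers(evs)
    for h in hits:
        print("Behavioral outlier:", h)
    print("No baseline yet (unscored):", skipped)
```

The two detectors deliberately disagree on carol: the indicator match fires on her source address, while the behavioral check cannot score a user with no history and says so rather than treating her as normal. That is the gap a first-seen account leaves in pure baseline analytics, and it is why the page pairs behavioral detection with threat-intelligence correlation instead of relying on either alone.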

Integrating With AI and Other Tools

Moving beyond detection, solutions today are leveraging artificial intelligence (AI) to accelerate investigations by automating tier 1 (L1) triage tasks, freeing analysts to spend their limited time on more in-depth L2 and L3 investigation, response and threat hunting activities.

Solutions are also increasingly converging with security orchestration, automation and response (SOAR) tools to provide more unified detection, investigation and response capabilities and accelerate processes so that organizations can more effectively eradicate, report and recover from attacks.

Adopting the MITRE ATT&CK Framework

To better support organizations, some vendors across the security stack are building MITRE ATT&CK awareness directly into their solutions. Many organizations we speak with today are actively in the process of adopting and implementing the MITRE ATT&CK framework and, in many cases, they are judging and measuring themselves against MITRE coverage. Many are going so far as to map out their security investments to understand which solutions help them address which tactics and techniques, and they are using this map to both identify gaps and rationalize overlapping solutions.

As MITRE ATT&CK looks to become the global standard against which organizations can measure and test their detection and response capabilities, we see this trend continuing into the future. It’s worth noting that as security teams assess their security postures, they are increasingly looking to solutions that can holistically identify attack tactics, techniques and procedures across on-premises, public cloud, private cloud and modernized application environments.
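The gap-and-overlap exercise described above, as an added example that is not code from the original post or from any vendor tool. The tactic-to-technique table is a small constructed subset of ATT&CK Enterprise (the technique IDs are real ones, but the subset is far from complete), and the inventory of tools and detection rules is invented for the example. It computes which techniques in scope have no detection from any tool, which are detected by more than one tool (rationalization candidates), and which tools are the sole source of a detection and so cannot be retired without opening a gap.

```python
"""ATT&CK coverage, gap and overlap mapping across a tool inventory.

Added example, not code from the original post or any product. The
technique IDs are real ATT&CK Enterprise IDs, but the tactic table is a
constructed subset and the tool/rule inventory is invented.
"""
from collections import defaultdict

# Constructed subset of ATT&CK Enterprise: tactic -> techniques in scope.
TACTIC_TECHNIQUES = {
    "Initial Access": {"T1566", "T1078"},
    "Execution": {"T1059", "T1053"},
    "Persistence": {"T1547", "T1053"},
    "Credential Access": {"T1110", "T1003"},
    "Lateral Movement": {"T1021"},
    "Command and Control": {"T1071", "T1105"},
    "Exfiltration": {"T1048"},
    "Impact": {"T1486"},
}

# Constructed inventory: each detection rule, its tool, its technique.
RULES = [
    {"tool": "SIEM", "rule": "Brute force logins", "technique": "T1110"},
    {"tool": "SIEM", "rule": "Suspicious PowerShell", "technique": "T1059"},
    {"tool": "EDR", "rule": "PowerShell encoded command", "technique": "T1059"},
    {"tool": "EDR", "rule": "LSASS memory access", "technique": "T1003"},
    {"tool": "EDR", "rule": "Ransomware file rename burst", "technique": "T1486"},
    {"tool": "Email gateway", "rule": "Credential phishing URL", "technique": "T1566"},
    {"tool": "NDR", "rule": "Beaconing over HTTPS", "technique": "T1071"},
    {"tool": "SIEM", "rule": "DNS tunneling", "technique": "T1048"},
    {"tool": "NDR", "rule": "DNS tunneling", "technique": "T1048"},
]


def technique_coverage(rules):
    """technique -> set of tools that provide at least one rule for it."""
    cov = defaultdict(set)
    for r in rules:
        cov[r["technique"]].add(r["tool"])
    return dict(cov)


def tactic_gaps(tactics, coverage):
    """tactic -> sorted techniques in scope with no detection from any tool.
    Tactics that are fully covered are omitted."""
    gaps = {}
    for tactic, techniques in tactics.items():
        missing = sorted(t for t in techniques if t not in coverage)
        if missing:
            gaps[tactic] = missing
    return gaps


def tactic_coverage_pct(tactics, coverage):
    """tactic -> percentage of in-scope techniques with at least one rule."""
    return {
        tactic: round(100 * sum(1 for t in techs if t in coverage) / len(techs))
        for tactic, techs in tactics.items()
    }


def overlaps(coverage, min_tools=2):
    """Techniques detected by several tools: candidates for rationalization,
    to be reviewed for whether the rules really detect the same thing."""
    return {t: sorted(tools) for t, tools in coverage.items()
            if len(tools) >= min_tools}


def sole_source_tools(coverage):
    """tool -> techniques for which it is the only detection source.
    Retiring such a tool reopens those gaps unless a rule is migrated."""
    unique = defaultdict(list)
    for technique, tools in coverage.items():
        if len(tools) == 1:
            unique[next(iter(tools))].append(technique)
    return {tool: sorted(ts) for tool, ts in unique.items()}


if __name__ == "__main__":
    cov = technique_coverage(RULES)
    print("Coverage by tactic (%):", tactic_coverage_pct(TACTIC_TECHNIQUES, cov))
    print("Gaps:", tactic_gaps(TACTIC_TECHNIQUES, cov))
    print("Overlapping detections:", overlaps(cov))
    print("Sole-source tools:", sole_source_tools(cov))
```

The overlap list is where vendor consolidation decisions start, but the sole-source list is the guardrail: a tool that looks redundant on a technique like T1048 may still be the only thing watching T1071, and the map has to show both before anything is switched off.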

Along these lines, a key driver of this rationalization exercise has been the rapid sprawl of security solutions within the IT estate. As cybersecurity became more and more important over the last decade, companies invested in a large number of solutions across different vendors that solve very specific problems (aka point solutions).

The challenge many teams now face is that, despite all these security tools — on average, 25 to 49 per organization from up to 10 different vendors, according to Enterprise Strategy Group (ESG) — security teams are still lacking critical insights due to limited integration points, and it’s simply too much to manage for engineers and analysts alike. From an engineering point of view, it’s far too many solutions to successfully implement, deploy and maintain, and from an analyst point of view, it’s way too many solutions to have to individually interact with during a high-stress investigation.

The impact of this sprawl is amplified by the fact that, as skilled analysts remain in extremely high demand, security leaders are increasingly pressured to make analysts’ lives easier to retain talent. As a result, cohesive, simplified user experiences are coming to the forefront of solution requirements, and top SIEM solutions are rethinking how they unify processes to streamline the analyst’s workflow, empowering them to act faster and more effectively and making their daily jobs easier.

Key market drivers:

  • Security analyst alert fatigue
  • Market consolidation
  • Journey to the cloud
  • Integration with SecOps
  • Insider threat programs

Key threats:

  • Global-scale malware and ransomware (e.g., Maze)
  • Advanced threats and nation-state attacks
  • Attacks and misconfigurations in the cloud

The Future: Innovating With Open and Interoperable Cybersecurity

Going into the next evolution of SIEM, two key areas that will become more prevalent are the continued adoption of behavioral-based analytics across users, devices, networks, applications and cloud environments and the need for more cohesive workflows powered by more seamless integrations. As teams rationalize the investments they have, they want to simplify their environments, but they can’t afford to lose insights or speed.

Today, attackers have a major benefit of flexibility and agility. It’s our job as vendors to help customers shift that dynamic to gain flexibility, agility and, in turn, speed, so they can handle threats more quickly and accurately.

As part of this, we see an increasing number of solutions coming together with a need for common integration layers that centralize insights; unify detection, investigation and response workflows; and provide added intelligence so that security teams can start implementing risk-based and confidence-based automated response actions.

As an active leader and contributor to the Open Cybersecurity Alliance, IBM is paving the way with other like-minded vendors for cross-industry collaboration on common, open-source code and practices that will enable tools to freely exchange information, insights, analytics and orchestrated response. By doing so, security analysts can focus on use cases with more behavioral insight, instead of being forced to context-switch between a dozen or more different tools from different vendors.

As insights, solutions and workflows come together in much tighter fashion, it’s increasingly critical to infuse value-adding AI across detection, investigation and response processes. This can help us to understand changes across systems and environments, identify outlying actions that can be indicative of threats, and start automating low-risk response actions to save time and accelerate containment.

Lastly, as governments increasingly follow the lead of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), organizations need to treat data privacy as a critical function and ensure that privacy processes are directly baked into incident response processes. Solutions that treat privacy as a first-class citizen and consistently update out-of-the-box (OOTB) playbooks with new and changing regulatory requirements will help to dramatically reduce compliance risk for organizations while simultaneously accelerating response and breach notification processes.

Key market drivers:

  • Vendor consolidation
  • Open Cybersecurity Alliance
  • 5G and edge computing
  • Containerized security

Key threats:

  • Internet of Things (IoT)-based attacks
  • Phishing and social engineering attacks
  • Global-scale malware and ransomware (e.g., Maze)
  • Advanced threats and nation-state attacks
  • Attacks and misconfigurations in the cloud

Connecting the Past With the Future

We see the continued evolution of SIEM and threat management as being based around a scalable, open security platform, which supports security orchestration and automation across users and devices, leveraging advanced analytics and AI to deliver prioritized, contextual results.

IBM Security QRadar, an intelligent SIEM, is well-positioned to deliver on the promise of open and interoperable cybersecurity. A commitment to innovation, to customers and to the analysts who work in the solution every day helped place IBM as a Leader for the 11th consecutive time in the latest Gartner Magic Quadrant for Security Information and Event Management.

To learn more about the evolution of SIEM, please join us for our webinar titled, “The SIEMs of Change: Past, Present and Future of Threat Detection.”

