Over past decade we have seen the evolution of SIEM from simple log management to Next Generation SIEM. During this evolution, OEM’s have invented and used lots of buzz words like SIM, SIEM, SOC-in-the-box, NexGen SIEM, etc.
Remember those days when simple monthly report generation was nightmare. We also witnessed SIEM database starting from structured to unstructured and currently use of big data platforms.
What Next….
There is proliferation of new threat vectors and they will grow much more in upcoming years. With this shift, technology must evolve and address the issues. To address these issues SIEM tool will need to have larger data inputs from entire pile of technologies. As there will be growth in volume and velocity of data inputs, big data platforms will be used in most of the places.
Existing SIEM platforms may get a new layer on top of them to address growing security needs. These layers will consist of Machine learning, Behavioral Analytics, Anomaly detection, security orchestration, custom/focused threat intelligence IoT’s & Automation. We may see chat-bots used for gathering information from systems. For example, an analyst may ask chat-bot to fetch system patch level or currently logged on users. Vendors/OEM/Service Providers will be collaborating these technologies under one frame work.
Machine learning may be used to learn typical responses by analysts to specific patterns observed over network and provide alert/alarms as and when patterns are matched. Tools may try to have visibility over network traffic and capture meta data for more granular detection.
I can foresee that L1 level analysts may be replaced by automation tools. Automation tools will be used to identify and respond to majority of auto generated triggers. For example, a known blacklisted IP addressing trying to probe into my network, automation kicks in and blocks on perimeter device. With automation possibility of use case are many, SOC & IR team will be going to love this faster way of incident response.
L1 Analyst team may be replaced but you may see emergence of Hunt team, reverse malware analyst and forensic teams for post breach analysis. There is shortage of people with these skills. Existing SOC people/team better start developing skills around these areas and be market ready.
Below are few questions CISO, SOC Managers, CIO or Management should answer to see SOC at more matured state.
- Have you done security posture assessment?
- What are the gaps identified and remediation plan?
- What are the objectives SOC must accomplish to solve the current problems?
- What are your mile stones short – term and Vision for long-term?
- How your risk posture line up with business objectives and Vision?
- What (people, process, technology, governance, etc.) do you need to achieve the objectives?
- What should be done internally and what can be outsourced?
- What is the required initial investment, on-going costs of running/developing/maturing a SOC?
- How will you prove the value of the SOC?
Overall SIEM or specifically Security operation center are going to get more mature with many tactical equipment integrated together. It’s time for Security Orchestration, Automation and Response.
Ameya is a former Happiest Mind and this content was created and published during his tenure.
