With the release of the 2020 Gartner Magic Quadrant for Security Information and Event Management (SIEM), we feel that it is an appropriate time to reflect on the evolution of SIEM over the years.
Clearly, SIEMs have always been the core platform for many security teams, just in different capacities. Starting out as a tool originally designed to assist organizations with compliance, SIEM evolved into an advanced threat detection system, then into an investigation and response platform that empowers security operations center (SOC) analysts to respond to incidents quickly and effectively.
As we glance into the future, we see a SOC that is constantly innovating, adopting interoperable technologies and striving for greater speed and efficacy. The evolution of SIEM has always been tied to the market drivers and the threats prevalent at each stage, and we will try to highlight these throughout this blog.
Security information and event management solutions in the past were used as a central tool to help organizations achieve and maintain compliance.
The Present: Platform Convergence (SIEM/SOAR/UEBA) - Accelerating Detection, Investigation and Response
SIEMs today have evolved to address the constantly changing threat and regulatory landscapes in a few different ways.
Accelerating Threat Detection
Effective solutions today include a range of analytics to detect threats across the spectrum, from sophisticated advanced persistent threats and malicious insiders to ransomware and other commoditized malware. These capabilities include machine-learning-powered behavioral analytics to identify outlying behaviors that signal the presence of a stealthy attacker; real-time correlation against threat intelligence to quickly detect known threats and alert analysts; and a spectrum of anomaly detection, predictive analytics, historical correlation and other intelligent analytics to address a wide range of business-critical security use cases.
Moving beyond detection, solutions today are leveraging artificial intelligence (AI) to accelerate investigations by automating L1 tasks, enabling analysts to focus their limited time on more in-depth L2 and L3 investigation, response and threat hunting activities. Solutions are also increasingly converging with security orchestration, automation and response (SOAR) tools to provide more unified detection, investigation and response capabilities and to accelerate processes so that organizations can more effectively eradicate, report and recover from attacks. To better support organizations, some vendors across the security stack are building MITRE ATT&CK awareness directly into their solutions. Many organizations we speak with today are actively in the process of adopting and implementing the MITRE ATT&CK framework and, in many cases, they are judging and measuring themselves against MITRE ATT&CK coverage. As MITRE ATT&CK looks to become the global standard against which organizations can measure and test their detection and response capabilities, we see this trend continuing into the future.
Many are going so far as to map out their security investments to understand which solutions help them address which tactics and techniques, and they are using this map both to identify gaps and to rationalize overlapping solutions. Along these lines, a key driver of this rationalization exercise has been the rapid sprawl of security solutions within the IT estate. It is worth noting that as security teams assess their security postures, they are increasingly looking to solutions that can holistically identify attack tactics, techniques and procedures across on-premises, public cloud, private cloud and modernized application environments.
As cybersecurity became more and more important over the last decade, companies invested in a large number of solutions from different vendors that each solve a very specific problem (aka point solutions).
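The three detection analytics named under Accelerating Threat Detection (behavioral baselining of users, real-time correlation against threat intelligence, and historical correlation) as one small Python program over constructed events, with each alert tagged with an ATT&CK technique ID as the post says vendors now do. This is an added example, not code from the original post or from any SIEM vendor: the events, the user baseline and the indicator list are all constructed inline; the technique IDs (T1110 Brute Force, T1078 Valid Accounts, T1071 Application Layer Protocol) are real ATT&CK identifiers, but mapping each analytic to exactly one technique is the example's own simplification.

```python
"""Toy SIEM-style analytics over constructed events: threat-intel correlation,
behavioral (UEBA-style) baselining and a historical brute-force correlation,
each alert tagged with an ATT&CK technique ID. Added example, not vendor code."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_ts(s):
    """Timestamps are ISO-8601 UTC with a trailing Z, e.g. 2020-06-15T02:10:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed history: alice normally logs on to ws-alice during business hours.
HISTORY = [
    {"ts": f"2020-06-{day:02d}T{hour:02d}:15:00Z", "user": "alice", "host": "ws-alice",
     "src_ip": "10.0.1.23", "action": "logon_ok"}
    for day in range(1, 11) for hour in (8, 13, 17)
]

# Constructed events for the day under analysis (not real logs).
EVENTS = [
    {"ts": "2020-06-15T09:02:00Z", "user": "alice", "host": "ws-alice",
     "src_ip": "10.0.1.23", "action": "logon_ok"},
    # six failed VPN logons for bob from one external address, then a success
    *[{"ts": f"2020-06-15T02:{m:02d}:00Z", "user": "bob", "host": "vpn-gw",
       "src_ip": "198.51.100.7", "action": "logon_fail"} for m in range(10, 16)],
    {"ts": "2020-06-15T02:16:30Z", "user": "bob", "host": "vpn-gw",
     "src_ip": "198.51.100.7", "action": "logon_ok"},
    # alice's account used at 03:05 on a finance server she has never touched
    {"ts": "2020-06-15T03:05:00Z", "user": "alice", "host": "srv-finance-01",
     "src_ip": "198.51.100.7", "action": "logon_ok"},
    {"ts": "2020-06-15T03:07:00Z", "user": "alice", "host": "srv-finance-01",
     "src_ip": "10.0.5.40", "dst_ip": "203.0.113.66", "action": "net_conn"},
]

# Constructed indicator list standing in for a threat-intelligence feed:
# IP -> (description, ATT&CK technique to tag on a hit).
IOCS = {"203.0.113.66": ("known C2 server (constructed)", "T1071")}

NAMES = {"T1071": "Application Layer Protocol", "T1078": "Valid Accounts", "T1110": "Brute Force"}


def alert(technique, e, reason):
    return {"technique": technique, "name": NAMES[technique],
            "user": e["user"], "ts": e["ts"], "reason": reason}


def threat_intel_matches(events, iocs):
    """Real-time correlation: any event touching a listed indicator fires immediately."""
    hits = []
    for e in events:
        for field in ("src_ip", "dst_ip"):
            ip = e.get(field)
            if ip in iocs:
                desc, technique = iocs[ip]
                hits.append(alert(technique, e, f"{field} {ip} matched threat intel: {desc}"))
    return hits


def build_baseline(history):
    """Learn each user's usual logon hours and hosts from past successful logons."""
    base = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for e in history:
        if e["action"] == "logon_ok":
            base[e["user"]]["hours"].add(parse_ts(e["ts"]).hour)
            base[e["user"]]["hosts"].add(e["host"])
    return dict(base)


def behavioral_anomalies(events, baseline, hour_slack=1):
    """UEBA-style outlier check: a successful logon outside the learned hour window
    or on a host the user has never used. Users with no baseline are skipped; a real
    system keeps learning rather than alerting on every new account."""
    hits = []
    for e in events:
        if e["action"] != "logon_ok" or e["user"] not in baseline:
            continue
        b, hour, reasons = baseline[e["user"]], parse_ts(e["ts"]).hour, []
        if not (min(b["hours"]) - hour_slack <= hour <= max(b["hours"]) + hour_slack):
            reasons.append(f"logon at {hour:02d}:00 UTC outside usual hours")
        if e["host"] not in b["hosts"]:
            reasons.append(f"first logon to host {e['host']}")
        if reasons:
            hits.append(alert("T1078", e, "; ".join(reasons)))
    return hits


def brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Historical correlation: >= threshold failures for one (user, source) inside
    the window, followed by a success from the same source."""
    hits, fails = [], defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        key, t = (e["user"], e["src_ip"]), parse_ts(e["ts"])
        if e["action"] == "logon_fail":
            fails[key].append(t)
        elif e["action"] == "logon_ok":
            recent = [f for f in fails[key] if t - f <= window]
            if len(recent) >= threshold:
                hits.append(alert("T1110", e, f"{len(recent)} failed logons from {e['src_ip']} then success"))
            fails[key].clear()
    return hits


def run(events, history, iocs):
    """All three analytics over one batch, oldest alert first."""
    baseline = build_baseline(history)
    found = threat_intel_matches(events, iocs) + behavioral_anomalies(events, baseline) + brute_force(events)
    return sorted(found, key=lambda a: a["ts"])


if __name__ == "__main__":
    for a in run(EVENTS, HISTORY, IOCS):
        print(a["ts"], a["technique"], a["name"], a["user"], "-", a["reason"])
```

On the constructed day this yields three alerts in time order: bob's brute-forced VPN logon (T1110), alice's account on a never-seen finance host at 03:05 (T1078), and the outbound connection to the listed C2 address (T1071). The behavioral check deliberately stays silent for a user with no history and uses a one-hour slack around the learned window; in practice the slack, the failure threshold and the window are the knobs that decide whether on-call staff and password-reset storms drown the analyst in false positives.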
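The ATT&CK coverage mapping the post describes (which solutions address which techniques, where the gaps are, and which overlapping solutions can be rationalized) as an added Python example that is not part of the original post or any vendor's tooling. The tool inventory, the technique claims per tool and the priority list are constructed; the technique IDs and tactic names are real ATT&CK identifiers, but the one-tactic-per-technique table is a simplification (ATT&CK lists several of these techniques under more than one tactic), and the field names in the Navigator layer export are assumed from the public layer JSON format rather than taken from the post.

```python
"""ATT&CK coverage map over a constructed tool inventory: which techniques each
tool claims, where the gaps are, where tools overlap, and which tools add nothing
unique. Added example, not code from the original post or any vendor."""

# Constructed inventory: tool -> ATT&CK technique IDs it can detect or block.
# The IDs are real ATT&CK identifiers; the claims per tool are invented for the example.
TOOLS = {
    "EDR":           {"T1059", "T1053", "T1003", "T1486"},
    "SIEM":          {"T1110", "T1078", "T1021", "T1071", "T1059"},
    "NDR":           {"T1071", "T1041", "T1021"},
    "Email gateway": {"T1566"},
    "Legacy AV":     {"T1486"},
}

# Simplified one-tactic-per-technique table (ATT&CK lists some of these, e.g. T1078
# and T1053, under several tactics; one is kept here for a readable roll-up).
TACTIC_OF = {
    "T1566": "Initial Access", "T1078": "Initial Access",
    "T1059": "Execution",
    "T1053": "Persistence", "T1547": "Persistence",
    "T1003": "Credential Access", "T1110": "Credential Access",
    "T1021": "Lateral Movement",
    "T1071": "Command and Control",
    "T1041": "Exfiltration",
    "T1486": "Impact",
}

# Techniques this (constructed) organization has decided it must cover.
PRIORITY = set(TACTIC_OF)


def coverage_map(tools):
    """technique -> sorted list of tools covering it."""
    cov = {}
    for tool, techs in tools.items():
        for t in techs:
            cov.setdefault(t, []).append(tool)
    return {t: sorted(names) for t, names in cov.items()}


def gaps(tools, priority):
    """Priority techniques that no tool covers."""
    return sorted(priority - set(coverage_map(tools)))


def overlaps(tools):
    """Techniques covered by two or more tools."""
    return {t: names for t, names in coverage_map(tools).items() if len(names) > 1}


def unique_contribution(tools):
    """tool -> techniques that only this tool covers."""
    cov = coverage_map(tools)
    return {tool: {t for t in techs if cov[t] == [tool]} for tool, techs in tools.items()}


def redundant_tools(tools):
    """Tools whose every technique is also covered elsewhere: rationalization candidates."""
    return sorted(tool for tool, uniq in unique_contribution(tools).items() if not uniq)


def coverage_by_tactic(tools, tactic_of):
    """tactic -> (covered techniques, techniques tracked) for a per-tactic roll-up."""
    covered = set(coverage_map(tools))
    out = {}
    for t, tactic in tactic_of.items():
        done, total = out.get(tactic, (0, 0))
        out[tactic] = (done + (t in covered), total + 1)
    return out


def navigator_layer(tools, name="coverage"):
    """Score each technique by the number of tools covering it, in the shape of an
    ATT&CK Navigator layer (field names assumed from the public layer JSON format;
    check them against the Navigator version you run)."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": t, "score": len(names), "comment": ", ".join(names)}
                       for t, names in sorted(coverage_map(tools).items())],
    }


if __name__ == "__main__":
    print("gaps:", gaps(TOOLS, PRIORITY))
    print("overlaps:", overlaps(TOOLS))
    print("redundant:", redundant_tools(TOOLS))
    for tactic, (done, total) in coverage_by_tactic(TOOLS, TACTIC_OF).items():
        print(f"{tactic:20s} {done}/{total}")
```

On the constructed inventory the gap is T1547 (nothing watches autostart persistence), four techniques are covered twice, and the legacy AV product covers nothing that the EDR does not, which is the kind of finding that drives the rationalization the post describes. One caveat a practitioner would add: a technique counts as "covered" here because a tool claims it, not because the detection has been exercised; the map is the input to the measuring and testing the post mentions, not a substitute for it.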