Page 58 - CDM-CYBER-DEFENSE-eMAGAZINE-December-2018
Two Decades Later, SIEM Technology Finally Delivers on Its Original Promise
By Avi Chesla, founder and CEO of empow
When SIEM technology came to market nearly two decades ago, IT and security professionals had grand
visions of how it would help them consolidate the plethora of data generated by their various security
tools, analyze and correlate it to identify security incidents, and then prioritize response. Fast forward 20
years, and the unfortunate reality is that SIEMs – both traditional and next-gen – have yet to deliver on
the technology’s original promise. What went wrong? Simple: the threat landscape changed rapidly and
dramatically, but SIEM technology failed to adapt.
Over the years, SIEMs have remained laser-focused on identifying security incidents using human-written,
static device log parsers and correlation rules – in other words, rules that require human security
experts to be involved in rule development, deployment and management. While this approach worked
just fine in the simpler days of security – where IT infrastructures were much more streamlined and a
concrete perimeter existed separating a company’s assets from the outside world – it quickly became
obsolete with the advent of internet computing and follow-on trends like mobility, cloud and, now, internet
of things (IoT). Another major shift impacting cyber security is the creation of platforms that can generate
new types of attack tools and malware code – what the market calls “machine-generated attacks.”
These trends obliterated the perimeter, and those that made developing new malware types easy
dramatically lowered the barriers to entry for cyber-criminals. Internet malfeasance once required a
high degree of technical proficiency, but now anyone with an internet connection and a credit card to
purchase exploits-as-a-service can join the global ranks of cyber-criminals. And, as mentioned, those
infamous, artisan basement hackers from the 1990s have evolved into automated, machine-generated
attacks, increasing attack velocity and effectively making every threat “brand new.”
Enterprises responded to this shifting threat landscape by procuring more and more technology, which
has created incredibly complex and largely unmanageable security infrastructures that generate
overwhelming cascades of data and security alerts. This has created an oppressive Big Data problem
that SIEMs simply were never designed to address. Instead, enterprises kept writing more and more log
parsers and correlation rules (think hundreds of thousands in the case of large enterprises – what we call
the “Big Rules” problem), many of which are obsolete, conflicting or simply ineffective in classifying new
attacks, since human-written rules are only effective against known attacks.
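The brittleness described above can be shown in miniature. The following is an added illustration, not code from the article or from empow: a single hand-written log parser (one regex for one firewall format) feeding a static correlation rule (three authentication failures from one source within 60 seconds). The log lines, hostnames and addresses are constructed for the example. The rule fires for the device whose format the parser knows; the identical behaviour logged by a second device in a different layout is silently dropped at the parsing stage and never reaches the rule, which is exactly why each new device or attack variant demands yet another human-written parser or rule.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article). The first four are in the
# format the hand-written parser expects; the last three come from a different
# device that records the same kind of event in another layout.
SAMPLE_LOGS = [
    "2018-12-01T10:00:01Z fw01 AUTH_FAIL user=alice src=203.0.113.7",
    "2018-12-01T10:00:05Z fw01 AUTH_FAIL user=alice src=203.0.113.7",
    "2018-12-01T10:00:09Z fw01 AUTH_FAIL user=alice src=203.0.113.7",
    "2018-12-01T10:00:40Z fw01 AUTH_OK user=bob src=198.51.100.9",
    "Dec  1 10:01:02 vpn02 login failure for 'carol' from 203.0.113.7",
    "Dec  1 10:01:05 vpn02 login failure for 'carol' from 203.0.113.7",
    "Dec  1 10:01:08 vpn02 login failure for 'carol' from 203.0.113.7",
]

# Static, human-written parser: exactly one regex, for the one known device format.
FW_PATTERN = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>AUTH_FAIL|AUTH_OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a normalised event dict, or None when no parser matches the line."""
    m = FW_PATTERN.match(line)
    if not m:
        return None  # unknown format: dropped here, so no rule will ever see it
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Static correlation rule: >= threshold AUTH_FAIL events from one src within window."""
    by_src = defaultdict(list)
    alerts = []
    for ev in events:
        if ev["event"] != "AUTH_FAIL":
            continue
        times = by_src[ev["src"]]
        times.append(ev["ts"])
        # Keep only the timestamps that fall inside the sliding window.
        while times and ev["ts"] - times[0] > window:
            times.pop(0)
        if len(times) >= threshold:
            alerts.append((ev["src"], ev["ts"]))
            times.clear()  # one burst yields one alert
    return alerts


def run(lines):
    """Parse, correlate, and report which lines the parser could not handle."""
    parsed, dropped = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            dropped.append(line)
        else:
            parsed.append(ev)
    return correlate(parsed), dropped


if __name__ == "__main__":
    alerts, dropped = run(SAMPLE_LOGS)
    print("alerts:", alerts)          # one alert, for the fw01 burst only
    print("unparsed lines:", len(dropped))  # the three vpn02 failures went nowhere
```

Counting the dropped lines is the cheapest health check a SIEM operator can keep on a dashboard: a rising unparsed count is the signal that a device or attack variant has outrun the rule set, long before anyone notices a missed incident.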