Page 59 - CDM-CYBER-DEFENSE-eMAGAZINE-December-2018

As a result, rather than becoming security's silver bullet, SIEM technology has been rendered relatively
            impotent by the "Big Rules" problem, for the following reasons:

                 • It's too reactive – Human-written rules can only encode threats and patterns that have already
                   been observed. In other words, a SIEM can only detect an attack that looks like one seen before,
                   so new or unknown attack sequences go unnoticed.
                 • Too passive – SIEMs are designed for alerting, not responding. They lack the machine-driven
                   incident response capabilities that can automatically contain or remediate threats in real time.
                 • Too complex – Organizations are burdened with thousands of security correlation rules that
                   consume inordinate numbers of man-hours and are simply impossible to maintain manually.
                 • Too expensive – SIEMs require massive ongoing investment in services, technology and
                   personnel to cope with the "Big Rules" problem, which results in a very high total cost of
                   ownership.
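To make the "too reactive" point concrete, here is an added example (not code from the article or from any SIEM vendor): a toy correlation engine with one hand-written rule of the kind the "Big Rules" discussion refers to, "five or more failed logins from one source within 60 seconds, followed by a successful login from that source". The log format, the rule thresholds and the sample log lines are all constructed for this illustration. The rule fires on the exact pattern it was written for and stays silent on two variants an attacker would reach for first: a password spray spread across several source addresses, and a low-and-slow attempt that paces failures outside the window.

```python
"""Toy rule-based correlation engine (added example, not from the article).

Log format is constructed for this example:
    <unix_ts> <FAIL|OK> user=<name> src=<ip>
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass
class Event:
    ts: int
    result: str
    user: str
    src: str


def parse(lines):
    """Parse log lines into Events, sorted by timestamp; unparseable lines are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            # Every new log source needs its own parser: part of the maintenance burden.
            continue
        events.append(Event(int(m["ts"]), m["result"], m["user"], m["src"]))
    return sorted(events, key=lambda e: e.ts)


def brute_force_rule(events, threshold=5, window=60):
    """Hand-written rule: >= threshold FAILs from one src within `window` seconds,
    then an OK from that same src. Returns a list of (src, ts_of_success) alerts."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for e in events:
        q = failures[e.src]
        while q and e.ts - q[0] > window:  # expire failures outside the window
            q.popleft()
        if e.result == "FAIL":
            q.append(e.ts)
        elif e.result == "OK" and len(q) >= threshold:
            alerts.append((e.src, e.ts))
            q.clear()
    return alerts


# Constructed sample logs (hypothetical addresses and users).
KNOWN_ATTACK = [  # the pattern the rule was written for
    "100 FAIL user=alice src=10.0.0.5",
    "101 FAIL user=alice src=10.0.0.5",
    "102 FAIL user=alice src=10.0.0.5",
    "103 FAIL user=alice src=10.0.0.5",
    "104 FAIL user=alice src=10.0.0.5",
    "106 OK user=alice src=10.0.0.5",
]
PASSWORD_SPRAY = [  # same intent, spread over three sources and six users
    "200 FAIL user=alice src=10.0.0.6",
    "201 FAIL user=bob src=10.0.0.6",
    "202 FAIL user=carol src=10.0.0.7",
    "203 FAIL user=dave src=10.0.0.7",
    "204 FAIL user=erin src=10.0.0.8",
    "205 FAIL user=frank src=10.0.0.8",
    "206 OK user=frank src=10.0.0.8",
]
LOW_AND_SLOW = [  # same source, failures paced 30 s apart so the window never holds five
    "300 FAIL user=alice src=10.0.0.9",
    "330 FAIL user=alice src=10.0.0.9",
    "360 FAIL user=alice src=10.0.0.9",
    "390 FAIL user=alice src=10.0.0.9",
    "420 FAIL user=alice src=10.0.0.9",
    "430 OK user=alice src=10.0.0.9",
]


def run_all():
    """Apply the rule to each sample; only the known pattern produces an alert."""
    return {
        "known_attack": brute_force_rule(parse(KNOWN_ATTACK)),
        "password_spray": brute_force_rule(parse(PASSWORD_SPRAY)),
        "low_and_slow": brute_force_rule(parse(LOW_AND_SLOW)),
    }


if __name__ == "__main__":
    for name, alerts in run_all().items():
        print(f"{name}: {alerts or 'no alert'}")
```

Each evasion above is answered in practice by writing another rule (per-user thresholds, per-ASN aggregation, longer windows), which is exactly how the rule count climbs into the thousands and the tuning burden grows with it.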
            Is there a way out of this mess? Will SIEM technology ever be able to deliver on its promise to make life
            easier for security professionals? The answers to these questions are yes and yes, and the key to both
            is focusing on attack intent.



            New Opportunity for SIEM Technology: Deciphering Attack Intent

            There is perhaps no better defense against today’s sophisticated cyber-criminals than first understanding
            the intent behind their attack methods, and this presents a significant opportunity for SIEM technology to
            finally right the ship that has been taking on water for years.

            For many organizations, intent classification has remained an impossible task for several reasons:

                 • The "Big Rules" problem has kept security teams mired in mundane, tactical work (i.e., writing
                   and maintaining log parsers and correlation rules), leaving no time to focus on higher priority
                   tasks, such as deciphering attack intent.
                 • Because of complex infrastructures and the resulting Big Data, organizations do not have the
                   resources to decipher the intent of all the different events, clues and signals generated by endless
                   point tools.
                 • When security analysts do have time for intent classification, they must analyze suspicious files
                   or behavior manually – a painstaking process that simply cannot keep pace with the volume
                   and variety of machine-generated attacks.

            The good news is that we are seeing new approaches to intent classification automation that arm SIEM
            vendors with the features and functionality needed to automate detection, investigation, remediation and
            mitigation of both known and unknown threats, without rules or manual processes. Three notable areas
            of advancement include:

                 • Artificial Intelligence (AI) and natural language processing (NLP) – NLP models read threat
                   data regardless of the source (logs, intelligence feeds, research articles, etc.) and learn the
                   meaning of the terms used to describe security-related threats, research results, relevant
                   vulnerabilities, attack vectors and so on. Once those terms are learned, their appearances in new
                   text can be recognized and classified without human involvement.
