Over the past decade we have seen the evolution of
SIEM from simple log management to Next Generation SIEM. During this evolution,
OEMs have invented and used lots of buzzwords like SIM, SIEM, SOC-in-the-box,
NextGen SIEM, etc.
Remember those days when simple monthly report
generation was a nightmare. We also witnessed the SIEM database move from
structured to unstructured storage, and currently to big data platforms.
What Next....
There is a proliferation of new threat vectors,
and they will grow much more in the upcoming years. With this shift, technology
must evolve and address the issues. To address them, the SIEM tool will need
to take larger data inputs from the entire pile of technologies. As there will be
growth in the volume and velocity of data inputs, big data platforms will be used
in most places.
Existing SIEM platforms may get a new layer on
top of them to address growing security needs. These layers will
consist of machine learning, behavioral analytics, anomaly detection,
security orchestration, custom/focused threat intelligence, IoT and
automation. We may see chatbots used for gathering information from systems.
For example, an analyst may ask a chatbot to fetch a system's patch level or
its currently logged-on users. Vendors/OEMs/service providers will be combining
these technologies under one framework.
Machine learning may be used to learn the typical
responses of analysts to specific patterns observed over the network and raise
alerts/alarms as and when those patterns are matched. Tools may try to gain
visibility over network traffic and capture metadata for more granular
detection.
I can foresee that L1 level analysts may be
replaced by automation tools. Automation tools will be used to identify
and respond to the majority of auto-generated triggers. For example, a known
blacklisted IP address tries to probe into my network, automation
kicks in and blocks it on the perimeter device. With automation the possible use
cases are many, and SOC & IR teams are going to love this faster way of
incident response.
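As an added illustration of the automation use case above (this is example code, not from the original post or any vendor product): constructed perimeter DENY log lines are matched against a constructed threat-intelligence blocklist, and a block decision is only issued when the source is on the blocklist, is not inside an allowlist of the organisation's own ranges, and has probed at least a threshold number of distinct ports, so a single stray packet or a spoofed internal address does not trigger a perimeter change without an analyst.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from any real device).
SAMPLE_LOGS = """\
2024-01-01T10:00:01Z fw01 DENY src=198.51.100.23 dst=203.0.113.10 dport=22
2024-01-01T10:00:02Z fw01 DENY src=198.51.100.23 dst=203.0.113.10 dport=23
2024-01-01T10:00:03Z fw01 DENY src=198.51.100.23 dst=203.0.113.10 dport=3389
2024-01-01T10:00:04Z fw01 DENY src=192.0.2.77 dst=203.0.113.10 dport=445
2024-01-01T10:00:05Z fw01 DENY src=10.0.5.4 dst=203.0.113.10 dport=22
2024-01-01T10:00:06Z fw01 DENY src=10.0.5.4 dst=203.0.113.10 dport=23
2024-01-01T10:00:07Z fw01 DENY src=10.0.5.4 dst=203.0.113.10 dport=80
2024-01-01T10:00:08Z fw01 DENY src=203.0.113.55 dst=203.0.113.10 dport=443
"""

# Constructed blocklist (assumption: in practice fed from a threat-intel platform).
BLOCKLIST = {"198.51.100.23", "192.0.2.77", "10.0.5.4"}
# Never auto-block the organisation's own ranges, even if a feed lists them.
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]
LINE_RE = re.compile(r"DENY src=(\S+) dst=\S+ dport=(\d+)")

def parse_probes(log_text):
    """Return {src_ip: set of probed destination ports} from DENY lines."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            probes[m.group(1)].add(int(m.group(2)))
    return probes

def is_allowlisted(ip):
    """True when the address falls inside one of our own protected ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)

def decide_blocks(log_text, min_ports=3):
    """Return {src_ip: action}; 'block' only when every safeguard passes."""
    decisions = {}
    for ip, ports in parse_probes(log_text).items():
        if ip not in BLOCKLIST:
            decisions[ip] = "ignore"    # not a known-bad source; leave to the analyst
        elif is_allowlisted(ip):
            decisions[ip] = "escalate"  # internal or spoofed source: human review
        elif len(ports) < min_ports:
            decisions[ip] = "watch"     # a single hit is not yet a probe
        else:
            decisions[ip] = "block"     # hand to the perimeter device / SOAR playbook
    return decisions
```

The "escalate" and "watch" outcomes are the part worth keeping when wiring this into a real playbook: they are what stops an automated block from becoming a self-inflicted outage.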
The L1 analyst team may be replaced, but you may
see the emergence of hunt teams, reverse malware analysts and forensic teams for
post-breach analysis. There is a shortage of people with these skills. Existing
SOC people/teams had better start developing skills in these areas and be market
ready.
Below are a few questions that the CISO, SOC managers,
CIO or management should answer to bring the SOC to a more mature state.
1- Have you done a security posture assessment?
2- What are the gaps identified and the remediation plan?
3- What are the objectives the SOC must accomplish to solve the current problems?
4- What are your short-term milestones and long-term vision?
5- How does your risk posture line up with business objectives and vision?
6- What (people, process, technology, governance, etc.) do you need to achieve the objectives?
7- What should be done internally and what can be outsourced?
8- What is the required initial investment, and the on-going cost of running/developing/maturing a SOC?
9- How will you prove the value of the SOC?
Overall, SIEM and specifically the security
operations center are going to get more mature, with many tactical tools integrated
together. It's time for Security Orchestration, Automation and Response.
Please provide your feedback and suggestions.
Thanks.
Ameya