How SIEMs Work with Security Platforms to Deliver More Value

Security information and event management solutions deliver powerful capabilities. Learn how they satisfy modern cybersecurity requirements when working in conjunction with other technologies supported by security platforms.

As we've taken you through our discussion of integrated security platforms, we've explored why connected and integrated security is the future of cybersecurity, the many benefits of a connected security platform, and features to look for when evaluating connected, integrated security platforms for your business.

As customers get acclimated to these new concepts and terminology, though, it's important not to confuse 'connected security platforms' with SIEM solutions. Each plays its own distinct role, and they can even work together to deliver customers more value. 

SIEM stands for security information and event management. When SIEM tools first appeared on the market, they were billed as delivering the power of two security systems in one, combining log collection and analytics with event management. As time went on, more advanced SIEM tools added UEBA (user and entity behavior analytics) and integration with SOAR (security orchestration, automation, and response) to analyze behavior and respond to incidents automatically, taking a significant manual burden off security professionals.

When considering its breadth of capabilities and the number of customer use cases it can support, one may suspect that a SIEM delivers very similar functionality to a security platform. Let's dive into some of the aspects that make SIEMs and integrated security platforms distinct – and, when used in combination, invaluable to today's security teams.

Open to new experiences

Openness is one characteristic that customers should demand from their security platform. Although some SIEM solutions embrace open standards, most are proprietary, with most of the log management and event notification systems built into the core tool. Some SIEMs allow plugins, but only when specifically coded for the SIEM in question.

SIEMs, for all their functionality, are closed systems. While a single SIEM may present a unified dashboard for cybersecurity operations, it gets a bit trickier when you have two or more SIEMs in a given environment, which isn't as rare as it might seem.

Here's a classic scenario. Your company is acquiring two other companies this year, and each is running its own SIEM product. 

What makes things even more challenging is that the SIEM at the second company is a very popular one, and it's been in the headlines all year because it was hacked and helped distribute malware. 

Given the forthcoming acquisition, you need to integrate these two companies and their existing technologies into your own threat detection and response environment. With an integrated and connected security platform, you can use the two SIEMs as two additional data sources, and all their information can be plugged into your unified solution without having to lift and replace any tools.

Additionally, since one of the SIEMs is suspect, you'll also be able to double-check the endpoints that it manages and phase it out with less headache.

Threat detection and response continue to evolve

Moving beyond the acquisition example, security organizations are in a continual drive to become more efficient, make better use of limited resources, save more time, and reduce total cost of ownership (TCO). This is not merely an aspiration, but a strategic imperative for the business. Therefore, many customers are looking to get more value from their SIEM solutions – a goal that can be achieved through an open approach that delivers more functionality with more efficiency.

A connected security platform is open, giving you access to all the log and event data from a SIEM along with a wide range of other sources, ingesting feeds from endpoint protection tools, threat intelligence providers, and the SIEM's own source data.

This provides a level of future-proofing, as well. There's no doubt the threat landscape will change, new challenges will emerge, and new vulnerabilities will be discovered by your adversaries. The faster you can integrate that new knowledge, the smaller the attack surface you present and the more you'll be able to protect your organization.

Let's go back to the acquisition example. It's now a year later and all the operational teams have been consolidated under a connected security platform. An analyst gets a ping. What happens?

The consolidated interface means analysts can be trained on one tool without an additional learning curve. Research into alerts can be much faster, because search is federated across the data sources. The analyst can dig into data sources throughout the extended organization without first having to wait for data to be moved. A connected security platform may also investigate alerts automatically, analyzing case artifacts and mining open knowledge bases in order to prioritize incidents for human intervention.
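To make the "two SIEMs as two additional data sources" idea from the acquisition scenario concrete, here is an added example (not code from the original article, and not IBM Cloud Pak for Security's own implementation) showing the minimum a platform has to do to federate search: parse each SIEM's export in its native shape, normalize to one event schema, run a single query across both, and rank hosts for analyst attention. The two export formats, the field names (`host.name`, `usr`, `level`), the source labels `siem-a`/`siem-b`, and the scoring rule are all constructed for illustration.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable

# Common schema every source is normalized into. Real platforms use a richer
# model; these fields are enough to federate a host/user search.
@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str     # which SIEM produced the record
    host: str
    user: str
    category: str
    severity: int   # normalized 0-10

# Constructed sample export from the first acquired company's SIEM
# (JSON array with dotted field names, numeric severity).
SIEM_A_JSON = """
[
  {"@timestamp": "2024-03-01T10:15:00Z", "host.name": "ws-acq1-07",
   "user.name": "jdoe", "event.category": "malware", "sev": 8},
  {"@timestamp": "2024-03-01T10:20:00Z", "host.name": "srv-acq1-db",
   "user.name": "svc_backup", "event.category": "authentication", "sev": 3}
]
"""

# Constructed sample export from the second company's SIEM
# (one key=value line per event, textual severity levels).
SIEM_B_LINES = [
    "ts=2024-03-01T10:17:30Z host=ws-acq1-07 usr=jdoe type=network level=high",
    "ts=2024-03-01T10:18:00Z host=ws-acq2-11 usr=asmith type=authentication level=low",
]

# Hypothetical mapping from SIEM B's levels onto the 0-10 scale used by SIEM A.
LEVEL_MAP = {"low": 3, "medium": 5, "high": 8, "critical": 10}


def _parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps both constructed exports use."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_siem_a(raw_json: str) -> list[Event]:
    """Normalize SIEM A's JSON export into the common schema."""
    return [
        Event(_parse_ts(r["@timestamp"]), "siem-a", r["host.name"],
              r["user.name"], r["event.category"], int(r["sev"]))
        for r in json.loads(raw_json)
    ]


def parse_siem_b(lines: Iterable[str]) -> list[Event]:
    """Normalize SIEM B's key=value export into the common schema."""
    events = []
    for line in lines:
        kv = dict(tok.split("=", 1) for tok in line.split())
        events.append(Event(_parse_ts(kv["ts"]), "siem-b", kv["host"],
                            kv["usr"], kv["type"], LEVEL_MAP[kv["level"]]))
    return events


def federated_search(sources: Iterable[list[Event]], host: str | None = None,
                     user: str | None = None) -> list[Event]:
    """Run one query over every normalized source; merge results in time order.

    No data is copied into a central store first, which is the point of
    federation: each source is queried where it lives.
    """
    hits = [
        e for src in sources for e in src
        if (host is None or e.host == host) and (user is None or e.user == user)
    ]
    return sorted(hits, key=lambda e: e.ts)


def prioritize(events: Iterable[Event]) -> list[tuple[str, int]]:
    """Rank hosts for analyst attention (illustrative scoring, not a product rule).

    Score = highest severity seen for the host, plus 2 for every additional
    source that independently reported it: corroboration across SIEMs raises
    priority without any data having been moved between them.
    """
    by_host: dict[str, list[Event]] = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    scored = [
        (h, max(e.severity for e in evs) + 2 * (len({e.source for e in evs}) - 1))
        for h, evs in by_host.items()
    ]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    a, b = parse_siem_a(SIEM_A_JSON), parse_siem_b(SIEM_B_LINES)
    for e in federated_search([a, b], host="ws-acq1-07"):
        print(e.ts.isoformat(), e.source, e.category, e.severity)
    print(prioritize(a + b))
```

The normalization step is where most of the real work lives: once both SIEMs speak the same schema, the search and the ranking are the same code regardless of how many sources are plugged in, which is what lets a suspect SIEM be cross-checked against the others and then phased out without rewriting the analyst workflow.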

This is where workflows and automated responses kick in. Any clues about a potential infection will trigger workflows that present the analyst with any relevant information. Mitigation options are presented, and automated actions may be triggered to contain the threat.

Case management becomes consolidated as well, along with incident sharing and analytics that let our security professional see that other analysts are working on a variant of the same problem. Workflow features escalate relevant data to all the analysts working on related incidents.

A connected approach leads to new analysts training up quickly on enterprise-wide monitoring, automated workflows that surface relevant data, federated search and data sources, and reduced noise. These, in turn, reduce time to insight and time to mitigation.

An open security platform that extends the value of your SIEM

IBM Cloud Pak for Security aims to deliver the end-to-end visibility and control we've described. It provides a central, integrated, open approach to managing cybersecurity through a unified interface, enabling you to drill into the point solutions, leverage the data they gather, and aggregate that data into new tasks and automations – bringing together disparate security teams, from data security specialists to Security Operations Center (SOC) analysts.

According to the IBM website, IBM Cloud Pak for Security is, "The security platform that connects all current and future security tools and aggregates the data that each generates, leading to deeper insights and enabling automated responses."

If you have too much data to organize and sift through, if you're missing incoming threats or taking too long to respond to high-risk events, if your security teams are overwhelmed with events and notifications, and if you have data scattered in silos, IBM Cloud Pak for Security can help.

To learn more about IBM Cloud Pak for Security, please visit www.ibm.com/products/cloud-pak-for-security.