A few weeks ago, Gartner named Splunk Enterprise Security a Leader in the 2022 Gartner® Magic Quadrant™ for SIEM. This is the ninth consecutive year that Splunk has been placed in the Leader’s quadrant. We’re honored to be recognized and we believe our placement is a testament to our commitment to delivering a data-centric security analytics solution that accelerates threat detection and investigations.
But all this recent hubbub about security analytics and SIEM has us security folks here at Splunk waxing philosophical about the technology and its applications. What does a SIEM do? How is it used? What problems does it solve? Let’s take a look.
Short for security incident and event management, a SIEM is an essential security tool that any modern security operations center (SOC) needs to efficiently and effectively protect their organization. Exactly what does a SIEM do? Let's look at this.
(Read our in-depth introduction to SIEM.)
Here’s a quick list of six must-have SIEM capabilities.
A modern SIEM can collect, analyze and monitor any data from any source, in any structure, at any time scale from across an ecosystem of teams, tools, peers and partners. This can give any SOC a unified view into what’s going on across the security stack in real time. It also provides the ability to:
Organizations need to be able to detect and respond to threats in record time. Security monitoring from a modern SIEM helps you accomplish this. To pinpoint and identify different types of malicious and/ or anomalous behavior, a SIEM retrieves and maintains contextual data around users, devices and applications (e.g., asset and identity data) from across on-premises, cloud, multi-cloud and hybrid environments.
By monitoring and ingesting data from a diverse set of sources across different types of deployments, security teams can get a comprehensive view of potential security events. A leading SIEM should provide:
(Understand incident severity levels.)
Chances are your security team spends too much time investigating low-value alerts with too little context. Improperly defined detections can lead to a high volume of false positives and a lot of extra noise, quickly overwhelming and overburdening anyone on the front lines. A modern SIEM is able to:
Risk attribution can also help optimize threat hunting and reduce the volume of alerts — thereby increasing true positives — while surfacing more sophisticated threats, like low and slow attacks
Threat intelligence is often too noisy, with your security analysts having to manually curate data to make use of it. With manual input, context gets lost during the investigation process. Making it even harder for your analysts, the most valuable security data is often locked inside silos in and across companies.
Fortunately, thanks to the rapidly growing intelligence marketplace, modern SIEM solutions can integrate threat intelligence into every stage of the incident response flow, as well as across an ecosystem of teams, tools, peers and partners. Threat intelligence comes integrated into most modern SIEM solutions or as cloud native SaaS that integrates seamlessly with a modern SIEM platform. The intelligence provided usually includes information that that you can leverage for faster detection and response to attacks, including:
In traditional cybersecurity alerting, there are one or more tools that forward data into a SIEM to detect potential issues and create alerts. The security team writes the detection logic or leverages prepackaged vendor content, alerting on suspicious activity that may be indicative of attacker behavior.
Unfortunately, this creates a massive volume of alerts that are overwhelming SOCs. Analysts can’t process every alert, every day. This leads to:
However, risk-based alerting enhancements can effectively transform large volumes of noisy alerts into fewer high-fidelity incidents, prioritized by risk attribution. By correlating related events into a single incident, you can drive faster investigation and resolution, giving you time back in your day and more control over your security operations. Risk-based alerting can:
Alerting happens only when there are enough interesting observations correlated to the same object.
Security operations is tedious and time-consuming. Analysts spend hours manually performing investigative and response tasks. To expedite investigations and response actions, automation has become an essential function for SOCs.
Many SIEM platforms are integrating automation functionality into security analytics. Or, at the very least, vendors are offering compatible SOAR (security orchestration automation & response) solutions that automate investigations and response actions against detected events identified by the SIEM.
Security automation lets your team work smarter, respond faster and strengthen your organization’s security defenses. By automating repetitive tasks, security analysts can reduce dwell times and focus their time and attention on the incidents and actions that matter most.
Some security product vendors out there have declared, “SIEM is dead!” Hyperbolic statements like that feel more like clickbait than anything to hang your hat on. Sure, legacy SIEM solutions that haven’t innovated for five years should be left by the wayside.
Data-centric SIEMs, however, have continued to innovate and today they:
SIEMs that do these things are not dead — they’re thriving. To see how Splunk Enterprise Security fared in the 2022 Gartner Magic Quadrant for SIEM, read the report. To dig deeper into product capabilities, check out our guided product tour.
See an error or have a suggestion? Please let us know by emailing [email protected].
This posting does not necessarily represent Splunk's position, strategies or opinion.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.