
What is SIEM Anyway? How the evolution of threats has changed Security Operations

JasonSchmitt

How the evolution of threats has changed Security Operations:

What does “SIEM” mean to you? SIEM, or security information and event management, is a decade-old term coined by Gartner analysts to describe what was then the state of the art in real-time monitoring and correlation of alerts, the capabilities that help organizations detect and respond to security threats. The SIEM is just one tool in the arsenal of modern Security Operations, where the sophistication, frequency and danger of threats have greatly exceeded what first-generation SIEM technologies could handle. It might be the beginning of an effective security operations strategy, but it is not the end. ArcSight has been leading the Security Operations market for more than 15 years, since before the SIEM term existed, and continues to thrive in the world’s largest, most hostile security environments.

With the publication of the latest Gartner Magic Quadrant (MQ) for Security Information and Event Management (SIEM), it has been important for us to reflect on our position in this particular view of the market. For the first time in the history of the SIEM concept, according to Gartner, ArcSight is not a leader in the SIEM market. Has ArcSight truly missed the market and fallen out of its enterprise leadership position in Security Operations? Or has the Security Operations market evolved beyond a narrow view of the standalone SIEM and its effectiveness against advanced threats to large enterprises?

I have been involved in a dozen MQ cycles as a security vendor over the years, across four different security markets, and in general the exercise gives the buying public a comprehensive view of a market for the neophyte. It is rare for the large enterprise customers we deal with to use it as a primary buying criterion, but it is certainly an influential tool for short-listing and justifying investments during procurement when someone is making an initial entry into a technology. In my dozen MQs, this is the first time I have seen the publication’s perspective miss the enterprise market reality that we experience and the evolution we see on the ground, battling adversaries alongside our thousands of enterprise customers every day.

Just as the threat landscape is rapidly evolving, global Security Operations has shifted beyond the basic SIEM capabilities suitable for small and medium-sized businesses. For large enterprises, the architectures have been forced to change. To keep pace with the volume of data and threats in today’s complex, hybrid IT environment, enterprises need a modular and open architecture that gives them the speed and scale to detect and address sophisticated attacks quickly. The SIEM needs to be the foundation and central hub of an intelligence-driven Security Operations strategy, one that lets organizations connect and normalize the data from their many security tools and data lakes across multiple vendors. Security Operations must have full visibility across traditional, cloud, mobile, IoT and ICS environments, beyond what a SIEM alone can see. It must strike a balance between detecting known threats in real time with a SIEM and supporting the advanced investigation, hunt and incident response processes needed to identify and act fast against the more dangerous unknowns in the enterprise. Powerful analytics, grounded in security experience from thousands of deployments across the largest and most complex organizations in the world, are necessary to enable these higher-maturity security operations capabilities.
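To make the “connect and normalize” point concrete, here is an added example (not ArcSight code, nor any vendor’s) of what a SIEM’s collection and correlation layer does with heterogeneous sources: three parsers turn a Linux sshd line, a Windows logon event and a cloud-console audit record into one event schema, and a sliding-window rule then correlates failures and successes by source IP across all three. The log formats, field names, thresholds and sample lines are assumptions constructed for the example.

```python
"""Normalize login events from three different sources into one schema and
run a real-time correlation rule across them.  This is an added illustration,
not ArcSight code; the log formats, field names and rule parameters are
assumptions made for the example."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime

# Linux sshd syslog line (ISO-8601 timestamp assumed for the example).
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd(line):
    """sshd auth line -> normalized event, or None if the line is not an auth event."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]).timestamp(), "source": "sshd",
            "user": m["user"], "src_ip": m["ip"], "action": "login",
            "outcome": "success" if m["outcome"] == "Accepted" else "failure"}


def parse_windows(line):
    """Windows Security event exported as JSON (4624 = logon success, 4625 = failure)."""
    rec = json.loads(line)
    if rec.get("EventID") not in (4624, 4625):
        return None
    return {"ts": datetime.fromisoformat(rec["TimeCreated"]).timestamp(), "source": "windows",
            "user": rec["TargetUserName"], "src_ip": rec["IpAddress"], "action": "login",
            "outcome": "success" if rec["EventID"] == 4624 else "failure"}


def parse_cloud(line):
    """Hypothetical cloud-console audit record in JSON (field names assumed)."""
    rec = json.loads(line)
    if rec.get("eventName") != "ConsoleLogin":
        return None
    return {"ts": datetime.fromisoformat(rec["eventTime"]).timestamp(), "source": "cloud",
            "user": rec["userIdentity"]["userName"], "src_ip": rec["sourceIPAddress"],
            "action": "login", "outcome": rec["responseElements"]["ConsoleLogin"].lower()}


PARSERS = {"sshd": parse_sshd, "windows": parse_windows, "cloud": parse_cloud}


class BruteForceThenSuccess:
    """Sliding-window rule: at least `threshold` login failures from one source IP
    within `window` seconds, followed by a successful login from that IP, raises an
    alert.  Because events are normalized first, failures against sshd and Windows
    and a success on the cloud console all count toward the same IP."""

    def __init__(self, threshold=3, window=60):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)  # src_ip -> deque of (ts, source)

    def feed(self, ev):
        """Consume one normalized event; return an alert dict or None."""
        if ev["action"] != "login":
            return None
        q = self.failures[ev["src_ip"]]
        while q and ev["ts"] - q[0][0] > self.window:  # expire failures outside the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append((ev["ts"], ev["source"]))
            return None
        if len(q) < self.threshold:
            return None
        alert = {"rule": "brute_force_then_success", "src_ip": ev["src_ip"],
                 "user": ev["user"], "success_source": ev["source"],
                 "failures": len(q), "sources": sorted({s for _, s in q})}
        q.clear()  # one alert per burst
        return alert


def run_pipeline(raw_events, rule):
    """raw_events: iterable of (source_name, raw_line) in arrival order. Returns alerts."""
    alerts = []
    for source, line in raw_events:
        ev = PARSERS[source](line)
        if ev is not None:
            alert = rule.feed(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample input (not real logs): two sshd failures, one Windows failure,
# then a cloud-console success, all from 203.0.113.7, plus unrelated benign traffic.
SAMPLE_EVENTS = [
    ("sshd", "2017-10-03T10:00:01+00:00 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2"),
    ("sshd", "2017-10-03T10:00:05+00:00 bastion sshd[2210]: Failed password for root from 203.0.113.7 port 51130 ssh2"),
    ("windows", '{"TimeCreated": "2017-10-03T10:00:20+00:00", "EventID": 4625, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"}'),
    ("cloud", '{"eventTime": "2017-10-03T10:00:40+00:00", "eventName": "ConsoleLogin", "userIdentity": {"userName": "ops-admin"}, "sourceIPAddress": "203.0.113.7", "responseElements": {"ConsoleLogin": "Success"}}'),
    ("cloud", '{"eventTime": "2017-10-03T10:05:00+00:00", "eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.9", "responseElements": {"ConsoleLogin": "Success"}}'),
]


def demo():
    """Run the sample through the rule; returns the list of alerts raised."""
    return run_pipeline(SAMPLE_EVENTS, BruteForceThenSuccess(threshold=3, window=60))


if __name__ == "__main__":
    for a in demo():
        print(a)
```

The point of the example is the cross-source correlation: no single source sees three failures, so a per-tool view would never fire, while the normalized stream does. In a production pipeline the per-IP state would live in the correlation engine rather than in a Python dict, and the window and threshold would be tuned per environment.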

ArcSight Delivers Customer-Centered Innovation

We have seen this shift in the threat landscape, and customers’ requirements have changed with it, so we have introduced a transformative ArcSight suite designed for the enterprise Security Operations team.

The award-winning ArcSight Data Platform (ADP) provides the foundation of the intelligent Security Operations Center (SOC) and opens up the data layer so that you can pull data from anywhere and send it to any destination. Data is no longer trapped within the SIEM, giving you the flexibility and visibility to manage and monitor your entire environment and respond to the most pertinent threats. Pair this with the integrated Kafka-based Event Broker, which can consume up to 1 million events per second, and MSSPs and SOCs have a solution with the speed and scalability to manage today’s risk environment.

More than 400 customers have adopted this new ArcSight architecture and we’ve already seen strong customer and industry validation. According to Eric Parizo, Global Data, “ArcSight Data Platform, the next-generation data collection and storage component of the ArcSight Platform, has been revamped to better integrate with third-party systems for data collection, data export, threat-hunting, and analytics tools from Micro Focus and third-party vendors. Now ArcSight is positioned to compete for a place in security operations centers (#SOC) for years to come.”

Continuing the theme of an open environment, we have also built a strong partner ecosystem. With more than 70 MSSP partners, more than 130 integrations and partnerships through our Technology Alliances program, and more than 400 Connectors, we help our advanced customers get the most out of their investments and ensure ArcSight is the central hub of their security operations strategy.

Earlier this year we also introduced ArcSight Investigate, a threat investigation and advanced analytics solution that enables you to proactively hunt for unknown threats. Powered by Vertica, one of the most powerful analytics platforms in the world, ArcSight Investigate delivers intuitive natural language search, intuitive visualizations and advanced detection analytics to support hunt team and investigation workflows without leaving the ArcSight platform. By putting a true analytics platform behind the investigation and hunting process, ArcSight Investigate speeds up and simplifies that work for both beginners and experts, which in turn helps address the talent shortage in the SOC.

Evolving Beyond SIEM

The ArcSight portfolio has also entered an exciting new chapter as part of the new Micro Focus. Our security portfolio has expanded with the inclusion of NetIQ identity and access management solutions and the Sentinel SIEM, also featured in this MQ. We’re only at the beginning of leveraging these rich, innovative identity-centric security technologies for enriching security operations with real-time user context, as well as combining the best of the Sentinel SIEM platform to further enhance the power and scale of the open ArcSight platform.

As attackers continue to evolve, so too must our security solutions. A SIEM-centric view of Security Operations, while appropriate for smaller, less mature organizations, misses the most important evolutions that our customers have come to trust ArcSight for. We believe today’s Security Operations begin with a “SIEM” that is scalable and open, has integrated analytics, and provides the full visibility needed to respond to both known and unknown threats in real time. Effective, mature Security Operations, however, requires a partner with proven success in the most demanding environments, at massive scale. We invite you to turn away from the SIEM-centric past and experience the new ArcSight for yourself.

1 Comment
pbrettle

I haven't been posting in the community for a while, which is my fault, but I can't agree with these comments enough! Thank you Jason for putting fingers to keyboard and getting this done.

There are a few things that have dismayed me recently and the report from Gartner is one of them. While I might be putting my own professional reputation (did I ever have one?) on the line here, I have always been a pretty strong critic of how many of these comparative reports are done. They are a snapshot of a time against some criteria that aren't shared. Simple things like what areas were tested and what weights were placed against them should be transparent and clear, but are rarely published. It's a shame, but I get it; it does open the analyst to potentially unfair criticism.

However, what is clear is that the modern SOC is so much more than it was even 18 months ago! Maybe 10 years ago, a SOC had maybe a few core tools / solutions that it needed. In many cases it was little more than a NOC (network operations center), or at least closely tied to it. These days the SOC has 20+ tools, and what was the cornerstone before is no longer so these days. This is a pretty generic comment I know, but let's be more focused with an example. Even up to 5 years ago, a SOC analyst probably spent most of their time in the SIEM tool. Alert triage, investigation, case tracking; all there in the interface. These days, they probably spend 20% of their time in the SIEM, with the rest of the time spent in workflow tools, case management or wiki / tracking tools. And that's before we start talking about supporting tools, technologies and intelligence sources to make their lives simpler! Jason is 100% correct: the market has moved on, and while SIEM vendors race to add new features, they miss that the average SOC analyst needs to do more and manage more.

To further elaborate on this for a second, think of things around the idea of SOA, or Security Orchestration and Automation (again, a Gartner term). This is a massive growth area and one that many SIEM vendors are trying to address. But we need to understand what this means and what a SOC analyst does. It would be simple to think that they can just click a button, compare activity and close an alert (that's the classic SIEM demo from many vendors). But in reality they need to pivot to threat intelligence, compare to previous cases, check internal systems and tools (in many cases bespoke) and then document this in their own tracking systems. SOA tools look to take these MANUAL processes and automate them with scripts, tools and frameworks. This is just one illustration of how things have dramatically changed and that the average SOC analyst doesn't spend their day in a SIEM tool any more. This is why I think that Gartner is missing the point here.

So what does this mean to ArcSight? Have they missed the mark? Actually no, not at all. The shift to a more flexible collection layer (Event Broker) is key. The ability to bring TRUE analytics to play is critical (Investigate), and we can't forget that the ability to do correlation IN REAL-TIME (that will be ESM) has never changed. There are vendors who spin all sorts of stories around the ability to search, have fancy displays or even to magically make sense from nothing. But the core competencies haven't changed, only the importance of key areas has shifted. The modern SOC is very different to what it was 5 years ago and we need to be very critical of any marketing that we see, even if it comes from an analyst company.
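The enrichment workflow pbrettle describes in the comment above (pivot to threat intelligence, compare with previous cases, check internal systems, then document in the tracking system) is exactly what a security orchestration and automation playbook scripts. As an added example that is not part of the original post or comment, and not ArcSight or any vendor's code, the following Python playbook triages constructed alerts against constructed threat-intel, case-tracking and asset-inventory data; the scoring weights, thresholds, field names and sample data are assumptions made for illustration.

```python
"""Alert enrichment and triage playbook of the kind a SOA tool automates:
pivot to threat intelligence, compare against prior cases, check the internal
asset inventory, then write the case note.  Added illustration, not ArcSight
or any vendor's code; every data source below is constructed for the example."""
from ipaddress import ip_address, ip_network

# --- Constructed stand-ins for the systems an analyst would pivot to by hand ---
THREAT_INTEL = {  # indicator -> feed record (constructed)
    "203.0.113.7": {"feed": "example-feed", "tags": ["bruteforce", "scanner"], "confidence": 80},
}
CASES = [  # case-tracking system (constructed); closed cases carry a disposition
    {"id": "CASE-1041", "status": "closed", "indicators": ["203.0.113.7"], "disposition": "true_positive"},
    {"id": "CASE-1102", "status": "closed", "indicators": ["198.51.100.9"], "disposition": "false_positive"},
    {"id": "CASE-1150", "status": "open", "indicators": ["203.0.113.7"], "disposition": None},
]
ASSETS = {"bastion": "high", "jump01": "medium"}  # host -> criticality (constructed)
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def lookup_intel(ip):
    """Threat-intel pivot; internal addresses are never sent to an external feed."""
    if any(ip_address(ip) in net for net in INTERNAL_NETS):
        return None
    return THREAT_INTEL.get(ip)


def related_cases(ip):
    """Prior cases that already reference this indicator."""
    return [c for c in CASES if ip in c["indicators"]]


def score(alert, intel, cases, criticality):
    """Additive risk score; the weights are assumptions chosen for the example."""
    s = 0
    if intel:
        s += intel["confidence"] // 10                     # 0..10 from feed confidence
    if any(c["disposition"] == "true_positive" for c in cases):
        s += 3                                             # seen before, confirmed bad
    elif any(c["disposition"] == "false_positive" for c in cases) and not intel:
        s -= 3                                             # known benign, nothing new
    s += {"high": 3, "medium": 1}.get(criticality, 0)      # the target matters
    if alert.get("outcome") == "success":
        s += 2                                             # the attacker got in
    return s


def triage(alert):
    """Enrich one alert and return the automated disposition plus a case note."""
    ip, host = alert["src_ip"], alert["host"]
    intel = lookup_intel(ip)
    cases = related_cases(ip)
    criticality = ASSETS.get(host, "unknown")
    s = score(alert, intel, cases, criticality)
    # Attach to an already-open case for this indicator instead of opening a duplicate.
    open_case = next((c["id"] for c in cases if c["status"] == "open"), None)
    if s >= 10:
        action = "escalate"
    elif s >= 3:
        action = "investigate"
    else:
        action = "close_benign"
    note = (f"{alert['rule']} from {ip} against {host} (criticality {criticality}); "
            f"intel={intel['feed'] if intel else 'none'}; "
            f"prior cases={[c['id'] for c in cases] or 'none'}; score={s}; action={action}")
    return {"src_ip": ip, "score": s, "action": action, "case": open_case, "note": note}


# Constructed alerts as a SIEM might emit them (not real data).
SAMPLE_ALERTS = [
    {"rule": "brute_force_then_success", "src_ip": "203.0.113.7", "host": "bastion", "outcome": "success"},
    {"rule": "brute_force", "src_ip": "198.51.100.9", "host": "jump01", "outcome": "failure"},
    {"rule": "brute_force_then_success", "src_ip": "10.0.5.12", "host": "jump01", "outcome": "success"},
]


def run_playbook(alerts=SAMPLE_ALERTS):
    """Triage every alert; returns the list of dispositions in input order."""
    return [triage(a) for a in alerts]


if __name__ == "__main__":
    for r in run_playbook():
        print(r["action"], r["case"], "|", r["note"])
```

Two design points carry over to a real playbook: internal addresses are deliberately kept out of external intelligence lookups (a leak of your own network layout to a third party is itself a finding), and the open-case check runs before any new ticket is created, so the automation attaches evidence to the analyst's existing case rather than multiplying it.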

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.