Must-Have Features of a Modern SIEM

23.10.2020 Read
Must-Have Features of a Modern SIEM

Initially, Security Information and Event Management (SIEM) solutions were readily adopted because of their capability to provide actionable insights into the deep corners of an organization’s network. Legacy SIEM systems helped in understanding when and where security incidents are happening in real-time. Soon enough, these SIEM systems faced an avalanche of false positives, and they required a dedicated team to filter out irrelevant alerts.

Following this, we saw the emergence of next-generation SIEM solutions that provide functionalities and features that were not available with legacy or first-generation SIEM solutions. In this article, we demonstrate the features of a modern, next-gen SIEM solution.

1. Big data infrastructure with unlimited scalability

Back in the day when legacy SIEMs dominated the market, platforms such as Hadoop and Mongo did not exist. Given the amount of data collected and processed by a SIEM platform for a large number of clients, a scalable big data architecture is required. Logsign SIEM is supported by a massively parallelized architecture which remains continuously active with zero performance loss. It provides petabyte level big data experience with unlimited scalability, log retention, storage, and number of users. You can download the Logsign SIEM datasheet to check the details.

2. Unlimited log collection and quick ingestion of log data

In 2020, threats can span across multiple data sources. Ideally, a SIEM solution should collect data from every available source and process it for correlation and analysis. Generally, sources of data include cloud data, network data, log data, etc. Your SIEM should support data management from a single point of control.

Logsign SIEM has a dedicated section for data collection and management in the Settings panel. It collects log data from every possible environment and injects quickly into the SIEM platform. It parses unstructured data with the help of free plugin services and providers real-time super enrichment for threat intelligence and vulnerability assessment. Logsign SIEM allows you to extract and control your security data with a flexible data policy manager.

features next-gen SIEM

Figure 1: Dedicated section for data collection/management

3. Visualization

Logsign SIEM has extensive dashboard management features for your organization to utilize. Coming with over 40+ preconfigured dashboards arranged in 11 categories, Logsign streamlines gaining detailed insights into your organization’s security posture in a few clicks. The SIEM platform relies on state-of-the-art data visualization techniques to make it easier for your team to understand the analyzed data.

features next-gen SIEM

Figure 2: A vendor-specific dashboard on Logsign

4. Early detection and threat hunting

After your data is collected, you should expect your SIEM solution to provide a high level of enrichment for yielding useful results from the collected data. For example,

  1. Correlation of user and machine types with activity logs
  2. Asset ownership tracking
  3. Association of IP address with machines, users, and timelines
  4. Dynamic grouping of peers

Legacy SIEM relied on a security model that focussed on discrete events. However, next-gen SIEMs like Logsign SIEM have turned the tables and enabled advanced analysis of security events. Effective organization of information about each incident helps your security experts to understand the full context in minimum possible time. Utilizing Logsign’s big data platform in line with high-performance search results, threat hunting enables your security team in investigating abnormal behaviours in your IT infrastructure.

features next-gen SIEM

Figure 3: User and Asset Context on Logsign SIEM

Statistics show that a majority of successful cyber attacks involve lateral movement in the network. Put simply; the attackers attempt to gain access to higher privileges or evade detection by changing IP addresses, credentials, etc. A SIEM solution must be able to follow and track lateral movements right from the start to the end.

features next-gen SIEM

Figure 4: Logsign SIEM consists of a full-fledged use case for tracking lateral movement

5. Incident triage and advanced investigation

Your SIEM may record more than hundreds of thousands of log entries in a week or a month. An ideal SIEM should eliminate false positives effectively and present events with high or critical risk for robust security, efficient team performance, and reduced costs. Alerts are color-coded on Logsign SIEM to enable your security team to filter through high-risk or critical events quickly. Features like these contribute in early detection of security events and provide your team with advanced investigation capabilities.

features next-gen SIEM

Figure 5: Alerts on SIEM

6. Advanced behavior analysis

For a modern SIEM to support user and entity behaviour analysis (UEBA), it requires to understand what normal behavior looks like. Subsequently, using behavioral modeling, statistical analysis, and machine learning, it can identify unusual or abnormal behavior.

As soon as unusual activity is detected, it assigns a risk score and generates an alert for activities that exceed the well-defined threshold.

For example, there is a user on the Logsign network who usually logs in from our Istanbul office. If the same user logs in from Russia or China, such a login will be detected as unusual.

features next-gen SIEM

Figure 6: Login outside working hours detected on Logsign platform

7. Fast and effective data protection

A SIEM solution continuously monitors incoming log data from your organization’s technical infrastructure in real-time. Logsign SIEM looks out for malicious behaviour and abnormal activity, and as soon as either one is detected, it alerts your security team with relevant actionable information. Using these alerts, your security team can mitigate security incidents before they turn into an impactful data breach.

8. Automated/Semi-automated Responses

Different SIEM vendors use different terminologies or acronyms for this capability of a SIEM solution; however, SOAR is generally preferred over others. Our SOAR offering brings people, process, and technology together. While it can function as a standalone tool, our SIEM platform integrates seamlessly. A SOAR platform allows you to take response and mitigation within your technical infrastructure to a single workbench. It helps your team in creating a coherent security ecosystem, automating repetitive tasks, tracking and prioritizing incidents, driving auto-documentation and communication, increased knowledge sharing among team members, and standardizing workflows.

9. Flexible and easy-to-understand pricing

We understand that SIEM costs are hard to calculate. To make it easier for our prospective customers, we provide multiple pricing methods based on log sources and EPS. At times, it may not be practical for you to visualize your EPS requirements for the future and accordingly, you can choose the log sources based pricing model. Logsign SIEM has a flexible yet easy-to-understand pricing model so that you do not need to cherry-pick your data sources.