Evolution of the Modern SIEM
DESCRIPTION
SIEM has come a long way over the years, evolving from a relatively simple point solution to a more powerful, complex, and integrated security tool. We thought it would be interesting - and fun - to put together an infographic to try to make sense of it all.
TRANSCRIPT
Evolution of the Modern SIEM

First Generation SIEM Matures to Anchor Security Intelligence

1st Gen SIEM: Monitor traditional security telemetry. Visibility into servers and security systems.
    Security Information Management (SIM): Log management; Reporting; Analysis; Compliance reporting
    Security Event Management (SEM): Real-time monitoring of events; Security and network devices; Applications; Event correlation; Incident response

Security Intelligence Platform
    Integrated Architecture | Database Rapid Search & Query | Correlation, Analysis, Normalization | One-console Security
    Next Generation SIEM: Threat and anomaly detection; Policy-aware compliance; User behavior & context; Analysis before, during, after attack
    + Risk Management: Device configuration & topology; Pre-exploit analysis & simulation; Prioritized vulnerabilities
    + Network Behavior Anomaly Detection: Network activity monitoring (virtual, physical); Full packet capture
    Future: Open systems & SDKs; Increasing levels of context; Full integration of security process & workflow; Deeper vulnerability analysis

Phased Evolution to Security Intelligence

    Targets of Opportunity  ->  Targets of Choice

    Phase 1 - Perimeter **  |  Phase 2 - Logging & Compliance **  |  Phase 3 - Security Intelligence

Objective
    Phase 1: Perimeter defense, log consolidation and correlation
    Phase 2: Deeper reporting and analytics, log consolidation, real-time detection, forensics
    Phase 3: Log management, compliance, threat detection, application monitoring, risk management, user activity monitoring

Timeframe
    Phase 1: 2000-2004
    Phase 2: 2005-2009
    Phase 3: 2010 - present

Architecture
    Phase 1: Security management was an integrated solution. Deeply embedded into existing systems.
    Phase 2: Maturing of log management and security analytics. Distributed architecture.
    Phase 3: Less intrusive and separated from data center. Network flow included in analytics. Single console.

Data sources
    Phase 1: Small numbers of sources supported out of the box.
    Phase 2: Larger variety of log data sources.
    Phase 3: All relevant security data across the enterprise.

Number of devices managed
    Phase 1: Dozens to hundreds
    Phase 2: Hundreds to thousands
    Phase 3: Unlimited, based on unique scaling requirements of each deployment

Events per second
    Phase 1: 1,000 to 5,000
    Phase 2: 10,000+
    Phase 3: Unlimited, based on unique scaling requirements of each deployment

Storage
    Phase 1: Hundreds of gigabytes
    Phase 2: Terabytes
    Phase 3: Unlimited, based on unique scaling requirements of each deployment

Analytics
    Phase 1: Event filtering, basic event correlation
    Phase 2: Advanced correlation, analytics limited by data type (log only)
    Phase 3: Advanced analytics including network and infrastructure events (VPN, IDS/IPS, etc.), network and application context, user data via IAM products.

End users
    Phase 1: Perimeter security team (web services)
    Phase 2: IT security and compliance teams
    Phase 3: IT security, compliance, operations, auditor, networking and line of business

Breach response
    Phase 1: Slow, manual gathering of data and device info. Can take years to discover.
    Phase 2: Often takes months or years to discover. Faster, but limited analytics prevent quick response.
    Phase 3: Real-time / near-real-time discovery of breaches, often with same-day remediation.

Major limitations
    Phase 1: Manual analysis. False positives/negatives. Limited log file formats. Not scalable, small number of supported devices.
    Phase 2: Limited data analytics. Data outside of logs cannot be collected. Performance issues with large data sets. False positives and negatives.
    Phase 3: Standards governing bodies not yet formed. Integration with third-party products/sources still labor intensive.

** Phase 1 and Phase 2 data source: Enterprise Strategy Group, Security Management Evolution

Total Security Intelligence
Copyright 2011 Q1 Labs, Inc. All rights reserved. EMS-IG0911
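The infographic names "Correlation, Analysis, Normalization" as the core of the platform and lists "event correlation" under SEM, but does not show what those steps look like on actual log data. The following is an added Python example, written for this page and not code from Q1 Labs or any SIEM product. It normalizes constructed sample lines from two different sources (an SSH daemon and a hypothetical firewall named "fw01") into one event schema, drops lines in a format no parser supports (the "limited log file formats" limitation from phase 1), and runs a basic correlation rule: several authentication failures from one source IP inside a short window followed by a success. The rule name, field names, and threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from any real system) from two
# different sources: an SSH daemon and a hypothetical firewall "fw01".
SAMPLE_LOGS = [
    "2011-09-01T10:00:01 sshd[2201]: Failed password for root from 203.0.113.9 port 51122 ssh2",
    "2011-09-01T10:00:03 sshd[2201]: Failed password for root from 203.0.113.9 port 51123 ssh2",
    "2011-09-01T10:00:05 sshd[2201]: Failed password for admin from 203.0.113.9 port 51124 ssh2",
    "2011-09-01T10:00:07 sshd[2201]: Accepted password for admin from 203.0.113.9 port 51125 ssh2",
    "2011-09-01T10:00:09 fw01 DENY TCP 198.51.100.4:40000 -> 10.0.0.5:23",
    "2011-09-01T10:05:00 sshd[2250]: Failed password for bob from 192.0.2.7 port 40001 ssh2",
    "2011-09-01T10:05:02 sshd[2250]: Accepted password for bob from 192.0.2.7 port 40002 ssh2",
    "2011-09-01T10:06:00 appsrv: GET /index.html 200",  # format no parser supports
]

# One regular expression per supported source format. A source with no
# matching pattern is the "limited log file formats" problem the infographic
# lists for phase 1: its events never reach the analytics.
SSH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>DENY|ALLOW) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def normalize(line):
    """Map a raw line onto a common event schema, or None if unsupported."""
    m = SSH_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "sshd",
                "category": "auth", "user": m["user"], "src_ip": m["src"],
                "outcome": "failure" if m["outcome"] == "Failed" else "success"}
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": m["dev"],
                "category": "network", "user": None, "src_ip": m["src"],
                "dst_ip": m["dst"], "dst_port": int(m["dport"]),
                "outcome": "blocked" if m["action"] == "DENY" else "allowed"}
    return None


def normalize_all(lines):
    """Return (normalized events sorted by time, count of unparsed lines)."""
    events, unparsed = [], 0
    for line in lines:
        event = normalize(line)
        if event is None:
            unparsed += 1
        else:
            events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events, unparsed


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Basic event correlation: alert when one source IP has at least
    `threshold` authentication failures inside `window` and then succeeds."""
    failures = defaultdict(list)  # src_ip -> timestamps of recent failures
    alerts = []
    for e in events:
        if e["category"] != "auth":
            continue  # event filtering: only auth events feed this rule
        recent = [t for t in failures[e["src_ip"]] if e["ts"] - t <= window]
        failures[e["src_ip"]] = recent
        if e["outcome"] == "failure":
            recent.append(e["ts"])
        elif len(recent) >= threshold:
            alerts.append({"rule": "auth_failures_then_success",
                           "src_ip": e["src_ip"], "user": e["user"],
                           "failures": len(recent), "ts": e["ts"]})
            failures[e["src_ip"]] = []  # reset after alerting
    return alerts


if __name__ == "__main__":
    evs, skipped = normalize_all(SAMPLE_LOGS)
    print(f"{len(evs)} events normalized, {skipped} lines unparsed")
    for alert in correlate(evs):
        print(alert)
```

On the sample data the rule fires once, for 203.0.113.9 (three failures, then a successful login as "admin"), and stays quiet for 192.0.2.7, which had only one failure before its success; the application-server line is counted as unparsed rather than silently mixed in. The firewall events are normalized but ignored by this rule, which is the point of a shared schema: a second rule joining "blocked" network events with later successful logins from the same source would read the same event dictionaries without any new parsing.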