The traditional enterprise network has seen a tectonic shift in recent years thanks to cloud, mobility and now IoT. Where once enterprise data was confined to the office network and data center, it’s now expanded past its traditional perimeter. For instance, in a hospital, traditionally data resided in the data center, laptops, and desktop machines. Now, data can be resident in the x-ray machines, PCs connected to blood test analyzers, HVAC chiller units, etc. In franchise restaurants, one sees the rapid advent of digital menus, self-serve kiosks, customer Wi-Fi, and more. These digital assets have come into the market and onto the network very quickly, so that businesses can keep pace and compete for customers.
Correspondingly, the threats have also migrated — hackers now attack that less secure digital drink dispenser to then go lateral to the POS network. Often in the rush to market, securing these new assets that are now on the network has been an afterthought.
The techniques to protect and monitor these new assets are not so different. Secure the configuration, limit access, watch over logs for patterns. The ubiquity and scale of these assets, though, is tenfold, and so, traditional SIEM technology struggles with deployment, cost, and scale. Traditional SIEM was designed for large enterprise with assumptions on lots of bandwidth, CPU, and staff. These are all belied in the brave new world where all are in short supply.
Now that organizations have a 10x increase in the number of devices on the network – but most of these devices are lower value, simpler assets, with fixed networks and a limited scope of attacks that they are susceptible to — those can be managed in a more automated sense.
SIEM Will Evolve in Functionality and Ubiquity
The progression of today’s SIEM platform has seen dramatic changes. Mature platforms that have their roots in centralized log management have proven to be the species best suited to evolve, adapt, and match today’s advanced cybersecurity demands. We see this trend continuing. SIEM’s ability to centralize and aggregate billions of event logs from devices makes it a natural choice to house advanced threat lifecycle management capabilities. We’ve already seen the beginnings of SIEM taking on functionality that was originally viewed by some as a different animal—those being User and Entity Behavior Analytics (UEBA) and Security Orchestration and Automated Response (SOAR). After a quick rise in interest surrounding UEBA and SOAR solutions, these concepts have become rightly absorbed into SIEM platforms.
In terms of ubiquity, as the Internet of Things (IoT) explosion continues to unfold, right-sized SIEM functionality will be brought to these simpler, yet very numerous, devices. Case in point, in 2017, Netsurion brought SIEM to the point-of-sale (POS) market to answer the restaurant data breach epidemic. By folding the POS into the enterprise cybersecurity scope, the days of a data breach siphoning credit card data going undetected for months would no longer be the case.
By then coupling SIEM with IoT and branch location connectivity technology, like SD-WAN, the evolved capabilities of SIEM will be able to reach every edge of the highly-distributed enterprise.
Bringing It All Together
With SIEM platforms evolving to encompass machine learning concepts and orchestration capabilities, plus spreading to the furthest ends of the digital enterprise, we must also look at the most appropriate delivery model. By intertwining connectivity, threat, and compliance management, the delivery model that might work best for some organizations would be that the SIEM, or IT security, is delivered from an organization’s preferred ISP or managed IT service provider (MSP). The fully evolved SIEM platform will be able to deliver advanced functionality, wide integration, and lastly, MSP-friendly deliverability.