Next Generation SIEM

SIEM has existed for quite some time, but it is not yet well understood. Also, the fact that technology has evolved significantly in recent years doesn’t help shed some light. Today we see where we are, trying to understand the Next Generation SIEM and the managed systems offered as services that make use of the latest generation SIEM (SOCaaS, for example). Let’s see what all this means for companies.

Being a fundamental part of the SOCaaS offered by SOD, it seems appropriate to explain in detail what a Next Generation SIEM is and what its functions are.

A brief history of SIEM

Before examining what a Next Generation SIEM is, it is right to briefly review the history of this technology and its beginning.

The term Security Information and Event Management (SIEM) was coined in 2005 by Mark Nicolett and Amrit T. Williams of Gartner. The word is the merger of Security Event Management (SEM) and Security Information Management (SIM).

Its original definition given by the creators of the term is: a technology that supports the detection of threats and the response to security incidents, through the collection in real time and historical analysis of events from a wide variety of sources of contextual data.

SIEM was born out of the need to address the huge number of alarms issued by intrusion prevention systems (IPS) and intrusion detection systems (IDS) that were overwhelming IT departments. By helping organizations aggregate events and better analyze those within the network, SIEM has helped organizations improve threat detection. It has also led organizations to take a more proactive approach to security. Preventive security technologies are no longer sufficient on their own.

The difficulties of SIEMs in the early years

Eager to improve their cybersecurity situation, many enterprise-wide organizations have rapidly adopted SIEM technology. Over the years, however, inherited problems have emerged from the past:

1. The datasets were inflexible, so some SIEMs were unable to process the required data, which meant their effectiveness was limited
2. They were difficult to maintain and manage, which added complexity and drained staff resources
3. SIEMs produced a high number of false positives, creating even more work for the security teams
4. With the advancement of technology, SIEMs have struggled to keep up with the evolution of threats and therefore the IT risk for companies has grown

The Next Generation SIEM arrives

Many advanced threats are now polymorphic rather than static. That is, they are able to constantly modify their behavior to evade detection. As such, Next Generation SIEM systems must not only process more data, but also become much more capable of recognizing new patterns within them.

Given the difficulties and limitations of inherited SIEM systems, many thought they would disappear over time. But this did not happen, SIEM still remains a key technology used by companies. However, technology has had to evolve.

While SIEM once relied on only a handful of data sources, the “Next Generation” of SIEM systems was developed to process a greater volume and variety of data, as well as correlating it in a timely fashion.

Gartner reported that the SIEM market is continuously growing. One reason for this growth is that Next Gen SIEM systems are now used by midsize organizations, not just large enterprises.

Next Generation SIEM on the Cloud

Next Generation SIEM takes advantage of the use of the cloud for data collection

What are the capabilities of Next Gen SIEM?

Next Gen SIEMs, sometimes referred to as analytical SIEMs or SIEM 3.0, have brought new capabilities to organizations and their security teams.

Allow faster integration into a corporate infrastructure through an open architecture to cover cloud, on-premise and BYOD resources
Include real-time visualization tools to understand the most important and high-risk activities
Use scenario and behavior analysis to “photograph” well understood scenarios and highlight significant changes in behavior
Integrate and use Threat Intelligence information from customized, open source and commercial sources
Provide a flexible framework that allows for the implementation of a tailored workflow for key organizational use cases
Measure status against regulatory frameworks (e.g. PCI DSS) for prioritization and risk management

Security Orchestration, Automation and Response

Security Orchestration, Automation and Response (SOAR) is a growing security area that Next Gen SIEM vendors are exploiting to contribute and take advantage of the latest features. In its essence, SOAR has two fundamental aspects:

1. It allows to bring more data to a Next Gen SIEM for analysis

SOAR is helping SIEM technology to become smarter and big data oriented, thus enabling security teams to make faster and better informed decisions. Broader intelligence means more reliable threat identification and fewer false positives.

2. Help automate incident response

Another important way SOAR is influencing the evolution of SIEM Next Gen is to help standardize incident analysis and response procedures. The goal is to partially or completely automate response activities in order to reduce the potential harm and inconvenience that breaches can cause. Such response activities could include blocking compromised user accounts and blocking IP addresses on a firewall.

By automating routine actions, SOAR helps security teams become more efficient and frees them up time to focus on threat hunting and patch management.

User Behavior Analysis (UEBA)

Another important feature of Next Generation SIEMs is the use of User and Entity Behavior Analytics (UEBA). UEBA does not track security events or monitor devices, but instead focuses on monitoring and analyzing the behavior of an organization’s users.

UEBA can be extremely useful in helping organizations identify compromised accounts, as well as insider threats. It works using advanced machine learning and behavioral profiling techniques to identify anomalous activity such as account compromise and abuse of privileges. By not using rules-based monitoring, the UEBA is more effective in detecting anomalies over time.

The challenges for a modern SIEM

Despite unquestionable advances in detecting complex cyber threats, SIEM Next Gens can still, if not used and maintained properly, generate a large number of alerts. For organizations without IT resources and dedicated security personnel, researching these alerts to distinguish true network security problems from false positives can be extremely complex and time-consuming.

Even when real threats are identified, knowing how to respond to them can be just as challenging.

Getting the most out of SIEM to help address growing security challenges will also depend on better trained personnel who can use the systems more effectively and validate alarms. For organizations that lack in-house knowledge or skills, it therefore makes sense to work with an external vendor who can cover or augment security capabilities.

A full SOCaaS service, including Next Generation SIEM and UEBA for threat hunting, is the ideal choice. Not only does it save time in terms of validating and checking alarms, but also in economic terms, not having to face installation costs and staff training.

If you are interested in learning more, do not hesitate to contact us, we will answer your questions.

[btnsx id=”2931″]

Useful links:

SOC as a Service

Security: Pentest and verification of vulnerabilities

What is a Network Lateral Movement and how to defend yourself

Is SOCaaS useful for your business?

Computer network security: PT vs. VA

MITRE Att&ck: an overview

SIEM in computer science: history

SIEM software: what it is and how it works


SIEM - Raccolta e analisi dei dati

Evolving beyond its roots in log file management, today’s security information and event management (SIEM) software vendors are introducing AI, advanced statistical analysis and other analytical methods into their products. . But what is SIEM software and what are its uses?

SIEM software

Acronym for Security Information and Event Management, it is a product that provides cyber security professionals in companies with an overview and a track record of the activities within their IT environment.

The technology used has been around for more than a decade, and has evolved from the practice of managing log files. It combined security event management (SEM), which analyzes log and event data in real time to provide threat monitoring, event correlation and incident response, with security information management (SIM) that collects, analyzes and reports log data.

How does it work?

SIEM collects and aggregates log data generated across the organization’s technological infrastructure, from host systems and applications to network and security devices such as firewalls and virus filters. Then, it identifies and categorizes incidents and events, as well as analyzing them.

The software has two main objectives, which are: to provide reports on incidents and events related to cyber security, such as successful and unsuccessful logins, malware activities and other possible malicious activities, and to send alerts if the analysis shows that an activity ‘goes against established rules, indicating a potential security problem.

According to experts, corporate demand for more security measures has pushed the market to expand in recent years. Today, large organizations look to SIEM as a basis for the creation of a security operations center (SOC).

Analysis and intelligence

One of the main factors underlying the use of SIEM software for security operations is represented by the features offered.

Many products offer threat intelligence feeds in addition to traditional log file data. Some SIEM software also has security analysis capabilities and examines network and user behavior to provide more information on whether or not an action indicates malicious activity.

Generally speaking, SIEM tools provide:

1. Real-time visibility through an organization’s IT security systems
2. Event log management that consolidates data from numerous sources
3. A correlation of collected events from different logs or security sources, using rules that add important information to the raw data
4. Automatic notifications of security events. Most SIEM systems provide dashboards for security issues and other direct notification methods

The SIEM operation process

In practice, the operating process of a SIEM system can be divided into the following steps:

1. Data collection: All sources of network security information (eg servers, operating systems, firewalls, anti-virus software and intrusion prevention systems) are configured to send event log files. Most modern SIEM tools use agents to collect event logs from business systems, which are then processed, filtered, and sent to the system.

2. Policy: A policy profile is created by the administrator. This defines the behavior of business systems, both under normal conditions and during predefined security incidents. We provide predefined rules, alerts, reports and dashboards that can be adjusted and customized to your specific security needs.

3. Data Consolidation and Correlation: These software consolidate, analyze and control log files. The events are then categorized based on the raw data and correlation rules are applied that combine the individual events.

4. Notifications: If an event or set of events triggers a SIEM alarm, the system notifies the security personnel.

It is clear that a SIEM stops at the analysis of threats and subsequent notification. Following these, someone needs to intervene, both by checking the reports and taking measures to mitigate any threat. This can only happen if there is a team of trained technicians behind the software 24/7 to carry out maintenance and intervene when necessary.


While these solutions offer various benefits to businesses of all sizes and shapes, they also have limitations and vulnerabilities that should not be ignored.

Security Information and Event Management

A SIEM requires constant 24/7 monitoring of logs and alarms, regular maintenance and configuration, as well as a dedicated security team responsible for managing the software. Most of the work begins after the SIEM implementation. Therefore, organizations cannot rely on these solutions alone to protect critical IT infrastructures.

Even with such a system in place, security professionals must ensure that they have adequate resources, tools, budget and time to be able to exploit the features and ensure complete protection against potential security threats.

From this point of view, the most interesting solution for companies is that of a SOCaaS, which includes SIEM and other suitable tools for a complete management of a company’s cyber security.



[btnsx id=”2931″]

Useful links:

SOC as a Service

Security: Pentest and verification of vulnerabilities

What is a Network Lateral Movement and how to defend yourself

Is SOCaaS useful for your business?

Computer network security: PT vs. VA

MITRE Att&ck: an overview