Automation and Machine Learning Processes in Security Information and Event Management

1Q 2017 | IN-4459

Security information and event management (SIEM) is certainly not a new concept, but it is one that has withstood the test of time. It became an integral piece of enterprise cybersecurity, with few changes over the last few years. Most of these changes concern enhancement of its analysis abilities, further modification of product interfaces, refinement of the log-collection process, and adjustment of interoperability capabilities.


SIEMs Are Not out of Style Just Yet

NEWS

Despite the marketing campaigns of machine learning (ML) startups positioning themselves against traditional, supposedly obsolete SIEMs, the reality is that SIEMs are not that easy to overlook. It should be noted, however, that simple log-based detection has scored very poorly against modern cyberthreats, as past major hacking incidents showed when it failed to detect incoming threats. Nonetheless, SIEMs are still as relevant as ever given their unique capacity for monitoring, detection, and incident response across a multitude of hosts. Yet it seems SIEMs are about to receive a critical upgrade: the automation of log gathering, detection, analysis, and incident response.

Is It Just an Added Feature or Is It a Reaction to the Security Talent Gap?

IMPACT


Intel (McAfee), IBM (QRadar), HP (ArcSight), RSA (NetWitness), and LogRhythm are some of the biggest players that rank highly for enterprise SIEM solutions, but high cost and overall TCO push SIEM implementation further down the list of priorities for mid- and low-tier companies. This makes perfect sense for companies that cannot afford the hefty cost of US$50,000 to US$100,000 (and higher) to incorporate a SIEM for their monitoring needs across the enterprise. Although more cost-sensitive, SIEM-like solutions such as SolarWinds and Splunk are already showing promise, SIEM implementation is lagging behind; moreover, most companies do not possess a security operations center (SOC) or SOC-related procedures.

Nonetheless, the breadth and complexity of security alerts are a major factor pushing companies toward such an endeavor, with procedural automation as an added feature to up the ante. Amid constantly evolving security protocols in enterprise cybersecurity and critical infrastructure, automation can easily find fertile ground in modern SIEMs (among other solutions) and provide a significant boost for understaffed (and overworked) IT professionals.

Can SIEM Automation Justify High TCO?

COMMENTARY


So, what would the application of automation in SIEMs entail?

Looking at some of the primary operations, it can have direct application in:

  • Automating data log gathering based on pre-configured customization options—depending on the enterprise’s needs—with the ability to “break the loop” in case external data sources are also required (thus entering the realm of autonomous security measures).
  • Application of newer unsupervised learning, deep learning, and cognitive computing approaches to enterprise security.
  • Automation of certificate acquisition and related processes (required for high interoperability with other, non-SIEM products for added intelligence-gathering capabilities).
  • Automating detection of both known threats (signature-based detection, malware and mutation extrapolation, blacklisted IPs, etc.) and unknown threats, network security events, and APTs, based on predetermined variables.
  • Automation of incident response, as well as continuous learning of what qualifies as an appropriate trigger for such a response.
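The blacklisted-IP detection and automated response triggers listed above, as an added illustration that is not from the original Insight or from any vendor named on the page: a minimal rule-based SIEM pipeline in Python over constructed log lines. The log format, the blacklist entries, the failed-login threshold and the response policy are all assumptions.

```python
import re
from collections import defaultdict

# Constructed syslog-style sample lines (not real data) standing in for the SIEM's log feed.
SAMPLE_LOGS = [
    "2017-01-10T08:00:01 sshd[101]: Failed password for root from 203.0.113.9 port 5001",
    "2017-01-10T08:00:02 sshd[102]: Failed password for root from 203.0.113.9 port 5002",
    "2017-01-10T08:00:03 sshd[103]: Accepted password for alice from 192.0.2.10 port 6000",
    "2017-01-10T08:00:04 sshd[104]: Failed password for root from 203.0.113.9 port 5003",
    "2017-01-10T08:00:05 sshd[105]: Accepted publickey for bob from 198.51.100.77 port 7000",
    "2017-01-10T08:00:06 cron[5]: session opened for user root",  # no source IP: skipped
]

# Hypothetical threat-intel feed of known-bad addresses (the "blacklisted IPs" signature rule).
BLACKLIST = {"198.51.100.77"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>\w+)\[\d+\]: (?P<msg>.*?) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse(line):
    """Normalise one raw line into a dict, or None if it does not carry a source IP."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(lines, blacklist=BLACKLIST, threshold=3):
    """Run two detection rules over the feed: a signature rule (known-bad IP) and a
    behavioural correlation rule (repeated failed logins from one IP). Returns alerts."""
    alerts = []
    failures = defaultdict(int)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["ip"] in blacklist:
            alerts.append({"rule": "blacklisted_ip", "ip": ev["ip"], "severity": "high"})
        if ev["msg"].startswith("Failed password"):
            failures[ev["ip"]] += 1
            if failures[ev["ip"]] == threshold:  # fire once when the threshold is reached
                alerts.append({"rule": "brute_force", "ip": ev["ip"], "severity": "medium"})
    return alerts

def respond(alerts):
    """Automated response policy: high severity triggers a block action outright;
    anything lower is turned into a ticket so an analyst confirms the trigger."""
    return [("block" if a["severity"] == "high" else "ticket", a["ip"]) for a in alerts]

if __name__ == "__main__":
    for action in respond(detect(SAMPLE_LOGS)):
        print(action)
```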

While the increased frequency and complexity of cyberattacks is pushing the industry toward a more “mandatory” upgrade of security infrastructure, and despite the major incidents made public over the last few years, many companies are still not convinced that the perceived benefits outweigh the high cost of ownership of certain security solutions. The advent of ML and automation in the cybersecurity sphere, however, brings brand new variables to consider, as the cost of maintaining such a solution can also provide an answer to the “human talent gap” and, therefore, bridge that gap with an upgraded SIEM solution. Given the shortage of security analysts, which is expected to surpass the million mark within a few years, can this transition to ML and automated security be an option for most companies?