Rethinking SIEM requires rethinking visibility

2021-05-31 05:30

While the underlying tenets of not relying on a single vendor and taking advantage of best-of-breed expertise for each system or tool is still valid, it has become obvious that data needs to be combined to understand the complete attack surface and progression of the kill chain.

SIEM was created over fifteen years ago to integrate security data for providing real-time analysis of security alerts generated by applications and network hardware.

Sometimes full packet data is necessary, but often header information or extracted meta data is sufficient.

One value of integrating and correlating data within a SIEM or alternative processing center is that small signals or data that alone may seem inconsequential can be compounded to provide better insight and higher accuracy.

This requires having all relevant data available quickly and in the same time frame.

In rethinking the SIEM or bringing in a new center to integrate, correlate and analyze data from across the network, consider all the aspects of visibility as well.

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/eZ-cSP72Qw0/

#siem