Are security information and event management (SIEM) and artificial intelligence (AI) a marriage made in heaven, or just more sales hysteria in the industry? The reality, of course, is that security and system/application event correlation systems have been around for quite a long time. The term SIEM was first promoted by analyst firm Gartner in 2005. The lingering question is whether the analytics available in SIEM products are the same thing as AI, or whether "AI" is simply analytics rebranded for sales purposes.
SIEM systems
You can find more than a few SIEM tools if you do an internet search without trying too hard.
SIEM product analytics correlate events from various sources collected over a relatively short period of time (typically hours and days, not months, quarters, or years) and raise a prioritized alert when activity exceeds the established baseline of an infrastructure.
SIEM products can also produce a number of regular and weekly reports, and it can take a month to six weeks to bed down and tune a new SIEM system and establish the baseline of an infrastructure. In essence, this means configuring the system to filter out the noise of normal operation. Over time, some retuning of the SIEM system may be required, particularly after upgrades or other changes to the IT infrastructure of a business.
Part of SIEM tuning is the adjustment of system event logging. This involves deciding what each system or process in the IT infrastructure needs to record and then setting the Syslog parameters accordingly. SIEM solutions are certainly not set and forget.
Artificial intelligence for IT Operations
Another new term, artificial intelligence for IT operations, or AIOps, was coined by Gartner in 2016.
It refers to processes that store event data collected over a long period of time, possibly years, in a database and then apply analytics to that data.
These analytics can adjust the baseline of the infrastructure and the alerting thresholds over time, and can also take some remedial measures automatically based on correlated incidents.
The ability to detect very slow or stealthy events on a network that would otherwise be ignored or dismissed as a one-off is a valuable advantage of applying analytics to Big Data.
By identifying these slow or stealthy activities, a security team is in a position to act before a major security incident occurs.
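To make the two ideas above concrete, here is a small correlation engine written as an added example for this article (it is not code from the article's author or from any SIEM vendor). It covers both the short-window SIEM behaviour described earlier (noise suppression during tuning, a learned per-hour baseline, and an alert when a bucket exceeds that baseline) and the long-horizon AIOps behaviour (a source that fails authentication once a day for weeks, which never trips the hourly threshold but is obvious once counted across the whole history). The log format, host names, IP addresses, thresholds and the fourteen-day baseline period are all constructed assumptions for the demonstration.

```python
"""Toy SIEM: short-window baseline alerting plus long-horizon "low and slow" detection.

Added example, not from the original article. All log lines, hosts, IPs and
thresholds below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed syslog-style record: "<ISO timestamp> <host> <program>: <message>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")
FAIL_RE = re.compile(r"Failed password for (\S+) from (\S+)")

BASE = datetime(2024, 1, 1)
BASELINE_DAYS = 14          # days 0..13 are used to learn the baseline
DAYS = BASELINE_DAYS + 1    # day 14 is the day we monitor


def build_sample_log():
    """Constructed sample data: background noise, one stealthy source, one burst."""
    lines = []
    for day in range(DAYS):
        for hour in range(24):
            ts = BASE + timedelta(days=day, hours=hour)
            # Background: a misconfigured internal host retries a stale credential 1-3x per hour.
            for i in range(1 + hour % 3):
                t = (ts + timedelta(minutes=i)).isoformat()
                lines.append(f"{t} web01 sshd: Failed password for admin from 10.0.0.{i + 1}")
            # Informational chatter duplicated three times per hour (what tuning should collapse).
            for _ in range(3):
                lines.append(f"{ts.isoformat()} web01 cron: session opened for user root")
        # Low and slow: exactly one failed login per day from the same external address.
        t = (BASE + timedelta(days=day, hours=3, minutes=30)).isoformat()
        lines.append(f"{t} web01 sshd: Failed password for root from 198.51.100.9")
    # Burst on the monitored day: 50 failures within one minute from one address.
    ts = BASE + timedelta(days=DAYS - 1, hours=10)
    for i in range(50):
        t = (ts + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} web01 sshd: Failed password for root from 203.0.113.7")
    return lines


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, prog, msg = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "prog": prog, "msg": msg}


def suppress_noise(events, noisy_programs, window=timedelta(minutes=5)):
    """Tuning step: drop repeats of an identical message from a noisy program inside `window`.
    Scoped to informational programs only so that security-relevant repeats are never hidden."""
    last_seen, kept = {}, []
    for ev in events:
        key = (ev["host"], ev["prog"], ev["msg"])
        if ev["prog"] in noisy_programs:
            prev = last_seen.get(key)
            if prev is not None and ev["ts"] - prev <= window:
                continue
            last_seen[key] = ev["ts"]
        kept.append(ev)
    return kept


def hourly_failed_counts(events):
    """Count sshd authentication failures per (host, hour bucket)."""
    counts = Counter()
    for ev in events:
        if ev["prog"] == "sshd" and FAIL_RE.search(ev["msg"]):
            bucket = ev["ts"].replace(minute=0, second=0, microsecond=0)
            counts[(ev["host"], bucket)] += 1
    return counts


def learn_baseline(counts, host, start, end):
    """Mean and population std-dev of hourly counts over [start, end); empty hours count as zero."""
    vals, t = [], start
    while t < end:
        vals.append(counts.get((host, t), 0))
        t += timedelta(hours=1)
    return mean(vals), pstdev(vals)


def low_and_slow(events, min_days=10, max_per_day=2):
    """AIOps-style long-horizon check: sources failing auth on many distinct days,
    but never often enough on any single day to trip a short-window threshold."""
    per_src_day = defaultdict(Counter)
    for ev in events:
        m = FAIL_RE.search(ev["msg"]) if ev["prog"] == "sshd" else None
        if m:
            per_src_day[m.group(2)][ev["ts"].date()] += 1
    return {src: len(days) for src, days in per_src_day.items()
            if len(days) >= min_days and max(days.values()) <= max_per_day}


def run(lines=None, sigma=3.0, min_count=5):
    events = sorted(filter(None, (parse(l) for l in lines or build_sample_log())),
                    key=lambda e: e["ts"])
    events = suppress_noise(events, noisy_programs={"cron"})
    counts = hourly_failed_counts(events)
    cutoff = BASE + timedelta(days=BASELINE_DAYS)
    m, sd = learn_baseline(counts, "web01", BASE, cutoff)
    threshold = max(m + sigma * sd, min_count)   # floor avoids alerting on tiny fluctuations
    alerts = [(host, t, c) for (host, t), c in sorted(counts.items())
              if t >= cutoff and c > threshold]
    return {"events": len(events), "baseline": (m, sd), "threshold": threshold,
            "alerts": alerts, "stealth": low_and_slow(events)}


if __name__ == "__main__":
    r = run()
    print(f"events after tuning: {r['events']}, baseline mean/sd: {r['baseline']}")
    print("short-window alerts:", r["alerts"])
    print("low-and-slow sources:", r["stealth"])
```

The burst on the monitored day is caught by the hourly baseline; the once-a-day source from 198.51.100.9 never exceeds it and is only visible because `low_and_slow` counts distinct days across the full history, which is exactly the long-retention analysis the AIOps section describes. The duplicate `cron` lines show why suppression is scoped to informational programs: applied blindly, it would also collapse the 50 identical failed-login messages of the burst.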
Benefits of AIOps-enabled SIEM systems
So is an AI/AIOps-enabled SIEM system a useful instrument for the security team of a company? The response depends on a variety of factors, including the size of the business, the sophistication of the IT infrastructure of a company, and the value of its data.
For businesses with a relatively small and/or simple IT infrastructure, the cost of an AI-enabled SIEM would probably be prohibitive and would add little or no benefit on top of good security hygiene; there is also a good selection of conventional SIEM products to choose from, some of which are open source.
For a business with a broad and complex IT infrastructure, the cost of an AI-enabled SIEM can well be justified, but beware of the snake oil salesman and conduct a thorough evaluation of the products available. SIEM systems and many of their vendors have been around for a long time, and their capabilities have not stood still.
Wrapping up
The effort required to adjust Syslog logging parameters across the entire IT infrastructure should not be ignored, nor should simple security hygiene, as it is easy to flood a SIEM with Syslog events.
CYBERAL, the Cognitive STEM powered by the latest next-gen technologies, offers a complete, sophisticated threat intelligence SIEM system with integrated User and Entity Behavior Analytics (UEBA) and User Behavior Analytics (UBA), which detects insider threats, targeted attacks and possible financial fraud through AI. Connect with us to learn more about our innovative threat detection and investigation capabilities.