Ashes to ashes, we all fall down: The death of SIEM and rise of SOAR

Security Information and Event Management or SIEM, once upon a time referred to as SEM (security event manager) or SIM (security information management) or SIM/SEM or (replace your preferred acronym here) is a category of software that surfaced to the top in the late 90s with Intellitactics (1996), NetForensics (1999), Arcsight (2000), Q1 Labs (2001), LogRhythm (2003), and Splunk (2003). SIEM solutions would offer hope to security analysts looking to aggregate and correlate all of the log and other event information from different servers and devices on their network into a single place. The efficacy of such a solution was wholly predicated on the power of its correlation engine giving it the ability to see similar indications of compromise (IoCs) generated across different devices and systems in the network in order to eliminate false positives and validate true positives — the concept that A+B+C equals to something bad happening. SIEM solutions became the Syslog-NG on steroids; an open source log server initially released in 1998 as a distributed agent-server log server for centralizing logging in enterprise environments of systems that supported the syslog format. Syslog was developed in the 1980s by Eric Allman as part of the Sendmail project. It was readily adopted by other applications and has since become the standard logging solution on Unix-like systems for both servers and networked devices.

Anecdotally, as I drove in to the office in 2014, I recall a news report that was playing on NPR news that discussed the growing problem of alarm fatigue in emergency rooms. In the case of Boston Medical Center, an analysis found that 7 North was experiencing 12,000 alarms a day on average. A cacophony that was then being referred to as alarm fatigue that referred to the desensitization of the nursing staff to the many noises in the unit, which was causing increased patient deaths.

Unlike central log servers, such as Syslog-NG, SIEM solutions were able through native support, syslog support, APIs, and other plugins to centralize events from not just syslog-enabled endpoints, but also intrusion detection systems, firewalls, antivirus, network access control solutions, and even NetFlow data from routers.

And unfortunately, as history has proven in infamous breaches such as the Target breach whose costs approached $300 Mn in 2017, the alarm fatigue problem has led many Security Operations Centers (SOCs) running SIEM solutions to mistakenly close real alarms as false positives.

A survey by FireEye polled C-level security executives at large enterprises worldwide and found that 36% of respondents receive more than 10,000 alerts each month from their SIEM, of those alerts, 52% were false positives and 64% were redundant costing companies an average of $1.27 Mn every year.

It goes without saying that SIEMs have quickly lost their luster as security analysts continue to take fire from their SIEM of false positives on a daily basis or from the MSSP they had to retain for the daily care and feeding and 24x7 monitoring. It quickly became obvious that a SIEM required daily, round-the-clock tuning by a seasoned staff capable of creating rules for that specific platform in order to lower the amount of noise with no end in sight. The dream of effective centralized monitoring of events in the enterprise would need to be reimagined.

Enter SOAR, Security Orchestration and Response. New startups such as Exabeam, Swimlane, ServiceNow, Siemplify, Rapid7, DFLABS,