by Ramon Krikken | May 22, 2012 | Comments Off on SIEM Future – Would You Like Some Context With That?
This is a sister post to Anton Chuvakin’s “Our SIEM Futures Paper Publishes!” from yesterday. We collaborated on a “Security Information and Event Management Futures” note [subscription required], in which we discuss how we believe the technology will evolve in response to current and expected trends. Although Anton is now the primary GTP analyst to cover SIEM, I still have a strong interest because its place in the greater monitoring and security data analysis space.
If you look at the table of contents, you will notice the first of our “big 5 trends” relates to context data. As I’ve written in the past, context comes in several forms – some of it can be automatically derived or created by IT systems, while some of it has to be provided by humans (i.e., where humans have to “teach” the system what the meaning of certain context is). State data (e.g., the location of a person as derived from a physical access control system) is context, and events themselves can be context, too. Context is vital, because without it we would end up drowning in false positives and false negatives.
Right now, most SIEM treat context (and especially state data) differently from events. They are able to pull in state data as context for events, but performing analysis on the state data itself can be incredibly challenging. Using SIEM for multi-dimensional analytics over events and state turns out to be well-nigh impossible … as some customers-that-must-go-unnamed have explained to me in light of using SIEM for “non-traditional” use cases. This needs to change.
Although I still have reservations about “big data analytics for security” (mostly because it will for the foreseeable future be difficult to separate the wheat from the chaff in vendor claims and solutions), I do believe the need for better data processing and analytics is getting greater. Whether this is general SIEM evolution, a split in the SIEM market, or an entirely new class of technology parallel to top-tier SIEM remains to be seen. And, perhaps more importantly, how well this can be commoditized (i.e., have low requirements for involvement of data analysts and such) is a big question mark for me.
View Free, Relevant Gartner Research
Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.Read Free Gartner Research
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.