Realtime Security Intelligence

Why SIEM failed - and why we need Realtime Security Intelligence

Combined Session
Thursday, May 15, 2014 12:00—13:00
Location: AMMERSEE I

There is no doubt that SIEM (Security Incident/Information and Event Monitoring) has failed to deliver on its promises. Many projects failed entirely, while others started big and ended small. There are also success stories, but ultimately it turned out that SIEM is a tool, not a solution. In a world of increasing security threats and advanced, complex attacks, there are too few people who can set up a working solution based on a tool alone. This requires too much knowledge.

With the advent of a new generation of solutions we call Realtime Security Analytics, things are starting to change. These solutions combine big data techniques and advanced analytical capabilities, both rule-based and pattern-based, with realtime information about new threats and, ideally, managed services. Such managed services make it possible to provide new configurations and analytics on the fly, constructed and delivered by a few experts. The skill set required in customer organizations is lower, because the complex understanding of how incidents and events in a number of systems relate to each other is provided by the service providers. Such service providers also help handle the (ideally few) filtered events that need manual supervision. Doing Realtime Security Analytics right not only helps customers increase their cyber security and “cyber-attack resilience”, it also allows software vendors to expand their business models. It makes SOC operations cheaper, by building on a good combination of in-house capabilities and managed services, while delivering better results.

SIEM is reduced to just one data source in the new world of Realtime Security Intelligence. This allows customers to leverage their investments in SIEM, without relying on a limited toolset. Clearly, the evolution towards Realtime Security Intelligence will bring new players on board and shake out some of the SIEM vendors.

In this session, Prof. Dr. Sachar Paulus of KuppingerCole will explain the difference between traditional SIEM and Realtime Security Intelligence. He will talk about the requirements for Realtime Security Intelligence (RSI) solutions, the criteria for product selection, and the organizational infrastructure RSI needs on both the vendor/provider and the customer side. He will talk about how RSI enables the SOC of the future and integrates with other sources of relevant information beyond SIEM, for instance Access Governance and User Activity Monitoring.

Prof. Dr. Sachar Paulus
KuppingerCole
Prof. Dr. Sachar Paulus is KuppingerCole Scientific Advisor and a former KuppingerCole Senior Analyst. Sachar was 8 years with SAP in leading security positions, responsible for Secure Software...