SIEM 4.0: The Essentialist Evolution
The disciplined pursuit of fewer alerts, logs, and bills.
We are undoubtedly living through a transitionary period in technology, and I don’t need to tell you again how AI is changing the world (but… it is!).
SIEM is set to advance beyond its 3rd-generation tooling, marked by the widespread use of UEBA and risk-based systems that aimed for a more proactive and less deterministic approach to correlation. But has this approach been effective? Are security practitioners still investing in black box detection? What enhancements will SIEM 4.0 introduce?
Market forces today promote an essentialist mindset in businesses, influencing many purchasing decisions within business units. Consequently, security teams are adapting to this trend and utilizing technology to address challenges with the current generation of SIEM tools.
SIEM 4.0 is emerging as the "Essentialist's SIEM." In this approach, we deliberately collect, store, and create alerts, strategically involving humans to focus time, money, and attention on the most important tasks. This blog outlines five predictions of what to expect in SIEM 4.0, some of which are already unfolding.
Less focus on 100% ATT&CK coverage
Security teams are beginning to prioritize impactful MITRE tactics and techniques relevant to their threat models versus pushing for 100% coverage. MITRE ATT&CK coverage has been a vanity metric for the last few years flaunted by vendors when, in actuality, monitoring for every single technique and tactic only results in more distracting alerts. Over time, this can cause an increase in underlying data processing costs and a lack of focus. Instead, an intentional approach should be taken by working backward from our “critical threat” playbooks. This yields the best end-to-end quality of alerting while also ensuring teams focus on what matters most.
Transitioning from "stream of consciousness" atomics to risk-based alerts
Adopting a mindset focused on analyzing groups of subsequent actions through the kill chain and less on individual behaviors could substantially reduce alert volumes. For example, If an employee logs in at 3 AM, even though it’s unusual, should we wake up the on-call? Definitely not. But if that activity is followed by other suspicious or malicious signs, it becomes more significant, and the risk increases. Atomic behaviors, regardless of where they come from, must be used in context to be helpful. The next wave of SIEM correlations will more thoughtfully combine atomics into higher-order alerts.
Opening up the data lake
Vendor consolidation, cost savings, and the desire to utilize GenAI will drive SIEMs from monolithic platforms to open data platforms. The new evaluation criteria will be based on analytics capabilities, data integrations, log transformations, and cost efficiencies at scale. Until a new winning platform is chosen, major players will try to become the de-facto, end-to-end solution across security verticals. This will cause more short-term pain for data centralization because effective detection at scale requires the entire dataset to be quickly queried. Increasingly spread-out data stored in differing formats makes that challenging. Security platforms producing and storing large amounts of security data must make it accessible through open table formats like Iceberg or Delta or a great REST API.
Declaring everything as code
Security teams are increasingly using software engineering principles to regain control over low-quality alerts. Although there is a growing divide between hands-on and hands-off SIEMs, many security teams are adopting the requirement of a “Detection as Code” system in a familiar programming language like Python. SIEM 4.0 will be treated like production infrastructure, where system configurations, rules, and playbooks are checked into a version control system (VCS). AI will also make it easier to write and maintain this code with products like GitHub copilot. Similarly, SIEM performance will become more scrutinized by paying close attention to SOC metrics like alert efficacy, volume, and MTTD/R as a key feedback loop into the system's configuration.
Augmenting humans with AI analysts
In SIEM 4.0, AI will take over repetitive Tier 1 tasks such as threat hunting, user confirmation, and other tasks to ensure the reliability of alerts. These tasks will only improve as more powerful models emerge, such as the recent release of OpenAI’s GPT-4o model:
GPT-4o (“o” for “omni”) is a step towards much more natural human-computer interaction. It can respond to audio inputs in as little as 232 milliseconds, with an average of 320 milliseconds, which is similar to human response time in a conversation. - GPT-4o Release
AI tooling like Retrieval-augmented generation (RAG) can also improve the relevance of suggestions and interactions by incorporating information on an organization's threat model into its responses. This will ultimately result in offloading rote tasks from analysts, helping them better sustain high-value work in a highly automated SOC. Human intuition will remain an important element in governing potentially destructive next steps, reinforcing machine learning, and keeping the system in check.
Recap
In this blog post, we covered what the evolution to SIEM 4.0 might look like, characterized by an essentialist approach:
Prioritizing impactful MITRE tactics rather than complete ATT&CK coverage.
Shifting from atomics to risk-based alerts that analyze groups of actions.
Opening up the data lake and introducing new criteria for open data platforms.
Controlling low-quality alerts through the adoption of “as code” principles.
Using AI to automate routine tasks allows humans to focus on high-value work.
