On-Demand Webinar

The Future State of SIEMs — Part 3 (“The How”)

Future SIEM

Detection Strategies

If you have read Part 1 and Part 2 of this series, you are ready to learn how the revolution should happen in the SIEM and the surrounding SOC stack, so that relevant, high-efficacy, ready-to-deploy content streams into the SIEM and produces highly actionable alerts, which in turn lead to high rates of automation in downstream systems. This is not an evolutionary “how”; it introduces a new paradigm that not only makes highly accurate detection content available to SOCs, increasing the rate of orchestration and automation, but also future-proofs SOCs against both the changing threat landscape and changes in security architecture, because they will no longer be centrally dependent on a single SIEM.

There are several key elements in this new Content Platform architecture, including a content repository and frameworks, but the most important is the capability to empower security experts to build the necessary content (that is, detection logic) without needing to be tool experts or code developers. Such a flexible, code-less, UI wizard-driven content builder uses content objects that have already passed through the frameworks and are ready to be linked together into high-efficacy scenario detections, which result in fewer but more accurate, actionable alerts for SOC teams to triage.

This architecture is underpinned by a secure collaboration channel that lets SOC teams collaborate with one another, both internally within the SOC and, optionally, externally with peers in other enterprises. Collaboration is possible at the code level, where actual code is exchanged, or at the comments and best-practice level, which consists of more free-form text exchanges. Code-level exchanges are only possible because of the standardization frameworks embedded in this architecture.

This concise description of the next-gen SOC content platform architecture is imperative: it will split the monolithic SIEM stack so that content is no longer part of the SIEM. Instead, content will be supplied by the framework-led, collaborative content platform, which in the future will serve all enterprise rules engines, such as a central SIEM, several micro data lakes, and endpoints.

White Paper
June 23, 2020
