Maksim Kabakou - Fotolia

Security Think Tank: SIEM and AI – a match made in heaven?

Artificial intelligence and machine learning techniques are said to hold great promise in security, enabling organisations to operate an IT predictive security stance and automate reactive measures when needed. Is this perception accurate, or is the importance of automation gravely overestimated?

Information security event management (SIEM) and artificial intelligence (AI) – a marriage made in heaven or just more industry sales hype?

The truth, of course, is that security and system/application event correlation systems have been around for quite a long time and in 2005 the term SIEM was promoted by analyst firm Gartner.

So are the analytics available in SIEM products akin to AI, or is AI just analytics rebranded for sales purposes? If you do an internet search, you’ll find more than a few SIEM products and, without trying too hard, I found 16 from the the usual suspects such as Splunk, LogRhythm, McAfee, Solarwinds, Nagios and others, with some even claiming AI capabilities

SIEM product analytics correlate events from different sources gathered over a relative short period of time (typically hours and days, not months, quarters or years) and, when compared with an infrastructure’s baseline, will output a prioritised alert should set thresholds be exceeded.

SIEM products will also generate a variety of daily and weekly reports and it can take upwards of a month to six weeks to bed down and tune a new SIEM system in order to establish an infrastructure’s baseline.

This, in effect, is setting up the system to tune out the noise of normal operation and, over time, it may be necessary to undertake some retuning of a SIEM system, particularly if there have been upgrades or other changes to a company’s IT infrastructure.

Part of SIEM tuning is the adjustment of system event logging. This includes the establishment of what needs to be logged by each system or process in an IT infrastructure and then setting the required Syslog parameters. SIEM solutions are certainly not fit and forget.   

Gartner coined another new term, artificial intelligence for IT operations, or AIOPs, in 2016. This represents systems that store event information being gathered over a long period of time, perhaps years, in a database and then applying analytics to that data.

What these analytics can do is to adjust the infrastructure baseline and adjust alerting thresholds over time, as well as automatically undertake some remedial actions based on correlated events.

A valuable feature of using big data is the ability to detect very slow or stealth activities on a network that would otherwise be missed or be dismissed as a one-off. By detecting these slow or stealth activities, a security team is in the position of being able to take action before a major security incident occurs.

Read more about AI in security

So, is an AI/AIOPs-enabled SIEM system a valuable tool for a company’s security team?  The answer depends on a number of factors, including the size of the company, the complexity of a company’s IT infrastructure and the value of its data.

For companies with a relatively small and/or simple IT infrastructure, the cost of an AI-enabled SIEM would probably be prohibitive while offering little or no advantage when coupled with good security hygiene, and there is a good range of SIEM products to choose from, some of which are open source. 

For an enterprise with a large and complex IT infrastructure, the cost of an AI-enabled SIEM might well be justified, but beware the snake oil salesman and undertake a detailed evaluation of the products available. SIEM products and many of their suppliers have been around for a long time and their capabilities have not stood still.

Basic security hygiene should not be ignored, nor should the effort to adjust Syslog logging parameters across the entire IT infrastructure, because it is easy to be swamped by Syslog events.

Read more on IT risk management