ABSTRACT

Security information and event management (SIEM) is a technology used for security incident response and threat detection through real-time acquisition and historical analysis of security events from a broad spectrum of contextual data sources. In fact, this technology is an intersection of two closely related technologies coined security event management (SEM) and security information management (SIM). Nowadays, many organizations find themselves at a distinct disadvantage when it comes to keeping their data safe and secure. As threats grow smarter and stealthier, attack surfaces grow larger and more difficult to defend. After deploying a SIEM, SIEM analysts monitor user activity, avert data breaches, identify the root cause of security incidents, mitigate sophisticated cyber-attacks, and therefore help an organization meet its regulatory compliance requirements.

Also, various hosts log security events but have no built-in incident detection features. These hosts can only observe events and produce audit log entries, rather than analysing the log entries to identify signs of suspicious activity. In such a case, a SIEM has the capability to correlate events across many hosts. It gathers events from different hosts, sees an attack whose parts were observed separately by distinct hosts, and then reassembles the sequence of events to determine whether the attack succeeded or not. Thus, SIEM plays a vital role in improving the next-generation quality of data management in an organization against security attacks.
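An added illustration of the cross-host correlation described above (example code written for this summary, not taken from the chapter): three constructed hosts each log one fragment of a single SSH brute-force attempt, and the correlator reassembles the fragments by source IP to decide whether the attack only probed or ended in a successful login. Hostnames, addresses, the failure threshold and the time window are assumed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from three hosts (not real data). Each host
# only records what it saw; none of them can detect the attack on its own.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01 fw01 DENY src=203.0.113.5 dst=10.0.0.7 port=22",
    "2024-03-01T10:00:05 web01 sshd: Failed password for admin from 203.0.113.5",
    "2024-03-01T10:00:09 web01 sshd: Failed password for admin from 203.0.113.5",
    "2024-03-01T10:00:14 web01 sshd: Failed password for admin from 203.0.113.5",
    "2024-03-01T10:01:30 db01 sshd: Accepted password for admin from 203.0.113.5",
    "2024-03-01T10:05:00 web01 sshd: Failed password for bob from 198.51.100.9",
]

def parse(line):
    """Split a log line into (timestamp, host, message)."""
    ts, host, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, msg

def source_ip(msg):
    """Firewall lines carry src=..., sshd lines end with 'from <ip>'."""
    for token in msg.split():
        if token.startswith("src="):
            return token[4:]
    return msg.rsplit(" from ", 1)[1] if " from " in msg else None

def correlate(lines, min_failures=3, window=timedelta(minutes=10)):
    """Group events by source IP across all hosts and classify each source
    that crossed the failure threshold as 'attempted' or 'successful'."""
    by_src = defaultdict(list)
    for line in lines:
        ts, host, msg = parse(line)
        ip = source_ip(msg)
        if ip:
            by_src[ip].append((ts, host, msg))
    verdicts = {}
    for ip, events in by_src.items():
        events.sort()
        failures = [t for t, _, m in events if "Failed password" in m]
        if len(failures) < min_failures:
            continue  # below threshold: not enough evidence to reassemble
        first_fail = failures[0]
        # A success on ANY host within the window completes the sequence.
        success_hosts = [h for t, h, m in events if "Accepted password" in m
                         and first_fail <= t <= first_fail + window]
        verdicts[ip] = {"hosts": sorted({h for _, h, _ in events}),
                        "outcome": "successful" if success_hosts else "attempted",
                        "succeeded_on": success_hosts}
    return verdicts
```

Running `correlate(SAMPLE_LOGS)` flags 203.0.113.5 as a successful attack spanning fw01, web01 and db01, while the single failure from 198.51.100.9 stays below the threshold and produces no alert.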

Although traditional SIEM performs well at detecting vulnerabilities in cybersecurity, it has some limitations, as follows:

- Because it collects all data about security events, correlating those events becomes hard; it depends on particular events and logs to detect certain threats; it is unable to monitor raw security events as they occur throughout the organization; and it fails to control noise because it does not discriminate between useful and useless logs.

- It does not operate like other security controls such as firewalls, antivirus programs, intrusion detection systems (IDS), and intrusion prevention systems (IPS).

- It is designed to use log data as recorded by other software tools.

- Accidental misconfiguration can happen in several ways.

- Collecting, storing, and analyzing security events are demanding tasks that often require considerable money and a good deal of time.

- It is very slow to process events and cannot reach 100% target achievement.

- Legacy SIEM systems cannot keep up with the rate at which security events need to be examined.

- It relies on rules to parse all logged data, so it produces false-positive alerts that add annoying noise to the otherwise quiet, working environment of an enterprise.

- SIEMs do not have log management capabilities.

While many organizations have procured SIEMs, most are not properly configured or managed, and the above-mentioned limitations are often cited as the main reasons for not deriving benefit from them. In this chapter, and looking ahead, everything is headed toward cognitive innovation. Deep learning (DL) can be used to combine data from structured data sources with natural language, which is also what organizations want. DL technology has gained success in the field of cybersecurity and has overcome limitations of SIEM-based vulnerability detection in cybersecurity.

In this chapter, we will present and discuss basic solutions for solving cybersecurity issues through deep learning technique–based SIEM. When a well-configured SIEM is paired with DL, it becomes even more effective and adds significant value by reducing the number of false positives and the noise, which makes security analysts more productive in the security environment. The goal of adding DL to a SIEM is to reduce the time needed to establish a baseline and tune alerting without requiring highly experienced staff.