
What is Next-Gen SIEM?

Mark Stone

As organizations struggle to keep up with a rapidly evolving threat landscape and exploding volumes of log data, legacy SIEM (on-premises products and some SaaS offerings) won't cut it anymore.

Even solutions delivered as SaaS were rarely re-architected to take full advantage of the cloud. At their core they are still server-based, so they require significant operational overhead to manage, which limits scalability and drives costs up sharply as data volumes grow.

Why legacy architecture is falling short

Most legacy SIEMs were built to address log management and compliance requirements rather than real-time threat detection and response. As threats have evolved and organizations' attack surfaces have expanded, the core SIEM use case has shifted to threat detection and response, a priority that legacy SIEMs were never designed around.

When you add exploding data volumes to the mix, they simply can’t provide the speed or scale needed for threat detection and response for modern applications and infrastructure.

For security teams, several forces make a next-gen SIEM necessary: the move to the cloud, the explosion of data, and more capable adversaries, to name a few.

As a result, the next-gen SIEM market is growing to meet organizations' demand for better security, simpler compliance management, and faster detection and response to cyberattacks.

Next-gen SIEM defined

Next-generation security information and event management (SIEM) systems can ingest and analyze large volumes of data quickly and efficiently to identify threats. Next-gen SIEMs are designed to provide actionable intelligence that can be used to improve security posture and protect assets. 

At a very high level, the key features that distinguish next-generation SIEMs include the ability to: 

  • Detect anomalous activity across multiple networks and systems
  • Identify malicious actors and their activities
  • Monitor changes in network traffic patterns
  • Ingest terabytes of data quickly and efficiently

The features of a next-gen SIEM platform like Panther

Make no mistake: the features above are the table stakes. But for a modern SIEM to truly address the needs of today’s security team, vendors must tick the following boxes:

  1. Detections-as-code: Security teams need the skills to write elegant, tested, and robust detections. The best next-gen SIEMs use widely accessible languages like Python so that teams can express and maintain the logic that flags attacker behavior, and so that detections can be unit-tested and reviewed like any other code. As attacks grow more complex, the detection platform has to keep pace.
  2. SIEM as a modular data platform: A next-gen SIEM should function as a general security data analytics platform that accommodates multiple streams of detection logic, and should enrich the data it holds by integrating threat intelligence sources.
  3. API access: With automation, security teams can greatly reduce overhead by using code to handle repetitive tasks (notifying users, enriching alerts with context, and other manual analyst workflows). The best next-gen SIEMs must both call out to external APIs and expose their own, so that other systems can communicate with the SIEM to support better workflows. Examples include automatically closing alerts, configuring new inputs, and updating detections. This also lets more experienced security teams build custom automation on top of the rich data and capabilities within the SIEM.
  4. CI/CD integration: Security teams need to write flexible, powerful detections using standard CI/CD workflows, so they get the alerts they need while reducing noise. CI/CD integration complements automation and API access by letting security teams keep detections in source control, where changes are reviewed and tested before deployment.
  5. Advanced alert routing: To complement detections-as-code, routing alerts to the proper queue or the right person helps the security team collaborate with other internal teams and ensures the correct severity is assigned (based on field values in the log). Programmatically adding context to alerts is essential to support intelligent routing, which ensures that the appropriate action and urgency are applied to each finding.
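The detections-as-code, CI/CD, and alert-routing points above, shown together as an added example (this is illustration code, not Panther's own rule format or any vendor's code): a Python detection that fires on AWS root-account API calls in CloudTrail-style events, derives severity from the called API name, picks a destination from that severity, and ships with its own unit tests so a CI job can reject a broken rule before it is deployed. The function names rule/title/severity/destinations follow a common detections-as-code convention and are an assumption here; the destination names are hypothetical, and the events are constructed using CloudTrail's documented field names.

```python
"""Detection-as-code example (added illustration, not a vendor's rule format):
flag AWS root-account API calls in CloudTrail-style events, escalate severity
when the root session performs a write, route by severity, and self-test.

Assumptions: the rule/title/severity/destinations function names follow a
common detections-as-code convention; destination names are hypothetical;
the events below are constructed, using CloudTrail's documented field names.
"""
from typing import Any, Dict, List

# CloudTrail API names beginning with these prefixes are read-only.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def rule(event: Dict[str, Any]) -> bool:
    """Fire on any API call made with root credentials."""
    return event.get("userIdentity", {}).get("type") == "Root"


def is_write_call(event: Dict[str, Any]) -> bool:
    """True unless the API name looks read-only (Describe*/Get*/List*)."""
    return not event.get("eventName", "").startswith(READ_ONLY_PREFIXES)


def severity(event: Dict[str, Any]) -> str:
    """Root performing a write is CRITICAL; read-only root use is MEDIUM."""
    return "CRITICAL" if is_write_call(event) else "MEDIUM"


def title(event: Dict[str, Any]) -> str:
    """Alert title carries the context an analyst needs first."""
    return (f"AWS root account called {event.get('eventName')} "
            f"in {event.get('awsRegion')} from {event.get('sourceIPAddress')}")


def destinations(event: Dict[str, Any]) -> List[str]:
    """Route by severity: page on-call for CRITICAL, otherwise open a ticket.
    Destination names are hypothetical."""
    if severity(event) == "CRITICAL":
        return ["pagerduty-oncall"]
    return ["security-ticket-queue"]


def run(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Evaluate the rule over a batch of events and build routed alerts."""
    return [
        {"title": title(e), "severity": severity(e), "destinations": destinations(e)}
        for e in events
        if rule(e)
    ]


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"eventName": "CreateUser", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "accountId": "111111111111"}},
    {"eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "accountId": "111111111111"}},
    {"eventName": "CreateUser", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
]

# Unit tests shipped with the rule: a CI job runs these and blocks the merge on failure.
UNIT_TESTS = [
    ("root write call alerts as CRITICAL", SAMPLE_EVENTS[0], True, "CRITICAL"),
    ("root read-only call alerts as MEDIUM", SAMPLE_EVENTS[1], True, "MEDIUM"),
    ("IAM user does not trigger", SAMPLE_EVENTS[2], False, None),
]


def run_unit_tests() -> List[str]:
    """Return the names of failing tests; an empty list means the rule passes."""
    failures = []
    for name, event, expect_fire, expect_sev in UNIT_TESTS:
        fired = rule(event)
        if fired != expect_fire or (fired and severity(event) != expect_sev):
            failures.append(name)
    return failures


if __name__ == "__main__":
    failed = run_unit_tests()
    assert not failed, f"detection tests failed: {failed}"
    for alert in run(SAMPLE_EVENTS):
        print(alert["severity"], "->", alert["destinations"], "|", alert["title"])
```

The point of keeping `UNIT_TESTS` next to the rule is that a pull request changing the detection cannot merge unless the expected behavior still holds; the severity and destination functions are where the "depending on the values of the log" routing lives, so a change to `READ_ONLY_PREFIXES` is caught by the read-only test rather than discovered as a missed page.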

Legacy vs. Panther 

As mentioned at the beginning of the article, traditional or legacy SIEM platforms have not kept pace with the demands of today’s mushrooming cloud workloads. With legacy SIEM, security teams struggle with poor performance, exorbitant licensing costs, and heavy operational burdens. The results: friction, rigidity, and excessive effort. 

Let’s break down the comparison using seven criteria: data ingestion, log aggregation, threat detection, investigation speed, detection fidelity, licensing costs, and operational costs. 

Data ingestion

Next-gen SIEM allows for effortless ingestion with built-in integrations for dozens of high-priority data sources and easy data mapping for custom log sources. With legacy SIEM, security teams must take on overhead to build and maintain a log-ingestion pipeline, with manual effort required each time a new log source must be added. 

Log aggregation 

Next-gen SIEM enables you to gain full security visibility by collecting, normalizing, and storing all security-relevant data in a cost-effective and high-performance data lake. Legacy SIEM, however, forces you to tolerate undue risk by picking and choosing which logs to ingest just to manage cost and performance. 

Threat detection

With next-gen SIEM, you can detect threats in real-time by analyzing logs as they are ingested, giving you the fastest possible time to detection. On the other hand, delaying detections until data is at rest is common for legacy SIEM, which only extends the time that attackers have to pivot and exfiltrate data.

Investigation speed (performance)

Next-gen SIEM provides answers quickly: you can run queries over terabytes of data in minutes instead of hours or days. Cost-effective storage matters here too, so that data can be retained for a year or more to support investigations without breaking the bank. Otherwise you are left managing cold versus hot storage tiers just to make older data queryable during an investigation.

Detection fidelity

With Next-gen SIEM, you can write flexible, powerful detections using Python and leverage standard CI/CD workflows to give you the noise-free alerts you need. Why accept the limitations of legacy SIEM, with proprietary detection languages that make writing, testing and maintaining complex detections challenging and inefficient?

Licensing cost

Next-gen SIEM reduces SIEM costs dramatically and boasts lightning-fast query speeds with an efficient, highly scalable serverless architecture. With legacy SIEM, organizations typically pay skyrocketing costs to keep up with cloud app data and maintain expensive legacy server-based architecture.

Operational cost

With little or no infrastructure to operate, next-gen SIEM lets security teams focus on security instead of spending time and energy on infrastructure management, system administration, DevOps, and capacity planning.

A cloud-native approach to SIEM

Panther’s next-gen platform takes an entirely different, novel approach to solving the problems of threat detection and response. While Panther could be considered a next-gen SIEM, a key differentiator for the platform is that it is fully cloud-native. 

Panther enables organizations to move security from an ad hoc process to one in which software development principles (source control, code review, testing, and continuous delivery) are applied to detection. Supporting that kind of workflow is what sets Panther apart.

At the end of the day, Panther solves the same problems that a SIEM solves, but with far less friction, cost, and effort. Whereas Next-gen SIEM can be considered a tool, Panther is a true threat detection platform, because it allows you to construct workflows that are unique to your organization.

Why security teams are moving to Panther

The “everything-as-code” evolution is bringing developer-centric approaches to security operations. Modern security teams want to operate more like software development teams and want tools built to embrace continuous development workflows.

With Panther’s serverless approach to threat detection and response, your security team can detect threats in real-time by analyzing logs as they are ingested, giving you the fastest possible time to detection. You’ll also craft high-fidelity detections in Python and leverage standard CI/CD workflows for creating, testing, and updating detections.

Want to learn more? You can check out the differences between Panther and traditional SIEMs, or book a demo to find out why Panther is loved by cloud-first security teams.