State of SIEM: A Look at 2021 Ransomware Attacks and 2022’s Promise

Industry insiders and commentators are highlighting 2022 as the year when cybersecurity comes home.

State of SIEM: A Look at 2021 Ransomware Attacks and 2022’s Promise
Photo by Mohammad Rahmani on Unsplash

In 2021, more than a few cybercrimes made headlines from around the world.

In May 2021, Colonial Pipeline was hit by a ransomware attack, causing the US government to declare and temporarily alter logistical regulations across the nation.

In that same month, the services of the Irish Health Service Executive were also locked up and held for ransom.

In July 2021, the REvil ransomware crew hit over 1000 businesses, locking them out of their IT systems after exploiting their service provider.

And, let’s not forget the ongoing Log4j vulnerability debacle which could become one of the biggest security vulnerabilities in history.

Unfortunately, the list goes on, with major ransomware attacks having occurred almost every month. Even outside of the news, it was recently estimated that up to 60% of all organizations have experienced one or more cyber attacks in the past two years.

The outlook for 2022 isn't much rosier. With hackers becoming more daring and organized, we can likely expect headline breaking hacks to once again occur throughout the calendar year. It's only left to be seen whether the latest targets will be major corporations, government bodies, small businesses, or even the Fifa World Cup.

Fortunately, not everything in the IT sector is doom and gloom. If anything, the rise in cyber attacks has also showcased the need for Security Information and Event Management (SIEM) solutions and chief information security officers (CISOs) to report directly to company CEOs.

What SIEM trends can we expect to see in 2022?

In many ways, industry insiders and commentators are highlighting 2022 as the year when cybersecurity comes home. In light of the increasing threats and vulnerabilities, organizations will need to invest in solutions to secure their data and platforms (which is increasingly important as many organizations currently employ remote or hybrid working policies for their employees).

Until now, thousands of mid-tier enterprises have struggled to justify investing in cohesive cybersecurity resources and platforms. However, with the increased urgency and demand, we are likely to see a jump in developments from the SIEM providers' side.

Automation has been a key component of successful solutions and likely, in the near future, we will see a wider rollout of AI-driven automation to augment human actions and keep pace with the ever-changing variables of cybercrime. As such, automation will continue to be one of the biggest drivers.

So, why automation? Here are four reasons why we foresee automation playing a greater role in security moving forward:

  1. Information overload: Many organizations struggle to effectively manage high volumes of security alerts. Automation alleviates much of this burden and frees up resources within the organization.
  2. Bigger attacks: As cyber threats increase in size, we will be seeing the emergence of more specialized players and startups to tackle specific potential vulnerabilities. The more SIEMs compete in the security space with other solutions, the vendors will turn in a greater number of solutions to integrate both bother and legacy SIEMs. As more decentralization means more misconfigurations, organizations will need solid solutions to ensure their components are well orchestrated.
  3. Ongoing talent crunch: While notorious, the industry is collaborating on various fronts to fill the gap. Nevertheless, the problem needs to be addressed on multiple fronts. While the talent gap is widening, automation is the short-term fix. It also helps prevent burnout among the scarce pool available.
  4. Emergence of XDR: One of the biggest challenges of SIEM has been the time it takes to deploy, hence the reason we saw a huge surge in XDR offerings from all leading security companies:

i. Crowdstrike acquired Humino for $400 million to offer its XDR services.

ii. Cybereason XDR launched in November 2020 and also acquired Empow.

iii. McAfee MVision XDR debuted in October.

iv. Microsoft Defender 365.

v. Palo Alto Cortex XDR.

vi. Sentinel Singularity Platform, acquired cloud-native data analytics platform Scalyr for $155 million.

And, the list goes on (and on that topic, we will be covering the State of XDR and automation in a future blog).

In effect, what we are likely to see is more decoupling rather than unification in this sector. As a recent Forbes article suggested, the next step will likely involve seeing analysis tools built on top of SIEM data platforms, giving companies the tools to focus on more scalable solutions.

What does this mean for the ecosystem?

As the attack surface grows, we will see businesses build cybersecurity into business products and processes, and SIEM will continue to play its critical role. However, it would be critical for every security application to integrate with the major SIEMs. In addition to established SIEM providers like Splunk, Exabeam, Sumo Logic, QRadar, LogRhythm, and Microsoft, we are also seeing the emergence of cloud-native SIEM providers like Devo and Chronicle by Google.

Metron has experience integrating SIEMs with multiple security platforms. If you are considering any custom solution, please send a note to connect@metronlabs.com.