Microsoft Sentinel – History of SIEM
Last Updated: 02/10/2024
Microsoft Sentinel is the relatively new kid on the block when it comes to SIEM. SIEM has been around for a few decades now. Let’s look at the history of SIEM.
The concept of SIEM emerged in the 1990s, stemming from the need for organisations to centralise logs from various sources so they could be analysed and correlated for suspicious activity.
First gen SIEMs started appearing in the 2000s, and these solutions focused on log collection and storage, allowing an organisation to centralise security events from different sources. They provided basic reporting and search capabilities, enabling security analysts to investigate security incidents more effectively.
As the threat landscape evolved and cyber-attacks became more sophisticated, SIEM solutions began to evolve too. Second-gen SIEM solutions introduced real-time event correlation and analysis, using rule-based engines and pattern matching to surface potential security incidents to analysts.
Because they could now analyse large volumes of logs, SIEM solutions began to integrate additional functionality such as vulnerability management and user activity monitoring. This gave organisations a more thorough understanding of their security posture and allowed them to be more proactive in identifying vulnerabilities.
The next issue was the amount of data that security solutions and services were generating, which quickly caused scalability challenges for the SIEM solutions of the time. The volume of data generated by networks, applications and endpoints grew exponentially, especially with the introduction of EDR and NDR technologies. To address this, third-gen SIEM solutions emerged, leveraging technologies like machine learning and cloud computing. This provided a more scalable solution with robust analytics and anomaly detection.
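To make the two detection styles described above concrete, here is a small added example (not code from Microsoft Sentinel or from this post) in Python. The first part is a second-gen style correlation rule: a fixed threshold and time window that fire when a source produces repeated authentication failures and then a success. The second part is a third-gen style statistical anomaly check: a per-host event volume compared against its own recent baseline using a z-score. The log lines, the daily counts, the field names, the threshold of 5 failures in 60 seconds and the z-score cut-off of 3.0 are all constructed assumptions for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import statistics

# Constructed sample authentication log (not from any real system): a burst of
# failures from one source followed by a success, plus unrelated noise.
SAMPLE_LOG = """\
2024-02-10T09:00:01 host=web01 user=alice src=10.0.0.5 result=failure
2024-02-10T09:00:04 host=web01 user=alice src=10.0.0.5 result=failure
2024-02-10T09:00:07 host=web01 user=alice src=10.0.0.5 result=failure
2024-02-10T09:00:09 host=web01 user=alice src=10.0.0.5 result=failure
2024-02-10T09:00:12 host=web01 user=alice src=10.0.0.5 result=failure
2024-02-10T09:00:15 host=web01 user=alice src=10.0.0.5 result=success
2024-02-10T09:01:00 host=web02 user=bob src=10.0.0.9 result=success
2024-02-10T09:02:30 host=web02 user=bob src=10.0.0.9 result=failure
"""

# Constructed daily event counts per host (assumed baseline data): the last
# value for web01 is a sudden spike; web02 is steady.
DAILY_EVENT_COUNTS = {
    "web01": [1010, 990, 1005, 1002, 995, 1000, 4800],
    "web02": [500, 510, 495, 505, 498, 502, 507],
}


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def brute_force_then_success(events, threshold=5, window=timedelta(seconds=60)):
    """Second-gen style correlation rule (thresholds are assumptions).

    Alert when a source has produced at least `threshold` failures within
    `window` and its next event inside that window is a success.
    """
    recent_failures = defaultdict(deque)  # src -> timestamps of failures in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        queue = recent_failures[ev["src"]]
        # Drop failures that have aged out of the correlation window.
        while queue and ev["ts"] - queue[0] > window:
            queue.popleft()
        if ev["result"] == "failure":
            queue.append(ev["ts"])
        elif ev["result"] == "success" and len(queue) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success",
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(queue),
                "ts": ev["ts"],
            })
            queue.clear()  # avoid re-alerting on the same burst
    return alerts


def volume_anomalies(daily_counts, z_threshold=3.0):
    """Third-gen style baseline anomaly check (z-score cut-off is an assumption).

    For each host, compare the most recent count with the mean and sample
    standard deviation of the earlier counts; flag it if the z-score exceeds
    the threshold.
    """
    findings = []
    for host, counts in daily_counts.items():
        history, latest = counts[:-1], counts[-1]
        if len(history) < 2:
            continue  # not enough baseline to judge
        mean = statistics.mean(history)
        stdev = statistics.stdev(history)
        if stdev == 0:
            z = float("inf") if latest != mean else 0.0
        else:
            z = (latest - mean) / stdev
        if abs(z) > z_threshold:
            findings.append({"host": host, "latest": latest, "z": round(z, 1)})
    return findings


if __name__ == "__main__":
    for alert in brute_force_then_success(parse_events(SAMPLE_LOG)):
        print("RULE ALERT:", alert)
    for finding in volume_anomalies(DAILY_EVENT_COUNTS):
        print("ANOMALY:", finding)
```

The rule in the first function is cheap and explainable, which is why this style still dominates analytic rules today, but it only finds what someone thought to write a rule for. The baseline check in the second function needs no prior knowledge of the attack pattern, at the cost of needing enough history per entity and a sensible threshold, which is the trade-off the third-gen "analytics and anomaly detection" capability is about.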
Today, SIEM solutions play a vital role in an organisation's security strategy, as they allow for proactive threat detection and security incident response. However, the biggest challenge right now is the skills gap. Having a SIEM solution alone will not give an organisation its desired response capability; the people and process elements are required to ensure that security incidents are investigated, qualified and responded to. Many organisations are looking toward managed services or a Managed SOC to provide this service and deliver the desired response capability to threats.
Whilst not a full history, this should summarise the evolution of SIEM, from its beginnings as a simple log aggregator for analysts to the integrated security platform capable of response that we see today in the likes of Microsoft Sentinel.