LogSentinel’s vision is to provide a security monitoring solution to any organization that needs it and thus reduce its risk of security breaches. That vision requires many innovations, and here we’re sharing our high-level roadmap for the next 2 years. Each part of the LogSentinel SIEM roadmap is accompanied by a detailed list of stories in our backlog so that it can be easily brought to market.
Our roadmap focuses on 5 main pillars: 360-degree security monitoring, AI-based self-healing, more built-in content, security orchestration and automation, and managed service friendliness.
360-degree security monitoring
SIEM has recently been challenged as being too narrow in terms of the value it delivers. As a result, vendors (ourselves included) have bundled much more functionality, including UEBA, network traffic analysis and security automation. But that’s still not enough.
We see the SIEM of the future as an all-in-one, 360-degree security monitoring platform, with built-in vulnerability scanning, endpoint monitoring and protection, website monitoring, infrastructure monitoring, darknet monitoring, intrusion detection, phishing detection, leaked credential monitoring (we already have the last couple of items). In other words, anything that can be monitored in a security context should be an integral part of the product.
Why not simply aggregate the results of other products that already do these things? Well, we already do that. And while this is certainly a good option for a large enterprise, mid-market companies and SMEs can’t cope with procuring, managing and maintaining a few dozen security tools. They buy an office suite, not separate applications for documents, presentations and spreadsheets – why should they be burdened with navigating the complex space of cybersecurity?
Such a unified security monitoring platform will greatly simplify the security monitoring landscape and, as a result, deliver more value and improved security for a large number of organizations.
AI-based self-healing
So far we have refrained from actively marketing our machine learning anomaly detection as “AI”, even though in many cases throughout the industry “AI” is just a linear regression. But we envision actual specialized AI for cybersecurity that goes beyond classification and categorization tasks.
We plan to build an automated response system that allows us to make the customer infrastructure self-healing – in case of threats, vulnerabilities or incidents, we’ll have our agent go and fix things proactively without prior scripting or instructions. This would address the shortage of trained security people and let them focus on implementing security policies rather than chasing alerts.
We have already done a preliminary assessment, reviewed the scientific literature and started prototyping. Why would such a system be part of a SIEM? Because the SIEM already has access to all the systems it monitors and can detect the events that would lead to an intervention – blocking, suspending, restarting, upgrading, patching, etc. It makes sense to extend those capabilities with automated decisions. That’s the natural extension of, and next frontier for, SOAR, which provides playbooks/scripts for what to do in certain scenarios.
More built-in content
Built-in content is never enough – we plan to add more correlation rules to the existing several hundred, more pre-built reports, more standard saved searches, more threat intelligence sources, more ready-to-use connectors.
This has to be done with the clear understanding that more content increases complexity for organizations that rarely need all of it, so it will be kept easy to navigate and use.
Security orchestration and automation
AI self-healing, like any AI and machine learning solution, can never be a solution to everything. Self-driving cars would still require occasional human intervention (for repair, towing, troubleshooting, maintenance). This is why we’ll continue to focus on our orchestration and automation functionality, by providing a built-in case management system and workflows and by extending our current automated response capabilities to more 3rd party systems (e.g. next-gen firewalls, CASB proxies, etc.).
The same argument holds as with 360-degree monitoring – yes, we integrate with existing ticketing and orchestration systems, but everything becomes simpler (and for smaller organizations – better) if it’s bundled together.
Managed service friendliness
Managed detection and response will continue to rise as a way for smaller enterprises to solve their security problems. That’s why we want to power managed security service providers with the best tool for that job, aligned with our vision to provide security for every organization, directly or indirectly.
We’ll work on making our multi-tenant and white-labelled deployment easier and more customizable, and on providing improved managed-service reporting functionality (i.e. how the managed service provider performed its duties), as managed service customers often want to see how their provider is coping with the threat landscape.
The LogSentinel SIEM roadmap is focused on our vision, but it is also driven by requests from our partners and customers. We have been able to efficiently balance these two in order to quickly provide what partners and customers demand today while working towards how we want to see the security monitoring landscape tomorrow.
We started with cryptographic innovations in log integrity and log privacy and plan to continue pushing forward – not for the sake of innovation itself, but for the sake of delivering better security for every organization, large and small, that is increasingly under threat.
Bozhidar Bozhanov is a senior software engineer and solution architect with 15 years of experience in the software industry. Bozhidar has been a speaker at numerous conferences and is among the popular bloggers and influencers in the technical field. He is also a former government advisor on e-government, transparency and information security.