
Why SIEM Matters: Interview with Simon Howe

An in-depth discussion on the evolution of Security Information and Event Management, behavioural analytics, and the future of threat detection.

Security Information and Event Management (SIEM) services are a key part of any modern business. Computer systems are talkative things: the applications and devices on a network exchange thousands of messages every day, and each of them leaves a trace.

Log files are the record of this activity, and they contain a wealth of information that is essential for understanding what is happening across an organisation's digital environment. Next-Generation SIEM analytics have transformed how organisations process and interpret this data, moving from simple log aggregation to sophisticated real-time analysis. Cloud computing has been instrumental in this transformation, providing the processing power and storage capacity needed to analyse the vast volumes of data that modern networks generate. Many organisations now rely on Unified Threat Management (UTM) packages that combine multiple security functions into a single platform, but the SIEM layer provides the intelligence that ties everything together.

How SIEM is Evolving

To explore the evolution of SIEM and where it is heading, Jonathan Sharrock sat down with Alastair Miller from Spark NZ and Simon Howe from LogRhythm for an in-depth conversation.

Jonathan Sharrock: SIEM has come a long way from being a single pane of glass for log management. How would you describe the evolution of SIEM over the past decade?

Simon Howe: The evolution has been dramatic. SIEM started as a way to aggregate logs in one place so that analysts could search through them. That was valuable, but it was essentially a reactive tool — you had to know what you were looking for. The next generation of SIEM moved into advanced analytics, where the platform itself is identifying patterns and anomalies that a human analyst might miss. Real-time monitoring and alerting became the standard, and the platforms became far more capable of correlating events across different systems and data sources.

Alastair Miller: I would add that the shift from simple visibility to automation and orchestration has been one of the most significant changes. Early SIEM was about giving you a view of what was happening. Modern SIEM is about taking action. When a threat is detected, the platform can trigger automated countermeasures — quarantining infected users, blocking malicious IP addresses, isolating compromised systems — all without waiting for a human to make a decision.

Jonathan Sharrock: That level of automation raises an interesting question about affordability. A full security operations centre has traditionally been something only the largest organisations could afford. Has SIEM changed that?

Simon Howe: Absolutely. The automation capabilities of modern SIEM platforms are essentially taking work off the analyst. Instead of an analyst manually reviewing thousands of alerts, the SIEM uses playbooks to handle the routine cases automatically and escalates only the events that genuinely require human judgement. This means you can run an effective SOC with a smaller team, which fundamentally changes the economics of security operations.

Alastair Miller: Playbooks have been transformative. They codify the knowledge and decision-making processes of experienced analysts into automated workflows. When a specific type of alert fires, the playbook defines exactly what steps should be taken — what additional data to gather, what systems to check, what actions to take. This consistency and speed of response is something that manual processes simply cannot match.

Behavioural Analytics and AI

Jonathan Sharrock: Behavioural analytics seems to be a major area of advancement. Can you explain how this works in practice?

Simon Howe: Behavioural analytics is particularly important for detecting two categories of threat that traditional signature-based detection struggles with: insider behaviour-based attacks and zero-day attacks. With insider threats, you are not looking for known malware or known attack signatures — you are looking for a legitimate user behaving in an unusual way. Behavioural analytics works by building a baseline of normal behaviour for each user and then identifying deviations from that baseline.

Alastair Miller: One of the powerful techniques is comparing a user's behaviour to their peers. If an accountant suddenly starts accessing engineering documents at 2am, that is anomalous compared to both their own historical behaviour and the behaviour of other users in the same role. The system can flag this without needing a specific rule or signature — it understands what normal looks like and alerts on the abnormal.

Simon Howe: Cloud computing power has been essential for making this practical. Analysing large datasets to build behavioural profiles and detect anomalies in real time requires significant computational resources. The availability of cloud-based processing has made it possible to run these analytics at scale, which in turn has dramatically reduced false positives. The more data the system has to work with, the more accurately it can distinguish between genuinely suspicious activity and harmless variations in normal behaviour.

Jonathan Sharrock: Where does artificial intelligence fit into this picture?

Simon Howe: AI and machine learning are the engine behind modern behavioural analytics. There are two main approaches: supervised learning, where the system is trained on labelled datasets of known good and known bad behaviour, and unsupervised learning, where the system identifies patterns and anomalies without pre-existing labels. Both have their place. Supervised learning is excellent for detecting known categories of threat with high accuracy. Unsupervised learning is better at finding the unknown unknowns — the novel attack techniques that have not been seen before.
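To make the two comparisons described in this section concrete, the following Python snippet is an added example (not code from the interview, LogRhythm or Spark NZ). It builds per-user and per-role baselines of access hours and resource categories from a constructed access log, then flags a new event only when it deviates from both the user's own history and that of peers in the same role. The log entries, user names, roles and resource categories are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed baseline access log: (ISO timestamp, user, role, resource category)
BASELINE_LOG = [
    ("2024-03-01T09:12:00", "alice", "accounting", "finance"),
    ("2024-03-01T10:40:00", "alice", "accounting", "finance"),
    ("2024-03-02T14:05:00", "alice", "accounting", "hr"),
    ("2024-03-01T09:30:00", "bob", "accounting", "finance"),
    ("2024-03-02T11:00:00", "bob", "accounting", "finance"),
    ("2024-03-01T08:50:00", "carol", "engineering", "engineering"),
    ("2024-03-01T22:10:00", "carol", "engineering", "engineering"),
]


def build_profiles(log):
    """Baseline per user and per role: which resource categories were
    touched and at which hours of the day."""
    users = defaultdict(lambda: {"resources": set(), "hours": set()})
    roles = defaultdict(lambda: {"resources": set(), "hours": set()})
    for ts, user, role, resource in log:
        hour = datetime.fromisoformat(ts).hour
        for profile in (users[user], roles[role]):
            profile["resources"].add(resource)
            profile["hours"].add(hour)
    return users, roles


def score_event(event, users, roles):
    """Return the reasons an event deviates (empty list means normal). A deviation
    counts only if it is unusual for BOTH the user's own history and the peer group."""
    ts, user, role, resource = event
    hour = datetime.fromisoformat(ts).hour
    own, peers = users[user], roles[role]
    reasons = []
    if resource not in own["resources"] and resource not in peers["resources"]:
        reasons.append(f"resource '{resource}' unseen for user and role")
    if hour not in own["hours"] and hour not in peers["hours"]:
        reasons.append(f"hour {hour:02d} outside user and role pattern")
    return reasons


def detect(baseline_log, new_events):
    """Score each new event against profiles built from the baseline window."""
    users, roles = build_profiles(baseline_log)
    flagged = {}
    for event in new_events:
        reasons = score_event(event, users, roles)
        if reasons:
            flagged[event] = reasons
    return flagged
```

An accountant reaching engineering documents at 02:00 is flagged on both counts, while the same accountant working at 11:00, an hour her own history lacks but a peer in the same role shows, is not, which is the peer comparison Miller describes.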

Deployment and Value

Jonathan Sharrock: For organisations considering a SIEM deployment, what does the process look like and when can they expect to see value?

Simon Howe: The deployment cycle for a modern SIEM is typically three to five days for the initial technical setup — getting the platform installed, connecting data sources, and establishing basic monitoring. However, you should expect roughly a month before you start seeing real value. That initial period is when the system is ingesting data, building baselines, and tuning its analytics to your specific environment.

Alastair Miller: I would strongly recommend defining your use cases before deployment. What are the specific threats and risks you are most concerned about? What compliance requirements do you need to meet? Starting with clear use cases ensures that the deployment is focused on delivering the outcomes that matter most to your organisation, rather than trying to monitor everything at once.

Simon Howe: Compliance-related requirements are often a primary driver. Organisations subject to PCI DSS for payment card security, or ISO 27000 series for information security management, have specific logging and monitoring requirements that a SIEM can address directly. Having these requirements mapped out before deployment streamlines the process significantly.

Compliance and the Future

Jonathan Sharrock: How are regulatory changes driving SIEM adoption?

Simon Howe: Regulatory pressure has been a significant driver. The Notifiable Data Breaches (NDB) scheme in Australia, the Privacy Act, and the GDPR in Europe have all created legal obligations around data protection and breach notification that make robust monitoring essential. If you cannot detect a breach, you cannot notify regulators within the required timeframes. SIEM provides the detection and evidence-gathering capabilities that these regulations demand.

Alastair Miller: The major security frameworks — NIST, ISO, PCI — are increasingly being built into SIEM platforms as pre-configured compliance modules. This means organisations can deploy a SIEM and immediately start generating reports against these frameworks, rather than having to manually map their logging and monitoring to each set of requirements.

Simon Howe: Looking to the future, we will see more sophisticated analytics, driven by increasing cloud computing capacity and the refinement of behavioural and heuristic analytics. AI and machine learning will continue to accelerate, making threat detection faster and more accurate. The platforms will become more autonomous, handling an increasing proportion of incident response without human intervention, while still escalating the complex and ambiguous cases that require human judgement.

Interview conducted by Jonathan Sharrock, Cyber Citadel.