If you Google “SIEM Content Engineer,” “SIEM Threat Content Engineer,” or “SIEM Content Developer,” you will see a bunch of ads, job listings and very little other content. I believe this is because the concept is new, and it appears SIEM Content Engineer is emerging as a new job title that HR departments in large companies have latched onto for a role/job that, in reality, has been around for years.
For at least a decade, Anton Chuvakin of Gartner has been discussing SIEM roles and responsibilities. This new term is likely to set off even more discussion.
SIEM Content Engineer Role & Responsibilities
The SIEM Content Engineer role seems to be defined with quite a range of responsibilities, according to the job listings I reviewed. Here are some samples plucked from researching the term and checking out jobs:
- Analyzing, designing, developing and delivering solutions to stop adversaries
- Identifying threats
- Incident response
- Risk reviews
- Vulnerability management
- Event monitoring, including log management and SIEM
- Defining how logs should be parsed
- Writing new correlation rules
- Coordinating and conducting event collection, log management, event management, compliance automation, and identity monitoring activities
- Writing custom active lists, queries, and rules
- Care and content of SIEM platforms
- Developing custom content based on threat intelligence
- Ensure SIEM technologies are integrated & utilized to protect cyber related assets
The qualifications that were required varied quite a bit, most desiring a technical college degree and hands-on experience with SIEM. Some were quite specific, including things like knowledge of basic networking protocols and addressing schemes, e.g., TCP/IP functions, CIDR blocks, subnets, addressing, communications, etc.
Do All SIEMs Require SIEM Content Engineers?
SIEM is one of the core capabilities of AlienVault’s Unified Security Management (USM) platform. And yet, despite having worked at AlienVault for four years now, this title “SIEM Content Engineer” was totally foreign to me.
I was curious about this new buzzworthy job title, so I asked my colleagues if they were familiar with it. One of my colleagues in Product Marketing who had worked for/with other SIEM vendors in the past was aware of the job title. He explained to me that even now, legacy SIEM products aren’t ready “out of the box” – they are far from a quick implementation. In order to function well, those SIEMs often require a dedicated team, or at least one person, to solely focus on writing custom correlation rules and queries. It seems as though those big, custom data analytics solutions still require quite a bit of human intelligence and effort to work properly.
For example, it can be tricky for IT security practitioners to integrate emerging threat intelligence with the SIEM correlation engine so a SIEM Content Engineer may be required. I’m going to have to brag about AlienVault a bit, as the AlienVault Labs Security Research Team handles 100 percent of that task for USM users. In addition to other research methods and sources, this team analyzes and validates the shared threat data in the Open Threat Exchange (OTX), which is contributed by a global, collaborative community of threat researchers and practitioners. Basically, with USM, you get the power of a dedicated labs team as well as a growing community of security researchers and practitioners. As new threats emerge, our security researchers write and update SIEM correlation rules, which are delivered automatically and regularly to USM.
The reason AlienVault can send SIEM content and correlation rules out from a centralized place is not because we have better researchers or care more, it is because we control the underlying technology. Most other SIEMs come with default content and correlation rules, which are useless because they aren’t aware of what data is coming from the environment. Since our product includes our intrusion detection, asset discovery, vulnerability assessment, and behavioral monitoring in one cloud platform, we can make more effective correlation rules that are applicable across our environment. We have the advantage of knowing where the data is coming from, letting us write correlation rules that will work out of the box. USM also eliminates the work of integrating and maintaining multiple point security products (crossing that off the to-do list of the SIEM Content Engineer job description.)
What’s the Alternative to SIEM Content Engineers?
Well, somebody still has to run that SIEM. The term we hear more often at AlienVault is Security Operations Center (SOC) which may be one person in a smaller company or a lean team within a larger organization. The SOC is typically thought of as more of a daily security operations team, one that monitors and responds to threats from across multiple security technologies, not only the alerts raised in a SIEM. This aligns better with the security visibility that USM provides.
SOC duties are more like this:
- Setting up your security monitoring tools to receive raw security-relevant data (e.g. login/logoff events, persistent outbound data transfers, firewall allows/denies, etc.). This includes making sure your critical cloud and on-premises infrastructure (firewall, database server, file server, domain controller, DNS, email, web, active directory, etc.) are all sending their logs to your log management, log analytics, or SIEM tool.
- To use these tools to find suspicious or malicious activity by analyzing alerts; investigating indicators of compromise (IOCs like file hashes, IP addresses, domains, etc.); reviewing and editing event correlation rules; performing triage on these alerts by determining their criticality and scope of impact; evaluating attribution and adversary details; sharing your findings with the threat intelligence community; etc.
I remember working on an early SIEM product at eSecurity in 2001 when we were struggling with the definition of SIEM. We have come a long way, but it appears SIEM isn’t the only technology we need to achieve better threat detection in typical company environments. In fact, the old standalone SIEMs create a whole lot of work and may only be suitable in very large environments wherein heavy customization and an integration effort with other necessary technologies and ongoing threat intelligence integration is affordable. Contrast that with newer SIEMs that are not just SIEMs but provide a unified solution that includes critical security capabilities and features that are easier to deploy and manage with fewer staffing requirements and enable faster threat detection and incident response. So jobs like "SIEM Content Engineer" could soon be a thing of the past for all but the largest enterprises and governments. My theory is, as with mainframe computers, there is a place for technologies like legacy SIEM systems in the future. The rest of us will take a more pragmatic approach.