By Matt Moore
Security information and event management (SIEM) products and services have been a major tool in the business world’s cybersecurity arsenal for about a decade and a half. SIEMs – available as local, cloud-based or hybrid platforms – can be used to collect, correlate, and analyze security alerts when a company uses multiple cybersecurity tools. But while some SIEMs can now detect attacks using machine learning, they are only as good as the tools, events, and security data they ingest.
SIEMs are used primarily to collect data, but they still require care and maintenance. Some companies may buy a SIEM, install it, and then move on to other things. But SIEMs are not a set-it-and-forget-it product; they are not turnkey purchases. In today’s cybersecurity landscape, they require human intervention. Companies need to continue to invest in the product and reconfigure it as attacks evolve and change.
To get the best use of a SIEM, companies need a comprehensive security landscape, including endpoint and network security, firewalls, access control solutions, and data loss prevention tools.
A noisy tool
When working with companies wanting to optimize their security landscape, I often see a handful of issues after an organization installs a new SIEM product.
The first challenge that companies face is the amount of information that the product generates, specifically the sheer number of security alerts or events. A SIEM at a large organization can generate dozens, or even hundreds, of security alerts each day, and those alerts need to be analyzed and quickly addressed by the organization’s security team.
In some cases, after an organization implements a new SIEM, its security team is drowning in information and looking for outside help. Vendors often explain the basics of what the product can do, but they don’t always talk about the amount of data SIEMs can generate. Simply put, SIEMs are noisy out of the box.
On top of being noisy, SIEMs are functionally complex, especially for new users. Modern SIEMs can have an expansive list of features, and they also include many pre-canned use cases and rules that can be turned on. But it requires a certain level of understanding and experience to decide what functionality to turn on and what to leave switched off.
Then, once an organization has turned a SIEM on – assuming, of course, that it has installed the product correctly and has onboarded all the right logs, sources, and hosts – the security team has to decide what to do with that information. And now, we’re back to the issue of noise.
A building full of data
In some ways, owning a SIEM is like owning a massive library full of thousands of books. The library contains tons of information, but if the owner doesn’t have a system for reading all of those books or finding the right one, the information in them isn’t useful.
When a SIEM is generating over 500 alerts a day, it’s critical to have a triage plan in place. A huge element of successfully implementing a SIEM is about the organization figuring out if it has the ability to consume all the data generated.
In some cases, organizations are hiring massive numbers of people to manage their SIEMs, while others are looking to managed service providers or consultancy agencies to help them make sense of the firehose of data coming at them.
Expert help is available
For a lot of companies, an outside management service may make sense. It remains difficult to hire and keep top-notch cybersecurity professionals because of high demand and skills shortages, and in many cases, companies may not be able to hire fast enough to keep up with the ever-growing number of threats and the expanding amount of data to protect.
In some cases, building out the internal cybersecurity team may make sense, depending on the needs and the goals of the company. Whether developing an in-house team or working with a service provider, it’s important to understand that a SIEM alone is not a silver bullet. A full view of the threat landscape, backed by threat intelligence and an incident response plan already in place, is key to a strong and holistic approach to cybersecurity operations.
There’s help on the horizon in terms of automation as well. Some vendors are making progress toward using automated playbooks to help filter SIEM-generated alerts and using artificial intelligence to blend threat intelligence and other capabilities into a nested SIEM environment, with certain responses automated. Even with these important advances in automation, SIEMs still require significant human attention.
The bottom line? SIEMs are great at what they do, but they don’t do everything that an organization will need to keep its data and networks safe. Companies looking to add a SIEM to their cybersecurity environment should be aware of its strengths, and its limits.