Security monitoring and detection is a critical element of having a secure environment. It gives you visibility into what is happening on your network; without it you are blind to all kinds of attacks, exploits, anomalies, or insider activity. In an attempt to gain such visibility, enterprises often go out and purchase a high-priced SIEM system that they can then point their logs to, run some alerting rules against, and hopefully find attacks and data breaches. Unfortunately, discovering attacks and breaches is harder than it sounds.
With the exception of a few of the largest companies with well-funded and well-staffed security teams, it is almost impossible to adequately get value from a stand-alone SIEM. If you really want to maximize your SIEM return on investment, you need to implement security operations in which your SIEM is the technology anchor that is supported by procedures, staff, analytics, and automation.
The Data Problem
Arguably the biggest problem with simply implementing a SIEM is the amount of data being fed into it. Organizations are producing more data than ever and every device is producing logs. Average-sized companies are generating over a billion logs per day that need to be sent to the SIEM for both log storage and analysis. It is simply too much data to sift through to find the data breach that is quietly siphoning data off your network. It is this data problem that really underscores the other three problems with relying on a standard SIEM solution.
The Alert Problem
One of the best and most common strategies for finding the proverbial “needle in the haystack” data breach is creating alert rules. Any standard SIEM system is going to come pre-loaded with standard alerts that will fire once you have the system set up and the right logs flowing in. But the alert problem is really twofold – an issue of quality and an issue of quantity.
Most pre-loaded alerts are a mix of high and low fidelity. However, they are not holistic in finding most threats, they often do not correlate with each other (i.e. tie seemingly disparate events together to identify a real threat), and they rarely perform behavioral analysis, where normal behavior is baselined over time and an alert fires when behavior is anomalous. This leaves significant gaps in breach detection.
The other issue with alerts is one of volume. With that many logs being generated and the amount of activity performed across the enterprise network, thousands to hundreds of thousands of alerts are going to be generated. For average-sized security teams, it is near impossible to triage all of them, even if they are already classified as critical, high, moderate, or low. Just the number of critical and high alerts alone is often too much to get through.
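To make the quality-versus-quantity point concrete, here is an added example (not code from the original post or from Security On-Demand) that runs three styles of rule over a handful of constructed authentication events: a pre-loaded "one alert per failed login" rule, a correlation rule that ties repeated failures to a following success from the same source, and a behavioral baseline that learns each user's usual login hours. The event fields, thresholds and window are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): (timestamp, user, source, outcome)
EVENTS = [
    ("2024-01-08 09:02:11", "alice", "10.0.0.5", "success"),
    ("2024-01-09 09:15:40", "alice", "10.0.0.5", "success"),
    ("2024-01-10 08:58:03", "alice", "10.0.0.5", "success"),
    ("2024-01-11 02:31:09", "alice", "10.0.0.5", "success"),      # outside her usual hours
    ("2024-01-11 03:10:00", "bob", "198.51.100.7", "failure"),
    ("2024-01-11 03:10:05", "bob", "198.51.100.7", "failure"),
    ("2024-01-11 03:10:09", "bob", "198.51.100.7", "failure"),
    ("2024-01-11 03:10:20", "bob", "198.51.100.7", "success"),     # failures then success
    ("2024-01-11 10:00:00", "carol", "10.0.0.9", "failure"),       # a lone mistyped password
]

def parse(events):
    """Turn the string timestamps into datetimes and sort chronologically."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), u, s, o) for ts, u, s, o in events)

def naive_failed_login_alerts(events):
    """Pre-loaded style rule: one alert for every failed login. High volume, low fidelity."""
    return [e for e in parse(events) if e[3] == "failure"]

def correlated_bruteforce_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation: at least `threshold` failures from one source followed by a success within `window`."""
    alerts, recent = [], defaultdict(list)          # recent: source -> timestamps of recent failures
    for ts, user, src, outcome in parse(events):
        recent[src] = [t for t in recent[src] if ts - t <= window]   # drop failures outside the window
        if outcome == "failure":
            recent[src].append(ts)
        elif len(recent[src]) >= threshold:
            alerts.append((ts, user, src, len(recent[src])))
            recent[src].clear()
    return alerts

def baseline_hour_alerts(events, min_history=3):
    """Behavioral baseline: learn each user's usual login hours, flag a success at an unseen hour."""
    alerts, seen = [], defaultdict(Counter)         # seen: user -> Counter of login hours
    for ts, user, src, outcome in parse(events):
        if outcome != "success":
            continue
        if sum(seen[user].values()) >= min_history and ts.hour not in seen[user]:
            alerts.append((ts, user, src, sorted(seen[user])))
        seen[user][ts.hour] += 1                    # the event still updates the baseline
    return alerts
```

Run over the same nine events, the naive rule produces four alerts (three of them for one incident plus one for a typo), while the correlation and baseline rules each produce a single, higher-fidelity alert.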
The “Right Question” Problem
Clearly, then, the problem is that the alerts are too generic and are not asking the right questions. There is not really one “right” question that we need to ask of the data; rather, we need to be able to determine which alerts will provide the best information, have a process for building and implementing them, and be moving toward a point where the system can evolve to advanced analytics and machine learning. The system needs to be constantly tuned and improved so that the right questions are being asked of the data and you can home in on the threats that are most relevant. For the most part, only you can determine what the right questions are.
The People Problem
All of that leads to arguably the biggest challenge: people. There is too much data to sift through, too many alerts being generated, and too much tuning and development that needs to be done and not enough people to do it all well. As alluded to at the beginning, most organizations have a fairly small team and do not have the bandwidth to do all of this. They bring in a SIEM to help give them visibility and assign one of their security engineers to be responsible for it and respond to alerts. However, that engineer also has many other tasks to perform on a day-to-day basis. The reality is that getting any value from a SIEM by itself is a full-time job in and of itself and that is just to get through the alerts.
It also takes a wide range of expertise to get your money’s worth from a SIEM. There are a variety of alerts being generated focused on the network, assets, and users. One engineer may be an expert on network activities, but a novice on user activity. Others are needed to provide development support for building analytics, dashboards, metrics, etc. There is simply too much to do for a single person, let alone for one or more working on it for a small percentage of their time.
The best way to overcome this is to adopt and invest in security operations. Security operations is a process that incorporates multiple people, different skill sets, and continuous improvement in alert and analytic development. Security operations functions much like a network operations center. It provides 24-hour coverage, integrates with threat intelligence, threat hunting, incident response and vulnerability management, and has the responsibility for detecting threats quickly and launching mitigation when necessary.
As you may imagine, doing this in house can be very expensive. It is increasingly popular for organizations to outsource this function to a managed security service provider (MSSP). This is highly advantageous, as the costs are considerably lower than building your own security operations center (SOC). MSSPs have the infrastructure, defined processes, and staff in place that ensure your logs are being processed efficiently and that alerts both minimize false positives and ask the right questions of the data (and I should add, any good MSSP – like how we operate at SOD – will work closely with you to understand your environment and make sure they know what you need to know and are asking the right questions). Additionally, great MSSPs will integrate threat intelligence and threat hunting, allow you to see and view your own data and alerts, and continually improve their analytics, correlation, and technology.
The reality is that buying and implementing a SIEM by itself will not solve your security monitoring and detection problems. Yes, there is some value that is provided, but rarely will that value be worth the money you are spending on it. Implementing holistic security operations is critical if you are serious about detecting attacks and decreasing the impact of a data breach on your network. Working with an MSSP is a great option for controlling costs and receiving all the functionality you need. More often than not, it is a much better approach than building a SOC in house.
About Security On-Demand
Security On-Demand is an industry pioneer and recognized innovator within the managed security space. We are leading the industry in threat detection through behavioral analytics and machine learning.