Security monitoring and detection is a critical element of having a secure environment. You need visibility into what is happening on your network, so you can respond to all kinds of attacks, exploits, anomalies, or insider activity. In an attempt to gain such visibility, organizations often purchase an expensive Security Incident and Event Management (SIEM) system where they can point their logs and run some alerting rules. As a result, they hopefully find attacks and data breaches based on the SIEM assessment. Unfortunately, every organization that purchases a SIEM discovers that detecting attacks and breaches is much more difficult than it sounds.
Some of the largest companies can make SIEMs somewhat functional, because of their well-funded and well-staffed security teams. For the rest, getting adequate value from a stand-alone SIEM is nearly impossible. The only way to maximize your threat detection investment is by implementing a Managed Security Service Provider with an effective MDR solution to support your threat detection with procedures, staff, analytics, and automation.
Here are 4 Inherent Problems with SIEMs:
The Data Problem
The Alert Problem
The “Right Question” Problem
The People Problem
The Data Problem
Arguably the biggest problem with simply implementing a SIEM is the amount of data being fed into it. Organizations are producing more data than ever, and every device is producing logs. Average-sized companies are generating millions of logs per day that need to be sent to the SIEM for both log storage and analysis. A SIEM simply cannot process and analyze all that data to find the data breach, so it quietly removes data from the analysis of your network. In addition, SIEM solution pricing is based on the number of logs, and most companies cannot afford the fluctuating usage costs, so they tend to prevent some devices from reporting and miss out on precious system-wide visibility. The data problem is also the underlying issue for the next three SIEM problems.
The Alert Problem
One of the best and most common strategies for finding the proverbial “needle in the haystack” data breach is creating alert rules. Any standard SIEM system is going to come pre-loaded with standard alerts that will fire once you have the system set up and the right logs flowing in. But the alert problem is really twofold: an issue of quality and an issue of quantity.
Most pre-loaded alerts are a mix of high and low fidelity. However, they are not holistic in finding most threats, they often do not correlate with each other (i.e. tie seemingly disparate events together to identify a real threat), and they rarely perform behavioral analysis, where they baseline normal behaviors over time and alert when behavior is anomalous. This leaves significant gaps in breach detection.
The other issue with alerts is one of volume. With so many logs being generated and so much activity performed across the enterprise on the network, thousands to hundreds of thousands of alerts are going to be generated. For average-sized security teams, it is nearly impossible to triage all of them, even if they are already classified as critical, high, moderate, or low. Just the number of daily critical and high alerts is often too much for a team to even read through.
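The quality and quantity issues described above can be seen side by side in a small sketch. This is an added example, not code from the original article or from any SIEM product: it runs a fixed-threshold rule and a per-account behavioral baseline over constructed failed-login counts, and the account names, thresholds and function names are all assumptions.

```python
from statistics import mean, pstdev

# Constructed sample data: failed logins per account per day (14-day history).
HISTORY = {
    "svc-backup": [44, 47, 41, 45, 43, 46, 42, 44, 45, 43, 47, 44, 42, 46],
    "alice":      [0, 1, 0, 0, 1, 0, 0, 2, 0, 1, 0, 0, 1, 0],
    "bob":        [2, 3, 1, 2, 4, 2, 3, 2, 1, 3, 2, 2, 3, 2],
}
TODAY = {"svc-backup": 45, "alice": 8, "bob": 3}

STATIC_THRESHOLD = 10  # hypothetical generic rule: >= 10 failures per day
Z_THRESHOLD = 3.0      # alert when today is 3+ deviations above normal
MIN_STDEV = 1.0        # floor so near-constant accounts don't alert on +1


def static_alerts(today, threshold=STATIC_THRESHOLD):
    """Generic rule: the same fixed threshold for every account."""
    return sorted(a for a, n in today.items() if n >= threshold)


def static_alert_volume(history, threshold=STATIC_THRESHOLD):
    """How many alerts the fixed rule would have raised over the history."""
    return sum(1 for days in history.values() for n in days if n >= threshold)


def baseline_alerts(history, today, z=Z_THRESHOLD, min_stdev=MIN_STDEV):
    """Behavioral rule: compare each account with its own past behavior."""
    alerts = []
    for account, count in today.items():
        past = history.get(account)
        if not past:
            alerts.append((account, None))  # no baseline yet: surface it
            continue
        sigma = max(pstdev(past), min_stdev)
        score = (count - mean(past)) / sigma
        if score >= z:
            alerts.append((account, round(score, 1)))
    return sorted(alerts, key=lambda a: a[0])


if __name__ == "__main__":
    print("static rule today:   ", static_alerts(TODAY))
    print("static rule, 14 days:", static_alert_volume(HISTORY), "alerts")
    print("baseline rule today: ", baseline_alerts(HISTORY, TODAY))
```

On this data the fixed rule fires every day on the noisy service account and never on the account whose failures jumped well above its own normal, while the baseline rule does the reverse.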
The “Right Question” Problem
Clearly, then, the problem is that the alerts are too generic and are not asking the right questions. There is not really one “right” question that we need to ask of the data, but we need to be able to determine what alerts will provide the best information, have a process for building and implementing them, and be moving to a point where the system can evolve to advanced analytics and machine learning. The system needs to be constantly tuned and improved so that the right questions are being asked of the data and you can home in on the threats that are most relevant. For the most part, only you can determine what the right questions are. SIEMs lack the ability to come up with new questions and query the data to find what they don’t already know.
The People Problem
This leads to arguably the biggest challenge: people. There is too much data to sift through, too many alerts being generated, and too much tuning and development that needs to be done, and not enough people to do it all well. As alluded to at the beginning, most organizations have a fairly small team and do not have the bandwidth to do all of this. They bring in a SIEM to help give them visibility and assign one of their security engineers to be responsible for it and respond to alerts. However, that engineer also has many other tasks to perform on a day-to-day basis. The reality is that getting any value from a SIEM by itself is a full-time job, and that is just to get through the alerts.
It also takes a wide range of expertise to get your money’s worth from a SIEM. There are a variety of alerts being generated, focused on the network, assets, and users. One engineer may be an expert on network activities, but a novice on user activity. Others are needed to provide development support for building analytics, dashboards, metrics, etc. There is simply too much to do for a team of people, yet most companies that purchase SIEMs plan to have one person work on it for a small percentage of their time. This low staffing reality makes the expensive SIEM tool ineffective and of little use to the organization.
As you may imagine, setting up and supporting your own SIEM or threat detection solution can be very expensive. To overcome this challenge, organizations are increasingly outsourcing their threat detection to a managed security service provider (MSSP) that already has the infrastructure, defined processes, and staff in place to ensure that your logs are being processed efficiently and that alerts are both minimizing false positives and asking the right questions of the data (and I should add, any good MSSP – like how we operate at SOD – will work closely with you to understand your environment and make sure they know what you need to know and are asking the right questions).
Additionally, great MSSPs will integrate threat intelligence and threat hunting, allow you to see and view your own data and alerts, and continually improve their analytics, correlation, and technology. By partnering with an MSSP, you get a fully managed, tuned, and staffed threat detection solution that goes far beyond basic SIEM capabilities. In addition, many MDR solutions include behavioral analytics and advanced log analysis, and some have anomaly detection that can find the unknown threats in your environment. To ensure proper coverage, we recommend that your Managed Security Service Provider has a 24×7 Security Operations Center with round-the-clock threat monitoring that incorporates multiple people, different skill sets, and continuous improvements in alert and analytic development. Security Operations Centers can provide you with even more value if they integrate with threat intelligence, threat hunting, incident response and vulnerability management capabilities.
The reality is that buying and implementing a SIEM by itself will not solve your security monitoring and detection problems. Yes, there is some value provided, but rarely will that value be worth the money and time you are spending on it. Implementing holistic managed security solutions with effective security operations is critical if you are serious about detecting attacks and decreasing the impact of a data breach on your network. Working with an MSSP is a great option for controlling costs and receiving all the functionality you need.
About Security On-Demand
Security On-Demand (SOD) provides full-spectrum threat management and advanced cyber threat detection services for hundreds of businesses and government agencies globally. SOD’s patented, behavioral-analytics ThreatWatch technology enables the detection of advanced threats to protect brand value and reduce the risk and mitigate the impact of a data breach. SOD is headquartered in San Diego, CA with international R&D offices and a Security Operation Center in Warsaw, Poland.