It’s no secret that implementing, operating and deriving business value from a SIEM is difficult. Service providers love to promote FUD (fear, uncertainty and doubt), making baseless claims of inevitable failure in order to sign a prospect to a service contract that may not be necessary. Like many things in life, it’s not always black or white; there are many shades of grey in between.
During the research phase of our recent service launch of esLOG, I sorted through a mountain of statistics on the successes and shortcomings of SIEM adopters. One thing became clear: certain factors lead to varying levels of success and failure from a security point of view. Let’s start with the lay of the land to better understand these factors. According to Ponemon’s SIEM challenges report:
What does this mean? A SIEM is important, but less than half of adopters are actually deriving value from it. What’s causing the disparity? Further research painted a clear picture of the risk factors that have the greatest correlative effect on success:
Let’s look at these at a high level to understand their context to the bigger picture.
Digital transformation is pushing visibility requirements well beyond the traditional perimeter. On-premises, cloud, or somewhere in between, most organizations are somewhere on the spectrum of hybrid IT transformation. In a recent study[2], SIEM users ranked greater visibility of network traffic as the second greatest challenge. While the section on visibility could continue for pages, two points emerge that organizations must take into consideration:
When it comes to dedicated personnel for SIEM administration and maintenance, Ponemon’s study found that 43 percent of organizations have less than one person, 36 percent have one person and only 22 percent have more than one. Interestingly, the third and fourth most common responses in the same study were that more staff were needed to optimize the SIEM, understand the data and remove complexity. Organizations on average report that they need 40 percent more security personnel. Unfortunately, when it comes to the allocation of SIEM investments, 33 percent of costs are attributed to human capital. For most organizations, understaffing is a contributing factor to the satisfaction gap. If you are limited by headcount restrictions, do not assume existing personnel can take on a challenge of this magnitude; many enterprise-sized organizations dedicate five or more people to continuous SIEM maintenance. If that worries you, look to augment until you have the in-house capability.
According to Ponemon, the most important feature ranked by SIEM users today is detection of threats through advanced analytics, and the third most important feature is correlation of events into single incidents. While many SIEMs come pre-built with big data analytics, machine learning, UBA, etc., the challenge of parsing data and configuring rules, alerts, etc. remains. Modern SIEM solutions were designed to look for known actions that are indicators of compromise, but they are not effective at detecting the unknown. This is partly because SIEM solutions are adept at handling traditional log data but not other data types such as network packets, threat intelligence, asset context and endpoint data, which often provide greater detective visibility when correlated with data from a SIEM. If your organization lacks these capabilities, this could be an augmentation area.
In another Ponemon study, enterprise organizations reported that on average their SIEMs produced 17,000 alerts on a daily basis, while their IR teams could only investigate four percent of them. That’s 16,320 incidents per day that were marked as potentially malicious or in violation of policy and then ignored. SOC and IR teams are usually understaffed and overwhelmed, and chasing false positives consumes precious time while trying to find a needle in the haystack. For SIEM users this problem ranks as the second and third priorities to remedy in the next 12 months, as organizations seek to automate the manual tasks that consume SOC and IR teams and to increase the accuracy of security events. This factor can become the biggest contributor to the SIEM satisfaction gap: detecting and alerting on events is one thing, but the ability to quickly investigate and remediate is ultimately the difference between a blip on the radar and a business-disrupting event.
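The two factors above (correlating events into single incidents, and the alert volume an IR team can actually investigate) are illustrated by this added example, which is not part of the original post or of esLOG. It groups constructed SIEM alerts by asset into incidents when they fall within a correlation window of the previous alert on that host, counts repeated rule hits instead of surfacing each one, and ranks the resulting incidents by accumulated severity; the 30-minute window, the severity scores and the alert format are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (not real SIEM output):
# (timestamp, rule name, host, user, severity). "-" means no user in the alert.
RAW_ALERTS = [
    ("2024-01-10T08:00:01", "failed_login", "host-a", "alice", "medium"),
    ("2024-01-10T08:00:03", "failed_login", "host-a", "alice", "medium"),
    ("2024-01-10T08:00:05", "failed_login", "host-a", "alice", "medium"),
    ("2024-01-10T08:01:10", "new_admin_account", "host-a", "alice", "high"),
    ("2024-01-10T08:30:00", "port_scan", "host-b", "-", "low"),
    ("2024-01-10T09:45:00", "port_scan", "host-b", "-", "low"),
    ("2024-01-10T11:00:00", "failed_login", "host-c", "bob", "medium"),
]

# Assumed severity weights; a real deployment would tune these per rule.
SEVERITY_SCORE = {"low": 1, "medium": 3, "high": 7}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def correlate(alerts, window=WINDOW):
    """Group alerts into incidents per host: an alert joins the host's open
    incident if it arrives within `window` of that incident's last alert,
    otherwise it opens a new incident. Returns incidents ranked by score."""
    incidents = []
    open_by_host = {}
    for ts, rule, host, user, sev in sorted(alerts):
        t = datetime.fromisoformat(ts)
        inc = open_by_host.get(host)
        if inc is None or t - inc["last"] > window:
            inc = {"host": host, "first": t, "last": t, "users": set(),
                   "rules": {}, "score": 0}
            incidents.append(inc)
            open_by_host[host] = inc
        inc["last"] = t
        inc["users"].add(user)
        # Deduplicate: count repeated rule hits rather than queueing each one.
        inc["rules"][rule] = inc["rules"].get(rule, 0) + 1
        inc["score"] += SEVERITY_SCORE[sev]
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def triage_summary(alerts, window=WINDOW):
    """Show how many items an analyst must look at after correlation,
    and which incident to open first."""
    incidents = correlate(alerts, window)
    return {"alerts": len(alerts), "incidents": len(incidents),
            "top_host": incidents[0]["host"], "top_score": incidents[0]["score"]}
```

Seven raw alerts collapse into four incidents, and the host-a incident (three failed logins followed by a new admin account) ranks first, which is the kind of reduction and prioritization that lets a small IR team investigate more than four percent of what the SIEM emits.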
While these four factors are not the only influencers that affect success, they each have major implications for decision making by current and potential SIEM adopters. Many organizations have the resources and capabilities to meet these challenges, as evidenced by the 48 percent of respondents in the Ponemon SIEM Optimization study who said they are satisfied, but there remains a gap that must be addressed for the other 52 percent. Otherwise, organizations put themselves at additional risk.
For some, this means using managed SIEM providers to augment staffing. For others, it could mean outsourcing to an MSSP for staffing, management and alerting, or to an MDR provider to augment visibility, staffing, management and advanced detection and response. Wherever you are in your journey, look at your capabilities and ask yourself where you sit and which capabilities you would need to augment to derive the most value if you were to adopt a SIEM right now. Measuring against these factors will help set your expectations and your roadmap for future success.
[1] Ponemon Institute: Challenges to Achieving SIEM Optimization, March 2017
[2] Ponemon Institute: Challenges to Achieving SIEM Optimization, March 2017
[3] Ponemon Institute: Challenges to Achieving SIEM Optimization, March 2017
[4] Ponemon Institute: Cost of Malware Containment Study