Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

08:03 PM

Next Generation Of SIEMs? Ease Of Use, Analyze More Data

Companies looking for better SIEM tools do not require more technology, but systems that can quickly become operational and useful

The next generation of security information and event management (SIEM) systems will inevitably include new features, but security companies are currently focused on solving their customers' problems in managing and operating the current crop of products.

While SIEM systems have been around for more than decade, companies continue to have trouble deploying and maintaining the systems. More than half of businesses need at least a pair of full-time analysts to operate the systems, while 44 percent required more than a few weeks to deploy their SIEM systems, according to a survey by security management firm EiQ Networks.

Those problems have made creating an easy-to-use SIEM system the most requested feature for the future, says Nicole Pauls, director of product management for IT management firm SolarWinds.

"We are trying to adapt to an evolving threat space, and it does not require that we cobble together new tools," she says. "What it really requires is that we make the tools better, so we can adapt to the threat space faster."

With security experts recommending that companies continuously monitor their networks to gain better visibility into potential threats, more businesses are considering SIEM systems or have already embarked on network-monitoring projects. No wonder: The deployment of security-intelligence systems continues to be the top strategy for reducing the costs of a breach, correlating with a $4 million reduction in breach costs, according to the Ponemon Institute's Cost of Cybercrime study released this month.

Yet SIEM deployments are difficult. The complexity of integrating a variety of different data feeds requires knowledgeable security analysts. Add to that the problems in getting all of the necessary stakeholders in a company to cooperate, and plenty of SIEM projects have stalled, says Mark Nicolett, managing vice president of network security for business intelligence firm Gartner. Unfortunately, vendors typically tow a marketing line of easy deployment, rather than frankly discuss the difficulties of deploying the analysis environment.

"I don't think it is possible to ask the vendor the right set of questions to determine how difficult the deployment is going to be," Nicolett says, adding that -- without easier deployments -- adding more features is a nonstarter. "It is all fun to talk about what is coming next, but if it is not operational useful, who cares?"

[A high rate of false positives is a problem that affects many types of security systems, but a few proactive steps can help cut them down to size. See 3 Steps To Keep Down Security's False-Positive Workload.]

While the marketing lines for most security intelligence product makers may not change, executives know they must tame the unruly learning curves of their SIEM products or risk falling behind in the market.

"There is still a lot of the vision of SIEM that has yet to be realized -- things like behavioral analysis and better correlation of events," SolarWinds' Paul says. "We need to give customers better analysis out of the box."

To deliver better analysis, SIEM vendors and service providers are aiming to allow companies to easily incorporate more data, threat-intelligence feeds, and other information into the SIEM systems. Yet the products also have to take into account the context of the data and the risks that a company faces, says Vijay Basani, president and CEO of EiQ Networks, a security management services provider.

"We can take gobs of data and spit out lots of information, but we don't know what is important for your company," he says. "I think that is going to change very dramatically. Approaches like focusing on best practices will help companies focus on the right questions."

A large part of the move to incorporating more data in future SIEM offerings is pairing the appliances and services with a threat-intelligence feed. A number of vendors have launched threat information sharing exchanges and forums where security experts can work together on the analysis. AlienVault has the Open Threat Exchange, CyberSquared has developed Threat Connect, and HP recently announced Threat Central. The services combine malware analysis and open-source intelligence tools with social networking and crowdsourced analysis to create a virtual space for learning about the latest threats.

Whether Balkanized analysis environments will deliver the features needed to fuel better SIEM products is another question. Eric Schou, director of product marketing for enterprise security products at HP, believes the crowdsourced model will work because it gives each participant more value than they typically put in.

"If there isn't that value, and if they don't feel like it improves their security posture, then they won't take part," Schou says.

Yet the crowdsourced model and a mountain of threat data may not improve the effectiveness of SIEMs, warns Gartner's Nicolett. More data is not necessarily a good thing when you cannot even properly analyze what you have, he says.

"We are not suffering from a lack of data," Nicolett says. "We are suffering from a lack of intelligence in analyzing it."

If next-generation products can deliver that combination of intelligence and usability, only then will companies benefit.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Apprentice
10/21/2013 | 12:28:10 PM
re: Next Generation Of SIEMs? Ease Of Use, Analyze More Data
From someone that has lived and worked in the trenches, I agree with Robert. SIEMs are complicated beasts. They capture data from multiple devices so the person setting up the rules needs to understand the relationship between databases, networks, web servers, load balancers, firewalls, AD, etc.... The biggest problem I've seen is training. Companies will purchase a nice vehicle to move a company forward and then won't pay to teach one of two employees how to drive it. Then when it crashes, blame the IT group.

Even if the SIEM is just capturing the data, a company has made progress. The forensic and troubleshooting capabilities are significant. There have been several times when I've solved issues by going to an "unused SIEM" or logging device. For what to correlate, the SANS Institute has written several papers on what to look for.

Jeff Jones
Abacus Solutions
User Rank: Apprentice
10/21/2013 | 11:09:31 PM
re: Next Generation Of SIEMs? Ease Of Use, Analyze More Data
You'd think after this long in the market, SIEMs would have become easier to use. Although, as the story notes, the marketing line with SIEMS has always been the opposite.
User Rank: Apprentice
10/22/2013 | 8:42:50 PM
re: Next Generation Of SIEMs? Ease Of Use, Analyze More Data
I don't think I want a plug and play SIEM solution. The complexity of all the interconnected parts in unique environments is not something that I am comfortable with a SIEM understanding. It is important that someone in the organization understand how these pieces work together whether a SIEM is implemented or not.

A SIEM solution is a TOOL. It makes the job easier, but it's still a hard job. Knowledge is still required. They used computers in 1969 to put a man on the moon. The people designing the systems and working at mission control still had to know the pieces and parts. They still had to know what they were doing.

The problem is that most people want to purchase a solution that they can install and forget. A SIEM takes care and feeding on a regular basis. A properly installed and configured SIEM requires tuning regularly. However, most SIEM implementations I've seen have had the proverbial "kitchen sink" worth of logs thrown at them day one or week one. It takes time to do this properly. You have to add one feed at a time and spend some time getting to know it and tuning it, then move on to the next log feed.

I believe you could make the argument that anyone wanting a plug a play SIEM should outsource their security operations. The fact of the matter is that real, effective security requires knowledgeable, dedicated, warm bodies. Most organizations are unwilling to accept that.
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-24
A vulnerability in agent program of HelpU remote control solution could allow an authenticated remote attacker to execute arbitrary commands This vulnerability is due to insufficient input santization when communicating customer process.
PUBLISHED: 2021-06-24
A smart STB product of ZTE is impacted by a permission and access control vulnerability. Due to insufficient protection of system application, attackers could use this vulnerability to tamper with the system desktop and affect system customization functions. This affects: ZXV10 B860H V5.0, V83011303...
PUBLISHED: 2021-06-24
In OpenEMR, versions 5.0.0 to are vulnerable to weak password requirements as it does not enforce a maximum password length limit. If a malicious user is aware of the first 72 characters of the victim user’s password, he can leverage it to an account takeover.
PUBLISHED: 2021-06-24
A vulnerability in the system Service Menu component of Avaya Aura Experience Portal may allow URL Redirection to any untrusted site through a crafted attack. Affected versions include 7.0 through 7.2.3 (without hotfix) and 8.0.0 (without hotfix).
PUBLISHED: 2021-06-24
Stored XSS injection vulnerabilities were discovered in the Avaya Aura Experience Portal Web management which could allow an authenticated user to potentially disclose sensitive information. Affected versions include 7.0 through 7.2.3 (without hotfix) and 8.0.0 (without hotfix).