7 SIEM Situations That Can Sack Security Teams
SIEMs are considered an important tool for incident response, yet a large swath of users find seven major problems when working with SIEMs.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt02e444272be9b749/64f0d7251c68871ff443a1b9/Page-1.jpg?width=700&auto=webp&quality=80&disable=upscale)
Infosec professionals working with security information and event management (SIEM) systems may find themselves in a love-hate relationship: they love the concept of the SIEM's incident response capabilities, but hate the fistful of problems and surprises that come with it, according to a presentation this week at the ISC(2) Security Congress convention in Austin, Texas.
More than half of SIEM users are displeased with the intelligence they glean from the technology, according to a presentation by Cyphort, which sponsored a SIEM survey by the Ponemon Institute and one from Osterman Research. Both surveys collectively represented nearly 1,000 enterprise SIEM users, says Franklyn Jones, Cyphort's chief marketing officer, who gave the presentation.
Here are seven major problems SIEM users face, according to Cyphort's presentation, along with solutions offered in interviews with Dark Reading by a Forrester Research analyst and various SIEM vendors.
Businesses assume a SIEM is a simple tool to use and do not realize that someone with a specialized skill set is needed to manage it, Jones says. The survey found 69% of respondents agreed they needed additional staff to get the most out of their SIEM and to act on the data it produces.
He added that 78% of survey respondents say they have less than one full-time person to manage the SIEM.
Solutions
Some SIEM products ship with pre-packaged threat analytics. Using them lets a security team rely on the vendor to build and update the analytics, which reduces some of the team's own staffing needs, says Brazdziunas.
Security automation and orchestration (SAO) tools increase staff productivity by making processes more efficient, Blankenship says, adding that some SIEMs also offer a degree of automation as a built-in feature.
Fifty-four percent of surveyed SIEM users say their SIEMs generate too much noise, given the volume of alerts and event notifications they produce.
"Users say, 'we want accurate information and want the visibility that gives the name of the person and location, instead of only their IP address,'" explains Jones. He points to survey results showing that 70% of SIEM users want information that is more accurate and prioritized, along with meaningful alerts, and that 61% want better context about the users and devices tied to their SIEM events.
During focus group meetings, Jones says he learned that of the 29% of survey respondents who say SIEMs are not noisy, the vast majority felt that way because they had switched off parts of their SIEMs.
Solutions
Every company differs in its systems, applications, users, networks, and normal behaviors, so each company needs to apply its own context to the SIEM, Carder says. He adds that enterprises should apply business context to their SIEM up front, so they can reduce the number of alerts on the back end.
"Many of the alarms companies see are the same, day in and day out. Perform the investigation once and then automate that investigation moving forward. This reduces the overall 'noise' with alerts and only bubbles up what are legitimate or the most critical," says Carder.
Blankenship advises IT security teams to pay attention to rules that cause the most false positives or have proven to be of little value, adding, "Alert triaging, based on risk, will also make sure analysts are focusing on the most critical alerts first."
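The three pieces of advice above (attach user and asset context to raw IP-based events, investigate a recurring alarm once and then automate its disposition, and rank the rest by risk while tracking which rules are mostly false positives) fit together in a small triage step in front of the analyst queue. The following is an added example written for this article, not code from Cyphort, Forrester, or any SIEM vendor quoted here; the asset table, the known-benign list, the alert fields, and the risk formula (vendor severity multiplied by asset criticality) are all constructed assumptions.

```python
"""Context enrichment, risk-based triage and rule-noise review over sample SIEM alerts.

Added illustration; not from the article or any vendor it quotes. Every name,
field and data row below is constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed business context: who owns each address and how critical the asset is.
ASSETS = {
    "10.0.1.15": {"host": "pay-db-01", "owner": "finance", "criticality": 5},
    "10.0.2.40": {"host": "wks-jsmith", "owner": "jsmith", "criticality": 2},
    "10.0.3.7": {"host": "build-agent-3", "owner": "ci", "criticality": 3},
}

# Constructed record of investigations already performed once: (rule, source) -> why
# it was benign. Matching alerts are auto-closed instead of reaching an analyst.
KNOWN_BENIGN = {
    ("ssh_brute_force", "10.0.3.7"): "CI agent retries with rotated keys",
}


@dataclass
class Alert:
    rule: str
    src_ip: str
    severity: int                      # vendor severity, 1-5
    context: dict = field(default_factory=dict)
    risk: int = 0
    disposition: str = "open"


def enrich(alert):
    """Attach host, owner and criticality; unknown addresses get criticality 1."""
    alert.context = ASSETS.get(
        alert.src_ip, {"host": None, "owner": None, "criticality": 1})
    return alert


def score(alert):
    """Assumed risk formula: vendor severity x asset criticality (range 1-25)."""
    alert.risk = alert.severity * alert.context["criticality"]
    return alert


def triage(alerts):
    """Enrich, auto-close known-benign repeats, then put open alerts first by descending risk."""
    for a in alerts:
        score(enrich(a))
        reason = KNOWN_BENIGN.get((a.rule, a.src_ip))
        if reason:
            a.disposition = f"auto-closed: {reason}"
    return sorted(alerts, key=lambda a: (a.disposition != "open", -a.risk))


def noisy_rules(history):
    """history: list of (rule, was_true_positive). Return (rule, fp_rate, fired) by worst rate."""
    fired, fp = Counter(), Counter()
    for rule, true_positive in history:
        fired[rule] += 1
        if not true_positive:
            fp[rule] += 1
    return sorted(((r, fp[r] / fired[r], fired[r]) for r in fired),
                  key=lambda t: -t[1])


# Constructed sample alerts and analyst feedback history.
SAMPLE_ALERTS = [
    Alert("ssh_brute_force", "10.0.3.7", 4),      # CI agent, already investigated
    Alert("ssh_brute_force", "10.0.1.15", 4),     # payment database
    Alert("malware_signature", "10.0.2.40", 3),   # user workstation
    Alert("port_scan", "192.0.2.99", 2),          # address not in inventory
]
SAMPLE_HISTORY = [
    ("ssh_brute_force", False), ("ssh_brute_force", False), ("ssh_brute_force", True),
    ("port_scan", False), ("port_scan", False),
    ("malware_signature", True),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(f"risk={a.risk:2d} {a.rule:18s} {a.context['host'] or a.src_ip:15s} "
              f"owner={a.context['owner']} {a.disposition}")
    print("rules by false-positive rate:")
    for rule, rate, n in noisy_rules(SAMPLE_HISTORY):
        print(f"  {rule:18s} fp_rate={rate:.2f} fired={n}")
```

With the constructed data the payment database alert comes out on top with risk 20, the CI agent's brute-force alarm is auto-closed and sinks to the bottom even though its raw severity is the same, and the rule review flags port_scan as firing only false positives, which is the rule a team would tune or retire first.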
Seventy-one percent of IT professionals working with SIEMs say they need better visibility of traffic moving across their organization's network. The top three areas where they say visibility is needed the most include Web traffic, email traffic, and cloud applications.
In addition to wanting improved visibility from their SIEM, users also cite a need for better detection of advanced threats already inside the network and the ability to consolidate related security events into a single incident view.
Solutions
"It's not unusual to see partially deployed SIEMs that are only monitoring parts of an environment. SIEMs may also only be deployed to monitor network devices, looking for external threats. For better visibility, bring in logs from inside the network, including endpoints, hosts, and applications," says Blankenship. "Focus on parts of the network where critical data is stored."
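A partially deployed SIEM rarely announces itself; the gap shows up only when an incident touches a host that was never onboarded or whose forwarder quietly died. The check below is an added example for this article, not code from Forrester or any SIEM vendor: it compares an asset inventory (what should be logging) against the SIEM's log-source table (what actually is), reporting assets never onboarded, sources that have gone silent, and the critical gaps among them, broken down by asset class. The inventory, source timestamps, reference time and the six-hour silence threshold are constructed assumptions; in practice the two lists would come from a CMDB or EDR console and the SIEM's log-source health view.

```python
"""Log-source coverage check for a partially deployed SIEM.

Added illustration; not from the article or any vendor it quotes. The inventory,
the SIEM source table, the reference time and the silence threshold are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed reference time so the example is reproducible offline.
NOW = datetime(2017, 9, 27, 12, 0, tzinfo=timezone.utc)

# Constructed asset inventory: everything that should be sending logs.
INVENTORY = [
    {"name": "fw-edge-01", "class": "network", "critical": True},
    {"name": "pay-db-01", "class": "host", "critical": True},
    {"name": "hr-app-01", "class": "application", "critical": True},
    {"name": "wks-jsmith", "class": "endpoint", "critical": False},
    {"name": "wks-akumar", "class": "endpoint", "critical": False},
]

# Constructed SIEM log-source table: source name -> time of last event received.
SOURCES = {
    "fw-edge-01": NOW - timedelta(minutes=2),
    "pay-db-01": NOW - timedelta(hours=30),     # forwarder stopped yesterday
    "wks-jsmith": NOW - timedelta(minutes=10),
}


def coverage_report(inventory, sources, now=NOW, silent_after=timedelta(hours=6)):
    """Classify each inventoried asset as reporting, gone silent, or never onboarded."""
    def is_reporting(asset):
        seen = sources.get(asset["name"])
        return seen is not None and now - seen <= silent_after

    never = [a for a in inventory if a["name"] not in sources]
    silent = [a for a in inventory
              if a["name"] in sources and not is_reporting(a)]

    by_class = {}
    for a in inventory:
        c = by_class.setdefault(a["class"], {"total": 0, "reporting": 0})
        c["total"] += 1
        if is_reporting(a):
            c["reporting"] += 1

    return {
        "never_onboarded": [a["name"] for a in never],
        "gone_silent": [a["name"] for a in silent],
        "critical_gaps": sorted(a["name"] for a in never + silent if a["critical"]),
        "by_class": by_class,
    }


if __name__ == "__main__":
    report = coverage_report(INVENTORY, SOURCES)
    print("never onboarded:", report["never_onboarded"])
    print("gone silent    :", report["gone_silent"])
    print("critical gaps  :", report["critical_gaps"])
    for cls, c in report["by_class"].items():
        print(f"  {cls:12s} {c['reporting']}/{c['total']} reporting")
```

On the constructed data the perimeter firewall is the only network device and it reports fine, which is exactly the picture Blankenship describes: the host and application classes show zero of one reporting, because the payment database's forwarder went silent and the HR application was never onboarded, and both land on the critical-gaps list that a team should work through first.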
Nearly half of surveyed SIEM users say they store event and log data for approximately two months. But 76% of respondents say they would prefer the option to store this information for more than two years, Jones says.
"SIEMs that are used for compliance will hold onto users' information for 30 to 60 days. But a number [of users] are telling us they want to store the data for three to five years," Jones says.
Solutions
Some SIEM vendors have moved to big data architectures that scale better than the relational databases behind earlier SIEM versions, Blankenship observes. He advises asking vendors whether they support big data storage, either deployed by the vendor as part of the product or by integrating with the customer's own big data archive.