Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Next Generation Of SIEMs? Ease Of Use, Analyze More Data
Threaded  |  Newest First  |  Oldest First
AccessServices
AccessServices,
User Rank: Apprentice
10/21/2013 | 12:28:10 PM
re: Next Generation Of SIEMs? Ease Of Use, Analyze More Data
From someone that has lived and worked in the trenches, I agree with Robert. SIEMs are complicated beasts. They capture data from multiple devices so the person setting up the rules needs to understand the relationship between databases, networks, web servers, load balancers, firewalls, AD, etc.... The biggest problem I've seen is training. Companies will purchase a nice vehicle to move a company forward and then won't pay to teach one of two employees how to drive it. Then when it crashes, blame the IT group.

Even if the SIEM is just capturing the data, a company has made progress. The forensic and troubleshooting capabilities are significant. There have been several times when I've solved issues by going to an "unused SIEM" or logging device. For what to correlate, the SANS Institute has written several papers on what to look for.

Jeff Jones
Abacus Solutions
MarciaNWC
MarciaNWC,
User Rank: Apprentice
10/21/2013 | 11:09:31 PM
re: Next Generation Of SIEMs? Ease Of Use, Analyze More Data
You'd think after this long in the market, SIEMs would have become easier to use. Although, as the story notes, the marketing line with SIEMS has always been the opposite.
mharrison392
mharrison392,
User Rank: Apprentice
10/22/2013 | 8:42:50 PM
re: Next Generation Of SIEMs? Ease Of Use, Analyze More Data
I don't think I want a plug and play SIEM solution. The complexity of all the interconnected parts in unique environments is not something that I am comfortable with a SIEM understanding. It is important that someone in the organization understand how these pieces work together whether a SIEM is implemented or not.

A SIEM solution is a TOOL. It makes the job easier, but it's still a hard job. Knowledge is still required. They used computers in 1969 to put a man on the moon. The people designing the systems and working at mission control still had to know the pieces and parts. They still had to know what they were doing.

The problem is that most people want to purchase a solution that they can install and forget. A SIEM takes care and feeding on a regular basis. A properly installed and configured SIEM requires tuning regularly. However, most SIEM implementations I've seen have had the proverbial "kitchen sink" worth of logs thrown at them day one or week one. It takes time to do this properly. You have to add one feed at a time and spend some time getting to know it and tuning it, then move on to the next log feed.

I believe you could make the argument that anyone wanting a plug a play SIEM should outsource their security operations. The fact of the matter is that real, effective security requires knowledgeable, dedicated, warm bodies. Most organizations are unwilling to accept that.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-37452
PUBLISHED: 2022-08-07
Exim before 4.95 has a heap-based buffer overflow for the alias list in host_name_lookup in host.c when sender_host_name is set.
CVE-2022-26979
PUBLISHED: 2022-08-06
Foxit PDF Reader before 12.0.1 and PDF Editor before 12.0.1 allow a NULL pointer dereference when this.Span is used for oState of Collab.addStateModel, because this.Span.text can be NULL.
CVE-2022-27944
PUBLISHED: 2022-08-06
Foxit PDF Reader before 12.0.1 and PDF Editor before 12.0.1 allow an exportXFAData NULL pointer dereference.
CVE-2022-2688
PUBLISHED: 2022-08-06
A vulnerability was found in SourceCodester Expense Management System. It has been rated as critical. This issue affects the function fetch_report_credit of the file report.php of the component POST Parameter Handler. The manipulation of the argument from/to leads to sql injection. The attack may be...
CVE-2022-2689
PUBLISHED: 2022-08-06
A vulnerability classified as problematic has been found in SourceCodester Wedding Hall Booking System. Affected is an unknown function of the file /whbs/?page=contact_us of the component Contact Page. The manipulation of the argument Message leads to cross site scripting. It is possible to launch t...