Why Many Security Teams Can’t Master SIEM
Security information and event management (SIEM) platforms can be remarkably powerful defensive tools, but their power is tempered by long list of challenges that, as often as not, make them as much of a hindrance as a benefit. To be clear, a properly tuned SIEM run by properly staffed security department is an enormous boon to an organization’s detection and incident response capability.
In other words, SIEMs are awesome in a perfect world, but few of us live in a perfect world.
In the real world, SIEMs are inherently challenging, and the challenges are pretty easy to enumerate: SIEMs are expensive, their operation requires highly specialized workers, set-up is time-consuming, they’re often distracting, and reporting is inflexible and, frequently, esoteric. At the end of the day, many organizations simply do not have the time, money, or resources to support the various aspects that go into running SIEM.
SIEM problems are intrinsically related to each other in a lot of ways, but we’ll try to address them in distinct sections below.
1. Let’s Start with the Costs
SIEMs are expensive. Very expensive. And the costs aren’t altogether clear. According to a Ponemon Institute study, 25 percent of SIEM costs are tied up in the initial purchase, while the remaining 75 percent go toward installation, maintenance, and staffing. More specifically, SIEM costs are various and disparate. There’s the initial licensing costs, implementation, ongoing management, renewal, integration of data sources, and training of personal to actually run the SIEM. Some 78 percent of respondent organizations told Ponemon that they have just one staff member dedicated to their SIEM, and, despite this, 64 percent reported paying more than $1M annually in SIEM related costs.
To this point, in a different survey conducted by a company called Netwrix, 69 percent of respondents expressed a desire to reduce their SIEM costs, a problem complicated by consumption-rate-based pricing models that lead to unexpected costs down the line, which are the norm among SIEM providers.
2. Configuring the SIEM is Kind of a Nightmare
A SIEM does essentially nothing out of the box on its own. Of course, an organization can buy a preconfigured SIEM at extra costs, but these preconfigured SIEMs are often distractingly noisy and devoid of context. Furthermore, a preconfigured SIEM almost certainly isn’t—and really can’t be—tailored to the unique threat model, maturity, and needs of an organization. As such, inherently built into the already-substantial-cost of the SIEM is the slightly-less-exorbitant-but-still-significant cost of hiring an employee or consultant with the requisite skills to not only build out your SIEM but also generate the correlation rules for it going forward. And by the way, we’re suffering from a pretty serious skills shortage gap in the cybersecurity industry. Alternatively, you could pay for a threat intel feed to populate your SIEM, but this is also costly, not too mention noisy, which is another problem in an of itself. Noise aside (we’ll get to that later), it could take weeks or months feed your various data sources into your SIEM. The more disparate the data sources, the more complicated this task becomes.
Similarly, the Netwrix survey suggested locating data in the SIEM can be very challenging, with 65 percent reporting that they found it difficult locating requested data in their SIEM. Beyond this, you have to constantly track what is and isn’t communicating with your SIEM, because things just abruptly stop feeding the SIEM. Sometimes this hard to miss; other times it’s not abundantly clear that a data source has been cut off.
The Ponemon Institute’s founder sums up SIEM configuration and management issues nicely:
“The root of their dissatisfaction seems to be related to the complexity of the SIEM itself,” explained Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “In fact, 75 percent of respondents said there is significant, or very significant, effort involved in configuring their SIEM for their organization. Obviously, this complexity can make it very difficult to extract the value they want and need.”
3. SIEMs Require Highly Specialized Employees
In a 451 Research survey, 44 percent of organizations responded that they lacked the requisite staff expertise necessary to properly run a SIEM. In the Netwrix survey cited earlier, 55 percent of organizations said rely on SIEM specialists to operate their SIEM.
4. SIEMs are Just Too Darn Noisy
The Netwrix research claimed that 81 percent of respondents complained that their SIEMs generated too much “noise data.” In its SIEM survey, Rapid7 learned that more than half of organizations can only investigate between one and 10 alerts per day, whereas nearly three quarters of respondents’ SIEMs generate more than 10 alerts per day.
5. SIEMs Often Fail to Provide Context Around Alerts
Since SIEMs simply aggregate system logs and merely alert analysts when something bad may have happened, they often lack context and actionable data, which can leave analysts wondering how to respond to an alert from their SIEM. Less than half of respondents to the Ponemon Institute study reported that they were satisfied with the actionable intelligence they were getting from their SIEMs.
6. SIEMs Have a Reporting Problem
SIEM reporting is simply inflexible. Again from Netwrix: 63 percent of survey respondents said that they had difficulty understanding the reports output by their SIEM and a further 53 percent reported that they had to manually tweak their SIEM reporting so that non-tech stakeholders could understand.
The Big Picture
451 Research analysts Daniel Kennedy summarizes the issues with SOCs pretty nicely:
“SIEM solutions hold a lot of promise as the centralized solution for unlocking all the secrets held in the logs of enterprise systems and marrying them with the use of threat intelligence”, said Kennedy. ”That promise comes at a cost, SIEM solutions still retain a reputation for being difficult to set up, difficult to add new feeds to, and difficult to tune. That said, their value to the enterprise security manager is increasingly understood, and while many SIEM implementations may have started out as a compliance check mark, they have transcended those roots.”