The effectiveness of security information and event management (SIEM) has been assailed a number of times. A few days ago, the CEO of a well-known cybersecurity firm even called for the elimination and replacement of SIEM, arguing that there are better solutions available.
However, before considering the abolition of SIEM as part of standard security posture building, it is worth reviewing the reasons why it does not work for some organizations. Organizations may be surprised to find that there are things they are not doing right that lead to failures. Addressing these missteps can change the outcomes considerably.
#1 Using the wrong platform
Not all SIEM platforms are created equal. This sounds like a cliché, but it needs to be emphasized. Various providers offer different sets of features and approaches. Plus, legacy SIEM solutions continue to be offered and are still picked, especially by organizations that are only after compliance. There are no strict parameters as to what a SIEM platform should be like. As such, it is essential to be meticulous in examining options.
The ideal SIEM platform should be capable of addressing current threats and anticipating emerging ones. It is a modern security solution that is usually analytics-driven and designed to leverage advanced technologies to achieve greater effectiveness and efficiency.
An effective SIEM platform takes advantage of artificial intelligence to automate threat detection and prevention. AI makes it possible to quickly correlate various interrelated alerts or security information to accurately determine the proper action against them and systematize threat detection, investigation, and response.
Artificial intelligence is also useful in dealing with the information overload that comes with SIEM operations. With security data coming from a wide range of security controls, endpoints, sensors, and other sources, it is not uncommon for security teams to be overwhelmed by all the alerts, notifications, and incident reports that supposedly require immediate attention. AI helps prioritize critical security data that requires the urgent attention of a human security analyst and prevents less important information and false positives from concealing critical alerts.
Additionally, the right SIEM solution to use has to enable optimum security visibility, facilitate the seamless integration of security data from different sources, and provide an intuitive interface to efficiently respond to security events or threat alerts. It is not going to be easy to evaluate options according to these criteria, so it may be necessary to ask for the assistance of experienced cybersecurity professionals.
Moreover, scalability and flexibility should be part of the package. With organizations dealing with different IT infrastructures and changing scales of operation, being fixed and suited for a specific environment or infrastructure is certainly a bane for a SIEM platform. The inability to adjust to changing needs and deploy from anywhere can spell the failure of a SIEM platform.
#2 Not using the solution, or only partially using it
IBM Security Program Director Jackie Lehmann shared a curious story about SIEM use among organizations recently, and it is not encouraging. Lehmann shares that many organizations buy security information and event management solutions that they only end up "placing on the shelf." They do not use these security solutions; they only obtain them for compliance.
Some organizations rely only on log managers to oversee their cybersecurity situation. They reportedly find this preferable because SIEM platforms are allegedly difficult to learn. Some find these platforms so complicated that they prefer the old practices they have become accustomed to.
Given the kind of threat landscape organizations are faced with at present, it is advisable to harness the capabilities of modern security information and event management solutions. It may be true that there is a learning curve organizations have to climb to get the optimum benefits of SIEM, but the effort is going to be worth it. As Lehmann asserts, "a modern SIEM should and will make an analyst's job easier."
If organizations have already spent funds for the acquisition of a SIEM platform, there are no compelling reasons or excuses not to use it unless it is just some "token platform" purchased for the sake of compliance.
There is also a problem with partial or improper SIEM implementation. Half-baked or half-hearted efforts to undertake SIEM operations do not yield benefits. They may even create vulnerabilities in an organization's security posture. Improper or haphazard configuration and the failure to connect the right data feeds, for example, create blind spots: a log source that was never onboarded, or one that silently stopped forwarding, leaves a gap that threat actors can exploit without triggering an alert.
#3 Confluence of skills shortage, poor administrative support, and lack of dedication
The third major reason why SIEM platforms fail can be attributed to an organization's management. Refusing to hire the right people to manage SIEM operations, to extend adequate administrative support, and to commit to operating the SIEM platform at its optimum creates barren ground for security information and event management success.
It is understandable that organizations have a hard time getting proficient and experienced cybersecurity professionals now because of the lingering problem of cybersecurity skills shortage. However, it is vital to at least have a competent administrator to be responsible for the SIEM platform's implementation.
This administrator is responsible for updating the different components to make sure there are no obstacles to their optimum performance. The administrator also performs routine system health checks, storage projections, log volume and performance analysis, log collection analysis to catch new and non-reporting systems, and the addition and configuration of users, dashboards, and alerts. Additionally, the administrator produces regular status reports, standardized reports, and system integrity validation reports.
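The log collection analysis mentioned above is one of the few administrator duties that can be scripted outright. The following is an added example, not code from the article or from any SIEM vendor: it compares a constructed source inventory (each source with the longest silence it is allowed) against constructed last-event timestamps and reports sources that have gone quiet, sources that never reported, and sources that are logging but were never inventoried. In practice both inputs would come from the SIEM's own source list or API, which is assumed here.

```python
# Added example (not from the article): a SIEM log-collection health check
# that flags inventoried sources that stopped reporting and sources that are
# logging but were never inventoried. Inventory and events are constructed.
from datetime import datetime, timedelta, timezone

# Constructed inventory: expected source -> longest acceptable silence.
INVENTORY = {
    "fw-edge-01": timedelta(minutes=5),
    "dc-01": timedelta(minutes=15),
    "backup-srv": timedelta(hours=26),  # nightly job, quiet most of the day
    "web-02": timedelta(minutes=10),
    "vpn-gw": timedelta(minutes=5),     # onboarded on paper, never connected
}

# Constructed last-event timestamps as a SIEM's source list would expose them.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    ("fw-edge-01", NOW - timedelta(minutes=1)),
    ("dc-01", NOW - timedelta(hours=3)),
    ("dc-01", NOW - timedelta(minutes=2)),
    ("backup-srv", NOW - timedelta(hours=25)),
    ("web-02", NOW - timedelta(hours=2)),       # agent died two hours ago
    ("lab-vm-07", NOW - timedelta(minutes=3)),  # forwarding, but not inventoried
]

def collection_report(inventory, events, now):
    """Return {'silent': {source: gap or None}, 'unknown': {source, ...}}.
    silent maps each inventoried source whose newest event is older than its
    window to the silence duration (None if it has never reported at all);
    unknown lists sources that report but are missing from the inventory.
    """
    last_seen = {}
    for source, ts in events:
        if source not in last_seen or ts > last_seen[source]:
            last_seen[source] = ts
    silent = {}
    for source, window in inventory.items():
        ts = last_seen.get(source)
        if ts is None:
            silent[source] = None
        elif now - ts > window:
            silent[source] = now - ts
    return {"silent": silent, "unknown": set(last_seen) - set(inventory)}

if __name__ == "__main__":
    report = collection_report(INVENTORY, EVENTS, NOW)
    for src, gap in report["silent"].items():
        print(f"SILENT  {src}: {'never reported' if gap is None else gap}")
    for src in sorted(report["unknown"]):
        print(f"UNKNOWN {src}: reporting but not in the inventory")
```

Per-source windows matter: a nightly backup job that is quiet for 25 hours is healthy, while a firewall that is quiet for five minutes is not, so a single global threshold would either spam the analyst or miss the dead agent.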
Getting the right people is one indication of an organization's commitment to making SIEM operations a success. However, an organization's management should be playing a key leadership role instead of completely relegating the responsibility to the administrator or security team. There are actions that require administrative approval and active oversight. Complaints on SIEM vendor issues, for instance, are unlikely to be resolved by the administrator alone. There has to be full management support, especially if infrastructure or system changes are necessary.
It is also worth noting that security teams are often overworked, partly due to the skills shortage problem. They are unlikely to be enthusiastic about addressing problems on their own without support from management, especially when it comes to the acquisition of the right technologies and the implementation of major changes in the way security operations are undertaken.
In conclusion
It would be inexpedient to hastily dismiss a SIEM platform as ineffective or problematic without trying to uncover the issues first and making troubleshooting attempts. It helps to take a step back and examine possible issues first before moving to a different platform or looking for a SIEM alternative.