The term Security Information and Event Management (SIEM) refers to security solutions that allow IT professionals to identify, monitor, record and analyze security incidents or events within an IT environment and store their relevant data centrally.
SIEM tools incorporate the interpretation of logs, security alerts, profiling, advanced analytics, data aggregation, dashboards, forensics, and threat intelligence feeds. In fact, this technology is an intersection of two closely-related technologies—coined Security Event Management (SEM) and Security Information Management (SIM). SEM performs collection, aggregation, and real-time monitoring of events and logs, while SIM correlates, normalizes, and then performs a later analysis and reporting on collected security records and logged data.
In this blog post, we will evaluate how effective SIEM solutions can be for organizations and address some common misconceptions and rumors about their effectiveness.
In a nutshell, SIEMs don’t fully protect your corporate IT environment against newly emerging cyber-attacks. Much like other technology solutions, they need continuous 24/7 maintenance, and additional controls must be deployed alongside them for them to work effectively.
As per Gartner’s definition, “SIEM is a technology used for security incident response and threat detection through a real-time acquisition and historical analysis of security events from a broad spectrum of contextual data sources.”
After a SIEM is deployed, SIEM analysts use it to monitor user activity, avert data breaches, identify the root cause of security incidents and mitigate sophisticated cyber-attacks, and thereby help the organization meet its regulatory compliance requirements.
A SIEM comes in three (3) basic types:
When SIEM technology was introduced, it was considered appropriate, and a more likely fit, for large enterprises, as they involve big data, numerous devices and a large workforce. In addition, larger companies log thousands or sometimes even millions of security events every day.
According to Solution Reviews (Top 6 SIEM Vendors to Watch in 2018), “a Fortune 500 Corporation’s infrastructure can easily generate ten (10) terabytes of plaintext data per month.”
On the other hand, SIEM is also suitable for small and medium-sized organizations. For example, if one person performs several administrative tasks in a small enterprise, he/she could easily detect abnormal behavior and escalation of privileges using a SIEM. Likewise, a medium-sized organization with a busy IT department might benefit from a SIEM service that involves resources to manage and configure the platform efficiently.
Today’s SIEM architectures encompass SIEM software installed on local hardware, a local server or a virtual appliance dedicated to the SIEM service, as well as public cloud-based SIEM.
According to Gartner’s report, “the need for early detection of data breaches and targeted attacks is driving an expansion of existing and new SIEM deployments”.
SIEM offers several benefits to all types of organizations irrespective of their shape and size.
The primary benefits include:
For two reasons, SIEMs can detect incidents that would otherwise go undetected.
In addition, by matching events against threat intelligence feeds, the SIEM can detect malicious activity and terminate the connection of the host involved in it, so that the attack can be neutralized before it becomes a costly breach for the organization.
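The following is an added example, not code from the original post, of what the threat-intelligence matching described above looks like inside a correlation engine: firewall and DNS events are checked against a feed, and each internal host that touched an indicator is mapped to the containment action the text mentions. Every indicator, host address and log line is constructed for the example (the addresses come from documentation ranges), and the key=value log format is an assumption.

```python
"""Added example, not code from the original post: correlating firewall and
DNS events against a threat intelligence feed and deriving a containment
action for each internal host that touched an indicator.

Every indicator, host address and log line here is constructed for the
example (the IPs come from documentation ranges); none is a real IoC.
"""
from collections import defaultdict

# Constructed feed: indicator -> short description of why it is listed.
THREAT_FEED = {
    "203.0.113.77": "constructed C2 address",
    "bad.example.net": "constructed malware domain",
}

# Constructed key=value events as a collector might forward them to the SIEM.
SAMPLE_LOGS = [
    "ts=1 type=fw src=10.0.0.5 dst=198.51.100.10 action=allow",
    "ts=2 type=fw src=10.0.0.8 dst=203.0.113.77 action=allow",
    "ts=3 type=dns src=10.0.0.9 query=bad.example.net",
    "ts=4 type=fw src=10.0.0.8 dst=203.0.113.77 action=allow",
    "ts=5 type=dns src=10.0.0.5 query=www.example.com",
]


def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def match_feed(lines, feed):
    """Return {internal host: sorted indicators it contacted}.

    The fields checked are the firewall destination and the DNS query name;
    a host that hits the same indicator repeatedly is reported once, which is
    the deduplication an analyst expects before any response is taken.
    """
    hits = defaultdict(set)
    for line in lines:
        ev = parse(line)
        for field in ("dst", "query"):
            value = ev.get(field)
            if value in feed:
                hits[ev["src"]].add(value)
    return {host: sorted(iocs) for host, iocs in sorted(hits.items())}


def containment_actions(hits):
    """Map each matched host to the response the text describes: cut its connection.

    Returned as (action, host, indicator) tuples so a caller can hand them to
    whatever orchestration layer performs the isolation; nothing is executed here.
    """
    return [("isolate-host", host, ioc)
            for host, iocs in hits.items() for ioc in iocs]


if __name__ == "__main__":
    hits = match_feed(SAMPLE_LOGS, THREAT_FEED)
    for action, host, ioc in containment_actions(hits):
        print(f"{action}: {host} contacted {ioc} ({THREAT_FEED[ioc]})")
```

The actions are returned rather than executed on purpose: a stale or over-broad feed entry would otherwise isolate a production host on a false match, so the quality of the feed is the real limit on how automatic this step can be.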
This benefit is so significant that numerous organizations deploy SIEMs only for streamlining their compliance reporting via a centralized logging solution. There can be various hosts in an organization and logged security events of each host are regularly transferred to a single SIEM server that generates one report of all logged security events received from such hosts.
Without a SIEM, an enterprise has to collect data from each host manually and prepare a separate report for each host as well. Then, these data and reports are reassembled at a central point in order to create a single report. Doing this manually is a Gordian knot, as it involves numerous people customizing and editing security logs from dissimilar hosts.
Moreover, SIEMs also offer built-in support for several compliance endeavors. The reporting capabilities of SIEMs help organizations meet compliance with reporting requirements mandated by various eminent standards including the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS).
If they are properly configured and maintained, SIEM tools have the potential to make incident handling more efficient, which saves time and resources for the incident handling staff. More importantly, incident handling is of paramount importance, as poor management of an incident may lead to the loss of essential information, such as evidence against the malicious actors who compromised the host in question.
Another useful feature of a SIEM is that it provides a single interface to view all security logs from multiple hosts.
The SIEM aggregation feature decreases the volume of event data by merging duplicate event records into correlated and aggregated events in real time, and by comparing them against long-term summaries.
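To make the aggregation step concrete, here is an added example (not code from the original post) that collapses repeated identical events within a fixed time window into one record carrying a count, and then compares each aggregate against a long-term per-key baseline to surface deviations. The events, the 60-second window and the baseline figures are all constructed for the example.

```python
"""Added example, not code from the original post: the aggregation step of a
SIEM pipeline. Repeated identical events inside a fixed time window are
collapsed into one record with a count and first/last timestamps, and each
aggregate is then compared against a long-term per-key baseline.

Events, window size and baseline figures are constructed for the example.
"""

WINDOW = 60  # seconds per aggregation bucket (an assumption for the example)

# Constructed raw events: (timestamp, src, dst, dport, action).
SAMPLE_EVENTS = [
    (100, "10.0.0.5", "10.0.1.2", 22, "deny"),
    (101, "10.0.0.5", "10.0.1.2", 22, "deny"),
    (102, "10.0.0.5", "10.0.1.2", 22, "deny"),
    (103, "10.0.0.5", "10.0.1.2", 22, "deny"),
    (104, "10.0.0.5", "10.0.1.2", 22, "deny"),
    (105, "10.0.0.5", "10.0.1.2", 22, "deny"),
    (110, "10.0.0.7", "10.0.1.2", 443, "allow"),
    (115, "10.0.0.7", "10.0.1.2", 443, "allow"),
    (170, "10.0.0.5", "10.0.1.2", 22, "deny"),  # falls into the next bucket
]

# Constructed long-term summary: average events per window for each key.
BASELINE = {
    ("10.0.0.5", "10.0.1.2", 22, "deny"): 1.0,
    ("10.0.0.7", "10.0.1.2", 443, "allow"): 5.0,
}


def aggregate(events, window=WINDOW):
    """Collapse identical (src, dst, dport, action) events per time bucket.

    Returns a list of records sorted by bucket and key; nine raw events in
    SAMPLE_EVENTS become three records.
    """
    buckets = {}
    for ts, src, dst, dport, action in events:
        bucket = ts // window
        key = (bucket, src, dst, dport, action)
        rec = buckets.get(key)
        if rec is None:
            buckets[key] = {"bucket": bucket, "src": src, "dst": dst,
                            "dport": dport, "action": action,
                            "count": 1, "first_ts": ts, "last_ts": ts}
        else:
            rec["count"] += 1
            rec["first_ts"] = min(rec["first_ts"], ts)
            rec["last_ts"] = max(rec["last_ts"], ts)
    return [buckets[k] for k in sorted(buckets)]


def flag_deviations(aggregates, baseline, factor=3.0):
    """Return (bucket, key, count) for aggregates above factor x baseline.

    A key absent from the baseline is assumed to average 1 event per window,
    so a burst from a never-seen source is flagged rather than accepted.
    """
    flagged = []
    for rec in aggregates:
        key = (rec["src"], rec["dst"], rec["dport"], rec["action"])
        if rec["count"] > factor * baseline.get(key, 1.0):
            flagged.append((rec["bucket"], key, rec["count"]))
    return flagged


if __name__ == "__main__":
    aggs = aggregate(SAMPLE_EVENTS)
    print(f"{len(SAMPLE_EVENTS)} raw events -> {len(aggs)} aggregated records")
    for bucket, key, count in flag_deviations(aggs, BASELINE):
        print(f"bucket {bucket}: {key} seen {count} times, above baseline")
```

Fixed buckets keep the memory footprint bounded, which is what lets this run in real time; the price is that a burst straddling a bucket boundary is split in two, which is one reason the comparison against the long-term summary is done per bucket rather than on a single threshold.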
Today, SIEM technologies are also embracing new capabilities such as User and Entity Behavior Analytics (UEBA), which can help organizations detect threats from both people and software and eliminate them before they cause grave damage.
Deploying a SIEM doesn’t mean your organization is completely secure.
SIEM solutions have certain limitations, which make them ineffective without additional investments in personnel and technology.
It is imperative to understand that a SIEM doesn’t operate like other security controls such as firewalls, antivirus programs, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and so on.
A SIEM solution on its own is useless because of its inability to monitor raw security events as they occur throughout the organization. In fact, SIEM solutions are designed to utilize log data as recorded by other software tools.
Secure configuration is indispensable for the overall security of the system.
Misconfiguration is a process of changing the secure configuration either accidentally or by oversight and it might lead to vulnerabilities or undesirable features. Sometimes, malicious actors misconfigure systems deliberately to introduce vulnerabilities or to keep the suspicious activities undetected.
Accidental misconfiguration can happen in several ways. For example, an administrator may turn off a personal firewall on servers or workstations, or start the web server service on a system that shouldn’t be running a web server.
To avoid such scenarios, you need to configure your SIEM solution to filter on firewalls being turned off and on new services being enabled on systems that shouldn’t be running them. A configuration management system such as Tripwire should also be considered, to monitor critical systems and report misconfiguration events.
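As an added example (not code from the original post or from any product), the two filters described above can be written as explicit rules: one that fires when a host firewall is switched off, and one that fires when a service starts on a host that is not approved to run it. The hosts, the approved-service policy, the key=value log format and the field names are all constructed assumptions for the example.

```python
"""Added example, not code from the original post: two SIEM-style rules for
the misconfigurations the text names, a host firewall being switched off and
a service starting on a host that is not approved to run it.

Hosts, the approved-service policy and the log lines are constructed for the
example; the field names follow no particular product's schema.
"""

# Constructed policy: which services each monitored host may run.
APPROVED_SERVICES = {
    "web01": {"httpd", "sshd"},
    "db01": {"postgresql", "sshd"},
}

# Constructed configuration-change events as forwarded to the SIEM.
SAMPLE_LOGS = [
    "ts=1 host=web01 event=service_started service=httpd user=admin",
    "ts=2 host=db01 event=firewall_state state=off user=admin",
    "ts=3 host=db01 event=service_started service=httpd user=admin",
    "ts=4 host=web01 event=firewall_state state=on user=admin",
    "ts=5 host=app01 event=service_started service=sshd user=deploy",
]


def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def rule_firewall_disabled(ev):
    """Fire when a host reports its firewall turned off; turning it on is fine."""
    if ev.get("event") == "firewall_state" and ev.get("state") == "off":
        return {"rule": "firewall_disabled", "severity": "high", "host": ev["host"],
                "detail": f"host firewall turned off by {ev.get('user', 'unknown')}"}
    return None


def rule_unapproved_service(ev, policy):
    """Fire when a service starts that the host's policy does not list.

    A host with no policy entry at all is treated as unapproved (default deny),
    so a forgotten host does not silently pass.
    """
    if ev.get("event") != "service_started":
        return None
    service, host = ev["service"], ev["host"]
    allowed = policy.get(host)
    if allowed is None:
        detail = f"{service} started on a host with no approved-service policy"
    elif service not in allowed:
        detail = f"{service} is not approved for this host"
    else:
        return None
    return {"rule": "unapproved_service", "severity": "medium",
            "host": host, "detail": detail}


def evaluate(lines, policy):
    """Run both rules over every line and return the alerts in log order."""
    alerts = []
    for line in lines:
        ev = parse(line)
        for alert in (rule_firewall_disabled(ev), rule_unapproved_service(ev, policy)):
            if alert:
                alert["ts"] = int(ev["ts"])
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOGS, APPROVED_SERVICES):
        print(f"[{a['severity']}] ts={a['ts']} {a['host']}: {a['rule']} ({a['detail']})")
```

The approved-service map is the piece that needs maintaining: every new host or legitimate service change has to land in it, or the rule either misses the event or starts producing the kind of noise the next section describes.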
Collecting, storing and analyzing security events are simple tasks in isolation. However, it can be a herculean task to collect, store, run compliance reports on, apply patches for and analyze all the security events occurring across your corporate network, a dreaded task that often involves ample money and a good deal of time.
Even after completing this task, your organization might not be able to achieve 100% of its targets.
A SIEM collects all data regarding security events, and this makes it hard to correlate security events against what is taking place across the rest of the corporate IT environment.
“Numerous SIEM folks reveal that their SIEM solutions were very slow or it was a Gordian knot to utilize the search interface to discover anything.” - Justin Henderson (Co-Chairperson at SIEM & Tactical Analytics Summit)
Legacy SIEM systems cannot keep up with the rate at which security events need to be examined. This snail’s pace leaves SIEMs unable to deal with the expanding threat vectors created by rapidly evolving on-premise and cloud services.
SIEM solutions usually rely on rules to parse all logged data.
As per a Damballa study, an average company’s network has to deal with about 10,000 alerts per day (false positives or not), on top of the noise produced by the many irrelevant logs that are not required to detect potential attacks.
When real-world conditions match these rules, the SIEM generates alerts and notifies the security professionals that IT events need their attention. These rules are drafted by the corporate Security Operations Center (SOC) and can have both favorable and unfavorable consequences.
For example, defining only a few rules might lead to missing potential threats. On the other hand, defining too many rules may trigger an overwhelming number of false positives. These false positives not only take a lot of time to review but also run the risk of being overlooked, which then represents a risk in itself.
Out-of-the-box alerts and alarms also produce annoying noise across the otherwise quiet working environment of your enterprise. In fact, SIEMs don’t have log management capabilities of their own.
Instead, they tend to rely on the correlation rules that in turn depend on particular events and logs to detect certain threats.
As a SIEM collects all logs, it cannot separate the noise, because it does not discriminate between useful and useless logs. That’s why it is essential to collect only the logs required to detect potential threats and vulnerabilities, as opposed to collecting every type of log from every host.
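The two points above, that rule design drives false-positive volume and that only the logs a rule needs should reach the engine, can be shown side by side. The following is an added example, not code from the original post: a naive rule that fires on every failed login is compared with a tuned rule that fires once per source when failures cross a threshold inside a sliding window, after an allowlist of log types has dropped records the rules never use. The log lines, the threshold of five failures and the 60-second window are constructed for the example.

```python
"""Added example, not code from the original post: the effect of rule design
on alert volume. A naive rule fires on every failed login; a tuned rule fires
once per source when failures cross a threshold inside a sliding window, and
an allowlist of log types keeps irrelevant records out of the rule engine.

Log lines, the threshold and the window are constructed for the example.
"""
from collections import defaultdict, deque

RELEVANT_TYPES = {"auth"}   # only the log types the rules actually need
THRESHOLD = 5               # failed logins from one source before alerting
WINDOW = 60                 # seconds; also the re-alert suppression interval

# Constructed log lines: one typo by a normal user, one burst from a single source.
SAMPLE_LOGS = [
    "ts=5 type=debug host=web01 msg=heartbeat",
    "ts=10 type=auth src=10.0.0.5 user=alice result=fail",
    "ts=12 type=auth src=10.0.0.5 user=alice result=success",
    "ts=100 type=auth src=10.0.0.9 user=root result=fail",
    "ts=101 type=auth src=10.0.0.9 user=root result=fail",
    "ts=102 type=auth src=10.0.0.9 user=admin result=fail",
    "ts=103 type=auth src=10.0.0.9 user=admin result=fail",
    "ts=104 type=auth src=10.0.0.9 user=bob result=fail",
    "ts=105 type=auth src=10.0.0.9 user=bob result=fail",
    "ts=106 type=auth src=10.0.0.9 user=bob result=success",
]


def parse(line):
    """Turn one key=value log line into a dict with an integer timestamp."""
    ev = dict(kv.split("=", 1) for kv in line.split())
    ev["ts"] = int(ev["ts"])
    return ev


def relevant(events, types=RELEVANT_TYPES):
    """Keep only the log types a rule consumes; everything else is noise here."""
    return [e for e in events if e.get("type") in types]


def naive_rule(events):
    """One alert per failed login: every typo becomes a ticket."""
    return [{"rule": "failed_login", "src": e["src"], "ts": e["ts"]}
            for e in events if e.get("result") == "fail"]


def tuned_rule(events, threshold=THRESHOLD, window=WINDOW):
    """One alert per source once `threshold` failures occur within `window`
    seconds, suppressed for another `window` seconds so a long burst does
    not re-alert on every further attempt."""
    recent = defaultdict(deque)   # src -> timestamps of failures in window
    last_alert = {}               # src -> ts of the most recent alert
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e.get("result") != "fail":
            continue
        src, ts = e["src"], e["ts"]
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        suppressed = src in last_alert and ts - last_alert[src] <= window
        if len(q) >= threshold and not suppressed:
            alerts.append({"rule": "brute_force", "src": src,
                           "ts": ts, "failures": len(q)})
            last_alert[src] = ts
    return alerts


if __name__ == "__main__":
    events = relevant([parse(l) for l in SAMPLE_LOGS])
    print(f"{len(SAMPLE_LOGS)} lines, {len(events)} relevant to the rules")
    print(f"naive rule: {len(naive_rule(events))} alerts")
    print(f"tuned rule: {len(tuned_rule(events))} alerts")
```

On this input the naive rule raises seven alerts, six of them for the same burst, while the tuned rule raises one with the failure count attached. The successful login at the end of the burst is the next signal a practitioner would add as its own rule, since a success following a run of failures is more interesting than the failures alone.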
Failure to control this noise is discouraging not only for an organization’s management team but also for the staff responsible for security and for dealing with alerts.
In order to work properly, SIEM solutions require around-the-clock, 24/7 monitoring of logs and alerts.
Your employees must look at the logs, conduct regular reviews and pull out relevant reports. All these tasks require adequate staffing or having a dedicated team involved, which can be a massive expense for your organization.
Under such circumstances, you may consider outsourcing your 24/7 monitoring by partnering with a Managed Security Service Provider (MSSP) as the best and most cost-efficient solution for your enterprise. Doing so saves you from hiring additional staff and spending extra money and time.
Having a SIEM solution doesn’t automatically mean that your organization is completely secure from internal and external cyber security threats.
Although SIEM solutions offer several benefits to enterprises of all sizes and shapes, they also have various limitations and vulnerabilities that should not be ignored.
A SIEM requires constant 24/7 monitoring of logs and alerts, regular maintenance and configuration as well as a dedicated security team responsible for managing the SIEM. In fact, most of the work starts after the SIEM has been implemented. Therefore, organizations cannot rely only on SIEM solutions to protect their critical IT infrastructures.
Even with a SIEM in place, security professionals need to ensure they have the proper resources, tools, budget and time to leverage SIEM functionalities and guarantee comprehensive protection against potential cybersecurity threats.