As enterprises work to strengthen their defences against cyber threats, Security Information and Event Management (SIEM) solutions help them meet their security objectives by aggregating, correlating and analysing logs from across the environment.
Unfortunately, many organizations believe that their SIEM solutions are working effectively without realizing their potential limitations.
In the previous article, we explained why having a SIEM doesn’t automatically mean that your organization is secure. Several SIEM limitations were discussed in detail.
However, there are several possible solutions that can help organizations address their SIEM limitations.
According to the Netwrix SIEM Efficiency Survey (2016), “86% of enterprises who integrated their SIEM with an IT auditing solution claimed that it assisted them to overcome SIEM drawbacks. Besides, 55% of them preferred to cope with SIEM drawbacks by hiring additional staff, while 41% of respondents opted for strengthening their SIEM with additional solutions in order to overcome the limitations”.
The chart below, taken from the same survey, shows how SIEM users typically deal with these limitations.
On the bright side, SIEM limitations are not insurmountable. Pairing the SIEM with additional security controls lets an organization detect and mitigate threats far more effectively than the SIEM alone.
Continuous, 24/7 maintenance of the SIEM is equally indispensable: collectors, parsers, correlation rules and storage all need to be checked regularly to confirm they are still working as intended.
Misconfiguration
Misconfiguration occurs when a secure configuration is changed, whether accidentally or through oversight.
Once a system is misconfigured, attackers can find gaps through which to penetrate a supposedly secure network. Sometimes the attackers themselves deliberately misconfigure systems to introduce weaknesses or to keep their activity from being detected, which is why changes to security-relevant settings should be treated as security events in their own right and fed to the SIEM.
A security configuration management or file-integrity monitoring tool such as Tripwire should be considered to monitor critical systems and report misconfiguration events. Tripwire (available as the commercial Tripwire Enterprise and as Open Source Tripwire) is a data integrity tool that monitors files and system settings and alerts administrators when a monitored item changes. Configuration management tools such as PowerShell DSC, SaltStack, Chef, Puppet and CFEngine go a step further and enforce a desired state, reporting or reverting any drift; immutable container images (for example, Docker images) reduce drift by replacing in-place changes with rebuilt images.
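The mechanism behind a file-integrity or configuration-monitoring tool is a baseline snapshot compared against a later one. The following is an added example written for this article; it is not Tripwire's code or any vendor's. It fingerprints each file by content hash and permission bits (a permission change alone is a misconfiguration worth alerting on), and the demo builds a constructed temporary directory with an assumed sshd_config and authorized_keys file to show what drift looks like.

```python
"""Baseline-and-compare integrity check: the core of what a FIM/SCM tool does."""
import hashlib
import os
import stat
import tempfile


def fingerprint(data: bytes, st_mode: int):
    """Content hash plus permission bits; both matter for configuration drift."""
    return hashlib.sha256(data).hexdigest(), oct(stat.S_IMODE(st_mode))


def snapshot_tree(root):
    """Walk a directory and fingerprint every regular file, keyed by relative path."""
    snap = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are out of scope for this example
            with open(full, "rb") as fh:
                snap[os.path.relpath(full, root)] = fingerprint(fh.read(), st.st_mode)
    return snap


def compare(baseline, current):
    """Return a list of drift events; an empty list means no drift."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            changes.append({"path": path, "kind": "removed"})
        elif path not in baseline:
            changes.append({"path": path, "kind": "added"})
        else:
            (old_hash, old_mode), (new_hash, new_mode) = baseline[path], current[path]
            if old_hash != new_hash:
                changes.append({"path": path, "kind": "content"})
            if old_mode != new_mode:
                changes.append({"path": path, "kind": "mode", "old": old_mode, "new": new_mode})
    return changes


def demo():
    """Constructed scenario: a hardened sshd_config is weakened, loosened, and a key is planted."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "sshd_config")
        with open(cfg, "w") as fh:
            fh.write("PermitRootLogin no\n")
        os.chmod(cfg, 0o600)
        baseline = snapshot_tree(root)

        # Drift: content change, permission change, and a new file (constructed, not a real key).
        with open(cfg, "w") as fh:
            fh.write("PermitRootLogin yes\n")
        os.chmod(cfg, 0o644)
        with open(os.path.join(root, "authorized_keys"), "w") as fh:
            fh.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 constructed-example-key\n")
        return compare(baseline, snapshot_tree(root))


if __name__ == "__main__":
    for change in demo():
        print(change)
```

In practice the baseline itself must be stored somewhere the monitored host cannot rewrite, and the comparison should run from a schedule the host does not control; otherwise an attacker who can change the configuration can also re-baseline it.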
False Positives
As per the Cisco Security Capabilities Benchmark Study (2017), “only 28 percent of investigated security alerts turn out to be legitimate”.
Some Managed Security Service Providers (MSSPs) still take the traditional approach and hire a larger team of analysts to review every alert. This does not scale: a SIEM can raise thousands of alerts per day, and triaging them one by one is an unachievable undertaking.
MSSPs and SIEM operators need a more disciplined approach to managing their SIEM if they are to reduce or eliminate the flood of false positives.
Sometimes a single rule can trigger hundreds of false positives. Your security analysts must therefore review rule hit counts regularly and disable, narrow or re-threshold rules that produce far more noise than signal, since every such rule buries real alerts and drains analyst time.
It is also imperative to fine-tune the configuration, whether by SIEM consultants or in house.
For instance, a threat feed can rank a range of IP addresses as “high-severity” if they are attributed to a known threat group. Your SIEM can also use geolocation and network-topology data to raise or lower criticality based on where your traffic is coming from or going to. With that data, the SIEM can automatically distinguish traffic to and from unknown external networks, traffic from remote (VPN) users, and inter-office traffic, and weight each differently.
Be careful with low-quality threat feeds: a feed full of stale or unverified indicators multiplies false positives rather than reducing them. Weight feed hits by the confidence and age of the indicator, and do not let a low-confidence hit raise severity on its own.
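The enrichment described above, as an added example that is not part of the original article: events are re-scored by the zone of the peer address (inter-office, remote VPN, or unknown external) and by a threat-feed lookup that only escalates when the indicator's confidence clears a floor. The feed entries, the address plan (10/8 and 192.168/16 as offices, 172.16/12 as the VPN pool) and the sample events are all constructed for the example.

```python
"""Severity enrichment from a threat feed and a network-zone (geolocation-style) lookup."""
import ipaddress

# Constructed threat feed: indicator -> (confidence 0..1, source). Values are invented.
THREAT_FEED = {
    "203.0.113.0/24": (0.9, "vendor-feed"),       # high-confidence indicator
    "198.51.100.77/32": (0.2, "community-list"),  # low-confidence indicator
}
FEED_CONFIDENCE_FLOOR = 0.6  # a hit below this never raises severity on its own

# Assumed address plan for a hypothetical organisation.
OFFICE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
VPN_POOL = [ipaddress.ip_network("172.16.0.0/12")]

SEVERITY = ["low", "medium", "high", "critical"]


def classify_peer(ip):
    """Zone of the remote side of a flow: inter-office, remote (VPN) or foreign."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in OFFICE_NETS):
        return "inter-office"
    if any(addr in net for net in VPN_POOL):
        return "remote"
    return "foreign"


def feed_lookup(ip):
    """Return (confidence, source) for the best-matching feed entry, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, (confidence, source) in THREAT_FEED.items():
        if addr in ipaddress.ip_network(cidr) and (best is None or confidence > best[0]):
            best = (confidence, source)
    return best


def enrich(event):
    """Return a copy of the event with adjusted severity, the peer zone, and the reasons applied."""
    level = SEVERITY.index(event["severity"])
    reasons = []
    # The peer is the side that is not us: destination for outbound, source for inbound.
    peer = event["dst"] if event["direction"] == "outbound" else event["src"]
    zone = classify_peer(peer)
    if zone == "inter-office":
        level -= 1
        reasons.append("peer is inter-office")
    elif zone == "foreign":
        level += 1
        reasons.append("peer is on an unknown external network")
    hit = feed_lookup(peer)
    if hit is not None:
        confidence, source = hit
        if confidence >= FEED_CONFIDENCE_FLOOR:
            level += 2
            reasons.append(f"threat feed hit ({source}, confidence {confidence})")
        else:
            reasons.append(f"low-confidence feed hit ignored ({source}, confidence {confidence})")
    level = max(0, min(level, len(SEVERITY) - 1))
    return {**event, "severity": SEVERITY[level], "zone": zone, "reasons": reasons}


# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [
    {"rule": "port-scan", "direction": "inbound", "src": "203.0.113.5", "dst": "10.0.0.5", "severity": "low"},
    {"rule": "dns-beacon", "direction": "outbound", "src": "10.0.0.5", "dst": "198.51.100.77", "severity": "medium"},
    {"rule": "smb-lateral", "direction": "inbound", "src": "10.1.2.3", "dst": "10.0.0.5", "severity": "medium"},
    {"rule": "rdp-login", "direction": "inbound", "src": "172.16.5.5", "dst": "10.0.0.5", "severity": "low"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        out = enrich(ev)
        print(f"{out['rule']:<12} {out['zone']:<13} {ev['severity']:>6} -> {out['severity']:<8} {'; '.join(out['reasons'])}")
```

Note the third sample: a zone-based downgrade turns an SMB lateral-movement alert between two office subnets into "low". Zone adjustments are appropriate for rules about external exposure, but rules written to catch lateral movement should be exempted from the inter-office discount, otherwise the tuning hides exactly the traffic they exist to find.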
Noise
The Netwrix SIEM Efficiency Survey (2016) has revealed that “83% of SIEM reports involve too much noise data. However, most enterprises who successfully integrated their SIEM with IT auditing solutions became more satisfied with the reporting capabilities because reports contained less noise.”
In the research paper “Successful SIEM and Log Management Strategies for Audit and Compliance”, the SANS Institute recommends that especially during audits, “providing an unambiguous definition of what constitutes threats can rapidly reduce much of the noise of common logs”.
Noise and false positives go hand in hand: the more precisely a security event is defined, the fewer false positives it raises and the less noise the analysts have to wade through. Reducing false positives is therefore the most direct way to reduce noise.
Log Types and Relevance
Most SIEMs collect all log data without considering that a large share of it is useless or irrelevant for security monitoring. To judge relevance, you need to know the different log categories and then decide which of them matter to the organization’s security posture.
Most important log categories:
Irrelevant logs add noise to an otherwise quiet environment. Your SIEM should therefore collect only the logs that are relevant to security or that help detect attacks, and keep the rest out of the SIEM (they can still be retained elsewhere if operations or compliance need them).
This requires the SIEM to have strong log management capabilities. An MSSP could provide this log monitoring capability as well.
Performance
Processing data that is not related to security can seriously degrade SIEM performance.
SIEM solutions often receive a broad spectrum of noise such as performance metrics, compliance data and raw IP packet traffic, all of which adds unnecessary load and exhausts resources on the collection and correlation tiers.
Log categorization and normalization can play a vital role in overcoming this. If the SIEM processes only security-related data, the Events Per Second (EPS) load drops noticeably, which also matters because many SIEM licences are priced by EPS or daily ingest volume.
The SIEM should therefore be configured to process only security-related data rather than wasting resources on everything else. Measure EPS before and after filtering so that the benefit, and any accidental loss of a needed source, is visible.
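The categorization and filtering discussed in the two sections above, as an added example that is not part of the original article: syslog-style lines are parsed, categorized by the logging program, filtered to the security-relevant categories, and the EPS before and after is computed over the observed window. The program-to-category table and the sample lines are constructed for the example; which categories count as "security" is a policy decision each organization has to make, and unknown programs are deliberately kept rather than dropped.

```python
"""Classify syslog-style lines by source, keep only security-relevant ones, and measure EPS."""
import re
from collections import Counter
from datetime import datetime

# Assumed mapping from logging program to category (an example, not a standard).
CATEGORY_BY_PROGRAM = {
    "sshd": "authentication",
    "sudo": "privilege-use",
    "iptables": "firewall",
    "auditd": "audit",
    "collectd": "performance",
    "ntpd": "timesync",
    "dhcpd": "network-ops",
    "smartd": "hardware-health",
}
SECURITY_CATEGORIES = {"authentication", "privilege-use", "firewall", "audit"}

# "<iso timestamp> <host> <program>[pid]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<program>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$")


def parse_line(line):
    """Parse one line into a categorized record, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    program = m.group("program")
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "host": m.group("host"),
        "program": program,
        "msg": m.group("msg"),
        # Unknown programs are flagged, not dropped: silently discarding an
        # unclassified source is how a needed feed goes missing.
        "category": CATEGORY_BY_PROGRAM.get(program, "unknown"),
    }


def is_security_relevant(record):
    return record["category"] in SECURITY_CATEGORIES or record["category"] == "unknown"


def summarize(lines):
    """Filter lines and report counts plus EPS before/after over the observed window."""
    records = [r for r in map(parse_line, lines) if r is not None]
    if not records:
        return {"total": 0, "kept": 0, "unknown": 0, "dropped_by_category": {}, "eps_before": 0.0, "eps_after": 0.0}
    kept = [r for r in records if is_security_relevant(r)]
    dropped = Counter(r["category"] for r in records if not is_security_relevant(r))
    first = min(r["ts"] for r in records)
    last = max(r["ts"] for r in records)
    window = max((last - first).total_seconds(), 1.0)  # one-second floor avoids division by zero
    return {
        "total": len(records),
        "kept": len(kept),
        "unknown": sum(1 for r in kept if r["category"] == "unknown"),
        "dropped_by_category": dict(dropped),
        "eps_before": len(records) / window,
        "eps_after": len(kept) / window,
    }


# Constructed sample lines (not real logs).
SAMPLE_LOGS = [
    "2024-05-01T12:00:00 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "2024-05-01T12:00:00 host1 collectd[300]: cpu load 0.42",
    "2024-05-01T12:00:01 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/bin/bash",
    "2024-05-01T12:00:01 host2 ntpd[411]: adjusting local clock by 0.002s",
    "2024-05-01T12:00:02 host2 iptables: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 DPT=445",
    "2024-05-01T12:00:02 host1 collectd[300]: memory used 61%",
    "2024-05-01T12:00:03 host2 dhcpd: DHCPACK on 10.0.0.23 to aa:bb:cc:dd:ee:ff",
    "2024-05-01T12:00:03 host1 auditd[77]: USER_ACCT pid=2310 uid=0 auid=1000 msg='op=PAM:accounting acct=alice res=success'",
    "2024-05-01T12:00:04 host2 smartd[90]: Device /dev/sda temperature 34 Celsius",
    "2024-05-01T12:00:04 host2 sshd[1300]: Accepted publickey for bob from 10.0.0.12 port 40000 ssh2",
    "2024-05-01T12:00:04 host2 myapp[9]: worker started",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))
```

The "unknown" count is the number to watch after deploying a filter like this: a non-zero value means a source is reaching the SIEM that nobody has classified yet, and it should be reviewed and added to the table rather than left in the default bucket.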
Conclusion
Many organizations still have misconceptions about SIEM solutions and assume that a SIEM is protecting their IT environment effectively. Unfortunately, this is not always true: SIEM solutions have limitations that must be addressed before they can help secure an organization.
However, SIEM practitioners have found practical remedies for these limitations that make the SIEM more effective.
Those remedies involve 24/7 maintenance of the SIEM and the deployment of additional controls that make it more reliable when dealing with cyber threats. Organizations with proper maintenance and these additional controls in place will defend against attacks more effectively and respond to them faster.