Security information and event management (SIEM) solutions have been around for many years now. Early adoption of the technology was driven by mandates like HIPAA, SOX and PCI DSS, since SIEM solutions provided the monitoring and reporting that enterprises needed to establish and prove their compliance. But with cyberattacks getting more sophisticated and more damaging all the time, organizations are increasingly turning to SIEMs as a way to improve security, not just to satisfy auditors.
Unfortunately, this strategy doesn’t always work out very well. All too often, the SIEM spits out so many alarms that security teams are overwhelmed rather than empowered, and costs spiral so far out of control that the organization feels it has no choice but to dial back monitoring to just a few “critical” systems — leaving critical gaps that attackers can exploit to get into the network, move laterally undetected, and steal data or disrupt operations.
Why does this happen, and how can you maximize the value of your SIEM in your security strategy? To answer these questions, we need to start with a clear understanding of the purpose of SIEMs and how they work. Remember that SIEMs are "event management" solutions: their basic function is to collect and manage event data from various sources in your IT environment. The data collection part seems simple enough, but the details matter. Most SIEM tools gather log data through agents installed on the sources or through native forwarding mechanisms such as syslog, and the sources span servers, workstations, applications, and network and security devices such as firewalls, antivirus filters and intrusion prevention systems (IPS). The agents then forward the events to a central collection and analysis tier, where the events are normalized into a common schema so that a logon recorded by Windows and one recorded by a Linux host can be compared.
Once the data is collected, the SIEM proceeds to the "event management" function. That means, essentially, looking through all the data for patterns and anomalies that could indicate a threat. Different SIEMs look for suspicious activity in different ways. Some use rule-based correlation (for example, "N failed logons for one account followed by a success from the same source within a few minutes") or a statistical correlation engine to establish relationships between event log entries. More advanced SIEMs use machine learning, advanced statistical analysis, user behavior analytics (UBA) and other techniques to make more accurate assessments about which activity is actually a threat. Once the likely threats are identified, it's time to take action. The best SIEMs integrate with other enterprise security controls so they can instruct them to increase logging, generate an alert or block the activity, for instance.
That all sounds great, right? So, where do the issues I mentioned earlier, high costs and tons of alerts, come in? It's no secret that IT ecosystems are busy places, but it's worth quantifying that a bit. Even in a moderate-size environment, every day there are literally millions of events that could potentially be security-related. For example, while a particular user might face a password prompt only a handful of times a week, Active Directory is a busy little bee behind the scenes all the livelong day, constantly performing authentication and authorization as the user accesses data, runs applications and does just about anything else in the IT realm, and every one of those Kerberos ticket requests and NTLM validations lands in a log. Similarly, your firewall, gateways, routers, wireless access points, switches and other network devices are a hotbed of activity, almost all of which could be relevant for security. In short, the number of events adds up fast.
Since many SIEM vendors charge based on the volume of data ingested or stored per day, forcing your SIEM to drink from that firehose of event data can quickly jack up your bill. To reduce the amount of information that has to be transmitted and stored, sometimes the agents on the various endpoints perform some preprocessing, such as dropping known-noisy event types or events from known service accounts, to weed out data that's unlikely to be useful. Still, many organizations end up simply shutting off data collection on machines and systems they consider less critical to reduce the flood of input data and keep their monthly bill in check.
Even so, the SIEM will likely spit out far more alarms than the security and compliance teams can ever hope to investigate. What's more, the results will include both false positives (benign activity flagged as a threat) and false negatives (real attacks that never trigger an alert). After all, no SIEM can flag events it never receives, and it can't properly analyze the data it does have if it sees only an incomplete picture of what's happening across the IT ecosystem. Activity that is clearly innocuous once all the facts are in can get flagged as suspicious, while a correlation rule that needs to see an attacker's attempts on several hosts will miss the attack entirely if some of those hosts are no longer monitored. So security analysts have to sift through the noise, connect the dots, prioritize security incidents, and provide feedback to continuously educate the SIEM about the environment, which drives up costs again.
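To make the preceding two points concrete, here is a small rule-based correlation of the kind described above, run over a handful of constructed Windows-style logon events. This is an added example, not code from the original post or from any SIEM product. The event IDs 4624 (successful logon) and 4625 (failed logon) are the real Windows Security log identifiers; the hosts, usernames, IP addresses, timestamps, the threshold of four failures and the five-minute window are all assumptions chosen for the illustration. The same block shows the cost-driven "collect only from critical systems" decision: `agent_prefilter` drops events from hosts that were deemed non-critical, and the rule that fires with full coverage goes silent once the workstations are no longer collected, because the file server alone saw only one failed attempt.

```python
"""Rule-based logon correlation, and how trimming collection creates a false
negative. Sample events below are constructed for this example, not real logs."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    host: str      # host that produced the event
    event_id: int  # Windows Security log: 4625 = failed logon, 4624 = successful logon
    user: str
    src_ip: str    # source address recorded in the event


T0 = datetime(2024, 1, 1, 9, 0, 0)  # assumed start time for the constructed sample

# Constructed sample: one attacker (10.0.0.77) guessing jsmith's password across
# two workstations and then the file server, where the sixth attempt succeeds.
# The last three events are ordinary user activity included as background noise.
EVENTS = [
    LogonEvent(T0 + timedelta(seconds=0),  "WS-101", 4625, "jsmith", "10.0.0.77"),
    LogonEvent(T0 + timedelta(seconds=5),  "WS-101", 4625, "jsmith", "10.0.0.77"),
    LogonEvent(T0 + timedelta(seconds=12), "WS-102", 4625, "jsmith", "10.0.0.77"),
    LogonEvent(T0 + timedelta(seconds=20), "WS-102", 4625, "jsmith", "10.0.0.77"),
    LogonEvent(T0 + timedelta(seconds=31), "FS-01",  4625, "jsmith", "10.0.0.77"),
    LogonEvent(T0 + timedelta(seconds=40), "FS-01",  4624, "jsmith", "10.0.0.77"),
    LogonEvent(T0 + timedelta(seconds=50), "FS-01",  4624, "jsmith", "10.0.5.12"),
    LogonEvent(T0 + timedelta(minutes=3),  "WS-101", 4625, "bjones", "10.0.5.13"),
    LogonEvent(T0 + timedelta(minutes=3, seconds=8), "WS-101", 4624, "bjones", "10.0.5.13"),
]


def agent_prefilter(events, monitored_hosts):
    """Mimic the cost-saving decision to collect only from 'critical' hosts:
    every event from a host outside `monitored_hosts` is dropped before it
    ever reaches the SIEM."""
    return [e for e in events if e.host in monitored_hosts]


def brute_force_then_success(events, threshold=4, window=timedelta(minutes=5)):
    """Correlation rule (thresholds are assumptions for this example):
    at least `threshold` failed logons for the same (user, src_ip) pair, on any
    combination of hosts within `window`, followed by a successful logon for
    that same pair. Returns one alert dict per qualifying success."""
    alerts = []
    failures = defaultdict(list)  # (user, src_ip) -> timestamps of recent 4625s
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.user, e.src_ip)
        # Keep only failures that are still inside the sliding window.
        failures[key] = [t for t in failures[key] if e.ts - t <= window]
        if e.event_id == 4625:
            failures[key].append(e.ts)
        elif e.event_id == 4624 and len(failures[key]) >= threshold:
            alerts.append({
                "user": e.user,
                "src_ip": e.src_ip,
                "host": e.host,            # where the attacker finally got in
                "failures": len(failures[key]),
                "ts": e.ts,
            })
            failures[key].clear()      # one alert per burst, not per later logon
    return alerts


def compare_coverage(events=EVENTS, critical_hosts=frozenset({"FS-01"})):
    """Run the rule twice: once over everything, once over only what survives
    the prefilter. Returns (alerts_with_full_coverage, alerts_after_trimming)."""
    full = brute_force_then_success(events)
    trimmed = brute_force_then_success(agent_prefilter(events, critical_hosts))
    return full, trimmed


if __name__ == "__main__":
    full, trimmed = compare_coverage()
    print("alerts with all hosts collected:", full)
    print("alerts with only FS-01 collected:", trimmed)
```

With every host collected, the rule sees five failures for `jsmith` from `10.0.0.77` before the success on `FS-01` and raises one alert; the two legitimate logons never come close to the threshold. Restrict collection to the file server and the same attack produces a single failure followed by a success, which looks like an ordinary typo, so nothing fires. That silence is the false negative the paragraph above describes, and no amount of tuning on the remaining data can recover it.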
You might be thinking that my conclusion here is that SIEMs are simply of no value in an enterprise security strategy. Not at all! I actually know full well that SIEMs can be a valuable tool — the trick is to use them properly, in accordance with what they were designed to do best. For many organizations, that means rethinking the larger data collection and processing model: Instead of trying to run every single event you collect through your SIEM, feed it a much smaller diet of higher quality input data, so you can improve security and regulatory compliance while controlling costs.
To learn more about this model and how it can benefit your organization, check out our new white paper, "SIEM Integration Best Practices: Making the Most of Your Security Event Logs." You'll discover how SIEMs can work most effectively with the other components of your security infrastructure, including not just native logs but your IDS, DLP, PAM, PSM and UBA solutions and your enterprise storage repositories. You'll also learn which types of events are the most critical to collect, and what to look for in tools to help you get the comprehensive security solution your organization needs.