The Value Most Organizations Get Out of Their SIEM Deployment is Far Lower Than it Used to Be
Almost all security organizations of a certain size have a substantial and costly SIEM deployment. Historically, the SIEM has played a central role in security operations and incident response for a number of reasons. But as time has gone on, the security operations workflow has grown more sophisticated and complex, so much so that the value most organizations get out of their SIEM deployment is far lower than it used to be.
I’m not suggesting that organizations suddenly give up on their SIEM deployments or rip them out entirely. In fact, quite the opposite. What I’m suggesting is that organizations challenge their legacy SIEM providers to meet the operational needs of 2018, rather than those of 1998. And, in the event that those legacy players can’t meet today’s needs, perhaps the time to be open to other options has come.
In this spirit, I present “10 reasons to break up with your legacy SIEM”:
1. Attacks aren’t linear: Most SIEMs present the data they ingest line by line, in the order it arrived. Attacks don’t unfold that way. A single intrusion branches across users, hosts and data sources over hours or days, and its events arrive interleaved with everything else the organization is logging. Staring at a chronological list of events isn’t going to help uncover suspicious or malicious activity; the related events have to be pulled together by the entities they share.
2. Focus on data value, not data volume: You are certainly welcome to collect every data source you can get your hands on. But have you thought about whether or not that data source you have access to provides value to security operations? If not, is it worth warehousing? Each piece of data retained both shortens the retention period available with existing storage capacity and degrades performance when performing investigation and analysis. Collect smarter, not harder.
3. Too many tools: The number of security tools that most security organizations have is simply astounding. With so many tools, the time has come to demand that each tool address multiple different operational requirements. As security operations has matured as a field, the requirements for the SIEM have grown well beyond the capabilities found in most of the legacy providers.
4. Internal traffic: Many security solutions, SIEMs included, lean heavily on perimeter traffic for visibility. Unfortunately, there is also a lot of important stuff going on inside the perimeter. Things like lateral movement, misuse of internal applications, and credential theft generally happen deep inside the organization, and they show up in endpoint telemetry, authentication and directory logs, and internal DNS and flow data rather than in firewall or proxy logs. Unfortunately, that is an area where many organizations struggle to gain adequate visibility. Organizations can’t simply turn a blind eye.
5. Slice and dice: Most of the security analysts I know are talented, clever, and creative. They need tools that allow them to build sophisticated queries to slice and dice data in ways that enable them to investigate suspicious activity and identify other activity requiring attention. Further, speed and performance are key here. No one should have to wait hours to know whether or not a given type of activity has been seen before.
6. Correlation: Security teams need their tools to help them connect the dots between related events. At a minimum, security tools need to aid, rather than fight, the analyst in making these connections. Beyond that though, modern tools need to connect some of the relevant dots automatically, before the analyst ever sets eyes on them.
7. Context: Building the narrative around an event or events allows the security team to make timely and accurate decisions. This involves putting together a delicate puzzle of supporting evidence from a variety of different data sources to bring important context to otherwise context-less events. Tools that don’t support this level of investigative freedom, or better yet, do some of it automatically, just don’t make the grade in 2018.
8. Smarter content development: No matter how good an organization is at keeping up with the latest and greatest detection techniques, there is always room for improvement. If you’ve got a smart team with great ideas, they are likely frustrated by the analytical limits and query power of legacy SIEMs. Perhaps it is time to allow them to unleash their creativity on modern tools that empower them to discover and implement new detection techniques percolating inside their heads.
9. Smoother investigation: If you’ve ever tried investigating an incident using a legacy SIEM, you likely learned very quickly that the whole process was not exactly smooth. Today’s investigations require tools designed with enough flexibility and power to allow for incisive querying across a large volume and variety of data.
10. New approaches: Manually developing alert logic is an extremely important activity, but it is limited by analyst bandwidth. Automated analytical approaches have matured to the point where they can (if implemented correctly) add value to the security operations workflow by surfacing activity nobody has written a rule for yet. Of course, there are tools that do not have enough analytical rigor and produce a large volume of false positives and noise, and any such capability should be judged on the precision of what it surfaces, not on the size of its model. However, there are a select number of tools that can produce a reasonable volume of high fidelity, reliable alerting that might not have been identified by a human. Slowly but surely, this capability is becoming a must have for the modern security team.
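To make points 1, 6 and 7 concrete, here is an added example that is not part of the original post. It pivots events from three hypothetical sources (auth, endpoint and net, in a simple key=value format I made up for the example) onto the user and host they share, and flags a brute-force logon that is followed by lateral movement from the freshly compromised host, assembling the supporting events into one ordered narrative. The log lines and the known-source baseline are constructed, and the thresholds and windows are assumptions; read top to bottom, the same lines look like unrelated noise.

```python
"""Entity-centric correlation over multi-source events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data) from three hypothetical sources,
# deliberately interleaved with unrelated activity so the linear view hides the chain.
SAMPLE_LOGS = [
    "2018-05-01T09:00:01Z auth host=WS-17 user=alice result=FAIL src=10.0.5.9",
    "2018-05-01T09:00:02Z auth host=WS-03 user=bob result=OK src=10.0.5.22",
    "2018-05-01T09:00:03Z auth host=WS-17 user=alice result=FAIL src=10.0.5.9",
    "2018-05-01T09:00:04Z endpoint host=WS-03 user=bob proc=outlook.exe",
    "2018-05-01T09:00:05Z auth host=WS-17 user=alice result=FAIL src=10.0.5.9",
    "2018-05-01T09:00:07Z net src_host=WS-03 dst_host=MAIL-01 proto=https",
    "2018-05-01T09:00:08Z auth host=WS-17 user=alice result=FAIL src=10.0.5.9",
    "2018-05-01T09:00:09Z auth host=WS-17 user=alice result=FAIL src=10.0.5.9",
    "2018-05-01T09:00:12Z auth host=WS-17 user=alice result=OK src=10.0.5.9",
    "2018-05-01T09:00:30Z endpoint host=WS-17 user=alice proc=cmd.exe",
    "2018-05-01T09:01:10Z net src_host=WS-17 dst_host=FS-02 proto=smb",
    "2018-05-01T09:01:11Z auth host=FS-02 user=alice result=OK src=10.0.5.17",
    "2018-05-01T09:02:00Z auth host=WS-03 user=bob result=OK src=10.0.5.22",
]

# Constructed baseline of source addresses each user has logged on from before.
# A real deployment would learn this from history; it is fixed here to run offline.
KNOWN_SOURCES = {"alice": {"10.0.5.17"}, "bob": {"10.0.5.22"}}

# Assumed tuning values for the example.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=5)
FOLLOW_WINDOW = timedelta(minutes=10)
LATERAL_PROTOS = {"smb", "rdp", "winrm"}


def parse(line):
    """Turn one 'timestamp source k=v k=v ...' line into a dict with a datetime."""
    ts, source, *fields = line.split()
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source, "raw": line}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def group_by_user_host(events):
    """Pivot auth events on (user, host) so related lines sit together."""
    groups = defaultdict(list)
    for ev in events:
        if ev["source"] == "auth":
            groups[(ev["user"], ev["host"])].append(ev)
    return groups


def find_brute_force_success(auth_events):
    """Return the failures plus the success that followed them, or None."""
    fails = []
    for ev in sorted(auth_events, key=lambda e: e["ts"]):
        if ev["result"] == "FAIL":
            fails.append(ev)
            continue
        recent = [f for f in fails if ev["ts"] - f["ts"] <= FAIL_WINDOW]
        if ev["result"] == "OK" and len(recent) >= FAIL_THRESHOLD:
            return recent + [ev]
        fails = []  # a success without a preceding burst resets the count
    return None


def follow_on_activity(events, host, user, after):
    """Endpoint and network events from the compromised host inside FOLLOW_WINDOW."""
    out = []
    for ev in events:
        if not after < ev["ts"] <= after + FOLLOW_WINDOW:
            continue
        if ev["source"] == "endpoint" and ev["host"] == host and ev["user"] == user:
            out.append(ev)
        elif ev["source"] == "net" and ev["src_host"] == host and ev["proto"] in LATERAL_PROTOS:
            out.append(ev)
    return out


def correlate(lines):
    """Build one alert per (user, host) where brute force led to lateral movement."""
    events = [parse(line) for line in lines]
    alerts = []
    for (user, host), auth_events in group_by_user_host(events).items():
        chain = find_brute_force_success(auth_events)
        if not chain:
            continue
        success = chain[-1]
        follow = follow_on_activity(events, host, user, success["ts"])
        lateral = [e for e in follow if e["source"] == "net"]
        if not lateral:
            continue
        alerts.append({
            "user": user,
            "host": host,
            "src": success["src"],
            # Context enrichment: was this source address ever seen for the user before?
            "new_source": success["src"] not in KNOWN_SOURCES.get(user, set()),
            "lateral_targets": sorted({e["dst_host"] for e in lateral}),
            "narrative": [e["raw"] for e in sorted(chain + follow, key=lambda e: e["ts"])],
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(f"{alert['user']}@{alert['host']} from {alert['src']} "
              f"(new source: {alert['new_source']}) -> {alert['lateral_targets']}")
        for line in alert["narrative"]:
            print("   ", line)
```

Two points are worth noticing. No single rule above matches one line; the alert exists only because auth, endpoint and net events were joined on the host and user they share. And the narrative is built for the analyst, in time order, from the evidence that justified the alert, which is exactly the context a line-by-line view never assembles.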