SIEM problems pose a distinct challenge to enterprises looking to improve their overall cybersecurity posture in an increasingly dangerous digital marketplace. On the one hand, enterprises continue to express struggles with SIEM deployment and maintenance. Yet at the same time, enterprises inflate the severity of SIEM problems, possibly to avoid having to select a solution at all.
The facts are clear. Enterprises need the log management, threat detection, and compliance SIEM provides to best mitigate and re-mediate modern threats which can penetrate their network perimeter. Focusing on SIEM problems instead of recognizing how your enterprise can solve them precludes you from reaping its benefits.
We read “Unified Security Management (USM) vs. SIEM” a whitepaper by SIEM provider AlienVault. It outlines the top 3 SIEM problems and what enterprises can do to mitigate them.
One of the most recurrent SIEM problems enterprises cite is its cost. The initial upfront costs to a traditional SIEM solution include the licensing costs, implementation costs, and renewal costs. Additionally, your enterprise needs to consider the training costs for your employees to properly maintain the solution.
However, these costs shouldn’t prove extravagant compared to other cybersecurity solutions such as identity management and endpoint security. However, AlienVault contends two issues contribute to the perception of SIEM as being costly:
- Enterprises continue to sink money into legacy solutions which can’t perform compared to the modern threat landscape.
- Enterprises don’t invest the resources, time, or energy to maintaining their SIEM solution in the long term.
In many ways, the perception of cost as one of the SIEM problems to handle creates self-fulfilling prophecy. Enterprises believe SIEM will be too expensive to work with, and therefore become gun shy about investing in it properly.
Consider SIEM as a major long term investment in your overall cybersecurity and provide it with the time and energy it thus deserves. Additionally, the training SIEM requires will supplement your IT security team’s strengths across the long term.
2) Poor Correlation Rules
Part of the SIEM problems enterprises face is failing to maintain it with the proper security event correlation information. SIEM solutions do not operate in a vacuum; they draw on threat intelligence to detect potential threats dwelling on the network and create an alert your security team can investigate.
Not feeding your SIEM solution enough threat intelligence and correlation rules means it will miss serious and evolving threats. However, feeding it too much information means your security teams may become overwhelmed with security alerts; moreover, many of these alerts prove false positives, which waste time and energy in investigations.
Therefore, you should have your IT security team carefully examine any update you make to your network and digital assets to ensure the correlation rules still make sense. They also do so when you make any update to your other cybersecurity solutions, your servers, and applications.
Furthermore, you need to choose your threat intelligence feeds carefully. Not every enterprise faces the same types of digital threats; preparing your SIEM solution to search for more unlikely cyber attacks results in more false positives down the line. However, as threat intelligence feeds change, so should your correlation rules.
3) Ease of Use
Complexity remains on of the most commonly referenced SIEM problems. Compared to endpoint security and identity management, SIEM certainly appears intimidating. With the ever-encroaching cybersecurity staffing crisis, that appearance looks even more daunting. How do you feed the SIEM solution proper correlation rules? How do you examine its security alerts? How do you follow them up? How does it compliance compilation capabilities work?
The solution to this problem is to find a SIEM solution which possesses a user interface which works best for your IT security team and your IT environment. Don’t select a solution blindly or to rashly solve a problem; consult with your security team, request to see a product demonstration, and choose a solution you can see yourself working with long term.
You can learn more in the “Unified Security Management (USM) vs. SIEM” white paper by AlienVault.
Latest posts by Ben Canner (see all)
- Forecast: The Gartner 2019 SIEM Magic Quadrant - May 17, 2019
- LogRhythm Releases LogRhythm Cloud—a Cloud-Based SIEM Solution - May 16, 2019
- The 20 Best Cybersecurity Books for Enterprises in 2019 - May 14, 2019