Common Problems in SIEM: Should You Switch to Security Analytics?
SIEM is a major component of any enterprise's cybersecurity platform. It is vital to detecting threats that have bypassed your endpoint security controls: it compiles log data from across your network, scans it for security threats, and catalogs findings for compliance purposes.
Yet many enterprises don't understand what their SIEM solution actually does or where it falls short. What problems do SIEM solutions face? And can security analytics solve those problems?
SIEM: Prevalent but Problematic?
Research firm Gartner defines security information and event management—SIEM—“by the customer’s need to analyze event data in real time for the early detection of targeted attacks and data breaches, and to collect, store, analyze, investigate and report on event data for incident response, forensics and regulatory compliance.”
In other words, SIEM focuses on collecting and analyzing logs from multiple data sources, with correlation rules written by security experts and executed in real time. As mentioned above, it supports compliance reporting and security incident investigation and response. SIEM is not log management per se: log management covers every use of log data (operations, troubleshooting, capacity), whereas SIEM focuses on the security uses of those logs.
However, SIEM has some weaknesses that are common across all solutions. Its analytical capabilities are limited to the information it collects and correlates, which in turn depends on what the solution can actually collect from across your enterprise's network.
The first recurring issue is that SIEM's analysis and alerting are only as good as the correlation rules your security experts write. Those rules can be too rigid to adapt to new demands: the fixed thresholds by which they define "normal behavior" may not account for what is actually normal for a given user, so a high-volume user trips the rule every day while a low-volume user's account can be abused without ever crossing it. They might also key on the wrong signal: a rule that treats a high volume of traffic at an odd hour as the marker of malicious activity will miss the same volume moved during normal business hours.
The second problem SIEM faces is almost the opposite of the first. The volume of logs a modern enterprise generates, nearly 10 terabytes of plaintext data a month according to some studies, is overwhelming. SIEM solutions may struggle to keep up with the deluge, or the rules security staff write fire on benign activity and generate false leads. False leads aren't just an annoyance. They waste your security team's time and money, and they let real threats slip by in the distracting chaos.
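To make both failure modes concrete, the following is an added example, not code from the original article and not any SIEM product's rule language. It runs a rigid "large transfer outside business hours" rule and a per-user baseline rule over a constructed transfer log. The log, the user names, the 1 GB static threshold, the 08:00-17:59 business-hours window and the three-standard-deviation band are all assumptions chosen for illustration.

```python
"""Static correlation rule vs per-user baseline over a constructed transfer log.

Added example for illustration; it is not code from the original article or
from any SIEM product. The events, thresholds and business-hours window are
all assumptions chosen to show the two failure modes described above.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BUSINESS_HOURS = range(8, 18)   # assumed: 08:00-17:59 counts as "normal" time
STATIC_MB = 1000                # assumed: static rule fires above 1 GB out
MIN_HISTORY = 5                 # observations needed before a baseline is trusted
STD_FLOOR_MB = 1.0              # keeps the band non-zero for very regular users
K_SIGMA = 3.0                   # width of the per-user band

START = datetime(2019, 3, 1)
# The single planted attack: 800 MB leaves through bob's account at 14:00 on day 7.
TRUE_ATTACK = ("bob", START + timedelta(days=7, hours=14), 800)


def build_events():
    """Constructed log of (user, timestamp, megabytes_out), one transfer per user per day.

    alice runs a nightly backup of ~5 GB at 22:00; bob uploads a few MB of
    reports at 10:00. Neither is malicious. The planted attack is appended last.
    """
    events = []
    for day in range(8):
        d = START + timedelta(days=day)
        events.append(("alice", d.replace(hour=22), 5000 + (day % 3) * 10))
        events.append(("bob", d.replace(hour=10), 5 + (day % 2)))
    events.append(TRUE_ATTACK)
    events.sort(key=lambda e: e[1])
    return events


def static_rule(events):
    """Rigid rule: large transfer outside business hours.

    Fires every night on alice's legitimate backup and never on the attack,
    because 800 MB is under the threshold and 14:00 is inside business hours.
    """
    return [e for e in events
            if e[2] > STATIC_MB and e[1].hour not in BUSINESS_HOURS]


def baseline_rule(events):
    """Per-user baseline: alert when a transfer exceeds mean + K_SIGMA * stdev
    of that user's own prior transfers (once MIN_HISTORY observations exist).
    """
    history = defaultdict(list)
    alerts = []
    for user, ts, mb in events:          # events must be in time order
        prior = history[user]
        if len(prior) >= MIN_HISTORY:
            spread = max(pstdev(prior), STD_FLOOR_MB)
            if mb > mean(prior) + K_SIGMA * spread:
                alerts.append((user, ts, mb))
        prior.append(mb)                 # note: an un-triaged alert also joins the baseline
    return alerts


def evaluate(alerts):
    """Return (true_positives, false_positives, missed) against the planted attack."""
    tp = sum(1 for a in alerts if a == TRUE_ATTACK)
    return tp, len(alerts) - tp, 1 - tp


if __name__ == "__main__":
    events = build_events()
    for name, rule in (("static", static_rule), ("baseline", baseline_rule)):
        tp, fp, missed = evaluate(rule(events))
        print(f"{name:8s} true positives={tp} false positives={fp} missed={missed}")
```

On this log the static rule produces eight false positives (alice's backups) and misses the one real exfiltration; the baseline rule raises exactly one alert, on the attack. The baseline approach is not free of the article's concerns, though: it needs enough history per user before it says anything, so new accounts get no coverage, and because each observed transfer is fed back into the baseline, an un-triaged alert or an attacker who ramps up slowly raises what the rule considers "normal" for that user.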
A third issue in SIEM is accessing, or outright finding, all the data an enterprise generates. A SIEM only sees the sources it has been configured to collect from; endpoints, cloud services, or network segments with no forwarding agent or log source are blind spots, and essential security data from them never reaches it.
Could Security Analytics Solve Those Problems?
Some enterprises have turned to security analytics as an alternative to SIEM and its issues. Vendors claim security analytics platforms can reach every endpoint in a corporate network, compile the results under a single pane of glass, and generate fewer false positives.
Yet as Dr. Anton Chuvakin (Research Vice President at Gartner) points out, security analytics may not solve what is really at issue with your SIEM. SIEM is complex and requires serious expertise to deploy and maintain properly, and it takes resources and knowledge to write good rules. The out-of-the-box correlation rules that solutions ship with, which some enterprises rely on to avoid the hard work of tuning, are often not sufficient to cover an enterprise's needs.
So before switching to a security analytics solution, consult with your IT security team about the rules they have in place, whether the SIEM solution your enterprise uses reaches the sources it needs to, and what can be done to ensure the best results.