How to Avoid the Six Most Common SIEM Pitfalls

SIEM (Security Information and Event Management) solutions are essential to enterprises for managing logs and workflow, analyzing security alerts in real time, and supporting the response to attacks. According to Gartner analyst Oliver Rochford, while SIEM solutions are undeniably valuable for cybersecurity, a few pitfalls recur across deployments. Avoid the following to get real detection value from the investment.

Lack of Planning: Every solution is different, which is why it is worth examining your company's needs before settling on one. Some solutions cater to large businesses or offer more sophisticated features, a wider range of deployment options, and so on, which makes them appealing on paper. However, choosing a solution for the wrong reasons leads to implementation problems or to a product that never satisfies the requirements you actually had. Follow a formalized selection process: write down the requirements first, then score candidates against them.

Failing to Define Scope: You must identify your primary objective (e.g. compliance reporting, alerting, threat management) in order to choose the right security technologies and the associated use cases. A SIEM bought for compliance and a SIEM bought for threat detection need different log sources, different retention, and different rules.

Unrealistic Scoping: Many companies believe their SIEM will monitor correctly out of the box. In practice the process takes time. Onboard log sources and use cases consistently and in phases, so that each stage can be tuned and troubleshot before the next one adds more noise.

Failure to Monitor Events: Rather than collecting every log and storing it, effective SIEM detection depends on correlation rules that consume specific events from specific sources. Haphazardly collecting everything hinders performance and buries the events the rules need. Onboard sources selectively, use case by use case, so that every ingested log type is there because a rule or a report depends on it. Selective ingestion for detection is not the same as discarding evidence: sources you are not correlating on may still be needed for investigation, so archive them cheaply rather than dropping them outright.

Lack of Context: By themselves, event types are hard to analyze. For example, a user logging in to a server does not look risky on its own, but a user from the marketing department logging in to a server owned by research and development is worth a closer look. Without organizational context (who the user is, which department owns the asset, which cross-department access is expected), the SIEM cannot tell the two cases apart: it either misses the suspicious login or raises the same alert for ordinary access and drowns analysts in false positives. Integrate user and asset context (from HR and the asset inventory) into the SIEM so that rules can make this distinction.
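The two points above, selective ingestion and organizational context, are easiest to see in a small correlation rule. The following is an added example written for this article; it is not code from the article, from Gartner, or from any SIEM product. The log format, the host and user names, the department mapping and the cross-department allow list are all constructed for illustration: a real deployment would pull the user and asset tables from HR and the asset inventory and express the rule in the SIEM's own rule language.

```python
"""Context-enriched correlation rule over constructed sample log lines.

The rule only consumes successful SSH logins (selective ingestion), enriches
each login with the user's department and the asset's owning department, and
raises a finding when the access crosses departments without an approved
reason. A login whose user or host is missing from the inventory is reported
as a context gap rather than silently passed, because a missing lookup is
exactly the 'lack of context' failure the article describes.
"""
import re
from dataclasses import dataclass

# Constructed organizational context (assumed; a real SIEM imports this from HR/CMDB).
USER_DEPARTMENT = {
    "alice": "research-and-development",
    "bob": "marketing",
    "svc-backup": "it-operations",
}
ASSET_OWNER = {
    "rd-fileserver-01": "research-and-development",
    "web-cms-02": "marketing",
}
# Assumed policy: departments allowed onto assets they do not own.
CROSS_DEPARTMENT_ALLOW = {
    "it-operations": {"research-and-development", "marketing"},
}

# Constructed sample log lines in a simple syslog-like layout (not a real product's format).
SAMPLE_LOGS = """\
2024-05-01T08:02:11Z rd-fileserver-01 sshd: Accepted publickey for alice from 10.1.20.14
2024-05-01T08:05:47Z rd-fileserver-01 sshd: Accepted password for bob from 10.1.30.77
2024-05-01T08:06:03Z web-cms-02 sshd: Accepted password for bob from 10.1.30.77
2024-05-01T02:00:00Z rd-fileserver-01 sshd: Accepted publickey for svc-backup from 10.1.5.2
2024-05-01T08:07:19Z rd-fileserver-01 sshd: Failed password for invalid user admin from 203.0.113.9
2024-05-01T08:09:00Z rd-fileserver-01 cron: (root) CMD (run-parts /etc/cron.hourly)
2024-05-01T08:10:30Z rd-fileserver-01 sshd: Accepted password for carol from 10.1.40.8
"""

# Only the event type the rule needs: successful sshd logins.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Accepted (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


@dataclass
class Finding:
    ts: str
    user: str
    host: str
    user_dept: str
    asset_dept: str
    reason: str


def parse_logins(text):
    """Yield successful SSH logins as dicts; failed logins and cron noise are skipped."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.groupdict()


def evaluate(text, user_department=USER_DEPARTMENT, asset_owner=ASSET_OWNER,
             allow=CROSS_DEPARTMENT_ALLOW):
    """Enrich each login with department context and return the findings worth an analyst's time."""
    findings = []
    for ev in parse_logins(text):
        user_dept = user_department.get(ev["user"])
        asset_dept = asset_owner.get(ev["host"])
        if user_dept is None or asset_dept is None:
            # Cannot decide without context: surface the inventory gap instead of guessing.
            reason = "context gap: user or host missing from inventory"
        elif user_dept == asset_dept or asset_dept in allow.get(user_dept, set()):
            continue  # expected access for this department; no alert
        else:
            reason = "cross-department access"
        findings.append(Finding(ev["ts"], ev["user"], ev["host"],
                                user_dept or "unknown", asset_dept or "unknown", reason))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOGS):
        print(f"{f.ts} {f.user}@{f.host} ({f.user_dept} -> {f.asset_dept}): {f.reason}")
```

Run against the constructed sample, the rule produces two findings: bob (marketing) on the R&D file server, and carol, whose login cannot be judged because she is absent from the user table. Alice's and the backup account's logins are suppressed by context, and the failed login and cron line never enter the rule at all, which is the selective-ingestion point from the previous section.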

Inadequate Staffing: A SIEM requires around-the-clock, real-time monitoring. Your staff must watch the console, review the logs the platform collects, and produce regular reviews and reports. Ideally, at least four employees should be responsible for this so that coverage does not depend on one person. Should this exceed your available budget, a managed security service provider is the practical alternative.


Doug Atkinson