Three Potential Challenges in SIEM Maintenance

What are the three potential challenges in SIEM maintenance facing enterprises today? How can your enterprise prepare for them, and what other obstacles might you face? 

SIEM has a reputation for being complicated and expensive compared to other branches of cybersecurity. While this reputation is often exaggerated, it remains rooted in fact. However, your enterprise can prepare to deal with these challenges today, as you begin the SIEM selection process.

Here’s what to watch for in SIEM maintenance and how to ready your cybersecurity accordingly.

Three Potential Challenges In SIEM Maintenance 

1. Lack of Investment (Money and Resources)

According to a Barracuda survey released last month, 40 percent of companies cut their cybersecurity budgets to save costs during the coronavirus pandemic. Often, this means delaying the upgrading of core security systems, including SIEM. Unfortunately, this in turn causes SIEM to age without receiving necessary patches.

Patches don’t just speed up processes. In a SIEM maintenance context, going without patches means solutions can’t optimally ingest or process security data. Additionally, it creates new challenges for processing and maintaining visibility over hybrid and cloud architectures.

At the same time, enterprises sometimes fail to create a cybersecurity team that works to ensure optimal SIEM maintenance and performance. These teams are vital in handling alerts, implementing upgrades, or conducting threat hunting. Without the investment of human resources, you may struggle with maintaining configurations and conducting reviews.  

Part of SIEM maintenance involves allocating the proper resources to SIEM, both in terms of budget and in terms of staffing. Cybersecurity is not a side cost with no value; instead, you need to treat it as you would any other essential business process. You also need a fully-fledged cybersecurity team that can deploy patches and follow up on alerts with investigations.

If your enterprise struggles with either, consider outsourcing your cybersecurity with a managed security services provider.

2. Weak Incident Response

As illustrated above, SIEM solutions don’t operate in a vacuum. Instead, they operate within the context of a human cybersecurity culture. Therefore, a necessary component of SIEM maintenance involves preparing for the worst in terms of data breaches and cyber-attacks. 

This involves having an adequate, practiced incident response plan for your business. Your employees and security team should know how to communicate during a security event, whom to communicate with, and what actions they should take. Further, the channels of communication between security operatives and departments such as legal and public relations should be clearly defined.

Critically, the key to effective incident response is consistent practice and evaluation. An incident response plan kept in a binder on the shelf helps no one. You need to practice it the way you practice on-premises fire drills. Moreover, you need to make sure your incident response plan matches your business’ needs and workforce. Any gaps or issues should be addressed before a cyber-attack occurs.       

3. False Positives

No problem in SIEM maintenance compares with that of false positives. A false positive is a security alert generated by activity that, on further inspection, turns out to be a normal action or an unusual but not malicious one.

By itself, a single false positive doesn’t seem like a serious problem. However, each one requires an investigation, which eats up valuable time and resources. Multiply that by hundreds or thousands of false positives, and legitimate alerts vanish under a sea of noise.

Therefore, you need to make sure that SIEM maintenance includes regular review of your solution’s rule configurations. Remember, the SIEM follows your rules, and if your rules don’t match your workflows or goals, you suffer the consequences. Additionally, you should ensure that your solution offers contextualization: enrichment of an alert with information about the asset, the account and the surrounding activity. This gives your security team the preliminary information it needs to eliminate false positives before investing time in investigations.
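The following is an added illustration of the point above, not code from the article or from any SIEM vendor. It runs a naive failed-login rule over a handful of constructed authentication events, then reruns the same rule with contextualization: an invented asset inventory (an authorized vulnerability scanner), invented identity data (a service account whose credential was just rotated), and a look at whether the same user later succeeded. The event format, the context tables, the thresholds and every address are assumptions made for the example; the point is that the raw rule fires four times while the contextualized version suppresses two alerts with a stated reason, downgrades one, and leaves one to investigate.

```python
"""Naive vs. contextualized SIEM rule over constructed login events (added example)."""
from collections import defaultdict

# Constructed sample events (not from any real system). ts is seconds since an epoch.
EVENTS = [
    {"ts": 0,   "src_ip": "10.0.0.5",    "user": "alice",      "outcome": "failure"},
    {"ts": 20,  "src_ip": "10.0.0.5",    "user": "alice",      "outcome": "failure"},
    {"ts": 40,  "src_ip": "10.0.0.5",    "user": "alice",      "outcome": "failure"},
    {"ts": 60,  "src_ip": "10.0.0.5",    "user": "alice",      "outcome": "success"},
    {"ts": 5,   "src_ip": "10.0.9.9",    "user": "svc_backup", "outcome": "failure"},
    {"ts": 10,  "src_ip": "10.0.9.9",    "user": "svc_backup", "outcome": "failure"},
    {"ts": 15,  "src_ip": "10.0.9.9",    "user": "svc_backup", "outcome": "failure"},
    {"ts": 100, "src_ip": "10.0.7.7",    "user": "root",       "outcome": "failure"},
    {"ts": 101, "src_ip": "10.0.7.7",    "user": "admin",      "outcome": "failure"},
    {"ts": 102, "src_ip": "10.0.7.7",    "user": "test",       "outcome": "failure"},
    {"ts": 200, "src_ip": "203.0.113.8", "user": "bob",        "outcome": "failure"},
    {"ts": 210, "src_ip": "203.0.113.8", "user": "bob",        "outcome": "failure"},
    {"ts": 220, "src_ip": "203.0.113.8", "user": "bob",        "outcome": "failure"},
    {"ts": 230, "src_ip": "203.0.113.8", "user": "bob",        "outcome": "failure"},
]

# Constructed context tables standing in for an asset inventory and identity system.
AUTHORIZED_SCANNERS = {"10.0.7.7"}          # assumed: internal vulnerability scanner
SERVICE_ACCOUNTS = {                        # assumed: service account metadata
    "svc_backup": {"expected_src": "10.0.9.9", "password_rotation_ts": 0},
}
INTERNAL_PREFIX = "10.0."                    # assumed: corporate address space

THRESHOLD = 3   # failed logins ...
WINDOW = 300    # ... within this many seconds from one source


def failure_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Naive rule: alert when one source IP produces >= threshold failures in a sliding window."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "failure":
            failures[e["src_ip"]].append(e)
    alerts = []
    for src, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = evs[start:end + 1]
                alerts.append({
                    "src_ip": src,
                    "count": len(burst),
                    "users": sorted({b["user"] for b in burst}),
                    "first_ts": burst[0]["ts"],
                    "last_ts": burst[-1]["ts"],
                })
                break  # one alert per source is enough for the example
    return alerts


def contextualize(alert, events):
    """Return (severity, reason) for an alert using the context tables and surrounding events."""
    src, users = alert["src_ip"], alert["users"]
    later_success = any(
        e["outcome"] == "success" and e["src_ip"] == src and e["user"] in users
        and alert["first_ts"] <= e["ts"] <= alert["last_ts"] + WINDOW
        for e in events
    )
    # An authorized scanner that only ever fails is expected noise.
    if src in AUTHORIZED_SCANNERS and not later_success:
        return "suppress", "authorized scanner probing accounts"
    # A service account failing from its usual host right after a credential rotation
    # is an operations ticket, not a security incident.
    if len(users) == 1 and users[0] in SERVICE_ACCOUNTS:
        meta = SERVICE_ACCOUNTS[users[0]]
        recently_rotated = 0 <= alert["first_ts"] - meta["password_rotation_ts"] <= 3600
        if src == meta["expected_src"] and recently_rotated:
            return "suppress", "service account failing after credential rotation"
    # Internal source, same user succeeded shortly after: probably a mistyped password.
    # Kept at low severity rather than dropped, because a success after failures can
    # also be a successful guess; the analyst still sees it, just not at the top.
    if src.startswith(INTERNAL_PREFIX) and later_success:
        return "low", "internal source; same user later succeeded"
    return "high", "unexplained failure burst; investigate"


def tuned_rule(events):
    """Contextualized rule: returns (alerts to show analysts, alerts suppressed with reasons)."""
    kept, suppressed = [], []
    for alert in failure_bursts(events):
        severity, reason = contextualize(alert, events)
        enriched = dict(alert, severity=severity, reason=reason)
        (suppressed if severity == "suppress" else kept).append(enriched)
    return kept, suppressed


if __name__ == "__main__":
    print("naive rule fired for:", [a["src_ip"] for a in failure_bursts(EVENTS)])
    kept, suppressed = tuned_rule(EVENTS)
    for a in kept:
        print(f"{a['severity']:5} {a['src_ip']:12} {a['reason']}")
    for a in suppressed:
        print(f"suppressed {a['src_ip']:12} {a['reason']}")
```

Every suppression records the reason, so a review of the rule configuration can later check whether the context that justified it (the scanner list, the rotation timestamp) is still accurate; stale context is how a tuned rule quietly becomes a blind spot.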

How to Learn More About SIEM Maintenance 

Download our SIEM Buyer’s Guide for more on the top vendors and capabilities.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.