What's Security Information and Event Management Technology? - SIEM Part 2
Beginning of article a previous post
SIEM Within an Enterprise
The use of Security Information and Event Management systems in enterprises today was prompted by the need to combat ever-evolving cybersecurity threats and the need for compliance with regulations. Some businesses choose to operate two separate SIEM solutions – one for compliance and the other for data security. The reason for this is that the system is very resource-intensive, and this way, an enterprise gets the most value for each purpose.
Smaller enterprises find it more difficult to run SIEM precisely because of this. Since SMBs are restricted by monetary resources, they are unable to bear the costs of maintaining the software and hiring the talents to keep it running on an ongoing basis. A cheaper alternative to running on-premise SIEM is having it delivered as software as a service from outsourcing providers. However, considering the sensitive data involved, not many companies are keen on running analytics on the cloud.
SIEM Deployment Concerns
This product is a valuable aspect of any modern security infrastructure. Its capabilities can do a great deal of good for your security. However, due to the complexity of the software, successfully deploying SIEM is not always guaranteed. In the worst-case scenario, it could end up complicating your security environment and creating new issues.
Here are the major limitations to the system:
Delayed Setup Time
Security Information and Event Management isn't instant software. Many businesses don't realize that it takes a long time to implement. There is an extensive discovery and planning phase where objectives need to be identified. All current assets need to be accounted for, and this will require investing in the appropriate software if not already available.
An implementation stage will include the actual deployment of SIEM systems and processes as well as thorough testing of all assumptions made during the discovery and planning stage.
This is followed by a controlled deployment stage where all SIEM processes, procedures, and operations are rolled out over time. And it is done gradually to guarantee seamless integrations and optimal configurations.
Taking all that into account, it usually takes several months to install SIEM that works effectively. A lack of adequate planning and coordination at the start will negatively impact the bottom line.
The Need For Specialized Staff
Although many of the SIEM processes are fully automated, it still requires skilled analysts for configuration and optimization. SIEM deployments can require as many as eight full-time security analysts to enable it to run effectively. With the shortage of experienced security specialists, businesses have a hard time sustaining SIEM deployments.
Furthermore, SIEM technology provides alerts of security threats in real-time, and taking advantage of this feature requires round-the-clock monitoring. This only compounds the staffing problem because regular employees do not have the required training to keep up with the technical processes. As a result, many departments experience burnout not long after deployment.
A Never-Ending Improvement Phase
The work is never really complete with SIEM processes. After the initial deployment then comes a continuous improvement phase of monitoring and fine-tuning the system.
There is always a need to adapt to new security policies and compliance procedures. Besides, organizational structures do not remain constant, and even small-scale changes could cause a ripple effect throughout the entire business. In that scenario, SIEM will have to be optimized to accommodate the changes and maintain effective security performance.
This continuous maintenance implies continuous costs, bringing us to the next limiting factor of SIEM.
Cost of Maintenance
Although relatively new, SIEM software accounts for over $2 billion of global spending on enterprise security. Annual costs for a business running the application can go from tens of thousands to over $100,000, depending on the size of the organization. This includes software and hardware costs, as well as personnel costs to implement, manage and monitor the system.
Hiring skilled talent doesn't come cheap, and in-house training of employees entails more spending. It's no wonder that small companies choose not to invest in it at all.
Going down the path of SIEM integration will add to a business's list of things to manage. For this reason, deciding whether to deploy SIEM is a complex matter that requires a review of your current security posture and a long-term commitment. Many organizations find their progress stalled or abandoned midway. When you consider the investment expensive, a failed Security Information and Event Management will certainly leave an impact on the business’s ROI.
The Problem of Limited Contextual Information
A major issue among SIEM customers is the difficulty in diagnosing and researching pertinent security events. SIEM applications are unable to distinguish sensitive and non-sensitive data, so they are only as capable as the data they receive.
For example, the system could indicate a rise in network activity from an IP address without revealing the user responsible for the traffic or the files that were accessed. The incidence, in reality, could be one of two things - either critical data theft or an authorized transfer of data. If the latter were to be the case, the lack of context in the security alert would have sent the IT team on a wild goose chase.
Unable to distinguish between seemingly suspicious sanctioned file activity and actual malicious threats, the alarm gets constantly triggered. This would eventually desensitize the security team to system alerts, thereby harming the value of the SIEM application.
Maximizing The Value of Your SIEM
To maximize the value of your SIEM, you need to know which battles to fight. SIEM provides out-of-the-box solutions like dashboard widgets, alert reports, saved searches, etc. However, unlike an antivirus solution that caters to a universal problem of stopping malware, we've established that the use of SIEM is much more context-dependent.
To derive continuous value, the software has to be customized to an organization's specific problem and evolving needs.
The SIEM administrator gets this done by creating a profile that defines the behavior of enterprise systems, both under normal conditions and pre-defined security incidents. Luckily the system allows every business to fine-tune the default rules, alerts, reports, and dashboards embedded in the software. In this way, defining the company's use case(s).
In a typical example of a business concerned about trader fraud, the SIEM administrator can write a correlation rule to alert on activities that exceed the average trade value by a certain percentage over some time.
Then There Are Next-Gen SIEMs
Where traditional SIEMs are still unable to solve the problem of lack of context, lagging incidence response, and security workflows, modern SIEMs feature advanced technologies like User Event Behavioural Analysis (UEBA) and Security Orchestration and Automation (SOAR).
Below are the benefits of next-gen SIEMs
Complex Threat Identification
Modern SIEMs feature automatic behavioral profiling that can detect advanced attacks such as insider threats, targeted threats, and fraud. Thanks to UEBA, SIEMs can achieve this by leveraging AI and deep learning techniques to monitor human behavioral patterns.
Asset Behavior Analysis
The ability to detect behavioral patterns extends to critical assets within the organization. SIEMs can learn the unique patterns of network devices and discover any unusual activity that may suggest a threat.
Ability to Thrive on Data
Organizations get bombarded with tons of data every day, and the amount keeps increasing. Modern SIEM solutions thrive the more data is pumped into them. More data provides analysts greater visibility into the activities. Consequently, IT personnel are more effective in responding to threats.
Increased Flexibility and Scalability
As an organization grows, so does its need for systems capable of adapting to the increased scale. SIEMs have the improved capability to grow as business changes over time. They can be deployed on-premise or in the cloud, with the possibility of a hybrid option.
With the infusion of machine learning and AI components, some SIEMs allow shorter implementation times and low maintenance resource requirements.
Enhanced Investigation and Incidence Response
SOAR enables next-gen SIEMs to integrate with enterprise systems and perform automatic incident responses on affected resources before the hacker can launch an attack. Since attackers search for key assets in a network using IP addresses, credentials, and machines, SIEMs can detect this lateral movement by analyzing data across the IT infrastructure. Then, interacting with other security technologies, the system automates the initial steps of incidence response.
Reduces Security Staff Requirements
The enhanced automation of modern SIEMs eases the burden on security analysts. Its machine learning capabilities enable it to manage the bulk of its processes without the need for manual input. With the increased threat detection, context awareness, and behavioral analysis, SIEM greatly cuts down the need for security staff. And less staff implies reduced costs of maintenance.
Detection Without Rules or Signatures
Many times, correlation rules still lack the context to identify complex attacks. Unfamiliar incidents may also go unnoticed if traditional SIEM isn't customized for that purpose. Moreso, sophisticated hackers can launch attacks that bypass known signatures.
New SIEM platforms utilize machine learning to detect incidents without pre-defined attack signatures. It also comes equipped with default use cases like detecting insider threats and meeting compliance standards, so both the system and the IT analysts are more productive as soon as the logs are collected.
Guarantees Stable Pricing Models
SIEM pricing is often unpredictable when based on data usage. Businesses can't forecast the increase in data volume, so they are unable to estimate the total cost of maintaining the system. With modern SIEMs, the pricing model is based on the number of devices sending logs. So by keeping track of your IT assets, you can predict the cost of ownership. It is also easier to manage costs of increasing hardware capabilities when the SIEM security needs to scale.
Conclusion - Why You Need SIEM?
In this era of continuous technological innovation, enterprises have more data to collect than ever before. This makes it all the more important to have a central security solution to keep track of behavior and security events. Despite the limitations of SIEM, many enterprises have had great success with their SIEM deployments.
With the introduction of next-gen SIEMs, the capacity to sift through massive quantities of data and discover connections between events is even more advanced. Tempered with good understanding and a commitment to maintenance, properly deployed SIEM adds tremendous value to an enterprise's security infrastructure.