Security information and event management (SIEM) technology is a useful tool for many organizations. Security analysts and incident responders rely on it as a single source of truth, with events and data pulled in from multiple sources.

The single pane of glass is an appealing proposition, but SIEM also has limitations and disadvantages, and leaves a lot to be desired in a hybrid environment. The adoption of software-as-a-service (SaaS) and other cloud services adds a layer of complexity that SIEM platforms weren’t built for, which further reduces their usefulness.

SIEM’s Role in the Security Operations Center

In recent years, SIEM platforms have become the centerpiece of the security operations center (SOC). As threats continue to evolve, security teams have to constantly monitor their environments and respond to threats, and SIEM helps them do that more effectively.

When the technology became available years ago, it was designed to minimize the number of alerts that analysts need to investigate. This makes it easier to sift through all the data and find potential threats. At one point, SIEM was even the fastest-growing segment in the security market, according to Gartner.

In reality, this tool is a drain on resources for many organizations because it takes a lot of time and expertise to maintain on an ongoing basis. To take the most advantage of a SIEM, you need a fully staffed, 24×7 SOC, and many small and medium-sized organizations simply don’t have the resources to do that.

Worse yet, if you lack the resources and expertise to properly tune and configure a SIEM, the tool does more harm than good. Instead of reducing the volume of alerts, it increases both the number of alerts and the false positives, which defeats the point of this expensive investment.

The Threat Detection and Compliance Benefits of SIEM

The main benefit of SIEM platforms is that they collect, aggregate, store, and analyze logs and real-time data from a variety of sources. This enables SOC analysts to consolidate all the security data into one interface, correlate it, and get better insights into cybersecurity events.

Another benefit is that SIEM gives you complete control and flexibility over the sources you pull into it. You can ingest everything from your endpoint security to intrusion prevention systems, and integrate more data sources when you add new security solutions into your ecosystem.

Your security engineers can create rules that specify normal behavior for all the systems, and the SIEM will automatically find anomalies and create alerts. They can also customize those alerts based on specific criteria to help identify potential threats.

In addition to providing visibility across your environment, SIEM is a great compliance tool. You can centralize and streamline your auditing and reporting of security events, and SIEM is typically compatible with compliance reporting for regulations like PCI, HIPAA, and others.

Disadvantages of SIEM Platforms

In theory, automating data collection, aggregation, and analysis from all the security tools sounds like every analyst’s dream. But because SIEM is rules-based, you’re constantly having to reconfigure it and add new correlations as threats emerge, which can create a lot of challenges.

SIEM Deployment

To begin with, the time to value of this technology is high. It can take your security engineers six months (and sometimes as long as a year) to fully deploy the platform. You have to configure the SIEM to look for the right correlations in your environment. Correlations that come out of the box may not be applicable to your network, so among other things, your team needs to decide which ones to disable and which new rules to create. The deployment takes several phases, each requiring full-time engineering expertise.

SIEM Maintenance

Complicated deployment is just the start. Your staff needs to continually fine-tune the correlations based on new threat intelligence data and other changes. Even so, the SIEM can generate thousands of alerts a day, depending on the size of your organization.

False Positives

Without the right correlations, the SIEM will generate too many false positives, as well as miss potential anomalies. The high number of false positives the SIEM generates is a common frustration that the technology is notorious for. One report found that a SOC analyst spends 25% of their time, on average, on investigating false positives.
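The two preceding points (engineers write rules describing expected behavior and the SIEM alerts on deviations; a badly tuned rule set drowns analysts in false positives) can be seen concretely with a toy correlation engine. The block below is an added example, not code from the original article or from any SIEM vendor: it runs an untuned "alert on every failed login" rule and a tuned brute-force correlation rule over the same constructed authentication events, so the difference in alert volume is visible. The log format, field names, threshold and window are all assumptions made for the illustration.

```python
"""Added example (not from the original article): a minimal correlation
engine contrasting an untuned rule with a tuned one on the same events.
Every log line below is constructed for illustration only."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <source_ip> <user> <outcome>"
SAMPLE_LOG = """\
2020-08-25T09:00:01 10.0.0.5 alice FAIL
2020-08-25T09:00:45 10.0.0.5 alice SUCCESS
2020-08-25T09:05:10 10.0.0.9 bob FAIL
2020-08-25T09:20:00 10.0.0.9 bob SUCCESS
2020-08-25T10:00:00 198.51.100.7 admin FAIL
2020-08-25T10:00:02 198.51.100.7 admin FAIL
2020-08-25T10:00:04 198.51.100.7 admin FAIL
2020-08-25T10:00:06 198.51.100.7 admin FAIL
2020-08-25T10:00:08 198.51.100.7 admin FAIL
2020-08-25T10:00:11 198.51.100.7 admin SUCCESS
2020-08-25T11:30:00 10.0.0.12 carol FAIL
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, src, user, outcome = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "user": user,
            "outcome": outcome,
        })
    return events


def naive_rule(events):
    """Untuned, out-of-the-box style rule: every failed login is an alert.
    A typo by a legitimate user fires this just as readily as an attack."""
    return [f"failed login for {e['user']} from {e['src']}"
            for e in events if e["outcome"] == "FAIL"]


def tuned_rule(events, threshold=5, window=timedelta(minutes=1)):
    """Tuned correlation (assumed thresholds): at least `threshold` failures
    from one source inside `window`, followed by a success for the same
    source. Isolated failures never reach the analyst."""
    alerts = []
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["outcome"] == "FAIL":
            failures[e["src"]].append(e["ts"])
        elif e["outcome"] == "SUCCESS":
            recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append(
                    f"success for {e['user']} from {e['src']} "
                    f"after {len(recent)} failures within {window}")
            # A successful login closes the failure sequence for this source.
            failures[e["src"]].clear()
    return alerts


def alert_counts(text=SAMPLE_LOG):
    """Return (untuned alert count, tuned alert count) for a log text."""
    events = parse_log(text)
    return len(naive_rule(events)), len(tuned_rule(events))


if __name__ == "__main__":
    untuned, tuned = alert_counts()
    print(f"untuned rule: {untuned} alerts, tuned rule: {tuned} alert(s)")
```

On the eleven constructed events the untuned rule raises eight alerts, seven of which are ordinary user mistakes, while the tuned rule raises a single alert for the one sequence worth an analyst's time. Real tuning work is the same activity at scale: deciding, per data source, which shipped correlations to disable and what thresholds and windows fit your own environment.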

Staffing

Running the SIEM requires several full-time people, at a time when the talent gap makes staffing cybersecurity positions challenging. Small and medium-sized organizations typically don’t have adequate staff and expertise to dedicate full-time employees to the proper implementation and continuous tuning of the SIEM.

Alerts

Running a SIEM that’s misconfigured and not properly tuned may actually be putting your organization at bigger risk. Your security analysts will simply have to ignore a large number of alerts, and they won’t be able to get a full picture of which ones are the most critical.

Securing the Cloud with SIEM

With the introduction of SaaS and other cloud offerings, integrating and managing a SIEM platform becomes a lot more complicated. Not only does the cloud add many new log sources, but the rules are also different from a hardware-based environment.

SIEM technology was created for on-premises security architecture, where the network perimeter is well-defined. On-prem SIEM configurations are not intended for hybrid cloud environments, where the perimeter is blurred as users access SaaS applications from anywhere and on multiple devices.

One of the biggest problems with ingesting cloud logs into SIEM is the additional, potentially massive, volumes of data that are generated. The traditional SIEM wasn’t built to keep pace with that level of data.

The SIEM is also not agile enough for cloud services like microservices because in the on-premises, hardware-based environment, rules were typically based on problems that were known. That’s not the case in the cloud, where the threats are rapidly evolving.

As a result of these cloud-derived complexities, many organizations simply give up on the idea of using SIEM to get visibility into their cloud infrastructure. That creates additional risk exposure, since cloud providers are not accountable for the security of your cloud assets.

Some vendors now offer cloud-native SIEM platforms, but those have disadvantages as well. In most cases, they only store logs for a limited amount of time. They can also be more expensive than on-prem SIEM.

SOC-as-a-Service to Address SIEM Challenges

SIEM still has a role to play in the SOC, but for small and medium-sized organizations that need more agility and cost-efficiencies in a hybrid cloud environment, it’s not a viable solution.

When you look at the sum total of the SIEM limitations and disadvantages (including staffing shortages, inaccuracies, manual tuning, and high time to value), it soon becomes clear that you need to find an alternative solution for detecting and responding to threats.

SOC-as-a-service gives you all the benefits of a SIEM and on-prem SOC, but without the headaches of upfront capital investment and staffing.

A SOC-as-a-service provider has the agility and the resources to ingest and parse the data from all your security tools, the 24×7 team required to run a SOC, plus the expertise to provide you with around-the-clock threat detection and response.

Unlike a SIEM, SOC-as-a-service is a turnkey solution that gives you immediate value. It augments your security tools and your team and eliminates all the care and feeding problems that come along with a SIEM.

Chi partners with Arctic Wolf for SOC-as-a-service solutions. Please reach out to us for more information at 440-498-2310 or sales@chicorporation.com


Originally published on the Arctic Wolf blog, August 25, 2020.
