By Chris Triolo, vice president, Customer Success, Respond Software
This scenario plays out all too often: Security controls send alerts to a SIEM. The SIEM uses rules written by the security team to filter down the number of alerts to a much smaller number, typically 100:1 or even 10,000:1. Writing and maintaining the rules can often take valuable time that organizations don't have. A better approach is to look at the outcomes your customers want to achieve with security monitoring and where people vs. technology can have the biggest impact.
The SIEM Status Quo
Some MSSPs have taken to using SIEMs to improve efficiency, but there are still gaps in delivery and monitoring. SIEM is a mature technology, but many only use it as a log management tool, and there is little integration of that data for other uses. A recent study by the Ponemon Institute revealed that 58 percent of security leaders rated their MSSP as ineffective. Why? Their MSSP fails to find security incidents and generates too many false positives.
Gartner notes that managing and using a SIEM is difficult, and many projects are stuck in compliance or minimal-value deployments due to the difficulty of use. Most SIEM challenges lie squarely in operations and not because the tools are broken.
Challenges With SIEM
The challenge with SIEM technology is that automation isn’t built in from the onset. You could write a rule for a SIEM that might find an alert and investigate it. The solution doesn't do any of that, though. Automation is only a capability. You need trained staff to make it happen.
SIEMs are focused on the logs they manage, and this leads to the creation of a set of alarms based on guidelines the SIEM provides. There is no analysis or decision making, leaving the service insufficient. This is a classic security data lake.
SIEMs are a collection of rules, which leaves room for error and inconsistency. Implementation of SIEMs is just one step on the journey to security automation. A human security analyst will interact, on average, with one out of every million events that a SIEM collects. The unfortunate and risky consequence of this alert volume reduction is that, because it’s binary or rule-based, it’s not an intelligent selection process. This means that valuable information—the true signals of an attack—may well be ignored or overlooked.
An important role most SIEMs have performed is maintaining, preserving and making available security logs for forensic analysis and for seeking out novel incidents. This capability relies heavily on the speed of data retrieval and is generally dominated by columnar or parallel data stores. Since the mean time to detection is nine months, MSSPs need faster access to much more data than ever before if they are going to hunt where the attackers are located in time. No SIEM can provide this without exorbitant associated costs. SIEM solutions can take weeks or months to implement into an environment, and results will vary across organizations that deploy them. The ongoing maintenance required to manage a SIEM will use valuable MSSP resources of time and budget.
Industry experts declared SIEM dead more than 10 years ago, but it is still widely used in security organizations today. One reason it’s still used broadly is that SIEM, once deployed, has processes and procedures woven around it, making it burdensome to change. “Uninstalling” SIEM isn’t as simple as flipping a switch.
How SIEM Clients Are Struggling
Though MSSP clients want every security tool at their disposal, what has happened over the last few years is that clients haven’t made optimal use of SIEM solutions and, in some cases, weren’t deriving much value from them at all. The biggest problem is that SIEMs aren’t being managed efficiently. Is anyone writing rules? Is anyone logging in? Has the SIEM been optimized to meet client requirements?
Clients struggle with the cost burden, as well. The engineering that SIEMs require means keeping highly trained, high-priced professionals on hand. After all this expense, up-front ramp-up time can take months before organizations start seeing value – if ever.
Scalability also poses a significant challenge. MSSPs that have deployed a SIEM grapple with limitations in the ability to scale, largely because the deluge of alerts from sensors in the environment are choking them out. And that’s leading to lackluster results.
A Better Solution
Because SIEM does not have decision-making capabilities, automation is a challenge. A client may have 100,000 or more events in a workday. There is simply no way a team of human analysts could look at all of them.
Automating the decision-making process changes the game. It surpasses the human ability to see and remember important information with an essentially limitless recall capacity. And decision-making software can analyze data at scale and speed. With decision automation, MSSPs are equipped to monitor all logs and events that clients’ systems generate. This means the MSSP now has near-infinite Tier 1 capabilities – as many as a client needs.
The Human-Machine Partnership
The current path of most Security Operations Centers (SOCs), whether managed completely in-house or fully outsourced, is ineffective and not sustainable. Only MSSPs that can deliver real value to their customers, automation that goes beyond workflow and rules, stand to win. MSSPs must solve the problems that are leading so many enterprises to seek out advanced security controls and services from a third party in the first place. This approach will enable next-gen MSSPs to leverage the best of both human capital and technology and reduce risk.
About The Author
Chris Triolo is vice president, Customer Success at Respond Software.