Swollen attack surfaces, greater numbers of human-operated and evasive threats, and ransomware that can paralyse entire countries: the cyber threat landscape keeps getting more dangerous. No surprise then that more firms than ever are deploying tools like security information and event management (SIEM) to keep them safe from cyberattacks—or at least help aid their threat-hunting efforts.
Titled “Cybersecurity Solutions for a Riskier World,” a report by ThoughtLab found that more than a quarter (28%) of companies have a SIEM solution in place already, and just under a quarter (24%) plan to spend big money on SIEM technology in the next two years.
But before rushing into a fast-growing SIEM marketplace, IT leaders need to tread carefully. Just 11% of respondents in the ThoughtLab report said a SIEM was among their most effective investments. Moreover, 4 in 10 respondents are considering replacing or augmenting their current SIEM system.
Obviously, not all SIEMs are created equal, and investing in one is not guaranteed to be a good idea. In this blog post, we outline some of the more important factors businesses may want to take into account when selecting a SIEM.
If advanced threat detection and threat intelligence, rather than compliance reporting, is your priority, you may also want to consider alternative tools. Solutions like SenseOn, a self-driving cyber defence platform, automate the process of threat detection, investigation, and response to provide a level of security equal to or better than SIEM solutions with much lower human and financial costs.
Cybercriminals are getting faster at breaking into and encrypting corporate networks, and many SIEMs can’t keep up.
Whereas a few years ago (in 2019), bad actors spent around 95 days in a target’s network before launching an attack, this has now fallen to just 11 days or 250 hours. At the same time, companies are lagging behind in their ability to detect, investigate, and respond to cyber incidents. The average time to identify and mitigate a data breach in 2021 was 287 days—7 days longer than in 2020.
With so many organisations using SIEM technology for faster threat detection, why are response times so slow? Here are some of the more common SIEM challenges SOC professionals face daily (and what a SIEM needs to do to solve them):
You can’t respond to threats you can’t see. Yet as more companies migrate to the cloud and expand their digital infrastructure, security visibility is declining fast.
Close to 15% of respondents to a Panther Labs study said their SIEMs don’t give them enough visibility across on-premises and cloud environments, and almost 10% said they need to switch between different tools to gain a comprehensive view.
Because modern threats can exploit multiple vectors, often simultaneously, it’s crucial that any SIEM you select can collate security data from a variety of data sources into a single view, from your endpoints to your network to the cloud. Ideally, this information should be easy to see from a single dashboard.
Unable to sort real threats from innocent behaviour, SIEMs typically generate an endless stream of security alerts—many of them false positives—for security analysts to go through. This often leads to alert fatigue and real security issues slipping through.
One network security analyst that the media company SC Media spoke to at Black Hat said they’re convinced that just 50 to 100 organisations worldwide have enough staff to manage SIEM alerts properly and the know-how to tune their SIEMs to reduce the number of false positives they see.
Frequently, alerts generated by a SIEM also lack context, making it even more challenging for security teams to effectively investigate and respond to cyber incidents.
To catch threats before they do any damage, organisations need to opt for a SIEM that can accurately correlate events to see if they’re part of a bigger picture and prioritise those that are malicious.
This means choosing a tool that can leverage behaviour analytics, i.e., native user and entity behaviour analytics (UEBA). By monitoring entity and user behaviour and learning what’s normal for your IT infrastructure, UEBA uses machine learning to spot suspicious behaviour, correlate anomalous events to other abnormal incidents, and measure the risk of all detected anomalies (i.e., prioritise). It can also provide context around alerts, making it easier for security operations centre analysts to investigate the issue and proceed with incident response.
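The two requirements above (collating endpoint, network and cloud data into one view, then correlating and prioritising anomalies with context) can be sketched in a few dozen lines. The following is an added illustration written for this post, not SenseOn's or any vendor's code: a per-user baseline, a small anomaly scorer, and a correlator that groups anomalous events per entity inside a time window and ranks the result. The three raw event records, the baseline values and the scoring weights are all constructed assumptions; a real UEBA would learn the baseline from history rather than hard-code it.

```python
"""Toy UEBA-style pipeline: normalise -> score against baseline -> correlate -> rank.
Added illustration only; every record, baseline value and weight below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records from three sources, each in its own native schema.
RAW_EVENTS = [
    {"src": "endpoint", "ts": "2024-03-01T09:02:00", "host": "ws-17", "user": "alice",
     "action": "process_start", "detail": "outlook.exe"},
    {"src": "cloud", "ts": "2024-03-01T09:10:00", "principal": "alice",
     "event": "ConsoleLogin", "country": "GB"},
    {"src": "cloud", "ts": "2024-03-01T20:05:00", "principal": "alice",
     "event": "ConsoleLogin", "country": "GB"},
    {"src": "cloud", "ts": "2024-03-01T23:40:00", "principal": "bob",
     "event": "ConsoleLogin", "country": "RU"},
    {"src": "endpoint", "ts": "2024-03-01T23:43:00", "host": "ws-04", "user": "bob",
     "action": "process_start", "detail": "tool.exe"},
    {"src": "network", "ts": "2024-03-01T23:45:00", "src_ip": "10.0.0.4", "user": "bob",
     "dst_port": 445, "bytes": 50_000_000},
]

# Constructed "learned" baseline per user: usual login countries, working hours,
# processes seen before, and median outbound transfer size.
BASELINE = {
    "alice": {"countries": {"GB"}, "hours": set(range(8, 19)),
              "processes": {"outlook.exe", "chrome.exe"}, "median_bytes": 2_000_000},
    "bob": {"countries": {"GB"}, "hours": set(range(8, 19)),
            "processes": {"excel.exe"}, "median_bytes": 1_500_000},
}


def normalise(ev):
    """Map a source-specific record onto one schema: ts, entity, src, kind, attrs."""
    ts = datetime.fromisoformat(ev["ts"])
    if ev["src"] == "endpoint":
        return {"ts": ts, "entity": ev["user"], "src": "endpoint", "kind": ev["action"],
                "attrs": {"host": ev["host"], "process": ev["detail"]}}
    if ev["src"] == "cloud":
        return {"ts": ts, "entity": ev["principal"], "src": "cloud", "kind": ev["event"],
                "attrs": {"country": ev["country"]}}
    if ev["src"] == "network":
        return {"ts": ts, "entity": ev["user"], "src": "network", "kind": "transfer",
                "attrs": {"src_ip": ev["src_ip"], "dst_port": ev["dst_port"],
                          "bytes": ev["bytes"]}}
    raise ValueError(f"unknown source {ev['src']}")


def score_event(n, baseline):
    """Compare one normalised event to its entity's baseline; return (score, reasons).
    Weights are arbitrary assumptions chosen for the illustration."""
    b = baseline.get(n["entity"])
    if b is None:
        return 30, ["no baseline for entity"]
    score, reasons, a = 0, [], n["attrs"]
    if n["ts"].hour not in b["hours"]:
        score += 20
        reasons.append(f"activity at {n['ts'].hour:02d}:00 outside usual hours")
    if n["src"] == "cloud" and a["country"] not in b["countries"]:
        score += 40
        reasons.append(f"login from unseen country {a['country']}")
    if n["src"] == "endpoint" and a["process"] not in b["processes"]:
        score += 25
        reasons.append(f"first-seen process {a['process']}")
    if n["src"] == "network" and a["bytes"] > 10 * b["median_bytes"]:
        score += 35
        reasons.append(f"transfer of {a['bytes']} bytes is over 10x median")
    return score, reasons


def correlate(events, baseline, window=timedelta(minutes=60)):
    """Group anomalous events per entity when they fall within `window` of each
    other, attach an ordered timeline as context, and rank groups by total score."""
    by_entity = defaultdict(list)
    for n in sorted((normalise(e) for e in events), key=lambda x: x["ts"]):
        s, why = score_event(n, baseline)
        if s:  # events matching the baseline never become alerts
            by_entity[n["entity"]].append((n, s, why))
    alerts = []
    for entity, items in by_entity.items():
        group = [items[0]]
        for item in items[1:] + [None]:  # None flushes the final group
            if item is not None and item[0]["ts"] - group[-1][0]["ts"] <= window:
                group.append(item)
                continue
            total = sum(s for _, s, _ in group)
            alerts.append({
                "entity": entity,
                "score": total,
                "priority": "high" if total >= 70 else "medium" if total >= 40 else "low",
                "sources": sorted({n["src"] for n, _, _ in group}),
                "timeline": [(n["ts"].isoformat(timespec="minutes"), n["src"], n["kind"], r)
                             for n, _, why in group for r in why],
            })
            if item is not None:
                group = [item]
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for alert in correlate(RAW_EVENTS, BASELINE):
        print(alert["priority"].upper(), alert["entity"], alert["score"], alert["sources"])
        for row in alert["timeline"]:
            print("   ", *row)
```

Run as-is, the script surfaces one high-priority alert for `bob` that stitches together a cloud login, an endpoint process start and a large SMB transfer within five minutes, each row of the timeline carrying the reason it was flagged, and a single low-priority alert for `alice`'s out-of-hours login; the in-hours, in-baseline events generate nothing. That is the shape of output the text asks for: fewer alerts, ordered context, and a priority an analyst can act on.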
Traditionally, SIEMs could issue alerts whenever they encountered something suspicious, but they could not respond to potential cybersecurity incidents.
Nowadays, many SIEMs come bundled with security orchestration, automation, and response (SOAR) tools. SOAR tools can talk directly to IT and security infrastructure, giving recommendations and automating threat response via incident response playbooks.
However, according to Allie Mellen of Forrester, because security analytics professionals still have to develop rules and build playbooks for SOARs, this kind of automation is “human-generated” and “not adaptable the way we need […] [it] to be adaptable.”
SIEM vendors need to focus on improving how they automate the collection of data points that will be useful to analysts, says Mellen. Security professionals should be able to see what caused a security incident, how it happened (i.e., the order of events), and how they need to respond at a glance—all without having to conduct deep investigations themselves.
Ideally, SIEMs and other IT security platforms should also not have to depend on a pre-built playbook based on one general circumstance. Instead, threat detection and response tools should be able to automate minute actions on their own based on different situations and without direct human intervention.
Besides advanced threat detection, investigation, and response, time-to-value is also important. The faster an organisation can deploy and implement a SIEM security solution, the better.
Unfortunately, SIEM tools are known for having a long time to value. In the Panther Labs study, over half of respondents said it took them more than six months to deploy their SIEM software before they started receiving high-value alerts. Even more worryingly, almost 2 in 10 said SIEM deployment took a full year or more.
SIEMs that come with investigation workflows and built-in detections can speed up the deployment process. However, these types of solutions are not always easy to find. In a Lokker survey on SIEM perceptions, about 1 in 2 security professionals said one of the biggest issues they have with SIEMs is that they lack out-of-the-box deployment.
Whatever SIEM solution an organisation has in mind, it needs to be able to set it up and get it running quickly.
Whichever way you look at it, SIEMs are expensive. Whether firms opt for on-premises or cloud solutions, many security analysts feel that the capabilities they’re getting don’t quite match the price tag.
The Panther Labs study found that 40% of security professionals think they’re overpaying for their SIEM. And in the Lokker survey, cost was cited as the biggest disadvantage of SIEM solutions. In this survey, less than 1 in 10 (6%) respondents said they think the average price point of SIEM products is “fair.”
Make sure that the cost of the solution you go for makes sense in terms of what it comes with, and if at all possible, go with a provider that charges based on the number of devices/users rather than data ingested.
While SIEMs can help organisations catch security threats by processing and analysing log data from multiple systems, the type of solution you choose matters. The reality is that, according to a recent RSA panel, around 90% of security buyers aren’t getting the value service providers claim to provide.
Next-gen SIEMs are an improvement on traditional SIEM platforms, but they, too, have their own drawbacks. The biggest is that they rely on siloed cybersecurity products. For any organisation that wants to enhance its threat detection and response capabilities, choosing a platform that consolidates various different tools (EDR, NDR, etc.) can make a huge difference.
A powerful SIEM alternative, SenseOn provides unparalleled visibility across a company’s digital estate. As a threat detection, investigation, and response tool, SenseOn is easy to deploy, offers device-based pricing, and gives immediate value. Through its “AI Triangulation” technology, SenseOn can mimic how a human analyst thinks and acts. The result is that only genuine alerts are surfaced, and each potential incident is prioritised and mapped to the MITRE ATT&CK framework. SenseOn can even take automated action, shutting down critical malware like ransomware in real time.