. home.aspx

NEWS

home.aspx
   


SIEM Is A Great Tool But It's Administrative Challenges Are A Barrier

February 20, 2020 / AJINKYA BAGADE
SHARESHARESHARE

  • Sumo Logic's survey finds 38.5% of users found administration was the biggest struggle of SIEM complexity, whilst 32% cited deployment.

  • SIEM engineering and management require a dedicated team that is accustomed to the platform and its internal infrastructure and operations.

  • Many bad actors have learned how to get by the static SIEM rules whether by evasion techniques or otherwise

SIEM solutions help IT teams to be more proactive in the fight against security threats by providing a holistic view of what is happening on a network in real-time. The software has been in use in various guises for over a decade and has evolved significantly during that time. And while the platforms can be remarkably powerful defensive tools, their power is tempered by a long list of challenges that, as often as not, make them as much of a hindrance as a benefit.

A Twitter poll hosted by Sumo Logic revealed, that 40.3% of SIEM users valued it as a “security control” while, less than a quarter saw it used for threat detection or data collection. Threat detection accounted for 23.3% of responses,  while data collection accounted for 24.3%.

Talking about risk management at the Crypsis Group, Michael Thoma said that a SIEM can be used as a form of security control as some SIEMs can detect if a user was added to a domain admin account without a ticket and use APIs to disable that user automatically.

There are many tools that can supplement threat detection in lieu of a SIEM. In fact, a SIEM is typically centralization of the technology platforms that alert and log in the first place. For instance, you may have an Intrusion Prevention System (IPS) that is sending events and alerts to your SIEM based on malicious network activity. The SIEM can allow for additional correlation and retention of system logs, but the IPS by itself can still provide alerts on what is happening within your environment..

- Michael Thoma, Principal Consultant, Crypsis Group

In another Twitter vote, of 621 respondents, 38.5% said that administration was the biggest struggle of SIEM complexity, whilst 32% cited deployment and 29.5% opted for operations. Thoma said that SIEM is “absolutely one of the most valued security controls for security operations and IT teams; however, it's only as useful as its implementation.”

READ MORE: Why complexity issues persist in SIEM and cybersecurity

Thoma said the SIEM engineering and management require a dedicated team that is accustomed to the platform and its internal infrastructure and operations. He explained, “A SIEM is not an off-the-shelf product, and too many teams implement a SIEM for a fraction of the capabilities offered. There are likely just as many teams using it for the full effectiveness as there are those hoping to use it as a silver bullet.”

He further said a better SIEM solution was not likely soon explaining that “SIEMs are inherently complex as they must be able to integrate with a multitude of technology stacks across many business verticals and allow for the creation of custom metrics and alerts specific to an organization's environment.”

Sumo Logic is going to announce the availability of its new Cloud SIEM Enterprise offering, which will ease the burden on security operations center personnel. The latest offering that has new capabilities will help identify and prioritize high fidelity threats and automate the analyst workflow, allowing SOC personnel to better manage real security events and effectively enforce security and compliance policies.

About Sumo Logic's new offering, Greg Martin, general manager, security business unit, Sumo Logic, said, “With the industry’s fast-moving transformation to the public cloud, we wanted to give security teams a cloud-native solution with robust features they can use to navigate today’s cloud-centric world.”

Despite the central role SIEM plays, the research indicates that SOC teams use additional tools beyond SIEM for threat detection and response, investigations and query, threat intelligence analysis and process automation and orchestration. Sumo Logic’s Cloud SIEM Enterprise can help bridge this gap with a broader set of automation capabilities targeted directly at the modern SOC.

- Jon Oltsik, Senior Principal Analyst, ESG

SIEM’s ability to bring together security tools and give a comprehensive look at real-time threats as they happen is dependent on static rules. Many bad actors have learned how to get by these rules whether by evasion techniques or otherwise.



READ MORE: What is SIEM and how to choose the right tool