SIEM Still Creates Complexity and Administration Challenges

Based on a series of Twitter polls hosted by Sumo Logic, 40.3% of Twitter users who responded said that SIEM is valued most as a “security control”, whilst less than a quarter saw it used primarily for threat detection or data collection.

According to 5766 votes, threat detection accounted for 23.3% of responses, while data collection accounted for 24.3%. Commenting, Michael Thoma, principal consultant, risk management at the Crypsis Group, told Infosecurity that a SIEM can be used as a form of security control as some SIEMs can detect if a user was added to a domain admin account without a ticket and use APIs to disable that user automatically.
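The control Thoma describes, detecting an account added to a privileged group without a matching change ticket and then disabling it, as an added example that is not part of the original article or any vendor's product. The log lines, ticket list and in-memory directory are all constructed for the example; real deployments would read Windows event 4728 from the SIEM and call the identity provider's API instead.

```python
import re
from dataclasses import dataclass

# Constructed sample events in a simplified Windows Security Event style.
# Event 4728 = member added to a security-enabled global group, 4729 = removed.
SAMPLE_EVENTS = [
    "2024-05-01T09:12:03Z host=DC01 event_id=4728 group=Domain Admins member=jdoe actor=admin.ops",
    "2024-05-01T09:30:44Z host=DC01 event_id=4728 group=Domain Admins member=svc-backup actor=admin.ops",
    "2024-05-01T10:02:10Z host=DC01 event_id=4728 group=Helpdesk member=asmith actor=admin.ops",
    "2024-05-01T10:05:00Z host=DC01 event_id=4729 group=Domain Admins member=jdoe actor=admin.ops",
]

# Constructed approved change tickets, keyed by the account whose elevation was approved.
APPROVED_TICKETS = {"jdoe": "CHG-1042"}

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event_id=(?P<eid>\d+) "
    r"group=(?P<group>.+?) member=(?P<member>\S+) actor=(?P<actor>\S+)$"
)

@dataclass
class Finding:
    ts: str
    member: str
    group: str
    actor: str

def parse_event(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None

def unticketed_privileged_adds(lines, tickets=APPROVED_TICKETS):
    """Correlation rule: adds (event 4728) to a privileged group with no approved ticket."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["eid"] != "4728" or ev["group"] not in PRIVILEGED_GROUPS:
            continue
        if ev["member"] not in tickets:
            findings.append(Finding(ev["ts"], ev["member"], ev["group"], ev["actor"]))
    return findings

def respond(findings, directory):
    """Automated response: disable each flagged account.
    `directory` is a constructed in-memory stand-in for a directory API call."""
    for f in findings:
        directory[f.member]["enabled"] = False
    return [f.member for f in findings]
```

Running the rule over the sample flags only svc-backup: jdoe has a ticket, the Helpdesk add is not privileged, and the 4729 removal is ignored.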

“There are many tools that can supplement threat detection in lieu of a SIEM,” he explained. “In fact, a SIEM is typically centralization of the technology platforms that alert and log in the first place. For instance, you may have an Intrusion Prevention System (IPS) that is sending events and alerts to your SIEM based on malicious network activity. The SIEM can allow for additional correlation and retention of system logs, but the IPS by itself can still provide alerts on what is happening within your environment.”

In another Twitter vote, of 621 respondents, 38.5% said that administration was the biggest source of SIEM complexity, whilst 32% cited deployment and 29.5% opted for operations. Thoma said that SIEM is “absolutely one of the most valued security controls for security operations and IT teams; however, it's only as useful as its implementation.”

He claimed that SIEM engineering and management require a dedicated team that is intimately familiar with both the platform itself and the internal infrastructure and operations. “A SIEM is not an off-the-shelf product, and too many teams implement a SIEM for a fraction of the capabilities offered,” he said. “There are likely just as many teams using it for the full effectiveness as there are those hoping to use it as a silver bullet.”

Thoma said he suspected that an out-of-the-box SIEM solution was not likely in the coming years, as “SIEMs are inherently complex as they must be able to integrate with a multitude of technology stacks across many business verticals and allow for the creation of custom metrics and alerts specific to an organization's environment.”

The surveys were done in advance of Sumo Logic announcing the availability of its new Cloud SIEM Enterprise offering, which includes capabilities to ease the burden on security operations center personnel. The company said that the new capabilities help identify and prioritize high fidelity threats and automate the analyst workflow, allowing SOC personnel to better manage real security events and effectively enforce security and compliance policies.

Jon Oltsik, senior principal analyst and fellow at ESG, said: “Despite the central role SIEM plays, the research indicates that SOC teams use additional tools beyond SIEM for threat detection and response, investigations and query, threat intelligence analysis and process automation and orchestration. Sumo Logic’s Cloud SIEM Enterprise can help bridge this gap with a broader set of automation capabilities targeted directly at the modern SOC.”

Greg Martin, general manager, security business unit, Sumo Logic, added: “With the industry’s fast-moving transformation to public cloud, we wanted to give security teams a cloud-native solution with robust features they can use to navigate today’s cloud-centric world.”