Security information and event management (SIEM) technology is a useful tool for many organizations. Security analysts and incident responders rely on it as a single source of truth, with events and data pulled in from multiple sources. The single pane of glass is an appealing proposition, but SIEM also has limitations and disadvantages, and leaves a lot to be desired in a hybrid environment. The adoption of software-as-a-service (SaaS) and other cloud services adds a layer of complexity that SIEM platforms weren't built for, which further reduces their usefulness.

## SIEM's Role in the Security Operations Center

In recent years, SIEM platforms have become the centerpiece of the security operations center (SOC). As threats continue to evolve, security teams have to constantly monitor their environments and respond to threats, and SIEM helps them do that more effectively. When the technology became available years ago, it was designed to minimize the number of alerts that analysts need to investigate. This makes it easier to sift through all the data and find potential threats. At one point, SIEM was even the fastest-growing segment in the security market, according to Gartner.

In reality, this tool is a drain on resources for many organizations because it takes a lot of time and expertise to maintain on an ongoing basis. To take the most advantage of a SIEM, you need a fully staffed, 24×7 SOC, and many small and medium-sized organizations simply don't have the resources to do that. Worse yet, if you lack the resources and expertise to properly tune and configure a SIEM, the tool does more harm than good. Instead of reducing the volume of alerts, it increases both the number of alerts and the false positives, which defeats the point of this expensive investment.

## The Threat Detection and Compliance Benefits of SIEM

The main benefit of SIEM platforms is that they collect, aggregate, store, and analyze logs and real-time data from a variety of sources. This enables SOC analysts to consolidate all the security data into one interface, correlate it, and get better insights into cybersecurity events.

Another benefit is that SIEM gives you complete control and flexibility over the sources you pull into it. You can ingest everything from your endpoint security to intrusion prevention systems, and integrate more data sources when you add new security solutions into your ecosystem. Your security engineers can create rules that specify normal behavior for all the systems, and the SIEM will automatically find anomalies and create alerts. They can also customize those alerts based on specific criteria to help identify potential threats.

In addition to providing visibility across your environment, SIEM is a great compliance tool. You can centralize and streamline your auditing and reporting of security events, and SIEM is typically compatible with compliance reporting for regulations like PCI, HIPAA, and others.

In theory, automating data collection, aggregation, and analysis from all the security tools sounds like every analyst's dream. But because SIEM is rules-based, you're constantly having to reconfigure it and add new correlations as threats emerge, which can create a lot of challenges. To begin with, the time to value of this technology is high. It can take your security engineers six months (and sometimes as long as a year) to fully deploy the platform. You have to configure the SIEM to look for the right correlations in your environment. Correlations that come out of the box may not be applicable to your network, so among other things, your team needs to decide which ones to disable and which new rules to create. The deployment takes several phases, each requiring full-time engineering expertise.

## SIEM Maintenance

Complicated deployment is just the start. Your staff needs to continually fine-tune the correlations based on new threat intelligence data and other changes. Even so, the SIEM can generate thousands of alerts a day, depending on the size of your organization. Without the right correlations, the SIEM will generate too many false positives, as well as miss potential anomalies. The high number of false positives the SIEM generates is a common frustration that the technology is notorious for. One report found that a SOC analyst spends 25% of their time, on average, on investigating false positives. Running the SIEM requires several full-time people, at a time when the talent gap makes staffing cybersecurity positions challenging. Small and medium-size organizations typically don't have the adequate staff and expertise to dedicate full-time employees to the proper implementation and continuous tuning of the SIEM. Running a SIEM that's misconfigured and not properly tuned may actually be putting your organization at bigger risk.
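Two of the points made above, that engineers write correlation rules the SIEM evaluates against incoming events, and that untuned rules flood analysts with false positives, can be seen concretely in a small worked example. The Python below is an added illustration, not code from the original post or from any SIEM product. It parses constructed login events (the log lines, IP addresses and the `svc-backup` account are invented for this example), then runs an untuned "alert on every failed login" rule beside a tuned rule that only fires on a burst of failures within a time window, fires once per burst, raises a separate higher-priority alert when a success follows the burst, and suppresses an account the team has already investigated as a known-noisy service account.

```python
"""Toy SIEM correlation: an untuned rule beside a tuned one.

Added example; the events, addresses and account names below are
constructed for illustration and are not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <event> <source ip> <user>".
# alice: two typos then a successful login (benign).
# svc-backup: a misconfigured job that fails repeatedly (known noise).
# admin: a burst of failures from an outside address, then a success.
SAMPLE_LOG = """\
2024-05-01T09:00:01 LOGIN_FAIL 10.0.0.5 alice
2024-05-01T09:00:03 LOGIN_FAIL 10.0.0.5 alice
2024-05-01T09:00:05 LOGIN_OK 10.0.0.5 alice
2024-05-01T09:10:00 LOGIN_FAIL 10.0.0.9 svc-backup
2024-05-01T09:10:10 LOGIN_FAIL 10.0.0.9 svc-backup
2024-05-01T09:10:20 LOGIN_FAIL 10.0.0.9 svc-backup
2024-05-01T09:10:30 LOGIN_FAIL 10.0.0.9 svc-backup
2024-05-01T09:10:40 LOGIN_FAIL 10.0.0.9 svc-backup
2024-05-01T09:10:50 LOGIN_FAIL 10.0.0.9 svc-backup
2024-05-01T12:00:00 LOGIN_FAIL 203.0.113.7 admin
2024-05-01T12:00:02 LOGIN_FAIL 203.0.113.7 admin
2024-05-01T12:00:04 LOGIN_FAIL 203.0.113.7 admin
2024-05-01T12:00:06 LOGIN_FAIL 203.0.113.7 admin
2024-05-01T12:00:08 LOGIN_FAIL 203.0.113.7 admin
2024-05-01T12:00:10 LOGIN_FAIL 203.0.113.7 admin
2024-05-01T12:00:12 LOGIN_OK 203.0.113.7 admin
"""


def parse_events(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, src, user = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "src": src, "user": user})
    return events


def make_alert(rule, ev, failures):
    return {"rule": rule, "ts": ev["ts"].isoformat(), "src": ev["src"],
            "user": ev["user"], "failures": failures}


def naive_rule(events):
    """Untuned out-of-the-box style rule: one alert per failed login."""
    return [make_alert("failed_login", ev, 1)
            for ev in events if ev["kind"] == "LOGIN_FAIL"]


def tuned_rule(events, threshold=5, window=timedelta(seconds=60),
               suppressed_users=frozenset({"svc-backup"})):
    """Tuned correlation: a burst of failures per (source, user) within
    `window` fires once; a success right after a burst fires again as a
    higher-priority alert; users tuned out as known noise are skipped."""
    recent_fails = defaultdict(list)   # (src, user) -> failure timestamps
    alerts = []
    for ev in events:
        if ev["user"] in suppressed_users:
            continue  # known-noisy account, tuned out after investigation
        key = (ev["src"], ev["user"])
        window_start = ev["ts"] - window
        fails = [t for t in recent_fails[key] if t >= window_start]
        if ev["kind"] == "LOGIN_FAIL":
            fails.append(ev["ts"])
            if len(fails) == threshold:   # fire once when the burst forms
                alerts.append(make_alert("brute_force_attempt", ev, len(fails)))
        elif ev["kind"] == "LOGIN_OK" and len(fails) >= threshold:
            alerts.append(make_alert("brute_force_success", ev, len(fails)))
        recent_fails[key] = fails
    return alerts


def summarize(log_text):
    """Alert volume produced by each rule over the same events."""
    events = parse_events(log_text)
    return {"naive": len(naive_rule(events)), "tuned": len(tuned_rule(events))}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for a in tuned_rule(parse_events(SAMPLE_LOG)):
        print(a)
```

Over these sixteen events the untuned rule raises fourteen alerts, thirteen of which an analyst would close as noise, while the tuned rule raises two, both for the outside address. Dropping the suppression list (`suppressed_users=frozenset()`) brings the `svc-backup` burst back as a third alert, which is the kind of decision the text describes: each suppression or threshold is a judgement the team has to make and then revisit as the environment changes.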