
    By Kirsten Savage on July 23, 2021


    • Using Breach Attack Simulation to make your SIEM more…

      Security Information and Event Management (SIEM) is an important tool for reducing cyber risk. Enterprises have been investing substantial sums in SIEM solutions, in both capital and operating budget lines, for the past 15 years. Despite this, year after year, industry studies indicate that SIEM users are dissatisfied with their investments.

      SIEM solutions have been criticized for being difficult to operate, noisy, and slow to detect cyberattacks. Some of these problems are alleviated by concepts such as the “intelligence-driven SOC,” “orchestration and automation,” and “managed SIEM,” but none of them assures a reliable, efficient, and prompt detection rate.

      Proactive Validation: The Only Sensible Way

      Proactive validation is the only certain way to run SIEM platforms efficiently. A continuous, consistent, and on-demand validation capability built on realistic emulation of genuine cyberattacks helps identify holes in SIEM operations (techniques that generate no alert, alerts that fire too late, log sources that are missing) and opens up numerous possibilities for preventing real attacks.

      Enterprise-grade Breach and Attack Simulation (BAS) platforms take adversary emulation to another level from this perspective. BAS platforms:

      • use threat-centric analytics to identify detection gaps at the level of adversary behaviour, for example per MITRE ATT&CK technique;
      • automate emulation and can therefore diversify it to thousands of scenarios;
      • provide detection and prevention content for immediate risk mitigation;
      • make purple teaming a repeatable capability rather than a one-off exercise.
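The scoring loop behind the first bullet, as an added example that is not code from the original post or from any BAS vendor: each emulated behaviour is recorded with its MITRE ATT&CK technique ID, target host and execution time, and the SIEM's alert export is matched against it. A behaviour is "detected" if an alert for the same technique on the same host fires within the detection window, "late" if the alert exists but fired outside the window (the dwell-time problem), and "missed" if nothing matched at all, which is the detection gap handed to detection engineering. The technique IDs, hosts, timestamps, rule names and the 15-minute window are constructed sample data, not results from any real environment.

```python
"""Score one Breach and Attack Simulation (BAS) run against SIEM alerts.

Added illustration of BAS-driven SIEM validation; all data below is
constructed for the example and does not come from a real environment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Emulation:
    technique: str            # MITRE ATT&CK technique ID, e.g. "T1059.001"
    host: str                 # host the behaviour was executed on
    executed_at: datetime


@dataclass(frozen=True)
class Alert:
    technique: str            # technique ID the SIEM rule is mapped to
    host: str                 # host the alert was raised for
    fired_at: datetime
    rule: str                 # name of the SIEM rule that fired


@dataclass(frozen=True)
class Verdict:
    emulation: Emulation
    status: str               # "detected", "late" or "missed"
    latency: Optional[timedelta]   # time from execution to first matching alert
    rule: Optional[str]       # rule that produced the first matching alert


# Constructed BAS run: four emulated behaviours on workstation ws01.
RUN = [
    Emulation("T1059.001", "ws01", datetime(2021, 7, 20, 9, 0, 0)),   # PowerShell execution
    Emulation("T1003.001", "ws01", datetime(2021, 7, 20, 9, 5, 0)),   # LSASS memory access
    Emulation("T1021.002", "ws01", datetime(2021, 7, 20, 9, 10, 0)),  # SMB/admin share use
    Emulation("T1048.003", "ws01", datetime(2021, 7, 20, 9, 15, 0)),  # exfil over cleartext protocol
]

# Constructed SIEM alert export covering the same morning.
ALERTS = [
    Alert("T1059.001", "ws01", datetime(2021, 7, 20, 9, 0, 40), "Suspicious PowerShell encoded command"),
    Alert("T1059.001", "ws01", datetime(2021, 7, 20, 9, 0, 55), "Script block logging anomaly"),  # second alert, same behaviour
    Alert("T1003.001", "ws01", datetime(2021, 7, 20, 11, 30, 0), "LSASS access by unsigned process"),  # fired 2h25m after execution
    Alert("T1021.002", "ws02", datetime(2021, 7, 20, 9, 11, 0), "Admin share access"),  # wrong host: not credited
]


def score_run(run: List[Emulation], alerts: List[Alert],
              window: timedelta = timedelta(minutes=15)) -> List[Verdict]:
    """Match every emulated behaviour to the first SIEM alert that names the
    same technique on the same host and fired at or after execution time.
    Alerts on a different host are not credited: an alert that cannot be tied
    to the affected asset does not help an analyst during a real intrusion."""
    verdicts = []
    for emu in run:
        candidates = [a for a in alerts
                      if a.technique == emu.technique
                      and a.host == emu.host
                      and a.fired_at >= emu.executed_at]
        if not candidates:
            verdicts.append(Verdict(emu, "missed", None, None))
            continue
        first = min(candidates, key=lambda a: a.fired_at)
        latency = first.fired_at - emu.executed_at
        status = "detected" if latency <= window else "late"
        verdicts.append(Verdict(emu, status, latency, first.rule))
    return verdicts


def detection_gaps(verdicts: List[Verdict]) -> List[str]:
    """Technique IDs with no matching alert at all: the work list for detection engineering."""
    return [v.emulation.technique for v in verdicts if v.status == "missed"]


def coverage(verdicts: List[Verdict], count_late: bool = False) -> float:
    """Fraction of emulated behaviours detected. With count_late=True a late
    alert still counts, which shows how much coverage is lost to dwell time."""
    accepted = {"detected", "late"} if count_late else {"detected"}
    if not verdicts:
        return 0.0
    return sum(1 for v in verdicts if v.status in accepted) / len(verdicts)


if __name__ == "__main__":
    results = score_run(RUN, ALERTS)
    for v in results:
        lat = f"{int(v.latency.total_seconds())}s" if v.latency is not None else "-"
        print(f"{v.emulation.technique:10} {v.status:8} latency={lat:>7} rule={v.rule}")
    print("gaps:", detection_gaps(results))
    print(f"coverage strict={coverage(results):.0%} incl. late={coverage(results, True):.0%}")
```

Run repeatedly (after each rule change, log-source change or content update) and track the three numbers over time; a behaviour that moves from "detected" to "missed" between two runs is exactly the regression that a SIEM left unvalidated would never reveal.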

      BAS-Empowered SIEM

      SIEM powered by BAS is one of Gartner’s top eight technology trends for 2021. Enterprises should consider the use cases that BAS platforms provide for increasing SIEM efficiency and return on investment. A BAS-enabled SIEM platform can serve a wide range of users, including CIOs, CISOs, SOC managers, security analysts, and compliance teams, in building resilient networks.

      SIEM technology was designated as a new product category in 2005, and much has happened in IT and cybersecurity since then. Networks are now larger, more interconnected, and more versatile, and criminal actors take advantage of what those descriptors imply: more flexibility, the potential for greater impact, and an expanded attack surface. Although SIEM technology has advanced substantially, not every aspect of how SIEMs are used today meets the problems that current networks and business dynamics present.

      SIEMs are Underutilized

      SIEMs aren’t being used to their full potential. The SANS report “Common and Best Practices for Security Operations Centers: Results of the 2019 Survey” [4] investigates how satisfied users are with their technologies across the NIST Cybersecurity Framework functions of identification, protection, detection, response, and recovery. In the identification category, the survey shows that only 22% of SIEM users are very satisfied, while 25.8% are not satisfied. In the detection category, these numbers are 20.5% and 34.8%, respectively.

      A study [5] by the Ponemon Institute supports the findings of the SANS survey. Even though SIEM technology is organizations’ first choice for detecting malicious activity, on average 25% of those detections are false positives, and 55% of the alerts triggered are never attended to.

      Because the number of alerts is so large, many SOCs simply delete the alert backlog at the end of each day to start fresh in the morning, which means any true positive in that backlog is discarded unexamined.

      En Route to Efficiency

      SIEM systems are the most popular detection solution for a variety of reasons. SIEMs are known for their speed in delivering findings. SIEM solutions gather and analyse data in a way that no other detection technology can, and their advanced analytics capabilities are unrivaled. Maintaining high efficiency on this expensive but necessary equipment is a critical component of combating sophisticated cyber assaults. The question of how to get there, on the other hand, remains unanswered. There are several obstacles that SOC teams must overcome in order to achieve and maintain SIEM efficacy.

      CHALLENGES IN OPERATIONALIZING SIEMS EFFECTIVELY

      In the discussion of SIEM efficacy (or rather inefficacy), three fundamental challenges put a strain on SIEM capabilities. The extensively debated SOC problems of false positives, alert noise, missed detections, long dwell time, and other issues related to SIEM efficacy are symptoms of not addressing these three challenges effectively in the first place.

      1) The Large Volume of Data Modern Networks Generate

      Regardless of how advanced a SIEM technology may be, it fundamentally relies on the scope and quality of the data it collects and processes. Even though “the more logs, the better” sounds like a reasonable proposition, the massive volume of data modern networks generate today requires SOC teams to handle log management more creatively and selectively: ingest the sources that detections actually depend on, rather than everything that can be shipped.

      2) Ever-Changing Adversarial and Internal Environments

      Data sets and detection rules on SIEMs quickly go out of date because of the rapid changes in networks and in the adversarial landscape. Each new application, network, or user device may be both a new vulnerability and a new data source at the same time. New attack techniques and threats may also require new data sources to be ingested before they can be detected at all.

      3) Shortage of Skills and Security Analysts

      While SIEMs rely heavily on people for planning, setting up processes, and successful execution, Gartner ranks “SIEM expertise” among the most difficult skill sets to find in its 2020 IT Skills Roadmap report [7].

      Assigning the right priorities to alerts, managing log sources, quick and effective detection engineering, improving processes, ensuring collaboration between junior and senior team members, and other key SIEM tasks all require the right level of expertise to be in place. Organizations need to find ways to empower SIEM users through training, automation, and a proactive approach that removes repetitive tasks before they pile up.

      Contact Ward Solutions to discuss how our Breach Attack Simulation services can help validate your current SIEM and improve its effectiveness.
