Why is SIEM so hard to do well?
SIEM is an essential security tool for any organization. Unfortunately, most have developed poor reputations for being difficult to implement and producing poor quality alerts. Why is this?
What is a SIEM?
Security incident and event management (SIEM) tools collect, analyze, correlate and aggregate IT log events that have significance to an organization’s cyber posture. These log events contain metadata describing transactions and operations within the systems, applications, and services used by an organization to support IT and data operations.
Common SIEM tools include: QRadar, Splunk, Sentinel, Elastic Search, and many others.
What Is a SIEM used for?
The SIEM has two primary responsibilities:
- Cybersecurity analysts will query data in a SIEM to find insights that will help them triage security alerts and support incident response activity. Often analysts are looking at events related to a security alert to add context and help them decide if a cyber threat is present.
- A SIEM is typically configured to analyze log events to identify activity that is potentially harmful to an organization. You might use a SIEM to identify compromised accounts, data being stolen, or hosts infected with malware.
Why is a SIEM so difficult to use?
There are two primary complaints regarding the usability of a SIEM:
- A SIEM can be difficult to install and manage.
- SIEM alerts are often false positives, frustrating the SOC
- SIEM is difficult to manage
SIEM tools require integration with multiple data sources and likely thousands of individual systems. Each implementation will be subject to the unique IT and data fingerprint of an organization, meaning each SIEM implementation is unique and therefore complicated. Most organizations won’t have in-house talent trained to perform this type of work and will need to look for outside assistance. Furthermore, a fully implemented SIEM will need ongoing care and attention as the IT systems, applications and services that feed information to the SIEM are updated and replaced. Changes to source systems often lead to changes in data that, in turn, impact the reports and analytics implemented in the SIEM.
- SIEMs are too noisy
The most common complaint about SIEM tools is that they produce too many cyber alerts. In fact, 90%+ of SIEM alerts turn out to be false positives. The challenge isn’t that the technology doesn’t work, it’s that the use case implemented in SIEMs often have to look for proxy activity to the actual malicious behavior an organization wants to detect. Let’s look at an example:
False Positive Cases:
- A user might be on vacation or work travel to a new country
- A user might login to a VPN to support team members in another country
- The geo-location data of an IP address assigned to the user might be wrong about where the user is logging in from
- The account in question might be shared by many systems and a new system using that account was deployed in a new location
- A new employee who is logging in for the first time might trigger this alert since he has no prior location history
As you can see, there are reasons to monitor this type of activity given it can indicate a real break, but also numerous cases where the alert captures expected business activity. Adjusting the alert logic to account for edge cases will help, but it isn’t going to work for every case. Alert tuning also risks over-tuning the case where too much is excluded from the rule including the malicious activity you want to find.
Most SIEM alerts follow this same pattern. It’s typically impossible to directly indicate if some threat behavior is occurring (i.e. account takeover or data theft) so instead, SOCs rely on indications of something suspicious that they can follow up on, knowing most suspicious actions are OK.
Can SIEM be made better?
Unfortunately, most organizations will find it necessary to have someone specializing in this technology to ensure it works well for them. There have been numerous noteworthy breaches where missing or malformed SIEM logs impacted the organization’s ability to detect and respond to an active threat more effectively. Many others will look to third-party service providers to help monitor and manage SIEM tools on their behalf.
Emerging technology and AI provide targeted relief.
Our own AI security analyst technology, Salem, is designed to combat false positives by using cyber analyst-trained AI to investigate alerts and identify the few that are likely real threats. Other tools have emerged to help simplify data management and processing and still others are improving detection analytics by automatically correlating more types of data.
Conclusion
The SIEM is and will remain a vitally important SOC tool. It's indispensable when analysts need to find context to support an investigation, and it’s often one of the only ways to find behavior-oriented threats. They remain difficult to manage and produce noisy alerts, but new tech is coming to help make aspects of owning a SIEM better.
