Many organizations are attempting to deploy a SIEM (Security Information and Event Management) capability, but few do it well. Organizations often mistakenly view SIEM as a set-it-and-forget-it platform. Nothing could be further from the truth. A highly effective SIEM is the product of solid people and processes backing it up. SIEM vendors would like you to think any company can deploy and manage a SIEM. This is definitely not the case.
Here are the top five pitfalls we see with SIEM deployments:
- Industry-wide shortage of trained security analysts
- Insufficient training on the chosen SIEM platform
- Security team is understaffed for 24x7 coverage
- Alerts are not properly tuned, which results in too much noise
- Individual alerts that are not correctly correlated by the SIEM go unnoticed
What is a SIEM? A security information and event management (SIEM) software product gives enterprise security professionals insight into, and a history of, activity within their networks. Today’s SIEMs are real-time monitoring, reporting, and analytic tools that correlate events from various sources for enhanced security operations intelligence. This can greatly facilitate incident response by reducing both the time to detect threats and the time to respond to them. Although SIEM suites are powerful tools, their complexity can make timely deployment and regular use a near impossibility for unprepared organizations.
Ensure you have adequate staffing to manage the SIEM. Enterprise management is often surprised by the number of staff required to manage the SIEM. To provide 24x7x365 coverage, True recommends four to eight full-time security analysts in your Security Operations Center (SOC). Personnel requirements alone put SIEM deployments out of the reach of many small and medium-size businesses. And, with a global workforce shortage in security analysts, it is becoming more challenging to maintain a fully staffed and well-functioning SIEM.
Security analyst training is essential for an effective SIEM capability. It is not enough to have four IT analysts assigned to SIEM duty. Managing a SIEM requires a security analyst skillset as well as training on the SIEM product itself. If you are deploying a SIEM in-house, ensure you budget for training your security analysts on the product. The business will extract much more value from the SIEM and be able to better respond to threats with adequately trained SOC analysts.
Alert tuning is critical to an effective SIEM. If you tune out important alerts, you may miss the next breach. If you don’t tune out the insignificant noise, you may miss the next breach in your sea of noise. SIEM tuning is as much an art as it is a science. The tendency with new deployments is to over-tune the SIEM, which can result in missed threats. The analyst needs to understand the value of each individual log event and whether it can usefully be correlated with other events. Even if an event appears innocuous at first glance, it can be of critical importance when attempting to identify an intruder. Skilled analysts make the biggest difference in SIEM tuning.
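To make the tuning and correlation point concrete, here is an added example (not code from the original article or from any SIEM product) of a minimal correlation rule in Python. It runs over a handful of constructed log lines: a few failed logins, a successful login, and a privileged account change, none of which is alarming on its own. The rule correlates them per source address and user into a single high-severity alert. Passing `suppressed={"auth_failure"}` models an over-tuned SIEM that has filtered out "noisy" failed logins; with that event type gone, the same intrusion produces no alert at all. The log format, field names, thresholds and window are assumptions chosen for the demonstration.

```python
"""Tiny SIEM-style correlation engine (added example, not the article's code).

Demonstrates that individually innocuous events become meaningful when
correlated, and that over-tuning (suppressing an event type) hides the
whole pattern.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed key=value format; not real data).
# 203.0.113.7 / alice: three failures, a success, then an admin account created.
# 198.51.100.4 / bob: one typo'd password and a login 28 minutes later.
SAMPLE_LOGS = """\
2024-03-01T09:00:01 host=web01 src=203.0.113.7 user=alice event=auth_failure
2024-03-01T09:00:03 host=web01 src=203.0.113.7 user=alice event=auth_failure
2024-03-01T09:00:05 host=web01 src=203.0.113.7 user=alice event=auth_failure
2024-03-01T09:00:09 host=web01 src=203.0.113.7 user=alice event=auth_success
2024-03-01T09:01:30 host=web01 src=203.0.113.7 user=alice event=new_admin_account
2024-03-01T09:02:00 host=web02 src=198.51.100.4 user=bob event=auth_failure
2024-03-01T09:30:00 host=web02 src=198.51.100.4 user=bob event=auth_success
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_logs(text):
    """Parse all non-empty lines of a log blob."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def correlate(events, window=timedelta(minutes=5), min_failures=3,
              suppressed=frozenset()):
    """Correlate events per (src, user) and return a list of alert dicts.

    Rule (assumed for the example):
      * >= min_failures 'auth_failure' events within `window`, followed by an
        'auth_success' from the same src/user  -> 'medium' alert
      * a 'new_admin_account' within `window` of that success -> escalate to 'high'
    Event types in `suppressed` never reach the engine, modelling a tuning
    filter that drops them as noise.
    """
    per_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] in suppressed:
            continue  # tuned out: the correlation engine never sees it
        per_key[(ev["src"], ev["user"])].append(ev)

    alerts = []
    for (src, user), evs in per_key.items():
        failures = []      # timestamps of recent failures (sliding window)
        current = None     # alert raised for this key, if any
        for ev in evs:
            kind = ev["event"]
            if kind == "auth_failure":
                failures = [t for t in failures if ev["ts"] - t <= window]
                failures.append(ev["ts"])
            elif kind == "auth_success":
                recent = [t for t in failures if ev["ts"] - t <= window]
                if len(recent) >= min_failures:
                    current = {"src": src, "user": user, "severity": "medium",
                               "success_ts": ev["ts"],
                               "reason": f"{len(recent)} failures then success"}
                    alerts.append(current)
                failures = []  # a success closes the failure burst
            elif kind == "new_admin_account" and current is not None \
                    and ev["ts"] - current["success_ts"] <= window:
                current["severity"] = "high"
                current["reason"] += "; privileged change shortly after login"
    return alerts


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("tuned well   :", correlate(evs))
    print("over-tuned   :", correlate(evs, suppressed={"auth_failure"}))
```

Run as-is, the first call yields one high-severity alert for alice from 203.0.113.7 and nothing for bob, whose lone typo and later login fall outside the window. The second call returns an empty list: once failed logins are filtered out "to reduce noise", the successful login and the admin account creation each look routine and the intrusion goes unnoticed, which is exactly the over-tuning failure the text warns about.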
It is possible to deploy a SIEM solution in-house with proper planning and budgeting. Taking these challenges into account up-front will set your company up for success in deploying a SIEM solution that works for you. But if you are like most companies and cannot afford to hire a small army of security analysts along with the cost of the SIEM licensing and SIEM training, there is a better way.
What is the better way? Unless you are in the minority of companies that can successfully overcome these challenges, True recommends finding a SIEM partner that will deploy, manage, tune, and monitor the SIEM platform for you. Qualified security professionals are in high demand. Even if you build a fully staffed SOC, you may find it difficult to retain staff. Instead, consider using a managed SIEM provider like True Digital Security. True offers a managed AlienVault SIEM solution that our experts deploy, tune, manage, and monitor. All you do is point your logs at our SIEM, and we do the rest. We alert you as soon as we detect suspicious activity, and our expert security analysts will guide you to the best path of remediation. We give you the flexibility to dive into the SIEM interface when you want, or to leave it all to us. Contact us today to learn more about our SIEM service.