Why SIEM is Not a Silver Bullet for Threat Detection and Response

Table of Contents
A Brief History of SIEM
The Hidden Cost
If I Stop Using SIEM for Threat Detection, Where Does That Leave Me?

Security information and event management (SIEM) has been with us for quite some time, about 20 years. It is still regularly promoted as an essential part of an organization's threat detection and response capability. However, in practice, there is a significant hidden cost associated with the ongoing maintenance and tuning of the platform's threat detection rules. This often leaves them gathering dust and not adding the value they were intended to deliver.

A Brief History of SIEM

The initial drivers for implementing SIEM were rooted in centralized log management. Given that many organizations' systems are siloed, there is a real need to have all your logs in one place. Centralizing everything makes it much easier to search and analyze business-critical data.

The threat detection capability came later, only once the organization's data was in one place and technological advances meant compute power was more readily available. These advances allowed organizations to perform real-time analysis on the centralized data to try to unearth threats. IT teams were then tasked with writing a rules engine on top of this data lake, hoping to deliver real-time alerting of malicious and anomalous activity.

The Hidden Cost

SIEM solutions tend to come with a hefty price tag, yet some IT buyers can be persuaded that it is all worth it if it solves their compliance and threat detection problems. While SIEMs are great for log storage, management and compliance, fully using the SIEM's threat detection capability requires significant input from skilled professionals (that hidden cost). Buying an expensive SIEM and assuming your threat detection problems will disappear is like buying an F1 car and thinking you will be able to race like Lewis Hamilton. In reality, if you don't have a capable driver and can't maintain it, the race car will sit in the garage, gathering dust. Unfortunately, I've seen this happen with SIEMs time and time again.

SIEMs come with out-of-the-box rules, which help relieve some of the burden from in-house security teams, but the reality is that you will need talented people to continually fine-tune and build threat detection content specific to your business context. Only then can you maximize the technology's effectiveness. In most cases, you'll need at least one full-time employee, a luxury that small and stretched infosec teams can't afford.
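To make the tuning work concrete, here is an added example (not code from the article or from any SIEM product): a simplified failed-login threshold rule of the kind that ships out of the box, run over constructed sample events, first untuned and then with a hypothetical piece of business context (an authorised vulnerability scanner host) encoded by an analyst. The event format, the addresses and the `KNOWN_SCANNERS` set are all assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not from the article: normalised failed-login
# events as a SIEM might hold them after centralising authentication logs.
def make_events():
    base = datetime(2024, 1, 10, 9, 0)
    ev = []
    for i in range(20):  # authorised vulnerability scanner: 20 failures in ~2 min
        ev.append({"ts": base + timedelta(seconds=5 * i), "src": "10.0.5.20",
                   "user": "svc_scanner", "outcome": "fail"})
    for i in range(6):  # unknown host guessing the admin account
        ev.append({"ts": base + timedelta(seconds=30 * i), "src": "10.0.9.7",
                   "user": "admin", "outcome": "fail"})
    for i in range(2):  # a user mistyping their password twice
        ev.append({"ts": base + timedelta(minutes=i), "src": "10.0.1.5",
                   "user": "jsmith", "outcome": "fail"})
    ev.append({"ts": base + timedelta(minutes=3), "src": "10.0.1.5",
               "user": "jsmith", "outcome": "success"})
    return ev

# Hypothetical business context an analyst has to discover and encode by hand:
# the scanner host fails logins by design, so it should not raise this alert.
KNOWN_SCANNERS = frozenset({"10.0.5.20"})

def brute_force_alerts(events, threshold=5, window_minutes=10, exclude_src=frozenset()):
    """Alert on any source with `threshold` failed logins inside `window_minutes`.
    With exclude_src empty this is the out-of-the-box rule; passing business
    context (such as KNOWN_SCANNERS) is the tuning work the article describes.
    Returns the sorted list of alerting source addresses.
    """
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] == "fail" and e["src"] not in exclude_src:
            failures[e["src"]].append(e["ts"])
    window = timedelta(minutes=window_minutes)
    alerting = []
    for src, times in failures.items():
        times.sort()
        # Slide a window of `threshold` events; alert once if any fits the time window.
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            alerting.append(src)
    return sorted(alerting)

if __name__ == "__main__":
    events = make_events()
    print("out-of-the-box:", brute_force_alerts(events))  # ['10.0.5.20', '10.0.9.7']
    print("tuned:", brute_force_alerts(events, exclude_src=KNOWN_SCANNERS))  # ['10.0.9.7']
```

The untuned rule fires on the scanner every time it runs; the exclusion that silences it is exactly the kind of context-specific knowledge someone has to keep maintaining as the environment changes.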

If I Stop Using SIEM for Threat Detection, Where Does That Leave Me?

There is a proliferation of highly sophisticated security tooling available off the shelf that can detect malicious or anomalous activity across the entire IT environment. At a high level, these tools work by first having their native threat detection engines, managed and tuned by the vendor, analyze the data and then generate alerts when their engines are triggered. Put differently, they detect threats based on a specific threat detection use case and then generate alerts as a result.

Sound familiar?

I like to call these tools mini-SIEMs.

Today's vendor landscape looks very different from the one a decade ago. Today, if you want to embed a particular threat detection capability, you can choose from a plethora of products (mini-SIEMs). A decade ago, you would have had to pick a single SIEM for all your detection capability (and your vendor choices were limited).

This means that for the stretched infosec team, the problem has fundamentally changed from writing and tuning rules within a central SIEM platform for threat detection to now needing to focus on responding to the alerts generated by these sophisticated threat detection solutions.

In a world where the threat detection capability we've associated with SIEMs is decentralized, investment should therefore be directed to the 'right' threat detection tools. Investment should go to tools that address your business's specific threat detection use case problems and should be combined with technology that will help you triage, investigate and respond effectively.

So, before diving in headfirst and investing heavily in SIEM, only to creak further at the seams, consider your risk appetite and resource profile carefully. There are alternative, and more appropriate, models out there for threat detection and response.