If your organization is worried about its network security, congratulations! You should be. If you weren’t, we’d be worried. Unfortunately, information security is an often-overlooked, but crucial, feature of a well-functioning organization. It is deeply complex, and implementing effective cybersecurity solutions requires a huge depth of specialized knowledge and, because most people don’t have this knowledge, software solutions such as SIEMs can look incredibly attractive.
Software automatically collecting and analyzing data, constantly monitoring for and alerting you of network risks? It sounds too good to be true…
Because it is.
As is so often the case, SIEMs really aren’t that simple, and definitely aren’t as effective as advertised. One mid-sized financial firm said their vendor sold them a lemon, with promises that it could magically sort through a haystack of log data and return the needle (a possible breach); what they got was a program that produced a lot of extra hay. Even multi-million dollar SIEM implementations, along with a full team of experts, failed to produce any real-world benefits for one major bank, which had an internal joke referring to its SIEM as “Stupidly Irrelevant Electronic Messaging”. Because of these SIEM shortcomings, the security industry, fuelled by VC money, has now poured billions of dollars into startups trying to solve the problem by adding Threat Intelligence, Machine Learning, SOAR, and UEBA, but none of these innovations addresses the root cause of the issue; in fact, they continue to generate more alerts and more false positives. Every organization we have worked with has reported that their SIEMs are overpriced and overrated. Over the past 20 years I’ve personally worked with SIEMs, and even had a large implementation at my MSSP business “earthwave”, but you don’t have to take my word for it; a 2016 study released by Netwrix delivers some sobering facts. Let’s take a look at the data in their 2016 SIEM Efficiency Survey, and break down the problems organizations are having with their SIEM package.
SIEMs are Overpriced
69% of survey respondents are trying to cut down SIEM costs, and 85% reported that, as they continue to use their SIEM, they have experienced significant price hikes. Mostly, prices go up because organizations realize that SIEMs aren’t security miracles, and need to bring on additional staff to utilize their expensive new SIEM. If an organization doesn’t bring in security professionals, they’ve gutted their budget in exchange for a fancy log-collector that will pump out way too many reports that nobody on staff can begin to understand.
Other unexpected costs went to SIEM support and maintenance, hardware upgrades for older systems, and storage for all those new log files. All in all, we’re left with a majority of SIEM users paying more than they wanted for software they aren’t able to use effectively.
SIEMs are Overrated
As if the price tag and hidden costs weren’t bad enough, users reported that their SIEMs had three massive shortcomings bundled in with those hidden costs. Don’t think that the high prices of purchasing, maintaining, and utilizing SIEMs are due to their effectiveness, or that you will get an equal return on investment from your “bolstered” security software. According to the 2016 survey, the three major limitations of SIEMs were in their reporting capabilities (probably what you want the SIEM for): the reports were noisy, incomplete, and difficult to understand.
81% of respondents said that their reports were negatively impacted by excessive noise data. Their SIEM was probably improperly configured, and was reporting normal incidents or non-threatening scans by “automated opportunistic attacks” as high-risk threats. These noisy logs can obscure actual threats, and can overwork your SIEM analysts.
The second largest complaint (68%) was that the SIEM reports were incomplete. Again, probably an issue with utilization. You might be detecting a theme here? We thought so.
The final complaint, made by 63% of respondents, was that the generated reports were just too difficult to understand.
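To make the noise complaint concrete, here is an added example (not code from the original article or from any SIEM product) that runs an untuned correlation rule and a baselined one over constructed firewall log lines. The known-scanner list, critical-asset list and port threshold are assumptions standing in for the tuning work the article says most organizations never do.

```python
from collections import defaultdict

# Constructed firewall log lines: "timestamp src dst dport action"
SAMPLE_LOGS = """\
2016-05-01T10:00:01 203.0.113.9 10.0.0.5 22 DENY
2016-05-01T10:00:02 203.0.113.9 10.0.0.5 23 DENY
2016-05-01T10:00:03 203.0.113.9 10.0.0.5 3389 DENY
2016-05-01T10:00:04 203.0.113.9 10.0.0.5 445 DENY
2016-05-01T10:00:05 10.0.0.50 10.0.0.5 443 DENY
2016-05-01T10:00:06 10.0.0.50 10.0.0.5 80 DENY
2016-05-01T10:00:07 198.51.100.7 10.0.0.20 445 DENY
2016-05-01T10:00:08 198.51.100.7 10.0.0.20 445 DENY
2016-05-01T10:00:09 198.51.100.7 10.0.0.20 3389 DENY
2016-05-01T10:00:10 198.51.100.7 10.0.0.20 22 DENY
2016-05-01T10:00:11 198.51.100.7 10.0.0.20 1433 DENY
2016-05-01T10:00:12 192.0.2.4 10.0.0.20 443 ALLOW""".splitlines()

# Assumed tuning context ("what's normal" for this organization): the internal
# vulnerability scanner is expected to probe hosts, and one server is high-value.
KNOWN_SCANNERS = {"10.0.0.50"}
CRITICAL_ASSETS = {"10.0.0.20"}

def parse(lines):
    """Split each constructed log line into a small event dict."""
    events = []
    for line in lines:
        ts, src, dst, dport, action = line.split()
        events.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action})
    return events

def naive_rule(events):
    """Untuned rule: every denied connection becomes its own high-severity alert."""
    return [("high", e["src"], e["dst"]) for e in events if e["action"] == "DENY"]

def baselined_rule(events, min_ports=4):
    """Tuned rule: aggregate denies per (src, dst), ignore known-benign sources,
    suppress low-volume opportunistic probing, and grade by target criticality."""
    probed = defaultdict(set)
    for e in events:
        if e["action"] == "DENY" and e["src"] not in KNOWN_SCANNERS:
            probed[(e["src"], e["dst"])].add(e["dport"])
    alerts = []
    for (src, dst), ports in probed.items():
        if len(ports) < min_ports:
            continue  # background internet noise: no analyst time spent
        alerts.append(("high" if dst in CRITICAL_ASSETS else "low", src, dst))
    return alerts

def severity_counts(alerts):
    """Tally alerts by severity so the two rules can be compared."""
    counts = {}
    for sev, _, _ in alerts:
        counts[sev] = counts.get(sev, 0) + 1
    return counts
```

On these twelve lines the naive rule raises eleven high-severity alerts, while the baselined rule raises one high (the multi-port probe of the critical server) and one low, which is the difference between a queue an analyst can work and one they ignore.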
SIEM – a perfect example of incorrectly skewed security budgets
What is astonishing about the current situation is that customers are none the wiser, with the threat intelligence security market (SIEM, Log Management, IAM, SVM, Risk Management, Incident Forensics) expected to grow from just over $3 billion in 2015 to nearly $6 billion by 2020, at a compound annual growth rate (CAGR) of 14.3% from 2015 to 2020, according to Markets and Markets. They state that SIEM is expected to dominate the market with the largest share of the solution segment in 2020, and forecast that the global SIEM market will grow to $4.5+ billion in 2019. They previously estimated the SIEM market to be worth approximately $2.6 billion in 2014.
Additionally, consider this: Gartner’s Anton Chuvakin and Augusto Barros, in their February 2016 report SIEM Technology, Market and Vendor Assessment, said “Security information and event management is a crucial and widely used security technology, yet many security architects struggle to get value from their often-expensive deployments.”
SIEMs are Crazy Complicated
The biggest myth about SIEMs is that they are accessible to non-technical people. This simply isn’t true. SIEMs are time consuming to configure, require maintenance to keep them running effectively, and produce reports which are indecipherable to most people. In order to get the most value out of your SIEM, you need professionals in threat analysis, system administration / maintenance, SIEM rule development, and security monitoring. Without a full security team, your expensive SIEM will be relegated to a fancy log-collector that sends an annoying number of threat alerts and leaves you vulnerable to cyber-attack.
SIEMs are basically the Achilles’ heel of the security world. They offer the illusion of cyber security, but fail to return the promised results despite their large price tag. Without a full security team, a SIEM is about as effective as a cardboard padlock, yet it also provides a false peace of mind to worried organizations. Thinking themselves protected by their SIEM, employees and management can become lax in their security practices.
So, get a SIEM, if you must, but with the knowledge that it will take a lot of time and money to get it running and keep it that way. Even then, you are vulnerable to attack. Best practice is to augment your SIEM with advanced threat detection and response capability that hunts down and eliminates advanced and unknown threats that routinely bypass perimeter controls while your SIEM (maybe) keeps out the automated opportunistic attacks and script-kiddies.
So What is the Solution?
With LMNTRIX Active Defense, we don’t use a SIEM to detect and respond to advanced threats. However, we do recognize the need for a SIEM to meet log management and compliance requirements, and as such we offer a free onsite Managed SIEM Service or a cost-effective cloud option to replace your SIEM – we call it ThinkGrid. Offered as an optional extra to Active Defense, LMNTRIX ThinkGrid is the fastest and most scalable analytics-based SIEM on the planet. By allowing unlimited log collection without any additional vendor SIEM licensing fees, LMNTRIX ThinkGrid is ideal for large log management and compliance use cases. The free ThinkGrid Onsite can be deployed on Google Cloud, Azure, AWS, or in-house; otherwise you can cost-effectively subscribe to ThinkGrid Cloud.
Our use of machine learning algorithms means ThinkGrid Cloud gets smarter every minute while also eliminating the need for clients to come up with use cases, write rules or create thresholds. By analyzing your data in order to find discrepancies and unorthodox behavior, ThinkGrid Cloud is able to link these anomalies together, joining the dots and uncovering the truth behind advanced threat activity. Critically, in order to ensure accuracy, our algorithms are based on your data because the only way we can know what is “abnormal”, is to know what’s “normal” for your organization.
SecOps and threat hunting are team sports: ThinkGrid provides an interactive workspace for security teams to triage events and perform initial investigations. Monitor for threats, gather evidence on a timeline, pin and annotate relevant events, and forward potential incidents to ticketing and SOAR platforms.
Gain visibility into your environment: ThinkGrid allows you to view your data on interactive dashboards and maps. Perform graph-based relationship analysis. Search across information of all kinds. Do it all with the technology fast enough for the sharpest analysts.
Automate detection with ATT&CK-aligned rules: With ThinkGrid Cloud you can continuously guard your environment with correlation rules that detect tools, tactics, and procedures indicative of potential threats. Cut to what matters with preconfigured risk and severity scores. Content is aligned with the MITRE ATT&CK knowledge base and ready for immediate implementation.
For a demo of ThinkGrid email us at firstname.lastname@example.org or to learn more about LMNTRIX Active Defense, visit us at lmntrix.com or email us using email@example.com.
If you enjoyed this article and you would like to learn more about our thinking, the following articles are a good start:
- SIEMs, EDRs, SOCs, MSSPs – cyber security’s false prophets
- If vendors spent less on marketing and more on capability, our job would be a lot harder
- Is Microsoft one of the most effective AV vendors on the planet?
- VIDEO – WHY YOUR SIEM MIGHT BE AS USEFUL AS A SELFIE-OBSESSED CELEBRITY
- The Three Pillars of Cybersecurity
- Stepping into the Breach
- LMNTRIX: Security Done Different