SOCs and SIEMs
Louis Evans

Burnt by a SIEM: A Familiar Plight in Cybersecurity

Where did it all go wrong?

Just a few months ago you and your team decided to buy a security information and event management (SIEM) tool. It was the “magic bullet” you needed for comprehensive visibility into the critical security threats that impact your business. At least, that’s what you thought.

You did your research. You did your proof of concept, your due diligence. You called references. You picked a leading SIEM vendor from the top right corner of Gartner’s Magic Quadrant, one that enjoys favorable reviews. You were awed by impressive demos of a sleek, powerful interface. You shook hands and signed a contract.

Maybe, if you purchased an on-premises appliance, you even got an unboxing experience worthy of a YouTube video: a large server delivered by truck, that new-computer smell, the hard, physical labor of racking an appliance and checking all of its cabling. If you went the SaaS route, you had the true 21st-century experience of clicking through a simple login page and watching your appliance unfold as if by magic. “Look, ma, no hardware! It’s all in the cloud!”

Today, That SIEM’s Weighing You Down

But none of that good feeling remains. Instead, that SIEM is a millstone around your neck as you face one of the typically painful scenarios:

  • SIEM as shelf-ware: You’ve got an implementation checklist as long as your arm, but no resources or plan to execute it
  • Ongoing tuning challenges: You turned the SIEM on but faced endless configuration tasks to establish rules and monitor activity around your most important assets
  • Alert fatigue: Your SIEM runs but you can’t weed out the real alerts from the overwhelming number of false positives

All that considered, are you gaining any real value from the SIEM?  While you might be able to tick a compliance checkbox, is your company any safer today? There’s only the two of us here on this blog, so you can be honest. The answer is no. You’re no more equipped to detect a cyberattack, let alone stop one, than you were before the SIEM.

All of this can be very dispiriting. You’re in a tight spot.

Many good teams—probably most of them—struggle mightily with SIEM implementation, which typically takes more than 12 months to start delivering value. Especially at smaller organizations, SIEM projects often begin with high hopes but end with shelf-ware and shame, not to mention a big hole in the budget.

Why? Because SIEM is a tool used as part of a larger project: a fully comprehensive security operations center (SOC). Unless you’ve got the SOC building blocks in place, a SIEM is a powerful engine without a car or driver.

It’s About People and Processes Too, Not Just Technology

A successful SOC roll-out requires people and processes around the SIEM you purchased, along with additional technology.

  • People: SIEMs require care and feeding in the form of extensive tuning, repeated configuration, and constant monitoring. This work can easily consume several skilled fulltime engineers during an extended deployment cycle. Plus, SIEMS also need dedicated monitoring staff on a permanent ongoing basis
  • Process: SIEMs require repeatable processes to take in a glut of data, triage events, and identify security incidents. Developing these processes takes experienced management, defined procedures, and careful training
  • (Additional) Technology: SIEMs are the crown jewel of a SOC, but without other key ingredients like threat intelligence, custom alert rules, and trouble ticketing, they can’t provide value 

If your SIEM isn’t delivering, don’t despair. And don’t throw good money after bad! Instead, consider a SOC-as-a-service provider to deliver the skilled people, repeatable processes, and scalable cloud-based technology you need as an integrated security service. You’ll get the security outcome you expected from your own SIEM, and typically at far less cost.

Right now, you’re stuck, but you don’t have to be. Learn more about SOC-as-a-service by clicking on the banner below.