When security information and event management (SIEM) tools came to the market over a decade ago, many practitioners considered the combination of information management and event management groundbreaking. Since then, the technology has gone through iterations to improve and enhance its capabilities, including the incorporation of user and entity behavior analytics (UEBA), machine learning and AI capabilities, and “out-of-the-box” configurations for smaller organizations to rely on.
Despite these advances — and the fact that SIEM is a security mainstay for countless large enterprises’ security operations centers (SOC) — a SIEM’s role in security management can prove complicated due to the noise and volume of the information it produces, often a direct result of its do-it-yourself model. As a result, many security professionals may find themselves at odds with their SIEM. After investing extensive time, money, and resources to implement and operationalize a SIEM, they expect to see marked improvements and increased efficiency, but that’s not always the case.
This is especially true when it comes to the cloud. 99% of organizations use some form of the cloud, but according to a recent Arctic Wolf survey, only 40% feel they are securing their cloud resources effectively. Considering the cloud is an increasingly critical aspect of business operations, particularly with the ubiquity of SaaS applications, securing it, with or without a SIEM, is paramount.
Before diving into how these organizations can achieve better SaaS security, it’s important to look at SIEMs holistically, and see where they excel and disappoint when it comes to SaaS applications.
The Benefits of a SIEM-as-a-Service Security Platform
A SIEM does have many security benefits, the main advantage being its DIY model, which allows large enterprises full control over their SOC and security settings, strategies, and outcomes.
Other advantages include:
- Control: A SIEM is open by design, allowing internal teams to fine-tune the tool as desired
- Monitoring and visibility: A SIEM monitors multiple aspects of the environment, giving teams real-time visibility into their applications
- Threat detection: Rule-creation capabilities within a SIEM allow teams to define what normal behavior looks like, so that deviations from it can be detected
- Compliance: A SIEM can produce the reports typically required by common regulations
All of these advantages make a SIEM an alluring tool for organizations looking to increase their monitoring, meet compliance needs, and respond to threats. But the same capabilities that make a SIEM useful can also create issues for the security teams managing it.
The Disadvantages of a SIEM-as-a-Service Security Platform
Automating data collection, aggregation, and analysis from all the security tools sounds like every analyst’s dream. But because SIEM is open by design, having to take on the burden of configuring and maintaining every aspect of the tool internally can be a resource drain, leading to misconfigurations, alert fatigue, and other issues that can hinder security more than bolster it.
Disadvantages include:
- Long deployment times: It can take security engineers six months to a year to deploy a SIEM, and that doesn’t include the time needed to configure the SIEM to look for specific correlations within the environment.
- Constant maintenance needs: Security environments are dynamic, which means a SIEM will need consistent reconfigurations and adjustments based on new threat intelligence, data, or operational changes.
- False positives: Without the correct correlations, a SIEM will generate false positives, which take up valuable time and hinder visibility and incident response.
- Staffing needed: A SIEM is just a tool, which means it’s only as effective as the team operating it. Given the security skills gap and increased cost of hiring security professionals, staffing a SIEM may be a major challenge for many organizations.
- Alert volume: Given the risk of environmental changes and misconfigurations, the alerts a SIEM generates could easily overwhelm a security team, leading to missed incidents and alert fatigue.
These disadvantages can make an organization second-guess whether a SIEM is the right solution for them, especially as more streamlined, managed solutions have come onto the market, such as managed detection and response (MDR) and extended detection and response (XDR).
Given the nature of a SIEM, one thing is clear: It’s not the right solution for an organization’s SaaS security.
Why a SIEM Won’t Work for SaaS Security
With the introduction of SaaS and other cloud offerings, integrating and managing a legacy SIEM platform becomes a lot more complicated. Not only does the cloud add many new log sources, but the rules are also different from a hardware-based environment.
SaaS is also vulnerable to cyber incidents due to its multi-tenant architecture, open access, integration with other core business applications, and dependency on the vendor’s security.
SIEM technology was originally created for on-premises security architecture, where the network perimeter is well-defined. On-prem SIEM configurations are not intended for hybrid cloud environments, where the perimeter is blurred, as users access SaaS applications from anywhere and on multiple devices, while allowing the applications to be integrated into other parts of the environment.
One of the biggest problems with ingesting SaaS and other cloud-based logs into a SIEM is the additional, potentially massive, volume of data that is generated. The traditional SIEM wasn’t built to keep pace with that level of data. It can lead to alert fatigue, a high volume of noise, and potentially a cyber incident where the responsibility falls on the organization, not the cloud provider. The SIEM is also not agile enough for cloud services like microservices, because in the on-premises, hardware-based environment, rules were typically written for problems that were already known. That’s not the case in the cloud, where the threats are rapidly evolving.
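To make the difference between a perimeter-style rule and a baseline of normal behavior (the rule-creation point in the benefits list above, and the "users from anywhere, on multiple devices" point here) concrete, the following added example, which is not Arctic Wolf's code, runs both over a constructed set of SaaS sign-in events; the event fields, the HQ country and the learning window are all assumptions.

```python
"""Added example (not Arctic Wolf's code): an on-prem-style perimeter rule
versus a per-user baseline, evaluated over constructed SaaS sign-in events."""
from collections import defaultdict

# Constructed sample of SaaS audit events used as the learning window (not real data).
SAMPLE_EVENTS = [
    {"user": "alice", "country": "US", "device": "laptop-a1", "result": "success"},
    {"user": "alice", "country": "US", "device": "laptop-a1", "result": "success"},
    {"user": "alice", "country": "DE", "device": "phone-a2", "result": "success"},
    {"user": "alice", "country": "DE", "device": "phone-a2", "result": "success"},
    {"user": "bob", "country": "CA", "device": "laptop-b1", "result": "success"},
    {"user": "bob", "country": "CA", "device": "laptop-b1", "result": "success"},
    {"user": "bob", "country": "CA", "device": "laptop-b1", "result": "success"},
]
# Constructed events arriving after the baseline has been learned.
NEW_EVENTS = [
    {"user": "alice", "country": "DE", "device": "phone-a2", "result": "success"},
    {"user": "bob", "country": "CA", "device": "laptop-b1", "result": "success"},
    {"user": "bob", "country": "RU", "device": "unknown-x", "result": "success"},
]

HQ_COUNTRY = "US"  # assumed headquarters country for the perimeter-style rule


def perimeter_rule(events):
    """Rule written for a well-defined perimeter: any sign-in from outside HQ fires.
    With remote users on many devices this fires on routine, legitimate activity."""
    return [e for e in events if e["country"] != HQ_COUNTRY]


def learn_baseline(events):
    """Per-user set of (country, device) pairs observed during the learning window."""
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            baseline[e["user"]].add((e["country"], e["device"]))
    return baseline


def baseline_rule(baseline, events):
    """Fire only when a user signs in from a country/device pair never seen for them."""
    return [e for e in events
            if (e["country"], e["device"]) not in baseline.get(e["user"], set())]


if __name__ == "__main__":
    print("perimeter rule alerts:", len(perimeter_rule(NEW_EVENTS)))   # 3 (all noise but one)
    learned = learn_baseline(SAMPLE_EVENTS)
    print("baseline rule alerts:", len(baseline_rule(learned, NEW_EVENTS)))  # 1 (bob from RU)
```

The baseline still needs re-learning as users, devices and SaaS integrations change, which is the constant-maintenance cost described above; the example only shows why a static rule set generates the alert volume the text warns about.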
However, SaaS-based SIEMs, designed exclusively for the cloud environment, are becoming more commonplace. But those have disadvantages as well, including possible outages, availability issues, misconfigurations, vendor issues, cost accumulations, and control issues. Whether on-prem or in the cloud, a SIEM still needs staffing and expertise to keep it functioning.
To properly maintain a cloud-based SIEM, an organization will need to:
- Continually update the SIEM to protect against cloud-based vulnerabilities and other security flaws
- Implement robust identity security strategies, as many, if not all, of your users log on to your organization’s various SaaS applications
- Employ network segmentation and access controls
- Monitor the SIEM continually for potential issues
That is all in addition to the work of configuring and maintaining the SIEM for your security, logging, and compliance needs, as well as migrating on-prem systems and data to the cloud-based SIEM. It’s a lot of work that may add more risk to your environment.
How Security Operations Addresses SIEM Challenges
SIEM still has a role to play in the SOC, but for small and medium-sized enterprises that need more agility and cost-efficiencies in a hybrid or cloud-first environment, it’s not a viable solution.
When you look at the sum total of the SIEM limitations and disadvantages — including staffing shortages, inaccuracies, manual tuning, and high time-to-value — it’s clear that an alternative may be the best route to take.
A managed detection and response solution built on open-XDR architecture is rooted to the endpoint and will use the combination of technology and humans to detect and respond to threats, often by identifying the root cause and submitting automated workflow recommendations. By utilizing this kind of solution, an organization can free up their security teams to focus on what they want out of their SIEM, knowing their previous blind spots and threat detection gaps are now covered.
Arctic Wolf® Managed Detection and Response is cloud-native and monitors cloud applications in addition to networks, endpoints, and identities. In addition, Arctic Wolf includes integrated cloud detection and response, which is uniquely designed to identify and stop threats across an organization’s IaaS and SaaS resources. But security operations, in line with strong cybersecurity frameworks, goes beyond detection and response.
Arctic Wolf® Managed Risk is continually scanning environments for vulnerabilities and other points of risk and works in parallel with Arctic Wolf Cloud Security Posture Management, which offers cloud inventory reporting, environment benchmarking, and posture hardening recommendations.
Arctic Wolf security solutions, including Managed Detection and Response and Managed Risk, are also based on stable parameters including users and servers, allowing businesses to more fully secure environments while controlling costs.
Learn more about how Arctic Wolf Security Operations provides enhanced protection.
Explore the threats facing your organization and the steps you can take to harden your security posture with the Arctic Wolf Security Operations Report.