Security information and event management (SIEM) technology is a useful tool for many organizations. Security analysts and incident responders rely on it as a single source of truth, with events and data pulled in from multiple sources.
This single pane of glass is an appealing proposition, but SIEM has limitations and disadvantages, and leaves a lot to be desired in a hybrid environment. The adoption of software-as-a-service (SaaS) and other cloud services adds a layer of complexity that SIEM platforms weren’t built for, which further reduces their usefulness.
SIEM’s Role in the Security Operations Center
In recent years, SIEM platforms have become the centerpiece of the security operations center (SOC). As threats continue to evolve, security teams must constantly monitor their environments and respond to threats — and SIEM helps them do that more effectively.
When the technology became available years ago, it was designed to minimize the number of alerts that analysts needed to investigate. This made it easier to sift through all the data and find potential threats. At one point, SIEM was even the fastest-growing segment in the security market, according to Gartner.
In reality, this tool is a drain on resources for many organizations because it takes a lot of time and expertise to maintain on an ongoing basis. To get the most out of a SIEM, you need a fully staffed, 24×7 SOC, and many small and medium-sized organizations simply don’t have the resources to do that.
Worse yet, if you lack the resources and expertise to properly tune and configure a SIEM, the tool does more harm than good. Instead of reducing the volume of alerts, it increases both the number of alerts and the false positives, which defeats the point of this expensive investment.
The Threat Detection and Compliance Benefits of SIEM
The main benefit of SIEM platforms is that they collect, aggregate, store, and analyze logs and real-time data from a variety of sources. This enables SOC analysts to consolidate all the security data into one interface, correlate it, and get better insights into cybersecurity events.
Another benefit is that SIEM gives you complete control and flexibility over the sources you pull into it. You can ingest everything from your endpoint security to intrusion prevention systems, plus integrate more data sources when you add new security solutions into your ecosystem.
Your security engineers can create rules that specify normal behavior for all the systems, and the SIEM will automatically find anomalies and create alerts. They can also customize those alerts based on specific criteria to help identify potential threats.
In addition to providing visibility across your environment, SIEM is a great compliance tool. You can centralize and streamline your auditing and reporting of security events, and SIEM is typically compatible with compliance reporting for regulations like PCI, HIPAA, and others.
Disadvantages of SIEM Platforms
In theory, automating data collection, aggregation, and analysis from all the security tools sounds like every analyst’s dream. But because SIEM is rules-based, you’re constantly having to reconfigure it and add new correlations as threats emerge, which can create a lot of challenges.
To begin with, the time to value of this technology is high. It can take your security engineers six months (and sometimes as long as a year) to fully deploy the platform. You have to configure the SIEM to look for the right correlations in your environment. Correlations that come out of the box may not be applicable to your network, so among other things, your team needs to decide which ones to disable and which new rules to create. The deployment takes several phases, each requiring full-time engineering expertise.
Complicated deployment is just the start. Your staff needs to continually fine-tune the correlations based on new threat intelligence data and other changes. Even so, the SIEM can generate thousands of alerts a day, depending on the size of your organization.
Without the right correlations, the SIEM will generate too many false positives and also miss genuine anomalies. The large volume of false positives is a well-known frustration with the technology and leads to alert fatigue among IT and security teams. One report found that a SOC analyst spends 25% of their time, on average, investigating false positives.
Running the SIEM requires several full-time people — at a time when the talent shortage makes staffing cybersecurity positions challenging. Small and medium-sized organizations don’t typically have the headcount and staff expertise to dedicate full-time employees to the proper implementation and continuous tuning of the SIEM.
Running a SIEM that’s misconfigured and not properly tuned may actually be putting your organization at bigger risk. Your security analysts will simply have to ignore a large number of alerts, and they won’t be able to get a full picture of which ones are the most critical.
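The points above about rules-based correlation, the tuning burden, and false positives are easier to see on concrete data. The following is an added example, not code from the original article or from any SIEM product: a toy correlation engine in Python that runs a "repeated failed logins followed by a success" rule over a small, constructed set of authentication events. The first rule mimics an out-of-the-box configuration (low threshold, no exclusions) and fires on a user who mistyped a password and on an authorized vulnerability scanner; the second is the same rule after tuning (higher threshold plus an allowlist for the scanner's source address). All hostnames, usernames, addresses, thresholds and the "known true positive" label are constructed for the demonstration.

```python
"""Toy SIEM correlation engine: the same rule before and after tuning."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs).
# alice: mistypes her password three times, then logs in -> benign
# svc_scan from 10.0.9.9: authorized scanner, always fails a few times -> benign
# bob from 203.0.113.7: six failures in 30 s, then success -> worth investigating
# carol: two failures, then success -> benign and below any threshold
SAMPLE_LOG = """\
2024-05-01T09:00:01Z host=web01 user=alice src=10.0.0.5 result=FAIL
2024-05-01T09:00:04Z host=web01 user=alice src=10.0.0.5 result=FAIL
2024-05-01T09:00:09Z host=web01 user=alice src=10.0.0.5 result=FAIL
2024-05-01T09:00:15Z host=web01 user=alice src=10.0.0.5 result=OK
2024-05-01T09:10:00Z host=db01 user=svc_scan src=10.0.9.9 result=FAIL
2024-05-01T09:10:01Z host=db01 user=svc_scan src=10.0.9.9 result=FAIL
2024-05-01T09:10:02Z host=db01 user=svc_scan src=10.0.9.9 result=FAIL
2024-05-01T09:10:03Z host=db01 user=svc_scan src=10.0.9.9 result=FAIL
2024-05-01T09:10:04Z host=db01 user=svc_scan src=10.0.9.9 result=FAIL
2024-05-01T09:10:05Z host=db01 user=svc_scan src=10.0.9.9 result=OK
2024-05-01T11:00:00Z host=vpn01 user=bob src=203.0.113.7 result=FAIL
2024-05-01T11:00:05Z host=vpn01 user=bob src=203.0.113.7 result=FAIL
2024-05-01T11:00:10Z host=vpn01 user=bob src=203.0.113.7 result=FAIL
2024-05-01T11:00:15Z host=vpn01 user=bob src=203.0.113.7 result=FAIL
2024-05-01T11:00:20Z host=vpn01 user=bob src=203.0.113.7 result=FAIL
2024-05-01T11:00:25Z host=vpn01 user=bob src=203.0.113.7 result=FAIL
2024-05-01T11:00:30Z host=vpn01 user=bob src=203.0.113.7 result=OK
2024-05-01T12:00:00Z host=web01 user=carol src=10.0.0.22 result=FAIL
2024-05-01T12:00:03Z host=web01 user=carol src=10.0.0.22 result=FAIL
2024-05-01T12:00:06Z host=web01 user=carol src=10.0.0.22 result=OK
"""

# Constructed ground truth used only to score the rules: the one source we
# declare a genuine incident for this demonstration.
TRUE_POSITIVE_SRC = {"203.0.113.7"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    src: str
    result: str


def parse_line(line: str) -> Event:
    """Parse one 'timestamp key=value ...' line into an Event."""
    ts_str, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, f["host"], f["user"], f["src"], f["result"])


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


@dataclass(frozen=True)
class BruteForceRule:
    name: str
    min_failures: int        # failures inside the window before a success
    window: timedelta        # sliding window length
    allowlist_src: frozenset = frozenset()  # sources excluded after tuning


def correlate(events: list, rule: BruteForceRule) -> list:
    """Alert when >= min_failures for (src, user) in the window precede an OK."""
    alerts = []
    failures = defaultdict(list)  # (src, user) -> failure timestamps
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.src in rule.allowlist_src:
            continue
        key = (ev.src, ev.user)
        recent = [t for t in failures[key] if t >= ev.ts - rule.window]
        if ev.result == "FAIL":
            recent.append(ev.ts)
        elif ev.result == "OK":
            if len(recent) >= rule.min_failures:
                alerts.append({"rule": rule.name, "user": ev.user, "src": ev.src,
                               "host": ev.host, "failures": len(recent),
                               "at": ev.ts.isoformat()})
            recent = []  # success closes the sequence
        failures[key] = recent
    return alerts


# "Out of the box": low threshold, no knowledge of the environment.
UNTUNED = BruteForceRule("default-bruteforce", 3, timedelta(seconds=60))
# After tuning: higher threshold and the authorized scanner excluded.
TUNED = BruteForceRule("tuned-bruteforce", 5, timedelta(seconds=60),
                       frozenset({"10.0.9.9"}))


def run_rules(log_text: str = SAMPLE_LOG) -> dict:
    events = parse_log(log_text)
    return {r.name: correlate(events, r) for r in (UNTUNED, TUNED)}


def triage_summary(log_text: str = SAMPLE_LOG) -> dict:
    """Alert and false-positive counts per rule against the constructed truth."""
    out = {}
    for name, alerts in run_rules(log_text).items():
        fps = sum(1 for a in alerts if a["src"] not in TRUE_POSITIVE_SRC)
        out[name] = {"alerts": len(alerts), "false_positives": fps}
    return out


if __name__ == "__main__":
    for name, stats in triage_summary().items():
        print(f"{name}: {stats}")
```

The untuned rule produces three alerts, two of them false positives (the mistyped password and the scanner); the tuned rule produces only the alert on the VPN login from 203.0.113.7. The tuning itself is nothing clever, just a threshold and an allowlist, but it requires someone who knows which sources are legitimately noisy in this environment, and that knowledge has to be revisited every time a new scanner, service account or log source appears. That ongoing work is the engineering cost the article describes.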
Securing the Cloud with SIEM
With the introduction of SaaS and other cloud offerings, integrating and managing a SIEM platform becomes a lot more complicated. Not only does the cloud add many new log sources, but the rules that apply in the cloud also differ from those of a hardware-based environment.
SIEM technology was created for on-premises security architecture, where the network perimeter is well-defined. On-prem SIEM configurations are not intended for hybrid cloud environments, where the perimeter is blurred as users access SaaS applications from anywhere and on multiple devices.
One of the biggest problems with ingesting cloud logs into SIEM is the additional, potentially massive, volumes of data that are generated. The traditional SIEM wasn’t built to keep pace with that level of data.
The SIEM is also not agile enough for cloud services such as microservices: in the on-premises, hardware-based environment, rules were typically written for problems that were already known. That’s not the case in the cloud, where the threats evolve rapidly.
As a result of these cloud-derived complexities, many organizations simply give up on the idea of using SIEM to get visibility into their cloud infrastructure. That creates additional risk exposure, since cloud providers are not accountable for the security of your cloud assets.
Some vendors now offer cloud-native SIEM platforms, but those have disadvantages as well. In most cases, they only store logs for a limited amount of time. They can also be more expensive than on-prem SIEM.
How Security Operations Addresses SIEM Challenges
SIEM still has a role to play in the SOC, but for small and medium-sized organizations that need more agility and cost-efficiencies in a hybrid cloud environment, it’s not a viable solution.
When you look at the sum total of the SIEM limitations and disadvantages — including staffing shortages, inaccuracies, manual tuning, and high time-to-value — it’s clear that you need to find an alternative solution for detecting and responding to threats.
Managed detection and response (MDR) solutions give you all the benefits of a SIEM and on-prem SOC, but without the headaches of upfront capital investment and staffing.
An MDR provider has the agility and the resources to ingest and parse the data from all your security tools, the 24×7 team required to run a SOC, plus the expertise to provide you with around-the-clock threat detection and response.
Unlike a SIEM, MDR is a turnkey solution that gives you immediate value. It augments your security tools and your team and eliminates all the care and feeding problems that come along with a SIEM.
The Leader in Security Operations
Looking to enhance security at your organization? Arctic Wolf combines a cloud-native platform with a highly trained Concierge Security® Team to provide 24×7 monitoring, detection, and response, as well as offering ongoing risk management. Contact us to find out how we can strengthen your security posture.