The Trouble with SIEM

Published on March 18, 2013

It is an article of faith that information security is a giant game of cat and mouse, played out on millions of corporate and university networks around the globe. Hackers, criminals, vandals and thieves seek some kind of technological advantage while the network admins and their InfoSec allies try desperately to secure their digital infrastructure, protect their data and safeguard their customers' transactions.

Mostly this is a seesaw battle of incremental change, new exploits and new patches. Systems penetrated, lessons learned, networks hardened. But every now and then there is a breakthrough. Whether it's the "Love Letter" virus or SSL, some changes are revolutionary rather than evolutionary. In the early part of this century, that's how we saw SIEM. It was a game changer, essentially a plug-and-play tool that would allow us to secure our networks, detect penetrations and prevent theft. Of course, like many declarations of victory over the forces of darkness, this one is turning out to be premature and substantially over-optimistic.

Most of the larger enterprises have implemented some kind of SIEM technology at this point, and they are universally beginning to speak out about their dissatisfaction. This is not a "silver-bullet" technology, they are saying, but another large, complex software layer that consumes significant human resources, demands substantial compute resources and returns a great deal of data that offers little in the way of real, usable intelligence. Often the problem is not what the SIEM doesn't do, but what it does. At the end of the day, the goal is to prevent attacks and, when that isn't possible, at least to detect them. This is where the SIEM, along with IAM and DLP tools, breaks down.

Most security practitioners at larger enterprises where SIEM is deployed have always known it was not a silver bullet to solve all their technology security problems, but more of a next step in the evolution of a layered security approach. SIEM technology promises many robust solutions to security needs, such as correlation, log centralization with consolidation, console reduction and, finally, the ability for less-trained engineers to be a first step in the defense of a company's high-value financial targets. While SIEM does well when properly installed, maintained and staffed, it is only capable of what its engineers directly program it to do. The adage "garbage in, garbage out" comes to mind. SIEM has met some of its promises but has created other problems, one of which is what some people have called a data explosion: rather than reducing the number of alerts and logs, it has increased them exponentially. To solve this problem we need to move away from traditional correlation and IDAM systems and toward Security Intelligence.

The main difference between traditional SIEM and Security Intelligence lies in the techniques and technologies that Security Intelligence uses. A typical SIEM can give you the top talkers in an AD environment, but it is hard put to tell you whether those top talkers are behaving like the others in their peer groups or whether they pose an actual risk or threat. Securonix, with its purpose-built techniques and technologies, is made for this type of intelligence and can scale to millions of identities. SIEMs generally can't scale to millions of identities because their schemas were developed with security events, not identity data, in mind.

Smart people are working very hard to penetrate our network defenses and steal information, funds or credibility. If we assume that there is some solution that can prevent all those attacks, even those that employ zero-day exploits or compromised accounts, we will find ourselves more vulnerable, rather than less. A third of IT departments that have implemented a SIEM would remove it if they could, according to a recent survey. That same survey found that more than half of IT departments have had to dedicate at least 2 full-time employees to running their SIEM. And even with all that, they get so many hits that they have no way to act on them in real time.

What's the answer? Well, we're still working on that. But one thing we can do is use big data analytics and intelligent algorithms to integrate SIEM data with other data sources, such as syslog files, IAM, DLP and HR data, and to develop a behavior-based view of your network activity, correlated to actual identities. That way, you can see outlier and anomalous user behavior in real time, regardless of the account they use or the entitlements they are granted. The result? Real, actionable intelligence you can use to protect your users, your customers and your IP in real time.

The point is that you don't lack for data. What your systems lack is intelligence. That's what Securonix does. It's the piece you're missing. Check it out – ask us for a demo today.