SIEM solutions often do not provide the level of extra protection that is promised. We have listed the causes of this in the top 5 below:
- IT security is not sexy
- SIEM implementations are complex
- (Almost) all IT components are necessary
- Talent is scarce
- Everything is moving
1. IT-security is not sexy
While many employees think IT isn’t sexy in the general sense, this is even more the case for the security aspects of IT. Everyone considers safe and reliable IT as self-evident, but that is not the case. Companies often see the security of their products as a closing station or don’t have any budget and time at all. Only when their products are misused and they are forced, they are prepared to do something about it. Security by design is not common in a world where a short time-to-market means more profit. During the implementation of internal projects at our customers, we often see that IT security is neglected. One is only willing to spend time and effort when this is enforced by security policy and alert security officers.
2. SIEM implementations are complex
Implementing a Security Information & Event Management (SIEM) solution is complex and expensive and requires strong perseverance from all who are concerned. The trajectory requires very specific expertise and a solid mandate from higher management. You often see that the implementation of SIEM solutions is initiated from the IT departments themselves, which usually leads to insufficient mandate, budget, time, and a lack of cooperation to be able to implement this in a meaningful way. There is also insufficient willingness to follow up the safety reports, resulting from the SIEM solution.
3. (Almost) all IT-components are necessary
Where you have to take into account a single application, one or a few databases and a handful of (virtual) servers when implementing a business application, a SIEM implementation should involve virtually every IT component in the organization (and possibly beyond). Signals about potential misuse of your IT resources can manifest at all levels in your IT environment. From deep into your network to somewhere hidden in the millions of lines of your application log files. This means that SOC analysts are looking for that one needle in hundreds of haystacks to filter out just that important log line that can put them on the track of the hacker who threathens your business!
In addition, a large number of people needs to be tuned about what is connected, how to realize this and what – in terms of security signals – the SOC must pay attention to. Where are the biggest risks in your business processes and how does this translate into reports, log sources and runbook? Who is required to mitigate the consequential damage if these risks are unexpectedly manifest? How does this work at night and in the weekend? Do they have the right information and resources to take the necessary measures?
4. Talent is scarce
IT talent is scarce but IT security talent is even more scarce! Who ever heard his son or daughter say enthusiastically that he/she wants to become an IT security specialist? In a SOC, thanks to the non-stop nature of the work, many highly educated IT security specialists are required. To implement SIEM solutions, they must have in-depth knowledge of the selected SIEM solution, combined with good skills to channel the much-needed communication with all stakeholders; a scarce combination of character traits in the IT landscape!
Finding good SOC staff is a very big challenge, keeping them engaged and involved with your organization requires a carefully planned but extremely necessary approach. These specialists expect excellent equipment and software, challenge in their work, excellent working conditions and continuous enrichment of their knowledge and skills. Regular visits to seminars and conferences and the possibility to attend specialist training courses should be self-evident.
5. Everything is moving
Knowledge and skills are quickly outdated in the IT security world. Employees must continually update themselves. For SOC analysts and SIEM specialists, hackers are constantly changing their method of attack. Every day new zero-days are discovered for which new detection filters have to be implemented by the SIEM specialists.
More and more foreign powers see a cyber war as a real way of attacking, cyber-industrial espionage is increasing, not to mention cybercrime. The attacks to be fouled are becoming increasingly serious and the business interests of the information stored in IT systems are getting bigger and bigger.
In addition, protecting IT systems is a particularly unfair battle: IT specialists need to keep a large number of different types of information systems secure with hundreds of thousands of potential bugs, where the hacker needs to find only one or a few vulnerabilities in your IT network to achieve its goals.
All in all, not a reassuring story. Of course, Navaio is happy to assist you with these challenges. Navaio implements Security Operation Centers (SOCs) and helps optimize the efficiency of existing SOCs and the SIEM solutions implemented for this purpose. Our SOC/SIEM specialists have extensive experience in setting up SOC and SIEM environments and can help you avoid the pitfalls they have identified.