Since Gartner first coined the term SIEM ten years ago, the security landscape has changed dramatically.
Sophisticated attacks are aimed at organisations of all types, from key industries such as energy and finance to film studios that have insulted the wrong world leader. Threats can arise from anywhere, at any time, and take any shape, from a known, signatured method to a completely new form of attack.
In this environment, there cannot be a weakest link in an organisation’s security. Every component, from the firewall to anti-virus to intrusion detection systems, is critical in shutting down the opportunities available to attackers.
Security teams must also be able to analyse the information their security systems provide, to identify potential or actual threats and highlight weak spots in an organisation’s security that need addressing. By providing the ability to collect, manage and act on this information, SIEM systems should be an essential part of the modern security infrastructure.
However, there are still barriers preventing investment. One is that too many legacy SIEM systems simply haven’t provided the levels of security and performance that they should. For example, many systems cannot cope with the amount of data generated by security events.
They either "drop" log data during peak loads, meaning that analysis may not give a full, accurate picture of the true situation, or they record huge volumes of data with no way to accurately mine, search and analyse that information to produce meaningful intelligence. Others come at the problem purely with compliance in mind: gather the data and generate a chart or report from it, with little regard for what signs of attack the data might actually contain.
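The "dropped at peak load" failure mode is worth seeing concretely, because the loss is rarely visible in the dashboard: the collector keeps running and the charts keep filling. The following is an added illustration, not code from the original article or from any SIEM product. It models a toy collector with a fixed-size in-memory queue that is drained more slowly than a burst arrives, compares discarding the overflow with spooling it for later replay, and then runs a simple brute-force correlation rule over what each collector actually stored. The event records, the account name `svc_backup`, the queue sizes and the rule threshold are all constructed for the example.

```python
from collections import deque


def make_sample_events():
    """Constructed sample (not real log data): 5,000 noisy firewall 'allow'
    records with a password-guessing sequence interleaved around ts 1000-1011:
    ten failed logons for one account, then a success."""
    events = []
    for i in range(5000):
        events.append({"ts": i, "src": "fw01", "type": "conn_allow", "user": None})
        if 1000 <= i < 1010:
            events.append({"ts": i, "src": "dc01", "type": "logon_fail", "user": "svc_backup"})
    events.append({"ts": 1011, "src": "dc01", "type": "logon_ok", "user": "svc_backup"})
    return events


def ingest(events, capacity=100, drain_every=3, spool_on_full=False):
    """Toy collector. The indexer takes one event off the queue for every
    `drain_every` arrivals, so a burst fills the queue. Once it is full, a
    lossy collector discards each new arrival; a spooling collector parks it
    in an overflow store and replays it when the burst subsides.
    Returns (events the SIEM ended up holding, number of events discarded)."""
    queue, spool, stored = deque(), [], []
    dropped = 0
    for n, ev in enumerate(events):
        if n % drain_every == 0 and queue:
            stored.append(queue.popleft())
        if len(queue) < capacity:
            queue.append(ev)
        elif spool_on_full:
            spool.append(ev)
        else:
            dropped += 1
    # Burst over: drain the remaining queue, then replay the spool.
    stored.extend(queue)
    stored.extend(spool)
    # Replayed events arrive late, so restore event-time order (stable sort
    # keeps the original order for records that share a timestamp).
    stored.sort(key=lambda e: e["ts"])
    return stored, dropped


def detect_bruteforce(stored, threshold=5, window=60):
    """Correlation rule: a successful logon preceded by at least `threshold`
    failed logons for the same account within `window` time units.
    Returns a list of (user, failures_seen, success_ts) alerts."""
    alerts = []
    fails = {}  # user -> timestamps of failed logons seen so far
    for ev in stored:
        if ev["type"] == "logon_fail":
            fails.setdefault(ev["user"], []).append(ev["ts"])
        elif ev["type"] == "logon_ok" and ev["user"] is not None:
            recent = [t for t in fails.get(ev["user"], []) if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append((ev["user"], len(recent), ev["ts"]))
    return alerts


if __name__ == "__main__":
    events = make_sample_events()
    for mode in (False, True):
        stored, dropped = ingest(events, spool_on_full=mode)
        fails_kept = sum(1 for e in stored if e["type"] == "logon_fail")
        print(f"spool_on_full={mode}: stored={len(stored)} dropped={dropped} "
              f"failed logons retained={fails_kept} alerts={detect_bruteforce(stored)}")
```

With the lossy collector the ten failures arrive during the burst, only a few survive, and the rule sees what looks like a user mistyping a password rather than an attack; the spooling collector retains every record, and the same rule fires. The point for the buyer is that the answer to "did we get an alert?" depends as much on what the platform kept as on how clever the rule is, so throughput under peak load, and what happens when it is exceeded, belong in the evaluation criteria.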
Complexity is another issue. Analysts can be expected to learn new query languages, run a continuous stream of custom queries, or even guess in advance at the attacks they should be looking for; this adds to the cost of a system and decreases its effectiveness, because every manual step is an opportunity for human error.
More modern systems have largely solved these issues, but the reputation they left behind, coupled with the cost of security in general, still makes it easier for the board to decide against investment, or to settle for a monitoring system that scrapes over the compliance hurdle but does not fully support the wider security operations process.
Winning the board over
One argument is to stress the need for security beyond the bare minimum. Too often, security is simply seen as part of mandatory compliance obligations. This means that, rather than investing in more intelligent SIEM systems and other advanced technologies, organisations will take a tick-box approach to fulfilling the capabilities they need to remain compliant, with no real understanding of whether the business is truly protected. IT teams need to argue that this is a false economy.
First, the business is still vulnerable to security breaches that can damage its reputation and bottom line, regardless of whether it is compliant or not. Second, regulations do not stand still. What satisfied minimum requirements one year can easily fall foul of tightened standards the next.
This can lead to spending time and money updating security every year, rather than having a single, continuously maintained solution that gives real confidence and can grow as the protection it delivers is enhanced.
With increasing support for the view that it is a matter of "when", not "if", an organisation suffers a breach, the need for early detection, better diagnostics and automated response capabilities becomes paramount. Security teams should argue for governance and process efficiency: ensuring not only that the business is compliant, but that the processes and tools in place are in line with agreed best practice and are effective.
A further argument is that the adoption of a more advanced SIEM solution does not mean a complete rip-and-replace of an organisation's entire IT and security infrastructure. If an organisation selects a SIEM system that can consume the logs and alerts of its existing security solutions, it is essentially increasing the ROI of each individual solution by making better use of the data and outputs it provides, as well as the ROI of the SIEM system itself.
Like many security tools, proving the ROI of SIEM technologies requires some thought: its value lies in the cost of incidents the business avoids, which is hard to quantify. However, by demonstrating the need for governance and showing how SIEM adds value to the entire security infrastructure and to the ongoing operational processes of threat detection, attack diagnosis and breach resolution, security teams can begin to put forward a compelling argument.
Piers Wilson is Head of Product Management at Huntsman Security