SIEM tools have become more challenging to set up, manage, and use on a day-to-day basis. Busy security teams find themselves overwhelmed by the SIEM solution itself, which takes their focus away from the actual threats they need to identify and stop. The solution is to offload key threat detection capabilities from the in-house team to a SIEM solution or service provider. This frees up the in-house security team to focus on strategic initiatives and, importantly, results in more secure systems.
Operational Duties Eclipse Security
A SIEM solution should excel at helping teams identify threats and mitigate them. In recent years, the focus has shifted to mitigation, while the actual identification of threats has been neglected. SIEM has become all about operations and compliance, and less about security. Security teams have reflected this trend. They spend the bulk of their time collecting logs, parsing them, storing them for three months or more, dealing with alerts as they come up, and bringing down the mean time to recovery/response.
None of these activities is harmful in itself, but they become a trap when they get in the way of the more important task of accurately identifying threats. Threat detection metrics, such as the number of threats detected per day or the total system coverage, are essential for a successful SIEM practice. Threat detection is the first step; the other operational tasks follow from it.
Apps and Extensions May Hurt More Than Help
In recent years, there has been a trend for SIEM vendors to offer a marketplace of apps or extensions that you, as a customer, need to install to extend the SIEM solution and get more out of it. These apps allow you to set custom threat detection rules for each platform, such as Windows, Cisco, Palo Alto Networks, or Oracle. Once they are installed, your in-house security team needs to configure these apps and ensure they have the custom rules needed to spot and alert on new threats.
The vendors pitch this as a way to customize your SIEM to your exact needs without any limits. While this sounds attractive, it does not hold up for two reasons.
First, most organizations end up overwhelmed and fail to get the most out of the SIEM platform because it is too much work to customize and configure. Organizations are unable to build all the rules they imagined they would.
Second, this puts the onus of threat detection on the customer organization rather than the SIEM vendor. The organization's security team needs to do the heavy lifting of configuring threat detection, while neither the vendor nor its solution is responsible for the actual implementation of threat detection.
Solutions To Put the Focus Back on Threat Detection
The way to counter this trend is to make SIEM simpler for in-house security teams and shift some of the responsibility back to the SIEM vendor or service provider.
Brite, a SIEM services company, echoes this view, saying: “Investing in a SIEM is the right decision but get the most out of it and go beyond monitoring it in-house. A finely-tuned SIEM is more beneficial and worth more than just implementing an out-of-box SIEM.” They recommend opting for a managed SIEM service provider.
Another alternative is to use a SIEM solution that combines its own SIEM tooling with the expertise of security professionals. DNIF is one SIEM provider that takes this route: it has decided to actively participate in threat detection and takes responsibility for the threat detection capability of its SIEM solution. In fact, according to its CEO, Shomiron Das Gupta, DNIF has a dedicated in-house team that actively researches known and new threats as they come up. The Threat and Content Research Team's mission is to provide protection from newly emerging threats. They identify threats that are lethal and write custom capabilities to detect those threats. The benefit of this approach is that the customer need not configure any custom rules to identify threats; the SIEM vendor does the heavy lifting of threat detection, and the new and improved detection content is at the customer's disposal as soon as the threat emerges.
This also addresses the skills gap that exists in most security teams, which are understaffed. The solution is not to place the burden of threat detection on a few employees, but to leverage SIEM tools that provide threat detection out of the box, augmented by human intelligence.
Conclusion
In conclusion, organizations need to buck the trend of focusing on SIEM operations more than threat detection. They need not sacrifice threat detection for operational capabilities in SIEM. While many modern SIEM tools are focused on unlimited customization, this is a double-edged sword, as it can overwhelm the security team. Instead, what is needed is robust threat detection capability that does not require extensive customization, augmented by a team of security experts. It is time to put the focus back on threat detection, the core of SIEM.