Blog — Oct 15, 2018

SIEM: the many shades of success and failure


It’s no secret that there’s difficulty in implementing, operating and deriving business value from SIEMs. Service providers love to promote FUD (fear, uncertainty and doubt) with baseless claims insinuating inevitable failure when trying to sign a prospect to a service contract that may not be necessary. Like many things in life, it’s not always black or white; there are many shades of grey in between.

During the research phase of our recent service launch of esLOG, I sorted a mountain of statistics on the success and shortcomings of SIEM adopters. One thing became clear: there are factors that lead to varying levels of success and failure from a security point of view. Let’s start with the lay of the land to better understand these factors. According to Ponemon’s SIEM challenges report:

What does this mean? A SIEM is important, but less than half of adopters are essentially deriving value. What’s causing the disparity? Further research painted a clear picture on risk factors that have the greatest correlative effect upon success:

Let’s look at these at a high level to understand their context to the bigger picture.

Visibility

Digital transformation is pushing visibility requirements well beyond the traditional perimeter. On-premises, cloud, or somewhere in between, most organizations are somewhere on the spectrum of hybrid IT transformation. In a recent study[2], SIEM users ranked greater visibility of network traffic as the second greatest challenge. While the section on visibility could continue for pages, two points emerge that organizations must take into consideration:

  1. Data ingest: more data flowing into the SIEM increases your visibility. However, more data increases storage costs, adds maintenance complexity and requirements on staff (see below), and elevates the need for advanced analytics and correlation (see below). It’s a double-edged sword that must be taken into consideration.
  2. Cloud: cloud data adds complexity that traditional SIEMs weren’t built to handle. In addition, as microservices/containers are spun up, the need for visibility and ingestion of unstructured data multiplies the complexity and the factors to consider.

Staffing

When it comes to dedicated personnel for SIEM administration and maintenance, according to Ponemon’s Study, 43 percent of organizations have less than one person, 36 percent have one person and only 22 percent have more than one. Interestingly, the third and fourth responses in the same study said more staff were needed to optimize the SIEM, to understand the data and to remove complexity. However, organizations on average report they need 40 percent more security personnel. Unfortunately, when it comes to allocation of SIEM investments, only 33 percent of costs are attributed to human capital. For most organizations, understaffing is a contributing factor to the delta in satisfaction. For organizations that are limited by headcount restrictions, do not assume existing personnel can take on a challenge of this magnitude. Many enterprise-sized organizations have five or more personnel dedicated to continuous SIEM maintenance. If you are worried, look to augment until you have in-house capabilities.

Advanced analytics

According to Ponemon, the most important feature ranked by SIEM users today is detection of threats through advanced analytics. In addition, the third most important feature is correlation of events into single incidents. While many SIEMs come pre-built with big data analytics, machine learning, UBA, etc., the challenge of parsing data, configuring rules, alerts, etc. remains. Modern SIEM solutions were designed to look for known actions that are indicators of compromise, but they are not effective at detecting the unknown. This is partly because SIEM solutions are adept at handling traditional log data, but not other data types such as network packet, threat intelligence, asset context, and endpoint data, which often provide greater detective visibility when correlated with data from a SIEM. If your organization lacks these capabilities this could be an augmentation area.

Prioritization and response

In another Ponemon Study, enterprise organizations reported on average their SIEMs produced 17,000 alerts on a daily basis, while their IR teams could only investigate four percent of them. That’s 16,320 incidents that were marked as potentially malicious or in violation of policies that were ignored. SOC and IR teams are usually understaffed and overwhelmed. Chasing false positives ends up consuming precious time while trying to find a needle in the haystack. For SIEM users this problem has emerged to be the second and third priority to remedy in the next 12 months as organizations seek to automate manual tasks that consume SOC and IR teams and increase accuracy of security events. This factor can become the biggest contributor in the delta of SIEM satisfaction as detection and alerts on events are one thing, but the ability to quickly investigate and remediate is ultimately the difference between a blip on the radar and a business-disrupting event.

While these four factors are not the only influencers that affect success, they each have major implications in decision making for current and potential SIEM adopters. While many organizations have the resources and capabilities to meet these challenges, evidenced by the 48 percent of respondents who said they are satisfied in the SIEM Optimization Ponemon Study, there remains a delta that must be addressed for the other 52 percent. Otherwise, organizations put themselves at additional risk.

For some, this means using managed SIEM providers to augment staffing. For others, it could mean outsourcing to an MSSP for staffing, management and alerting or an MDR provider to augment additional visibility, staffing, management and advanced detection and response. Wherever you are in your journey, look at your capabilities and ask yourself where you sit and the capabilities you need to augment to derive the most value if you were to adopt a SIEM right now. Measuring against these factors will help determine your expectations and roadmap for future success.

[1] Ponemon: Challenges to Achieving SIEM Optimization: March 2017

[2] Ponemon: Challenges to Achieving SIEM Optimization: March 2017

[3] Ponemon: Challenges to Achieving SIEM Optimization: March 2017

[4] Ponemon: Cost of Malware Containment Study

Wes Hutcherson Director of Product Marketing
As eSentire's Director of Product Marketing, Wes oversees market intelligence, competitive research and go-to-market strategies. His multi-faceted technology experience spans over a decade with market leaders such as Hewlett-Packard and Dell SecureWorks.