It’s no secret that there’s difficulty in implementing, operating and deriving business value from SIEMs. Service providers love to promote FUD (fear, uncertainty and doubt) with baseless claims insinuating inevitable failure when trying to sign a prospect to a service contract that may not be necessary. Like many things in life, it’s not always black or white; there are many shades of grey in between.
During the research phase of our recent service launch of esLOG, I sorted through a mountain of statistics on the successes and shortcomings of SIEM adopters. One thing became clear: there are factors that lead to varying levels of success and failure from a security point of view. Let’s start with the lay of the land to better understand these factors. According to Ponemon’s SIEM challenges report[1]:
What does this mean? A SIEM is important, but less than half of adopters are actually deriving value from it. What’s causing the disparity? Further research painted a clear picture of the risk factors that have the greatest correlation with success:
Let’s look at each of these at a high level to understand how they fit into the bigger picture.
Digital transformation is pushing visibility requirements well beyond the traditional perimeter. On-premises, cloud, or somewhere in between, most organizations sit somewhere on the spectrum of hybrid IT transformation. In a recent study[2], SIEM users ranked greater visibility of network traffic as the second greatest challenge. While the section on visibility could continue for pages, two points emerge that organizations must take into consideration:
When it comes to dedicated personnel for SIEM administration and maintenance, according to Ponemon’s study[3], 43 percent of organizations have less than one person, 36 percent have one person and only 22 percent have more than one. Interestingly, the third and fourth most common responses in the same study said more staff were needed to optimize the SIEM, to understand the data and to remove complexity. Organizations on average report they need 40 percent more security personnel. Unfortunately, when it comes to the allocation of SIEM investments, only 33 percent of costs are attributed to human capital. For most organizations, understaffing is a contributing factor to the satisfaction gap. If your organization is limited by headcount restrictions, do not assume existing personnel can take on a challenge of this magnitude. Many enterprise-sized organizations have five or more personnel dedicated to continuous SIEM maintenance. If you are worried, look to augment until you have the in-house capabilities.
According to Ponemon, the most important feature ranked by SIEM users today is detection of threats through advanced analytics. In addition, the third most important feature is correlation of events into single incidents. While many SIEMs come pre-built with big data analytics, machine learning, UBA, etc., the challenge of parsing data, configuring rules, tuning alerts, etc. remains. Modern SIEM solutions were designed to look for known actions that are indicators of compromise, but they are not effective at detecting the unknown. This is partly because SIEM solutions are adept at handling traditional log data but not other data types such as network packets, threat intelligence, asset context and endpoint data, which often provide greater detective visibility when correlated with the data already in a SIEM. If your organization lacks these capabilities, this could be an area to augment.
In another Ponemon study[4], enterprise organizations reported that on average their SIEMs produced 17,000 alerts on a daily basis, while their IR teams could only investigate four percent of them. That’s 16,320 incidents per day that were marked as potentially malicious or in violation of policy and were ignored. SOC and IR teams are usually understaffed and overwhelmed. Chasing false positives ends up consuming precious time while trying to find a needle in the haystack. For SIEM users this problem has emerged as the second and third priority to remedy in the next 12 months, as organizations seek to automate the manual tasks that consume SOC and IR teams and to increase the accuracy of security events. This factor can become the biggest contributor to the SIEM satisfaction gap: detection and alerting on events are one thing, but the ability to quickly investigate and remediate is ultimately the difference between a blip on the radar and a business-disrupting event.
While these four factors are not the only influences on success, they each have major implications for decision making by current and potential SIEM adopters. Many organizations have the resources and capabilities to meet these challenges, as evidenced by the 48 percent of respondents who said they are satisfied in the Ponemon SIEM optimization study; however, there remains a gap that must be addressed for the other 52 percent. Otherwise, those organizations put themselves at additional risk.
For some, this means using managed SIEM providers to augment staffing. For others, it could mean outsourcing to an MSSP for staffing, management and alerting, or to an MDR provider for additional visibility, staffing, management and advanced detection and response. Wherever you are in your journey, take stock of your current capabilities and ask yourself which ones you would need to augment to derive the most value if you were to adopt a SIEM right now. Measuring against these factors will help set your expectations and shape your roadmap for future success.
[1] Ponemon: Challenges to Achieving SIEM Optimization, March 2017
[2] Ponemon: Challenges to Achieving SIEM Optimization, March 2017
[3] Ponemon: Challenges to Achieving SIEM Optimization, March 2017
[4] Ponemon: Cost of Malware Containment Study