Businesses who have implemented a SIEM within the last two to three years may have experienced some common issues at some point. These issues could be affecting security, finances, and could be confusing within a company, which is why it’s essential to recognize them. If you’re dealing with SIEM problems, you’re not alone. Nearly every organization that has invested in a SIEM tool has dealt with issues after a few months of initial deployment. Let’s take a look at some of these issues.
Problem #1: Dealing with False Positives
Service providers often show potential customers demos that entice them to invest in their SIEM solutions, going as far as performing a proof of concept to ensure that you see the SIEM functioning as you’d expect. However, after purchasing a SIEM solution and using it for a few weeks, customers may begin to notice that after the first impressive performance, the system has continued to generate thousands or hundreds of thousands of events and alerts. Where these events begin to become an issue is when they flood in as stated, making it challenging to identify what could be a potential threat and what is low-level.
False positives tend to overshadow legitimate alerts due to a client not knowing how to tune the SIEM. A SIEM requires ongoing care and feeding, and aside from tuning, there is more that comes with a SIEM. Every time a server receives an upgrade, a new program is loaded, or a patch to a system is introduced, rules must be adjusted. Rules can break, misfire or misconfigured. False positives are a direct result of companies not taking the time to accurately tune the rules, thresholds, criticality and counts.
Real-World Scenario: A large clothing retailer had the equipment and solutions, as well as a large team of trained cybersecurity experts. The systems were not tuned properly, and the company was receiving an astonishing 80,000 alerts per day. The security team began clearing all alerts without review due to the colossal amount, including notifications that their systems had been breached. This cost the organization tens of millions of dollars.
Problem #2: Finding the Right People to Manage Your SIEM
When looking into a SIEM, the vendor may attempt to convince you that that your in-house IT team can handle it in their spare time. On the contrary, SIEM takes experience and vast knowledge of cybersecurity gear. One other major issue that companies face is that aside from the initial investment in an expensive SIEM tool, they’ll now have to hire professionals to manage it. Sounds pretty simple, right? Well, not only are these professionals going to come with higher wages, but the unemployment rate in cybersecurity is one of the lowest in the world. On top of that, short tenures are extremely common, as other companies may offer them better pay just when they’re beginning to become efficient for you.
The only other solution to this issue is to utilize a managed service provider, but this might be concerning to companies who may not be guaranteed that that MSP has more cybersecurity experience than the current team. The IT specialist within that MSP may have been given a new title such as “cybersecurity expert,” with their only task being calling the vendor and asking how to fix the current issue. Cybersecurity experts working for an MSP, on average, have less than one year of actual cybersecurity experience.
Real-World Scenario #1: A fortune 500 company in the medical field had to hire three full-time employees just to run their SIEM. The company was told that their current in-house IT staff would be able to manage their SIEM without any cybersecurity experience and as a part-time job. In a year, the business had a 300 percent turnover within its cybersecurity staff. After the company was finally able to hire a competent cybersecurity staff, they had to re-hire when new team members left for other organizations that were willing to pay more.
Real-World Scenario #2: A large MSSP was struggling to find and retain the proper staff to provide their clients with cybersecurity solutions. The company decided to purchase a small cybersecurity firm, but 60 percent of the acquired company’s staff quit within six months.
Problem #3: Hosting Internally and Storage Issues
It’s not enough to settle for the minimum hardware specs when you’re planning on hosting a SIEM. Running reports and doing queries takes a long time, not to mention the terabytes storage you need to store all the data. This issue frustrates infrastructure teams within a company when they don’t have the necessary resources required to host the SIEM tool efficiently.
There is an alternative when it comes to storage, although it’s not a cheap one. Many businesses who are lacking adequate storage turn to hosting in the cloud. This method eliminates the need to worry about resource availability, but you now have to worry about climbing hosting costs determined by the events per second being processed. Be prepared to spend anywhere from several hundred to tens of thousands of dollars a month.
Real-Life Scenario: An international telecommunications firm attempted to get their hosting division to provision resources for their SIEM. Six months later, the company didn’t have a place to host the SIEM due to internal strife and accounting responsibilities. Since the licenses were already active due to the subscription they had purchased, they ended up hosting in the cloud. This cost the firm three-times what they had initially budgeted.
These are just three of the most common issues that a company that has implemented a SIEM experiences during the initial months of setting it up. In our next installment, we’re going to be going over more common issues, so make sure you keep a lookout and as always, give us a call or take a look at some of our other blog posts and services pages for any of your cybersecurity needs.