In our previous installment of common problems you may face with a SIEM, we covered several topics. We included dealing with false positives, finding the right people to manage your SIEM and hosting internally and storage issues. In this week’s installment, we’re going to be covering three more problems that you’ll most likely face with SIEM.
Problem #4: Unexpected Costs
You should be wary of where you’re getting your services from. Some SIEM vendors will bill you for exceeding certain EPS limits and device counts. Organizations might not be aware of the hidden costs that can come with some software vendors. This can lead to internal issues between the company’s leader and the employee who initially signed for the services which they are now paying double for.
Real-World Scenario: A mid-sized financial services company in need of SIEM services was asked by a SIEM vendor to calculate the EPS they would use in production. The bank had never had a SIEM before, which made it difficult for them to know the answer to this question. The SIEM vendor then asked the bank to give them their best guess, which turned out to be off by a factor of 35. When the bank was billed, the director who signed the contract was let go by the company and litigation between the vendor and the bank began.
Problem #5: Complexity Issues
SIEM services are complex and require two things: time and talent. Setting up a dashboard and doing simple research is the easy part. However, performing any real forensics is best left to the professionals. Cybersecurity experts must also analyze a network baseline and adjust rule thresholds based on analytics, which can become extremely time-consuming. How exactly are you supposed to get intelligence out of a system which is so complex? It’s better to leave SIEM management to the professionals, as per this next real-life scenario.
Real-World Scenario: A SIEM solution sales rep assured a hospital that their IT staff could be trained and get all caught up with the complexities of managing a SIEM solution. After undergoing extensive training, the staff found that they still didn’t have the necessary expertise to manage the solution. Not wanting to hire a full-time cybersecurity expert, they spent countless hours with the vendor. Month in and month, they tried to learn how to effectively manage the SIEM solution. This increases the cost by about 38 percent of the original price.
Problem #6: You Might Miss Some Things
It’s been months since you’ve deployed a SIEM solution. When you don’t see positive results, you might be asking yourself, “what are we missing?” Important information can be missed due to some data not being able to be ingested by your devices. You could also be running into issues where parsers aren’t cataloging data properly, which is not helpful to your company. The SIEM service vendor assures you that these issues will resolve soon, but after patiently waiting for reports to be available, you need to do something. Otherwise, you could end up with an issue such as this:
Real-World Scenario: A restaurant chain utilizing a SIEM had some WAP devices which couldn’t send their logs to the solution because the device was rather new and did not have a parser written by the SIEM vendor. The company waited eight months for the parser. During that time, the security devices ended up having security flaws. This helped hackers compromise their devices via a local LAN attack through one of their restaurants. The attackers were able to gain access to sensitive data before they were finally detected.
These are three more issues you might run into if you’ve deployed a SIEM within the last few years. Look out for the final installment of this series, where we will discuss three more issues you might come across.