Detective Work

SIEM systems help overworked IT teams wade through alerts and event logs to better detect and respond to security incidents.

Common sense would dictate that the longer it takes to discover a security breach, the greater the potential damage. Unfortunately, insider attacks, zero-day exploits and advanced persistent threats are increasingly difficult to detect, giving cybercriminals the advantage of lengthy “dwell times” in compromised systems and networks.

A recent study from Aberdeen Research found that, in half of successful security breaches, the victim organization detected the attack in 38 days or less. In the other half, however, detection took as long as four years, with an average of about 210 days.

The business impact of delayed discovery depends upon the nature of the security incident. The researchers found that organizations can reduce the impact of a data breach by 30 percent if they can cut detection and response times in half compared to the status quo. When it comes to attacks that cause business disruption, organizations can reduce the impact by 70 percent if they can respond twice as fast.

“In multiple areas of cybersecurity, time is currently working in favor of the attackers — and time is the strategic advantage that the defenders need to regain,” Derek E. Brink, Aberdeen Vice President and Research Fellow, said in the report.

Security information and event management (SIEM) solutions can aid in the rapid detection of security incidents. SIEM systems correlate security data from across the organization, looking for unusual patterns that could signal a security threat. Data is collected from a wide range of devices and systems in real time, and forwarded to a central console for inspection and analysis.

SIEM helps organizations overcome two of the primary impediments to rapid incident response — an overwhelming amount of security event data and an insufficient number of skilled personnel to analyze it. However, SIEM systems are also complex to configure and manage, which can limit their value.

Searching for Clues

It’s easy to see why many cyberattacks go undetected. According to new research from IDC, organizations experience an average of 40 actionable security incidents per week. However, only 27 percent think they are coping comfortably with this workload, while 33 percent describe themselves as “struggling” or “constantly firefighting.” More than half (53 percent) say that staff devote too much time to routine operations and incident investigation to improve security response.

“The amount of time companies are spending on analyzing and assessing incidents is a huge problem,” said Duncan Brown, associate vice president, security practice, IDC. “The highest paid, most skilled staff are being tied up, impacting the cost and efficiency of security operations. Organizations must ensure that they are using their data effectively to gain key insights quickly to determine cause and minimize impact.”

There generally is evidence that an attack is taking place, but it’s often buried in log files and alerts that go unnoticed. In fact, so many alerts are generated in the typical environment that IT teams simply can’t keep up. A 2015 Ponemon Institute study found that organizations received an average of 16,937 security alerts each week and spent almost 21,000 hours a year analyzing them.

SIEM systems apply data analytics to this monumental task. While a single piece of information has limited value, data collected from multiple systems and viewed holistically can reveal trends and patterns. SIEM systems use statistical correlation to identify relationships between the data points, which are then compared to profiles of normal system conditions in order to spot anomalies.

While there are a number of solutions to choose from, including both commercial offerings and open source platforms, SIEM is notoriously difficult to implement and manage. Commercial offerings tend to be complex and expensive, while open source tools require significant time and expertise.

Closing the Book

This complexity is reflected in the total cost of ownership for SIEM. According to a recent Ponemon Institute study, the initial purchase of the software represents just 25 percent of the total SIEM cost, with installation, maintenance and staffing making up the remaining 75 percent.

The survey also found widespread dissatisfaction with SIEM. While 84 percent of respondents said their SIEM is important, very important or essential to their incident response processes, only 48 percent were happy with the actionable intelligence they get from their SIEMs.

“The root of their dissatisfaction seems to be related to the complexity of the SIEM itself,” explained Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “In fact, 75 percent of respondents said there is significant, or very significant, effort involved in configuring their SIEM. Obviously, this complexity can make it very difficult to extract the value they want and need.”

A common complaint is that SIEM is too “noisy” — 54 percent of respondents said that their SIEM generates too much low-level data and too many alerts. Seventy percent want their SIEM to generate fewer alerts that are more accurate, prioritized and meaningful, while 71 percent want to automate certain SIEM-generated tasks so that response teams can focus on priorities.
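As an added illustration of the correlation-against-a-baseline approach described under “Searching for Clues” and of the fewer, prioritized alerts respondents ask for here, the following Python sketch (written for this page, not taken from the article or any SIEM product; every host, baseline and event is constructed) compares today’s per-host failed-login counts with each host’s own profile of normal activity and folds related events from two sources into a single prioritized alert.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: failed-login counts per host on each of the last seven days.
BASELINE = {"web01": [3, 2, 4, 3, 2, 3, 4], "db01": [0, 1, 0, 0, 1, 0, 0]}

# Constructed events for today from two sources (auth log and firewall), not real logs.
# Timestamps are seconds since midnight.
EVENTS = [
    {"src": "auth", "ts": 36000 + 30 * i, "host": "web01", "kind": "login_failed"}
    for i in range(12)
] + [
    {"src": "fw", "ts": 36900, "host": "web01", "kind": "outbound_new", "dst": "203.0.113.9"},
    {"src": "auth", "ts": 40000, "host": "db01", "kind": "login_failed"},
    {"src": "fw", "ts": 40100, "host": "db01", "kind": "outbound_new", "dst": "198.51.100.4"},
]

def is_anomalous(host, count, baseline, k=3.0):
    """Compare today's count with the host's own profile of normal conditions."""
    history = baseline.get(host)
    if not history:
        return True  # no profile yet: surface it rather than silently drop it
    return count > mean(history) + k * pstdev(history)

def correlate(events, baseline, window=1800):
    """Fold raw events into a short list of prioritized alerts, at most one per host."""
    failures = defaultdict(list)
    for e in events:
        if e["kind"] == "login_failed":
            failures[e["host"]].append(e["ts"])
    alerts = []
    for host, times in failures.items():
        if not is_anomalous(host, len(times), baseline):
            continue  # within the host's normal range: stays in the log, no alert
        detail = f"{len(times)} failed logins today"
        severity = "medium"
        # The same host opening a new outbound connection shortly after the failures
        # raises the priority; a lone firewall event on a quiet host does not alert.
        follow_ups = [e for e in events if e["src"] == "fw" and e["host"] == host
                      and min(times) <= e["ts"] <= max(times) + window]
        if follow_ups:
            severity = "high"
            detail += f", then new outbound connection to {follow_ups[0]['dst']}"
        alerts.append({"host": host, "severity": severity, "detail": detail})
    return sorted(alerts, key=lambda a: a["severity"] != "high")

if __name__ == "__main__":
    for alert in correlate(EVENTS, BASELINE):
        print(alert)
```

Fifteen raw events collapse into one high-priority alert for web01, while db01’s single failed login and routine firewall entry stay in the log because they sit inside that host’s normal profile.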

Increasingly, organizations are engaging managed security service providers to handle the monitoring and management of SIEM. There are also cloud-based solutions that allow organizations to maintain control while eliminating the capital cost and implementation burden of traditional on-premises systems.

SIEM is not a panacea. The Ponemon research revealed that for 65 percent of organizations, the SIEM’s discovery of a compromise can take hours, days, weeks or even months. Done right, however, SIEM is a valuable tool that can help organizations regain the strategic advantage of time in detecting and responding to cyberattacks.