Published on November 16th, 2016 | by Tony Thompson
Not So SIEMple: 3 Things to Keep in Mind Before Falling into SIEM Reliance
While many enterprise organizations are now relying on log data to answer the what, when, how, and why of a breach, the reality is that despite your team’s best efforts, more advanced threats will still slip past traditional preventative security tools and can hide on the network for an average of 200 days.
This makes network visibility more important than ever. As these attacks become more and more sophisticated, many enterprises are starting to rely on Security Information and Event Management (SIEM) tools that afford them some insight into their network traffic. However, SIEM tools can be very costly, and in some ways can even increase investigation and remediation time in the event of a breach.
Here are three things to keep in mind before falling into SIEM reliance:
SIEM logs are not optimized for data breach investigations.
SIEM tools were originally built to provide an audit view of the tools that feed them. Their logs were designed for monitoring the status of those tools so that support teams could find and fix problems in the environment. Verbose logs are usually summarized and compressed after a retention period to avoid the substantial cost of storing the raw output of the many network devices connected to a SIEM. So when a breach does occur, the logs that remain are often not detailed enough to reconstruct an advanced intrusion that slipped past traditional defenses.
SIEM logs must be normalized before they are useful.
Normalizing SIEM logs is not automatic: each source's format must be parsed into a common schema, and the correlation logic must be written and maintained. In many cases, building a cohesive and useful interface takes a great deal of backend manual effort. The correlation logic also tends to generate many false positives. Many factors contribute to this, but a SIEM is generally unable to determine on its own whether an event is related to a breach. Because the rules are tuned not to miss a real breach event, they flag harmless events as suspicious, and each of those false positives adds analyst time and manual effort to an investigation, greatly increasing the overall cost of a breach.
SIEM tools are unable to go back in time.
The average SIEM cannot retain useful, searchable data for long without incurring massive storage costs for an enterprise. To contain those costs, older logs are typically compressed and archived without being indexed, so they are not easily searchable when a breach event is discovered. To get at the archived information, the logs must be sifted through manually, with great care to ensure nothing important is missed. These logs also record isolated events rather than entire chains of related events, so tracking a breach across the network is not only extremely time consuming but requires a great deal of correlation work.
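As an added illustration of the two points above (normalization and chain correlation), here is a small Python script that is not code from the original post or from SS8. It parses two constructed log formats, syslog-style sshd lines and a JSON firewall flow record, into one schema, then runs two rules over the result. A naive threshold rule fires on a noisy but harmless internal host as well as on the real attacker. A chain rule that requires the failed logins, the successful login and a large outbound transfer from the host that accepted that login, all within one window, fires only on the real chain. The log lines, the host-to-IP inventory, the schema field names and the thresholds are all assumptions made for this example.

```python
"""Log normalization plus event-chain correlation.

Added example for this post; not SS8 code.  The log lines, host inventory,
schema field names and rule thresholds are all constructed assumptions.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample input (not real logs): syslog-style sshd lines from two
# hosts, plus one JSON firewall flow record for an outbound connection.
RAW_LOGS = [
    "2016-11-14T09:00:01Z web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 50211 ssh2",
    "2016-11-14T09:00:04Z web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 50212 ssh2",
    "2016-11-14T09:00:07Z web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 50213 ssh2",
    "2016-11-14T09:00:15Z web01 sshd[1201]: Accepted password for admin from 203.0.113.7 port 50214 ssh2",
    '{"ts":"2016-11-14T09:02:40Z","action":"allow","src":"10.0.0.5","dst":"198.51.100.9","dport":443,"bytes_out":73400320}',
    # A misconfigured job on 10.0.0.20 retrying a stale credential: noisy, but harmless.
    "2016-11-14T09:10:00Z build01 sshd[1301]: Failed password for jenkins from 10.0.0.20 port 41000 ssh2",
    "2016-11-14T09:10:02Z build01 sshd[1301]: Failed password for jenkins from 10.0.0.20 port 41001 ssh2",
    "2016-11-14T09:10:04Z build01 sshd[1301]: Failed password for jenkins from 10.0.0.20 port 41002 ssh2",
]

# Assumed asset inventory: hostname in the auth log -> address seen in flow logs.
HOST_IPS = {"web01": "10.0.0.5", "build01": "10.0.0.20"}

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize(line):
    """Map one raw line onto the common schema; None if the format is unknown."""
    if line.startswith("{"):
        d = json.loads(line)
        return {"ts": parse_ts(d["ts"]), "type": "net_flow", "src": d["src"],
                "dst": d["dst"], "bytes_out": d["bytes_out"]}
    m = SSHD_RE.match(line)
    if m:
        return {"ts": parse_ts(m.group("ts")), "type": "auth", "host": m.group("host"),
                "src": m.group("src"), "user": m.group("user"),
                "outcome": "success" if m.group("outcome") == "Accepted" else "failure"}
    return None


def brute_force_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Naive rule: N failed logins for one (source, user) inside the window.
    Fires on the attacker and on the harmless retry loop alike."""
    recent, alerts = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] != "auth" or e["outcome"] != "failure":
            continue
        key = (e["src"], e["user"])
        recent[key] = [t for t in recent.get(key, []) if e["ts"] - t <= window] + [e["ts"]]
        if len(recent[key]) >= threshold and key not in alerts:
            alerts.append(key)
    return alerts


def chained_alerts(events, threshold=3, window=timedelta(minutes=10), exfil_bytes=50_000_000):
    """Chain rule: failures -> success for the same (source, user) -> large
    outbound flow from the host that accepted the login, all inside the window.
    Returns (attacker_src, user, host, exfil_dst) tuples."""
    events = sorted(events, key=lambda x: x["ts"])
    chains = []
    for i, e in enumerate(events):
        if e["type"] != "auth" or e["outcome"] != "success":
            continue
        failures = [p for p in events[:i]
                    if p["type"] == "auth" and p["outcome"] == "failure"
                    and (p["src"], p["user"]) == (e["src"], e["user"])
                    and e["ts"] - p["ts"] <= window]
        if len(failures) < threshold:
            continue
        host_ip = HOST_IPS.get(e["host"])
        for f in events[i + 1:]:
            if (f["type"] == "net_flow" and f["src"] == host_ip
                    and f["bytes_out"] >= exfil_bytes and f["ts"] - e["ts"] <= window):
                chains.append((e["src"], e["user"], e["host"], f["dst"]))
                break
    return chains


def run(lines=RAW_LOGS):
    events = [ev for ev in (normalize(raw) for raw in lines) if ev is not None]
    return brute_force_alerts(events), chained_alerts(events)


if __name__ == "__main__":
    naive, chained = run()
    print("naive threshold rule fired on:", naive)
    print("chained rule fired on:", chained)
```

Running it shows the naive rule firing on both the attacker at 203.0.113.7 and the harmless jenkins retry loop, while the chain rule reports only the admin login on web01 followed by the 70 MB transfer to 198.51.100.9. The cost the post describes is in the parts that had to be hand-written here: a parser per source, an asset inventory to join hostnames to addresses, and the window and threshold choices that decide how many false positives the analyst has to clear.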
Most network logs stop at Layer 3 and Layer 4 data (addresses, ports and protocols), yet many of today's breaches can only be recognized at the application level. A SIEM fed with such logs therefore cannot provide enough insight into network flows at the transaction level. Attackers slip past preventative security tools by hiding inside the regular flow of network traffic, where a connection to a permitted host on a permitted port looks unremarkable until the transactions carried over it are examined.
To truly protect your network from breaches, you need the level of insight provided by network breach detection tools such as SS8 BreachDetect. To learn more, download our whitepaper on exploring SIEM limitations.