IT security professionals have a love-hate relationship with security information and event management (SIEM) systems. While most consider SIEM to be an invaluable element of modern network security, they also find the systems to be costly, complex and confusing.
SIEM systems are meant to create a “single pane of glass” view of network security. They collect real-time log data from multiple network sources such as antivirus software, intrusion detection systems, firewalls and servers. This data is then forwarded to a central console for inspection and analysis to identify any unusual patterns that could signal a security threat.
In theory, that should give IT teams great insight into their security posture. However, SIEM systems are notorious for collecting more data than IT staff can adequately investigate. More than 80 percent of organizations in one survey complained that their SIEMs generate too many false positives, making it difficult to filter through the noise and identify legitimate threats.
In addition, about two-thirds of organizations say their SIEM’s log data makes it difficult to understand when, where and how something happened. Most say their IT specialists have to spend an inordinate amount of time manually adjusting data to make SIEM reports understandable to the management team and other non-tech stakeholders.
Organizations can resolve some of these issues by fine-tuning their SIEM systems with periodic rules and configuration updates. However, that’s a time-consuming job that requires highly specialized in-house security and networking experts to manually evaluate and adjust every log source, correlation rule and alert. Studies suggest that training, implementation and management expenses account for about 75 percent of the cost of an in-house SIEM system.
A New Approach
The good news is that a new generation of cloud-based SIEM solutions resolves most of these traditional drawbacks with advanced analytics, statistical modeling and automated remediation. Additionally, cloud-based solutions dramatically reduce deployment time and costs. Solutions such as Blumira’s preconfigured cloud SIEM can be up and running in a matter of hours, compared to the months-long deployment process for most in-house solutions.
With statistical and pattern modeling capabilities, modern SIEMs can correlate security alerts with multiple risk intelligence feeds to accurately identify new and evolving threats while paring down the overwhelming amount of log data being reported. Alerts are automatically prioritized based on identifiable characteristics, eliminating much of the time, manpower and expense required to comb through large volumes of log data for investigation and response.
Automated reporting and remediation capabilities enable end-to-end threat responses, from detection to resolution, without toggling between multiple, disparate solutions. With the Blumira system, alerts include all the necessary information for conducting further investigation, including associated user accounts, source IP addresses, domain names, timestamps and more.
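The correlation and prioritization described in the two paragraphs above, reduced to a small worked example: raw events from several log sources are grouped by source IP, enriched against threat-intelligence feeds, scored, and only the groups that clear a threshold become alerts carrying the IPs, users and event counts an analyst needs. This is added illustration code, not Blumira’s implementation; the events, the feeds, the scoring weights and the threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample events from several log sources (not real data).
EVENTS = [
    {"source": "firewall", "src_ip": "203.0.113.7", "user": None, "action": "deny"},
    {"source": "firewall", "src_ip": "198.51.100.4", "user": None, "action": "deny"},
    {"source": "firewall", "src_ip": "192.0.2.55", "user": None, "action": "deny"},
    {"source": "ids", "src_ip": "203.0.113.7", "user": None, "action": "port_scan"},
    {"source": "auth", "src_ip": "203.0.113.7", "user": "alice", "action": "login_failed"},
    {"source": "auth", "src_ip": "203.0.113.7", "user": "alice", "action": "login_failed"},
    {"source": "auth", "src_ip": "203.0.113.7", "user": "alice", "action": "login_success"},
    {"source": "auth", "src_ip": "192.0.2.10", "user": "bob", "action": "login_failed"},
]

# Constructed threat-intelligence feeds, keyed by provider name.
INTEL_FEEDS = {"feed_a": {"203.0.113.7"}, "feed_b": {"203.0.113.7", "198.51.100.4"}}

def correlate(events, feeds):
    """Group events by source IP, recording the log sources and users
    involved and how many intel feeds list that IP."""
    groups = defaultdict(lambda: {"events": [], "sources": set(), "users": set()})
    for ev in events:
        g = groups[ev["src_ip"]]
        g["events"].append(ev)
        g["sources"].add(ev["source"])
        if ev["user"]:
            g["users"].add(ev["user"])
    for ip, g in groups.items():
        g["feed_hits"] = sum(ip in listed for listed in feeds.values())
    return dict(groups)

def prioritize(groups, threshold=3):
    """Score each group and return alerts at or above the threshold, highest
    first. Intel hits, corroboration across log sources and a failed-then-
    successful login pattern raise the score; a lone firewall deny from an
    unknown IP scores 0 and never becomes an alert."""
    alerts = []
    for ip, g in groups.items():
        actions = [e["action"] for e in g["events"]]
        score = 3 * g["feed_hits"] + 2 * (len(g["sources"]) - 1)
        if "login_failed" in actions and "login_success" in actions:
            score += 4  # failures followed by success: likely guessed password
        if score >= threshold:
            alerts.append({"src_ip": ip, "score": score, "event_count": len(g["events"]),
                           "sources": sorted(g["sources"]), "users": sorted(g["users"])})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)

if __name__ == "__main__":  # 8 raw events collapse into 2 ranked alerts
    for alert in prioritize(correlate(EVENTS, INTEL_FEEDS)):
        print(alert)
```

With these constructed inputs the eight raw events collapse into two alerts, the multi-source group with two intel hits and a password-guessing pattern ranking far above the single blocked connection from a listed IP.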
The Threat Playbook
A key to this approach is the use of gathered intelligence to create remediation playbooks that document the behaviors and methodologies used in cyberattacks. Information about an attack’s unique tactics, techniques and procedures (TTPs) is fed into AI-powered systems, which can detect attack patterns and interrupt attacks by anticipating and shutting down the next step in the attack sequence.
With this level of automation and intelligence, organizations don’t need highly specialized SIEM experts on staff. When the Blumira system detects a threat, it automatically implements blocking procedures to halt the attack. For further remediation, experts in the company’s security operations center will guide IT teams through step-by-step response workflows based on remediation playbooks.
Cyberthreats are constantly evolving and becoming more sophisticated, and your SIEM solution should evolve with them. Traditional systems can be costly and complex, requiring significant expertise and manpower to manage and maintain. Modern solutions such as Blumira’s cloud-based SIEM use automation and advanced analytics to dramatically improve your security capabilities.