SIEMs are mandatory tools for forensic security teams, aggregating logs from a multitude of sources, exploring within a dataset, and auditing thoroughly. But anyone who’s tried to run their security operations solely on a SIEM (Security Information and Event Management), knows all too well its limitations:
1. Hard to connect the dots
One of the major challenges when using security monitoring and analytics tools is how to deal with the high number of alerts and false positives. Even when the most straightforward policies are applied, SIEMs end up alerting on far too many incidents that are neither malicious nor urgent. The goal is not to be alerted on every possible incident, but to identify, in real-time, the incidents driven by actual malicious activity. Getting there can be a cumbersome process, requiring detailed investigation and a series of diagnoses. Typical scenarios might include: pinpointing the IP address of the suspicious user activity, identifying the relevant logs and determining, which devices were affected. Only then can a researcher decide if the threat is real. Connecting the dots is indeed cumbersome and time-consuming. During this process the race against the attackers is at risk and a backlog of unhandled incidents is created.
2. Insufficient correlation rules
The out-of-the-box, correlation rules of traditional SIEM solutions are insufficient to address the needs of today’s organizations. They need to be extensively configured to meet the unique requirement of the organization. This a time-consuming task requiring significant technical understanding of the organization’s cybersecurity infrastructure.
Another major challenge lies in the fact that it’s impossible to create rules broad enough to factor every conceivable event. New threats are continually emerging and changing and SIEMs need to be continuously maintained in order to adapt to the evolving landscape. The result is that most SIEMs end up running with limited coverage, particularly around correlation of activities.
3. Challenging user-experience
SIEMs are capable of monitoring logs from a multitude of locations at once, striving to eliminate the risk of missing important events. They receive information from various endpoints by pulling or accepting pushed event data, triggering alerts according to predefined correlation rules. Using SIEM dashboards, SOC teams should be able to view and analyze event information in real-time. However, as the organization’s network expand and data accumulates, security professionals are unable to see the log’s origin, user identities, user activities, and if they could be a potential threat.
SIEMs typically show all network and log activities in a tabular format, making it difficult to quickly get insights from the data. Even if the event data is organized by categories with defined policies, viewing the entire network in one consolidated display is still challenging.
4. Limited investigation capabilities
In some cases, SIEMs are able to combine event data with contextual information such as, details of a user, assets, known threats, and specific vulnerabilities. This provides crucial knowledge about security events. However, SIEMs are not actually built to support the natural research flow in the case of an attack.
Let’s take the following attack sequence as an example: The SOC team gets an alert on a brute-force attack on an FTP server, and then another alert appears from an antivirus system on a different server. In parallel, there is a growing trend of outbound traffic from that server.
In such a case, a researcher needs to quickly understand that these events are a part of a single attack: an attacker compromised the FTP server while inserting a Trojan into one of the organization’s servers.
Although SIEM correlation rules consolidate events into a single alert, the SOC team still needs to explore each endpoint to get more information about the incident. Once the attack is revealed, the security team needs to access the FTP servers and check the firewall log, the DLP system status and the EventVwr of the targeted servers and more. The lack of advanced querying capabilities, forces the researcher to leave the SIEM dashboard and switch between various systems and manually analyze and correlate information gleaned from them. In addition, the researcher has no tool for mapping out the flow of the attack.
5. Lack of built-in mitigation tools
SOC teams need to be notified about incidents, properly analyze them and take remedial actions in real-time.
They must be able to perform risk mitigation and take concrete action for every incident that might result in a data breach. Traditional SIEM solutions do not provide actionable data and investigation tools to support SOC teams and lead them through the mitigation process.
These systems mainly serve to gather and explore log sources for revealing and analyzing events. This means SOC teams have to use third-party tools or custom script frameworks to handle the event and mitigate the attack. The lack of consolidation between the monitoring processes and the required actions for mitigation makes it impossible to pursue continuous protection from within the SIEM dashboard.
Addressing this challenge with one intelligent, easy-to-use environment for all security operations is what Siemplify Nexus is all about. Register for a demo and see how Siemplify Nexus can transform your security operations.