This article was originally posted on HelpNetSecurity
Over the last 10-15 years, many organizations built Security Operations Centers (SOCs) on the backbone of security information and event management (SIEM) solutions. These systems capture all of an enterprise’s data, logs and events in one place, and provide a rules-based system to flag suspicious events.
The challenge is SIEM systems are inherently reliant on human analysts to investigate and determine whether an event flagged by a rule merits any further investigation.
The industry has reached a point where due to the high volume of security events and alerts, security analysts aren’t able to address the hundreds of alerts a day that even a moderately sensitive rule will throw their way. Conversely, if companies limit the number of rules or set the rules too permissively, many more threats could be missed.
This state of affairs is not an excuse to throw the baby out with the bathwater – SIEM systems are a great foundational step in aggregating log data, helping meet compliance requirements and supporting forensic investigations. These were difficult problems to solve a decade ago, and the leading SIEM solutions have tackled them very well.
Having said that, let’s examine the challenges most SIEM deployments face today:
Challenge: Generating too much noise
SIEM systems are rules-based, ideally you create a rule for every indicator of compromise for which you’re aware. The problem is by the very nature of rules, they tend to generate a lot of alerts. As IT infrastructure expands, more security solutions are deployed that feed into SIEMs, and the workplace and its workers get more digital. Further, the volume of security events will only continue to increase. The volume of alerts will also do the same.
Unfortunately, 90-95 percent of alerts generated by a typical SIEM rule fall into the category of false positives. These are events that met the criteria of the rule but don’t actually need to be escalated or remediated.
In general, each alert could be investigated in 15-45 minutes by a skilled security analyst. However, when you’re getting hundreds of alerts a day, it is simply impossible to hire enough analysts to keep up. The SIEM may be doing its job, but the analysts are overwhelmed, fatigued and unhappy.
Challenge: Missing unknown threats
Leveraging threat intelligence and prior incidents, you can usually generate rules for the known threats. However, as attackers get increasingly sophisticated in morphing attacks, narrowly targeting organizations and users, and finding new ways to masquerade their tracks, it is the unknown threats that pose the greatest danger.
Industry research often indicates that on average it takes several months to detect a breach. That’s covering both known and unknown attacks. It is downright scary to think about the breaches you don’t know about – the ones that may dwell in your environment for years without being detected.
Rules, by definition, only cover the known threats. Hence, while your SIEM is collecting mountains of security event data, you’re missing the breaches for rules yet to be written. Which brings us to our next point.
Challenge: Overcoming hard-to-write and tune rules
Ninety percent of enterprises have fewer than 400 rules. Building such rule sets is time-consuming and needs constant revision. Typically, it takes 4-8 hours to fully establish a sophisticated rule – some security teams have dedicated content authors just for this task. Despite these professionals’ best efforts, it extremely difficult to write rules that cover an extensive set of threats and to keep the rules well tuned has proven equally as laborious.
Challenge: Missing context and “smarts”
Rules are fairly brittle and shallow by nature. It is almost impossible to program rules to account for the context, intelligence and intuition of a human analyst. As a result, SIEMs operate in a very tactical mode, dutifully spitting out alerts following precise instructions. All of the real decision making falls upon the analyst. Fundamentally, SIEM architectures are not designed for cognitive decision making, hence, the SOC relies on an army of security analysts to finish the job.
Turbocharging your SIEM investment
Given these challenges, what can you do to get the most from your SIEM investment? Innovations in security automation technologies can help. Here are some key capabilities you should leverage to complement your SIEM:
1. Automate investigative data gathering.
A core part of the process of investigating each alert is for an analyst to gather all the relevant data associated with that event. This could be checking against sources like VirusTotal, looking up network traffic for a device or user, etc. Much of this information gathering per alert can be easily automated using robotic process automation tools.
2. Automate alert ranking and scoring.
After the data is gathered, you need to determine the severity of each alert. While data gathering has saved your analyst some time, this phase is still very time consuming, especially given the hundreds of alerts that need to be processed each day. The good news is new cognitive automation solutions allow you to automate ranking and scoring of the alerts. By the time an analyst logs into the SIEM, the alert can be already scored with a full explanation of the how and why. The analyst can simply review the scoring and take the appropriate action. For the 95 percent of alerts that are false positives, this means no further action is required. Congratulations, you just brightened your analyst’s day!
3. Add intelligence and context.
As humans, we intuitively add context to our decision making. Teaching a machine to do so is much more difficult. In addition to applying cognitive automation for alert ranking, one key consideration is to ensure you’re able to add your analyst’s contextual expertise and knowledge to the system so the solution can more intelligently score alerts based on the specifics of your environment. SecOps teams should continuously be asking why they have to look at an alert manually. How did they decide whether it was a false positive? What do they know that the system that alerted them did not? Then capture, document and automate that intelligence and context. Of course, if you have a system that is not very adaptable this is going to be hard. Look for solutions that make this “feedback loop” process easy and seamless with a well designed automation framework.
4. Apply continuous threat ranking.
As discussed in the challenges, your SIEM is missing any threats for which you don’t have a rule. The good news is you probably already have a lot of the data you need to detect the unknown threats, hiding somewhere in the mountains of SIEM data. However, you need to add the ability to continuously monitor that data and proactively look for new threats. There is no question, this is information security’s big data problem. Similar to alert ranking, cognitive automation solutions can help detect and rank threats continuously and tirelessly around the clock.
To sum it up, the good news is you don’t need to dump your SIEM. A new generation of automation technologies complement the SIEM you already have. Look for solutions that are able to tackle both robotic and cognitive automation tasks to get the best bang for your buck, today and in the future. Make sure the solution is also able to add your organization’s specific context and intelligence for the highest levels of effectiveness.