This article was originally posted on HelpNetSecurity

Over the last 10-15 years, many organizations built Security Operations Centers (SOCs) on the backbone of security information and event management (SIEM) solutions. These systems capture all of an enterprise’s data, logs and events in one place, and provide a rules-based system to flag suspicious events.

The challenge is that SIEM systems are inherently reliant on human analysts to investigate each event flagged by a rule and decide whether it merits any further action.

The industry has reached a point where, given the sheer volume of security events and alerts, security analysts cannot address the hundreds of alerts a day that even a moderately sensitive rule will send their way. Conversely, if companies limit the number of rules or set their thresholds too permissively, many more threats will be missed.

This state of affairs is not an excuse to throw the baby out with the bathwater – SIEM systems are a great foundational step in aggregating log data, helping meet compliance requirements and supporting forensic investigations. These were difficult problems to solve a decade ago, and the leading SIEM solutions have tackled them very well.

Having said that, let’s examine the challenges most SIEM deployments face today:

Challenge: Generating too much noise

SIEM systems are rules-based: ideally you create a rule for every indicator of compromise you are aware of. The problem is that rules, by their very nature, generate a lot of alerts. IT infrastructure keeps expanding, more security products are deployed that feed into the SIEM, and the workplace and its workers keep getting more digital. The volume of security events will therefore only continue to increase, and the volume of alerts will do the same.

Unfortunately, 90-95 percent of alerts generated by a typical SIEM rule fall into the category of false positives. These are events that met the criteria of the rule but don’t actually need to be escalated or remediated.

In general, each alert could be investigated in 15-45 minutes by a skilled security analyst. However, when you’re getting hundreds of alerts a day, it is simply impossible to hire enough analysts to keep up. The SIEM may be doing its job, but the analysts are overwhelmed, fatigued and unhappy.
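The tuning trade-off described above, as an added example that is not part of the original article: a single SIEM-style detection rule, "N failed logins from one source within W minutes", run over constructed auth log lines. The log lines, hosts and addresses are all constructed; one internal host is a backup service account with a stale password (benign noise every hour), the other is an external password spray that stays just below the noise level. A second rule that counts distinct targeted users per source is included to show that the two cannot be separated by tuning the count threshold alone, only by encoding a different signal.

```python
"""Detection-rule tuning trade-off over constructed auth logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
ATTACKER = "203.0.113.7"  # constructed external address (TEST-NET-3)


def build_sample_logs():
    """Constructed syslog-like records: '<ISO ts> auth result=<ok|fail> user=<u> src=<ip>'."""
    lines = []
    base = datetime(2022, 5, 1, 0, 0, 0)
    for hour in range(10):
        # Benign noise: backup service account with a stale password fails
        # 8 times an hour from one internal host, every hour.
        for i in range(8):
            ts = base + timedelta(hours=hour, minutes=i * 7)
            lines.append(f"{ts.isoformat()} auth result=fail user=svc-backup src=10.0.0.5")
        # Low-and-slow spray: 6 failures an hour, each against a different user.
        for i in range(6):
            ts = base + timedelta(hours=hour, minutes=5 + i * 9)
            lines.append(f"{ts.isoformat()} auth result=fail user=user{hour * 6 + i:02d} src={ATTACKER}")
        # Ordinary successful login, ignored by both rules.
        ts = base + timedelta(hours=hour, minutes=30)
        lines.append(f"{ts.isoformat()} auth result=ok user=alice src=10.0.0.42")
    return lines


def parse_line(line):
    ts, _, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def _bucket(ts, window_minutes):
    # Tumbling window index computed from a naive epoch, so local time zone
    # offsets cannot shift the hour boundaries.
    return (ts - EPOCH) // timedelta(minutes=window_minutes)


def failed_login_rule(lines, threshold, window_minutes):
    """Alert on every (src, window) with at least `threshold` failures."""
    counts = defaultdict(int)
    for rec in map(parse_line, lines):
        if rec["result"] == "fail":
            counts[(rec["src"], _bucket(rec["ts"], window_minutes))] += 1
    return sorted(k for k, n in counts.items() if n >= threshold)


def spray_rule(lines, distinct_users, window_minutes):
    """Alert on every (src, window) whose failures target at least `distinct_users` accounts."""
    targets = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec["result"] == "fail":
            targets[(rec["src"], _bucket(rec["ts"], window_minutes))].add(rec["user"])
    return sorted(k for k, users in targets.items() if len(users) >= distinct_users)


def summarize(alerts, attacker_src=ATTACKER):
    """Split alerts into true positives (the spray source) and false positives."""
    tp = sum(1 for src, _ in alerts if src == attacker_src)
    return {"true_positives": tp, "false_positives": len(alerts) - tp}


if __name__ == "__main__":
    logs = build_sample_logs()
    for threshold in (5, 7, 9):
        print(f"count >= {threshold}/60min:", summarize(failed_login_rule(logs, threshold, 60)))
    print("distinct users >= 5/60min:", summarize(spray_rule(logs, 5, 60)))
```

With a threshold of 5 the rule catches the spray but also raises ten false positives on the service account; at 7 it still fires on the service account and silently loses the attacker; at 9 it is quiet and blind. Only the rule that encodes what the attacker actually does differently (many distinct accounts from one source) separates the two, which is exactly the kind of rule that is hard to write in advance for threats you have not seen yet.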

Challenge: Missing unknown threats

Leveraging threat intelligence and prior incidents, you can usually write rules for the known threats. However, as attackers get increasingly sophisticated at morphing their attacks, narrowly targeting organizations and users, and finding new ways to cover their tracks, it is the unknown threats that pose the greatest danger.

Industry research often indicates that on average it takes several months to detect a breach. That’s covering both known and unknown attacks. It is downright scary to think about the breaches you don’t know about – the ones that may dwell in your environment for years without being detected.

Rules, by definition, only cover the known threats. Hence, while your SIEM is collecting mountains of security event data, you’re missing the breaches for rules yet to be written. Which brings us to our next point.

Challenge: Overcoming hard-to-write and tune rules

Ninety percent of enterprises have fewer than 400 rules. Building such rule sets is time-consuming and needs constant revision. Typically, it takes 4-8 hours to fully establish a sophisticated rule, and some security teams have dedicated content authors just for this task. Despite these professionals' best efforts, it is extremely difficult to write rules that cover an extensive set of threats, and keeping those rules well tuned has proven equally laborious.

Challenge: Missing context and “smarts”

Rules are fairly brittle and shallow by nature. It is almost impossible to program rules to account for the context, intelligence and intuition of a human analyst. As a result, SIEMs operate in a very tactical mode, dutifully spitting out alerts following precise instructions. All of the real decision making falls upon the analyst. Fundamentally, SIEM architectures are not designed for cognitive decision making, hence, the SOC relies on an army of security analysts to finish the job.

Turbocharging your SIEM investment

Given these challenges, what can you do to get the most from your SIEM investment? Innovations in security automation technologies can help. Here are some key capabilities you should leverage to complement your SIEM:

1. Automate investigative data gathering.

A core part of the process of investigating each alert is for an analyst to gather all the relevant data associated with that event. This could be checking against sources like VirusTotal, looking up network traffic for a device or user, etc. Much of this information gathering per alert can be easily automated using robotic process automation tools.

2. Automate alert ranking and scoring.

After the data is gathered, you need to determine the severity of each alert. While data gathering has saved your analyst some time, this phase is still very time consuming, especially given the hundreds of alerts that need to be processed each day. The good news is new cognitive automation solutions allow you to automate ranking and scoring of the alerts. By the time an analyst logs into the SIEM, the alert can be already scored with a full explanation of the how and why. The analyst can simply review the scoring and take the appropriate action. For the 95 percent of alerts that are false positives, this means no further action is required. Congratulations, you just brightened your analyst’s day!

3. Add intelligence and context.

As humans, we intuitively add context to our decision making. Teaching a machine to do so is much more difficult. In addition to applying cognitive automation for alert ranking, one key consideration is to ensure you’re able to add your analyst’s contextual expertise and knowledge to the system so the solution can more intelligently score alerts based on the specifics of your environment. SecOps teams should continuously be asking why they have to look at an alert manually. How did they decide whether it was a false positive? What do they know that the system that alerted them did not? Then capture, document and automate that intelligence and context. Of course, if you have a system that is not very adaptable this is going to be hard. Look for solutions that make this “feedback loop” process easy and seamless with a well designed automation framework.

4. Apply continuous threat ranking.

As discussed in the challenges, your SIEM is missing any threats for which you don’t have a rule. The good news is you probably already have a lot of the data you need to detect the unknown threats, hiding somewhere in the mountains of SIEM data. However, you need to add the ability to continuously monitor that data and proactively look for new threats. There is no question, this is information security’s big data problem. Similar to alert ranking, cognitive automation solutions can help detect and rank threats continuously and tirelessly around the clock.
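The first three capabilities above, worked through as an added example that is not part of the original article or any vendor's product: an alert-triage pipeline that gathers context for each alert, scores and ranks it with an explanation, and applies analyst feedback captured from earlier investigations. The alerts, hashes, hosts, addresses and ticket number are constructed, and the lookup tables are local stand-ins for the external services a real playbook would query (a file-reputation service such as VirusTotal, an IP reputation feed, the asset inventory). The fleet-wide prevalence lookup is the closest this example comes to the fourth capability; continuous ranking over raw SIEM data is not shown here.

```python
"""Alert enrichment, scoring, ranking and analyst feedback loop (added example)."""

# --- Constructed inputs: not real alerts, hashes, hosts or addresses ----------
HASH_MAL = "c0ffee" * 10 + "c0ff"   # 64 hex chars, stands in for a malicious binary
HASH_BENIGN = "ab" * 32             # 64 hex chars, stands in for a common benign binary

ALERTS = [
    {"id": "A1", "rule": "failed_logins", "host": "fs-02", "user": "svc-backup",
     "ip": "10.0.0.5", "sha256": None},
    {"id": "A2", "rule": "new_process", "host": "dc-01", "user": "jdoe",
     "ip": "10.0.0.22", "sha256": HASH_MAL},
    {"id": "A3", "rule": "new_process", "host": "wks-03", "user": "alice",
     "ip": "10.0.0.42", "sha256": HASH_BENIGN},
    {"id": "A4", "rule": "outbound_conn", "host": "wks-09", "user": "bob",
     "ip": "203.0.113.7", "sha256": None},
]

# Local stand-ins for the sources an analyst would check by hand.
FILE_REPUTATION = {HASH_MAL: (41, 70), HASH_BENIGN: (0, 70)}   # (detections, engines)
IP_REPUTATION = {"203.0.113.7": "known-c2"}
ASSETS = {"fs-02": "high", "dc-01": "high", "wks-03": "low", "wks-09": "medium"}
PREVALENCE = {HASH_MAL: 1, HASH_BENIGN: 380}   # hosts fleet-wide where the hash was seen

# Context captured from a previous manual triage; the rule itself has no way to know this.
FEEDBACK = [{"rule": "failed_logins", "user": "svc-backup", "adjust": -40,
             "reason": "stale service-account password, tracked in ticket CHG-1234"}]

RULE_BASE = {"failed_logins": 10, "new_process": 15, "outbound_conn": 15}
CRITICALITY_BONUS = {"high": 20, "medium": 10, "low": 0}
REVIEW_THRESHOLD = 30   # at or above this score a human looks; below it, auto-close


def enrich(alert):
    """Capability 1: gather the context an analyst would otherwise look up per alert."""
    e = dict(alert)
    e["file_rep"] = FILE_REPUTATION.get(alert["sha256"])
    e["ip_rep"] = IP_REPUTATION.get(alert["ip"])
    e["criticality"] = ASSETS.get(alert["host"], "unknown")
    e["prevalence"] = PREVALENCE.get(alert["sha256"])
    return e


def score(enriched, feedback):
    """Capabilities 2 and 3: score with an explanation, then apply analyst context."""
    s = RULE_BASE.get(enriched["rule"], 10)
    why = [f"rule {enriched['rule']} base {s}"]
    rep = enriched["file_rep"]
    if rep and rep[1] and rep[0] / rep[1] > 0.3:
        s += 50
        why.append(f"file flagged by {rep[0]}/{rep[1]} engines")
    if enriched["prevalence"] is not None and enriched["prevalence"] <= 2:
        s += 20
        why.append(f"hash seen on only {enriched['prevalence']} host(s) fleet-wide")
    if enriched["ip_rep"]:
        s += 50
        why.append(f"peer IP is {enriched['ip_rep']}")
    bonus = CRITICALITY_BONUS.get(enriched["criticality"], 10)  # unknown asset treated as medium
    if bonus:
        s += bonus
        why.append(f"asset criticality {enriched['criticality']}")
    for fb in feedback:
        match_keys = {k: v for k, v in fb.items() if k not in ("adjust", "reason")}
        if all(enriched.get(k) == v for k, v in match_keys.items()):
            s += fb["adjust"]
            why.append(f"analyst feedback: {fb['reason']}")
    return max(s, 0), why


def triage(alerts, feedback=()):
    """Rank every alert and decide which ones still need a human."""
    out = []
    for a in alerts:
        s, why = score(enrich(a), feedback)
        out.append({"id": a["id"], "score": s, "why": why,
                    "disposition": "review" if s >= REVIEW_THRESHOLD else "auto-close"})
    return sorted(out, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for label, fb in (("without feedback", ()), ("with feedback", FEEDBACK)):
        print(label)
        for r in triage(ALERTS, fb):
            print(f"  {r['id']} {r['score']:>3} {r['disposition']:<10} " + "; ".join(r["why"]))
```

Without feedback the service-account alert A1 lands in the review queue every time it fires; once an analyst has recorded why it is benign, the same pipeline closes it automatically and the queue shrinks to the two alerts that carry real signal, each with the reasons an analyst can check before acting. The weights here are illustrative; the part worth copying is that every score carries its explanation and that analyst knowledge goes back into the system as data rather than staying in someone's head.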

To sum it up, the good news is you don’t need to dump your SIEM. A new generation of automation technologies complement the SIEM you already have. Look for solutions that are able to tackle both robotic and cognitive automation tasks to get the best bang for your buck, today and in the future. Make sure the solution is also able to add your organization’s specific context and intelligence for the highest levels of effectiveness.
