SIEM analytics, management capabilities vary widely between organizations

Aug. 10, 2023
An RSA survey revealed sobering numbers about how many security alerts organizations get each day, and how difficult of a task it is to sort through them.

Traditionally, the purpose of Security Incident and Event Management (SIEM) technology has been primarily for logging, data retention and compliance.

But SIEMs have evolved over the last decade to focus on identifying and detecting threats. They do this by ingesting data, which is mostly logs from across the entire network. Some use machine learning and other complex analytics to improve threat detection, calculate risk and provide more contextual information to analysts. 

To learn more about how SOC teams have been using these newer, more advanced SIEM capabilities (and if they’re using them at all), my company conducted a survey at RSA 2023. 

We got responses from hundreds of working security professionals attending the show. We found that data analytics and management capabilities of SIEMs vary widely, with some organizations reporting quite advanced capabilities and others reporting very limited functionality. 

There were also some sobering numbers about how many security alerts organizations get each day and how difficult of a task it is to sort through them. Here’s what we found.

Many SIEMs Can’t Detect Unknown Threats

Detecting an attack is difficult if the malware has been obfuscated so it doesn’t match existing threat signatures, or the stages of the attack are spread out over time so that they seem to be unrelated. 

About 21% of respondents didn’t know if their SIEM could detect unknown threats and nearly 17% were not confident it could. On the other hand, 57% were either “very confident” or “somewhat confident” that their SIEM was up to the challenge. 

Part of this split might go back to SIEMs that use rule-based correlations, which cannot detect threats for which there is no signature. SIEMs which use machine learning analytics that learn over time are vastly more adept at detecting unknown attacks. 

Teams that use a rule-based SIEM either must wait for the vendor to update the SIEM with a new model for each new attack, or gather threat intel and tweak existing models (or create new ones entirely).   

Customization, Data Ingestion and Analytics Capabilities Vary Widely

Many respondents reported that their SIEM scored well in customizing data ingestion, playbooks and analytics, but many reported the opposite. 

For example, 15% of organizations can build custom playbooks in minutes and 24% can do it in hours, but 22% didn’t know if they could build custom playbooks and 6% claim it’s not even included in their SIEM. 

The ability to chain together different types of analytics is crucial to stopping threats. Some 51% of respondents can do this for endpoint, 50% for network, 26% for identity, 23% for cloud, 18% for UEBA and 13% for IoT. But 18% were not even sure if their SIEM was capable of chaining together analytics. 

SOC Teams Want Automation and Prioritization

The survey found SOC teams want their SIEM to offer automated responses and prioritization, based on risk scores, to help them respond to threats effectively. These were responses #1 and #2 at 29% and 28% of respondents. 

They were also interested in precise context for remediation actions (18.88%) and customized workflows or playbooks (11.16%). Also, 12.88% reported they can’t actively respond to threats. 

Both the top features work together to make the SOC more efficient; automated responses are faster and remove human error, and prioritization lets the team focus on high-risk events without wasting time on low-risk ones. 

Prioritization also allows more responses to be automated. Responses should be automated in situations with a high-risk event and a remediation action that’s unlikely to cause problems to legitimate users. Risk scores and prioritization built into the SIEM make these automated responses more feasible. 
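The chaining, risk scoring and response gating described above, as an added illustration that is not code from the article or from any vendor's SIEM: alerts from several analytics are combined per entity into a risk score, the queue is prioritized by that score, and a response is automated only when the risk is high and the remediation action is unlikely to affect legitimate users. The source weights, thresholds and sample alerts are constructed assumptions.

```python
from dataclasses import dataclass
from collections import defaultdict

# Assumed weights for each analytic source (not from the article).
SOURCE_WEIGHT = {"endpoint": 1.0, "network": 0.8, "identity": 1.2, "cloud": 0.9}

@dataclass
class Alert:
    entity: str    # host or user the alert concerns
    source: str    # which analytic produced it (endpoint, network, identity, ...)
    severity: int  # 1-10 as emitted by that analytic

@dataclass
class Action:
    name: str
    user_impact: str  # "low" (e.g. isolate a host) or "high" (e.g. disable a user)

def chained_risk(alerts):
    """Combine alerts from several analytics into one risk score per entity.
    Each additional distinct source multiplies the score, so an entity flagged
    by endpoint AND network AND identity analytics outranks one noisy source."""
    by_entity = defaultdict(list)
    for a in alerts:
        by_entity[a.entity].append(a)
    scores = {}
    for entity, group in by_entity.items():
        base = sum(a.severity * SOURCE_WEIGHT.get(a.source, 0.5) for a in group)
        distinct_sources = len({a.source for a in group})
        scores[entity] = round(base * (1 + 0.5 * (distinct_sources - 1)), 1)
    return scores

def prioritize(alerts):
    """Return (entity, risk) pairs, highest risk first, for the analyst queue."""
    return sorted(chained_risk(alerts).items(), key=lambda kv: kv[1], reverse=True)

def response_decision(risk, action, auto_threshold=20.0, review_threshold=5.0):
    """Automate only a high-risk event paired with a low-impact action;
    send other meaningful risk to an analyst; suppress the rest."""
    if risk >= auto_threshold and action.user_impact == "low":
        return "automate"
    if risk >= review_threshold:
        return "analyst_review"
    return "suppress"

# Constructed sample alerts (not real data).
SAMPLE_ALERTS = [
    Alert("host-17", "endpoint", 6),
    Alert("host-17", "network", 5),
    Alert("host-17", "identity", 4),
    Alert("host-42", "network", 9),   # single noisy source
    Alert("jdoe", "identity", 3),
]
```

Running `prioritize(SAMPLE_ALERTS)` places host-17 first because three analytics agree on it, while the single high-severity network alert on host-42 lands in analyst review rather than being auto-remediated.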

Contextual Data Comes at a Price

A surprising operational problem revealed itself in our findings: 10% of respondents said it was “too expensive” to bring a lot of contextual data sources into their SIEM. This is because many SIEMs charge based on the volume of data ingested. 

Unfortunately, this creates a situation where efforts to get better visibility by adding more data to the SIEM may get shut down to save costs. The most common contextual sources security pros have access to are endpoint (55%), email (40%), firewall/IPS (36%) and cloud applications (34%). 

Ease of use also matters. For most SIEMs to ingest data from a new application, device or updated schema, they need a new data parser or updates to an existing parser. The organization can hire someone tasked with building and updating these, pay a consultant or service provider to do it, or rely on their SIEM vendor to provide one -- which can take weeks or months. 

About 24% of respondents said their SIEM offers automated data source mapping (the more automated this process is, the easier it will be) and 30.% can add new data sources to their SIEM in days. On the other side, 31% of respondents don’t know how to add a new data source to their SIEM and 42% say it takes weeks or longer to add one. 

It’s heartening to see that many respondents can easily add new data sources, but others still have a long way to go. 

Over 1,000 Security Alerts Per Day

Most security teams must deal with an overwhelming flood of security alerts each day. The survey showed 61% of teams claimed to get more than 1,000 alerts a day, 23% get more than 1,000 a day, 14% get more than 10,000 a day and 4% get more than 100,000 a day. 

Some 74% say there are simply too many alerts to count. Several other findings from the survey suggest that many SIEMs are ingesting a great deal of data without enough analytical capabilities to filter out false positives or help analysts prioritize these alerts. 

For many organizations, improving their threat detection will require that they cut down on the number of alerts they must deal with.  

Overall, the amount of security alerts SOC teams reported certainly gave us pause, and the number that could not detect unknown threats was also worrying. 

But my colleagues and I were encouraged by the percentages that reported they could detect unknown threats, customize their SIEM, and chain together several types of analytics. Many organizations use their SIEM as a useful part of their threat detection program -- but others still have a long way to go.

Interested in viewing the full survey results? Download the report here: SIEM Data Analytics Challenges Facing the SOC. 

About the author: Saryu Nayyar is the CEO of Gurucul. She is an internationally recognized cybersecurity expert, author, speaker and member of the Forbes Technology Council. She has more than 15 years of experience in the information security, identity and access management, IT risk and compliance, and security risk management sectors, and has held leadership roles in security products and services strategy at Oracle, Simeio, Sun Microsystems, Vaau (acquired by Sun), Disney and Ernst & Young. She is passionate about building disruptive technologies and has several patents pending for behavior analytics, anomaly detection and dynamic risk scoring inventions.