ISACA Journal
Volume 6, 2014


Seven Mistakes Being Made in SIEM and How to Fix Them 

Flint Brenton 

Target’s security breach is a parable that continues to unfold daily, and it has drawn the interest of the IT community. From companies that process transactions to vendors that provide security solutions to the end customer wondering how to protect themselves from fraud, everyone can benefit when it comes to additional information with regard to security.

Providers of security information and event management (SIEM) software believe that traditional solutions are indeed falling short. While there is no one-size-fits-all solution to securing every network, the following seven mistakes of current SIEM systems must be solved to effectively secure data in the modern enterprise.

Mistake 1: Client-server-based Log Management Does Not Scale

Client/server architectures have been used for log management in SIEM systems to normalize data held in various log formats. For example, Windows logs are stored in a proprietary format, while network devices send syslog messages that follow the same request for comments (RFC) but vary in content. Database audit logs are a mix of table data and file audit data.

Putting these logs in a client-server architecture is an immediate fix, but managing multiple log formats in a big data world has become unwieldy.

The solution: Standardize data, set formats and store them in a centralized data structure. This can be achieved if there is industrywide implementation and use of an RFC or standard form of log collection that ensures that source devices do not require clients or special formatting and are not taxed in terms of processing. Once data are collected in a standard format and properly categorized, storage, indexing and retrieval become easier.
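One way to realize the "standard format, properly categorized" step described above, as an added example that is not code from the article or from any SIEM vendor: two wire formats (an RFC 5424 syslog line and a Windows Security event flattened to key=value text) are mapped onto one record layout, tagged as security-relevant or not, and ordered for a central store. The hosts, addresses and sample lines are constructed.

```python
import re
from datetime import datetime

# Constructed sample inputs (hypothetical hosts and addresses): an RFC 5424
# syslog line from a firewall, and a Windows Security event flattened to
# key=value text by a collector. Neither comes from the article.
SYSLOG_LINE = ("<38>1 2014-11-03T10:15:22Z fw01 sshd 4120 - - "
               "Failed password for root from 203.0.113.7 port 51522")
WINDOWS_LINE = ("EventID=4625 Computer=DC01 TimeCreated=2014-11-03T10:15:30Z "
                "TargetUserName=admin IpAddress=198.51.100.9")

# RFC 5424: PRI = facility * 8 + severity. Facilities 4 (auth), 10 (authpriv)
# and 13 (log audit) carry security-relevant messages; the rest are noise here.
SECURITY_FACILITIES = {4, 10, 13}
# Windows Security log event IDs mapped to a vendor-neutral event name.
WINDOWS_SECURITY_IDS = {4624: "logon_success", 4625: "logon_failure",
                        4720: "account_created"}

# Header parse only; assumes NILVALUE ("-") structured data, so no spaces in it.
SYSLOG_RE = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) ?(.*)$")

def normalize_syslog(line):
    """Map an RFC 5424 line onto the common record layout."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    pri, ts, host, app, _procid, _msgid, _sd, msg = m.groups()
    facility, severity = divmod(int(pri), 8)
    return {"timestamp": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "source": app, "severity": severity,
            "category": "security" if facility in SECURITY_FACILITIES else "other",
            "message": msg}

def normalize_windows(line):
    """Map a key=value Windows event onto the same record layout."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    event_id = int(fields["EventID"])
    name = WINDOWS_SECURITY_IDS.get(event_id)
    return {"timestamp": datetime.fromisoformat(fields["TimeCreated"].replace("Z", "+00:00")),
            "host": fields["Computer"], "source": "windows-security",
            "severity": 4 if name == "logon_failure" else 6,  # syslog scale: 4=warning, 6=info
            "category": "security" if name else "other",
            "message": f"{name or 'event ' + str(event_id)} user={fields.get('TargetUserName', '')}"}

def normalize(line):
    """Dispatch on the wire format; every record comes out with the same keys."""
    return normalize_syslog(line) if line.startswith("<") else normalize_windows(line)

def security_events(lines):
    """Keep only categorized security records, oldest first (the central store's order)."""
    records = [normalize(l) for l in lines]
    return sorted((r for r in records if r["category"] == "security"), key=lambda r: r["timestamp"])
```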

Mistake 2: Rules-based Only Analytics

Rules require frequent human modification to be effective. Rules are set up, tested and then tweaked as necessary. And, different rules must be set up to monitor different situations. Conversely, machine learning continuously analyzes data inputs across networks to understand what is normal and what is not normal.

The solution: Add machine learning capabilities to SIEM. Machine learning systems learn automatically from collected data. From these data, alerts, reports and notifications can then be created to keep organizations apprised of what needs attention.
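The contrast drawn above between a hand-tuned rule and a system that learns what is normal, as an added example that is not from the article: a single global threshold is compared with a per-host baseline (mean and standard deviation learned from history, with a z-score cut-off), and new observations are folded back into the history so the baseline keeps learning. Hosts, counts and the z-score threshold are constructed.

```python
import statistics

# Constructed history (hypothetical hosts): failed-logon counts per hour over
# twelve hours, the "collected data" a learning system trains on. build01 is a
# CI runner whose scripted retries fail constantly; web01 is almost always quiet.
HISTORY = {
    "web01":   [2, 3, 1, 4, 2, 3, 2, 3, 1, 2, 3, 2],
    "build01": [40, 55, 48, 60, 52, 45, 58, 50, 47, 53, 49, 51],
}

# The hand-tuned rule: one global threshold that someone has to keep adjusting.
STATIC_THRESHOLD = 20

def rule_alert(count):
    """Rules-only analytics: the same fixed line for every host."""
    return count > STATIC_THRESHOLD

def learn_baseline(history):
    """Learn what 'normal' is per host: mean and population std-dev of its counts.
    A std-dev of zero is floored to 1.0 so a perfectly flat history can still score."""
    return {host: (statistics.mean(v), statistics.pstdev(v) or 1.0)
            for host, v in history.items()}

def baseline_alert(baseline, host, count, z_threshold=3.0):
    """Flag an hour whose count lies more than z_threshold std-devs above the host's own mean."""
    mean, sd = baseline[host]
    return (count - mean) / sd > z_threshold

def observe(history, host, count):
    """Continuous learning: fold the new observation into that host's history."""
    history.setdefault(host, []).append(count)

def compare(history, host, count):
    """Run both detectors on one observation and return their verdicts side by side."""
    baseline = learn_baseline(history)
    return {"rule": rule_alert(count), "baseline": baseline_alert(baseline, host, count)}
```

On the constructed history the rule fires every hour for the noisy CI runner and never for the quiet web host, while the baseline does the opposite: it ignores the runner's normal churn and flags the web host at a count the global rule considers harmless.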

Mistake 3: Creating Events, Not Just Analyzing Them

SIEM solutions frequently attempt to be everything a chief information security officer (CISO) would ever want, including tools that create events, such as intrusion detection and prevention systems. The real value of a SIEM is to aggregate, analyze and act on data sources, not to create them. Losing that focus results in a watered-down SIEM that only parses and alerts rather than bringing real intelligence to data mining.

The solution: Focus SIEM on being the brains of the network, not the arms and legs. A SIEM stays in that role by performing consistent and comprehensive infrastructure monitoring. SIEMs are designed to identify and analyze security-related data, but unrelated network noise often derails the proper process. That is why having a secure network engineering infrastructure in place also serves the goal of noise reduction.

Mistake 4: Processing Nonsecurity Data

For a SIEM to run most efficiently, it should receive only security-related data to analyze. However, today’s SIEMs often receive a variety of other network noise, such as performance and compliance data and Internet Protocol (IP) packet traffic, which creates unnecessary overhead and becomes a resource drain on the system. This is where log standardization and categorization can play a key role. If the system were able to find only the security-related data and process them, most enterprises would never be hitting more than 5,000 events per second (EPS).

The solution: Be able to identify and analyze only security-related data. SIEMs monitor across the entire IT infrastructure in real time on a single screen to quickly identify and resolve security incidents and performance bottlenecks. With multiple critical monitoring functions in a single application, SIEMs accelerate problem identification, helping IT to quickly determine the appropriate corrective response.

Mistake 5: Reporting on Postprocessing Analysis of SIEM Data

Enterprises want to move beyond, “What just happened?” to “What is happening now?” Today’s SIEM solutions should provide real-time analytics across the entire cloud—public, private and hybrid—not just historical data. By monitoring network services and traffic from network flows and firewall logs, organizations can understand what anomalies are occurring in their network as they happen.

The solution: Use real-time analytics to proactively secure the network. This means using a tested incident response plan to offer real-time analytics on network traffic and deliver alerts as anomalies occur, automate the discovery of potential threats, and escalate critical notifications into an incident response infrastructure to quickly minimize damage and focus on removing attacks.

Mistake 6: Responding Passively to Security Threats

Today’s SIEMs respond to rules that are set, watched and tweaked by human interaction. The real value of SIEM is when the system can respond to threats without human interaction, such as sending an alert or doing basic Information Technology Infrastructure Library (ITIL) service management integration out of the box. Many SIEM rules are basic, become repetitive over a period of time and can be automated into a workflow. The system should also be capable of becoming self-sufficient, taking corrective (or offensive) action on its own by working with an enterprise’s existing change and configuration management tools.

The solution: Use machine learning and workflows to actively respond to threats. Much like the solution to mistake 2, machine learning from collected data can be utilized to create reports and notifications to keep enterprises aware of potential issues.

Mistake 7: Heavy and Nonmobile-optimized Reporting Dashboards

As a corollary to mistake 4, today’s SIEM management consoles are code-heavy in the front end and central processing unit (CPU)-heavy on the back end. The result is that dashboard data are often lagging and unable to show real-time results. Furthermore, the dashboards are too complicated and detailed for an IT professional whose device of choice is an iPhone. SIEMs need to use rules and machine learning to eliminate network noise and show real-time results, and they must create dashboards that are graphically driven and responsive to mobile devices.

The solution: Lighten up reporting dashboards, and make them look great on a mobile device. A major objective for SIEM is to have a dedicated monitoring and security operations center. In large enterprises, 24/7 monitoring for events and incidents is often in place. Accessible SIEM dashboards become ever more necessary as dependence on mobile devices continues to grow.

Be Prepared for When

As an industry, the IT community can benefit from a general security standard that assists in solidifying a long-term plan and solution for data protection. With cyberattacks growing in frequency and complexity, it is no longer a question of if, but when. Risk of such attacks can be reduced by using these seven common SIEM mistakes as a foundation for evaluating and implementing essential security control solutions against cyberattacks.

Flint Brenton joined AccelOps as president and chief executive officer (CEO) in 2012. He is a proven IT operations management software veteran and most recently served as senior vice president of engineering in Cisco’s intelligent automation business unit. In this role, he led the organization in delivering automation solutions that make it easier for IT to manage and administer diverse technologies. In 2009, as president and CEO of Tidal Software, he oversaw the company’s acquisition by Cisco. He then guided the integration of the Tidal business into Cisco and the creation of the Intelligent Automation business unit.
