Many enterprises count on security information and event management (SIEM) products to help identify threats by correlating security event data across a variety of sources, but one analyst says SIEM deployment failures remain common because organizations buy the technology without fully understanding it.
In a report issued last week, Oliver Rochford, research director with Stamford, Conn.-based Gartner Inc., detailed the most common issues that lead to SIEM deployment failures.
When they first debuted in the late 2000s, SIEM products were notoriously difficult to implement, configure and manage, causing many organizations to abandon SIEM projects before they were completed. Despite improvements made to the technology in recent years, Rochford estimated that somewhere between 20% and 30% of SIEM deployments among his client base fail, meaning not only do they not meet predefined goals, but also that many organizations don't even bother using the product.
But according to Rochford, many of those failed deployments could have been avoided if organizations had both researched the technology and analyzed their own environments. For instance, Rochford said the main reason SIEM deployments stall is that organizations underestimate the resources needed to operate and maintain the product.
Once a SIEM product is turned on, it can instantly produce thousands of events that must be treated as legitimate security incidents, he said, so if an average enterprise wants to use the SIEM as the core of a continuous real-time monitoring program, it will need a minimum of eight people focused on the SIEM alone – perhaps slightly fewer with automation. Rochford added that this number doesn't even take into account management, employee turnover or vacation time.
"A lot of organizations are never going to have that amount of people just to do the monitoring component," said Rochford, noting that the personnel requirement alone puts SIEM out of the reach of small- and medium-sized businesses. "They have it and then they can't use it because they don't have the resources available."
Even in cases where an organization has the budget and personnel required to manage a SIEM deployment, problems still arise due to a lack of planning. Rochford said organizations often send all available log data to their SIEM products, but then aren't prepared for the ensuing tidal wave of alerts that are actually false positives. Such cases tend to produce situations akin to the boy who cried wolf, he said, where after six to 12 months of too many false positives, most employees tend to ignore the warnings.
Conversely, Rochford said some organizations fail to feed a key data source into a SIEM product. For example, an enterprise may be attempting to monitor authentication failures, but without integrating Active Directory, a SIEM will be unable to yield the desired alerts.
Rochford said that realistically, any given organization will be able to monitor a limited amount of SIEM output, so it's vital to understand the threat detection priorities upfront. For instance, a common use case for a SIEM product is monitoring outbound network connections for malicious activity, he said, such as connections going to a command and control server for malware.
"That's a very limited use case. You know exactly what data sources you need, you're going to need a proxy on the firewall and you know you'll need threat intelligence," said Rochford. "But without defining all that in advance, you might end up buying a SIEM product that doesn't support threat intelligence. That's a very common case we see."
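As an added illustration (not code from the article, Gartner or any SIEM vendor), the following Python sketch models the two use cases Rochford describes: an outbound-connection check that matches proxy log destinations against threat intelligence, and an authentication-failure rule that only works when Active Directory events are being fed in. The sample log lines, the indicator domain and the account allowlist are constructed placeholders; the point is that a use case whose required data source is missing is refused explicitly rather than silently yielding no alerts, and that tuning (the allowlist) is part of the rule, not an afterthought.

```python
import re
from collections import Counter

# Constructed sample data, not taken from the article or any real SIEM.
PROXY_LOGS = [
    "2024-01-10T09:00:01 src=10.0.1.15 dst=updates.example.org action=allow",
    "2024-01-10T09:00:07 src=10.0.1.22 dst=c2-placeholder.example action=allow",
    "2024-01-10T09:00:09 src=10.0.1.15 dst=c2-placeholder.example action=allow",
]
THREAT_INTEL = {"c2-placeholder.example"}  # hypothetical indicator feed
# (user, outcome) pairs in the style of Active Directory logon audit events.
AD_EVENTS = ([("alice", "failure")] * 6 + [("alice", "success")]
             + [("bob", "failure")] * 2 + [("svc-scanner", "failure")] * 9)

# Each use case names the data sources it cannot work without (the article's point
# that authentication monitoring without an AD feed yields no alerts at all).
USE_CASES = {
    "outbound_c2": {"proxy", "threat_intel"},
    "auth_failures": {"active_directory"},
}

def missing_sources(use_case, available):
    """Return the data sources a use case needs but the SIEM is not receiving."""
    return USE_CASES[use_case] - set(available)

LINE_RE = re.compile(r"src=(\S+) dst=(\S+)")

def detect_c2(proxy_lines, intel):
    """Outbound-connection use case: flag proxy destinations listed in threat intel."""
    hits = []
    for line in proxy_lines:
        m = LINE_RE.search(line)
        if m and m.group(2) in intel:
            hits.append((m.group(1), m.group(2)))
    return hits

def detect_auth_failures(events, threshold=5, allowlist=frozenset()):
    """Auth-failure use case: users at or above the failure threshold, minus tuned-out accounts."""
    counts = Counter(user for user, outcome in events if outcome == "failure")
    return {u: n for u, n in counts.items() if n >= threshold and u not in allowlist}

def run(use_case, available, **kw):
    """Refuse to run a use case starved of its data sources; otherwise evaluate it."""
    missing = missing_sources(use_case, available)
    if missing:
        return ("missing_sources", sorted(missing))
    if use_case == "outbound_c2":
        return ("alerts", detect_c2(PROXY_LOGS, THREAT_INTEL))
    return ("alerts", detect_auth_failures(AD_EVENTS, **kw))
```

Running the auth-failure use case with only proxy data returns a "missing_sources" result, and adding the scanner service account to the allowlist drops the noisiest (expected) source of failures while keeping the real one.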
SIEM deployment best practices
To avoid many of the headaches associated with a SIEM deployment, Rochford advocated for a formalized approach to SIEM planning before making a purchase. This requires forming a project team -- including stakeholders outside the security team -- and then defining the monitoring objectives and initial scope. He said each organization must understand exactly what it wants to monitor, whether it be a mission-critical database server or a perimeter security product such as a firewall, so that the right vendor can be selected.
Once a product has been purchased, Rochford said that organizations should then focus on implementing between five and seven use cases within the first six months. That process should include defining the scope, identifying the data sources that need to be fed into the SIEM to produce the desired result and constructing the dashboard for reports. Of course, the scope of a SIEM can be expanded, Rochford added, but it can't be completed all at once.
"This is a concern that organizations, especially those that have a critical or an urgent need, tend to just brush under the carpet," said Rochford. "But realistically, if you just set this thing up and throw a million sources at it, the tuning and optimization will be something that even experts find difficult."
Rochford also emphasized that even after properly planning and rolling out SIEM, the technology still requires maintenance on an ongoing basis as threats continue to evolve. That means that security teams must constantly reevaluate exactly what data sources are fed to a SIEM product.
Ultimately, deploying SIEM technology means encountering many potential pitfalls for even the most well-funded security teams, Rochford said, which is why Gartner advocates employing a third-party service provider to manage SIEM products. Whereas a single enterprise may need eight or more people to manage a SIEM, he said a service provider can manage deployments for between 150 and 200 organizations with a team of 25 or 30 security professionals. Service providers can also provide threat expertise that an organization may otherwise be lacking.
"Realistically, there are a lot of organizations that will never be able to use SIEM. It's a technology that relies on everything else being well formed," said Rochford. "It already expects you to have a segmented network, to have firewalls, to be doing antivirus. So you have to be high up on the maturity curve. You need the correct budget to be able to run SIEM."