Deploying your own SIEM – the good, the bad & the ugly
A SIEM, or Security Incident & Event Management solution, is designed to collect and store event log data gathered from computer systems. The goal of the SIEM is to take all of that log data and allow analysts to find the security alerts hidden within it. This sounds great, but in reality there are some major hurdles to overcome when deploying a SIEM solution.
Commercial SIEMs are expensive. There are cheap solutions, but they tend to be a mishmash of open-source tools that don’t work cohesively. Those based on a consumption model become increasingly expensive as you collect and store more data for analysis. An out-of-the-box SIEM won’t necessarily have all the dashboards, filters & reports that you require, so you’ll have to build them yourself! To get the most out of your SIEM you need specialised staff with specific skill sets to sort through the data and find the actionable events.
For SMEs, deploying a SIEM often just doesn’t make sense because of the cost, complexity & resources required.
In a recent Ponemon report nearly 600 SIEM users from large enterprises across the U.S. were surveyed to better understand their attitudes and issues with their currently deployed SIEM solutions.
Some of the key findings from the report include:
52% are not satisfied with the actionable intelligence they receive from their SIEM.
70% want their SIEM to generate alerts that are more accurate, prioritized, and meaningful.
68% feel their SIEM is a useful tool, but need more trained staff to fully utilize it.
So SIEMs are not delivering on what they are supposed to do, which is to find and prioritise the alerts that actually matter, and without skilled staff in place you are not going to see any value from your investment in the product.