“We continue to see large companies that are re-evaluating SIEM vendors to replace SIEM technology associated with partial, marginal or failed deployments.”
July 2015, Gartner Magic Quadrant for Security Information and Event Management
Kelly M. Kavanagh, Oliver Rochford
Switching SIEM vendors would represent a material shift in investment for a company’s security team, yet not enough buyers are able to realize the full promise SIEM offers. The traditional approach of correlating events from different sources using SIEM has been around for many years but has proven insufficient for performing actual investigations. As more companies today embrace an intelligence-driven SOC approach to become context-aware when responding to the onslaught of incidents, maybe it is time to reevaluate. Rather than vendor swapping, shouldn’t buyers work to close the gaps inherent in a SIEM solution?
The log centric approach — don’t let it bog you down.
A typical security team deploys dozens of solutions and is overwhelmed with countless logs and alerts. As the traditional approach of correlating events using SIEM may be an important step in prioritizing investigations, spending time on log analysis is rarely enough and turns the investigation into guesswork. Security teams are limited to high-level metadata and are left blind to security threats targeting their network. Enterprise visibility should extend beyond logs and flow data and includes the actual payloads of network conversations in order to validate security alerts and determine the extent of successful attacks.
Traditional forensics relies on full packet capture technologies. Too much chaff & yet not enough wheat.
To truly investigate security incidents, organizations deploy network forensics solutions, designed to retain and analyze full packet capture data. Unfortunately, in most real-life scenarios these tools have proven to have an unacceptable ROI. As you can imagine, the complexity involved in sorting through mountains of packets requires advanced skill-sets that only a few team members possess. Second, recording traffic at an enterprise-scale is a storage nightmare and often restricted to merely several days’ retention periods. While most security breaches take weeks to months to discover, the value of traditional solutions that entail full packet capture is clearly diminished.
Difficulty to build shared knowledge and skills for security investigations and incident response teams.
The current recognized shortage of skills in cyber security creates a major bottleneck in facilitating forensics investigations. Organizations must cope with users who lack deep expertise; and allow front-line responders to handle more complex investigations, thus escalating fewer tickets. Today’s solutions should be able to do all the heavy lifting of data analysis to automatically translate network packets and sessions into intuitive, searchable intelligence that can be used without labor-intensive efforts.
Conclusion
Until the SIEM vendors address these solution gaps, the return on investment in SIEM technology will likely come up short (Gartner estimates the investment to be $1.6B in 2015). Real industry data demonstrates that post breach investigation effectiveness is the key to limit liability. A SIEM can help provide companies a single pane of glass for their security event detection and correlation. However, the critical missing piece impacting SIEM effectiveness today is often the lack of robust forensics tools to yield better and faster investigations.