Gurucul recently conducted a survey of more than 230 security professionals at the 2023 RSA Conference to better understand the biggest SIEM challenges facing the SOC today. Security Information and Event Management (SIEM) users face issues around data ingestion, security analytics, and threat detection and response. While traditionally the core purpose of the SIEM has been logging, data retention and compliance, SIEMs have evolved over the last decade to be more focused on identifying an ever-increasing number of complex security threats. We wanted to hear how well modern SIEM solutions were accomplishing this goal, straight from the security practitioners that use them every day.
More than ever, the effectiveness of security programs depends on having full visibility into the entire enterprise. Blind spots mean places that attackers can hide, which makes defender’s jobs harder. Most current SIEM products collect and ingest data, primarily logs, across the entire network to prevent this. Some (often called “Next Generation SIEMs”) use advanced analytics and Machine Learning to improve visibility, calculate risk, and produce more accurate alerts. How well are these capabilities working in practice? Let’s see what our respondents said.
Most SOC Teams Get Over 1,000 Security Alerts Per Day
These alert numbers were staggering. Incredibly, security teams are still facing a barrage of security alerts with 61.37% of teams claiming to get more than 1,000 alerts a day. 4.29% get more than 100,000 a day, and a whopping 19.74% say there are simply too many alerts to count.
This tells us that these respondents’ SIEM solutions lack comprehensive data source ingestion and the analysis used to contextualize and reduce false positives. It will be quite difficult for these SOC teams to pick out the true positives in such a flood of unprioritized data.
Adding New Data Sources to A SIEM Is Difficult
Ingesting data from a new application, device, or updated schema, interpreting that data, and then determining the relevant context for that specific data source requires a new data parser or changes to existing data parsers. This often requires the organization to hire someone who can build or maintain these parsers, pay for professional services, or wait for the SIEM vendor to publish one, which can take months.
23.61% of respondents use automated data source mapping, which simplifies the integration of new data sources, takes less time, and allows the team to better respond to current security threats. Also, 30.04% of respondents claim they can add new data sources to their SIEM in just days, which is great news.
But not all SIEMs make this easy. 30.9% of respondents don’t know how to add a new data source to their SIEM, and 21.89% rely on the data source provider to do it. 42.5% claim it takes weeks, months or longer to add new data sources, likely because of the issues above. These numbers are an encouraging start, but they could be much better.
Not Everyone Is Confident Their SIEM Can Detect Unknown Threats
Only 19.74% of teams were very confident their SIEM could detect unknown threats and 37.34% were somewhat confident. But 16.74% were not confident at all, 5.58% know their SIEM can’t detect unknown threats, and 20.60% claim to have no idea. Since most SIEMs rely on correlation rules, detecting an attack becomes extraordinarily difficult if the threat actor has altered any malicious code or the attack campaign is obfuscated – perhaps by spreading the steps of the attack out over time to circumvent known defenses.
Rule-based correlations can neither adapt to the organization nor handle these variants. Security teams must gather the right threat intelligence and tweak the models or build custom models to handle any new variants or attacks – and the organization is vulnerable in that time. SIEMs that can detect unknown threats will provide better threat detection overall.
More Data Means More Context, But Sometimes Higher Costs
The top four contextual sources respondents claimed they could utilize were endpoint (55.36%), email (39.91%), firewall/IPS (36.48%), and cloud applications (33.91%). However, 10.30% believe it’s currently too expensive to bring all these data sources into their SIEM.
This points out an important operation problem with many SIEM solutions; the more data you feed in, the more alerts they create. This leads to more false positives and dramatic, often unpredictable increases in cost over time. This is because most SIEMs charge based on the amount of data ingested and collected. This equates to customers getting penalized the more they want to protect their organization. Adding additional security analytics such as UEBA or NTA can exacerbate the problem with more alerts.
Many SOC Teams Cannot Identify the Full Attack Kill Chain Or Build Custom Playbooks
It was good to see that 15.02% of respondents claim they can build custom playbooks and workflows in just minutes and 24.46% can do this in just hours. Unfortunately, 31.76% still take days to create these policies and flows, 22.32% didn’t know if they could build custom playbooks, and 6.44% claim it’s not even included in their SIEM. Automation is the key to streamlining threat response, so the more this process can be automated, the better.
Chaining together analytics to help identify the full attack kill chain is crucial to stopping threats. Yet only 51.07% of respondents claim to do this for endpoint, 49.79% for network, 25.75% for identity, 23.18% for cloud, 17.60% for UEBA, and 13.30% for IoT. Teams need to work to chain more analytics together to quickly and accurately determine that an attack campaign is actually underway versus an isolated threat. It’s worth noting that 17.60% of respondents were not even sure if their SIEM was capable of chaining together analytics.
Overall, it was encouraging to see how many respondents had some advanced SIEM capabilities, how many were confident their SIEM could detect unknown threats, and how quickly many of them could add new data sources. But these numbers could be much higher. Many organizations seem to be working with limited SIEM technology that creates significant gaps and limits when it comes to threat detection. And the high numbers of alerts per day was sobering to see. It shows just how important it is to have accurate threat detection.
Download The Full Report
I hope this has given you a snapshot of the current state of SIEM technology. For all the results, download the full report. Learn more about the Gurucul Next Generation SIEM offering here.