Gurucul recently conducted a survey of more than 230 security professionals at the 2023 RSA Conference to better understand the biggest SIEM challenges facing the SOC today. Security Information and Event Management (SIEM) users face issues around data ingestion, security analytics, and threat detection and response. While traditionally the core purpose of the SIEM has been logging, data retention and compliance, SIEMs have evolved over the last decade to be more focused on identifying an ever-increasing number of complex security threats. We wanted to hear how well modern SIEM solutions were accomplishing this goal, straight from the security practitioners that use them every day.
More than ever, the effectiveness of security programs depends on having full visibility into the entire enterprise. Blind spots are places where attackers can hide, which makes defenders' jobs harder. Most current SIEM products collect and ingest data, primarily logs, from across the entire network to close those gaps. Some (often called "Next Generation SIEMs") use advanced analytics and Machine Learning to improve visibility, calculate risk, and produce more accurate alerts. How well are these capabilities working in practice? Let's see what our respondents said.
These alert numbers were staggering. Incredibly, security teams are still facing a barrage of security alerts with 61.37% of teams claiming to get more than 1,000 alerts a day. 4.29% get more than 100,000 a day, and a whopping 19.74% say there are simply too many alerts to count.
This suggests that these respondents' SIEMs lack both comprehensive data source ingestion and the contextual analysis needed to suppress false positives. It will be very difficult for these SOC teams to pick out the true positives in such a flood of unprioritized alerts.
Ingesting data from a new application, device, or updated schema, interpreting that data, and then determining the relevant context for that specific data source requires a new data parser or changes to existing data parsers. This often requires the organization to hire someone who can build or maintain these parsers, pay for professional services, or wait for the SIEM vendor to publish one, which can take months.
23.61% of respondents use automated data source mapping, which simplifies the integration of new data sources, takes less time, and allows the team to better respond to current security threats. Also, 30.04% of respondents claim they can add new data sources to their SIEM in just days, which is great news.
But not all SIEMs make this easy. 30.9% of respondents don’t know how to add a new data source to their SIEM, and 21.89% rely on the data source provider to do it. 42.5% claim it takes weeks, months or longer to add new data sources, likely because of the issues above. These numbers are an encouraging start, but they could be much better.
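The parser problem described above, as an added example that is not Gurucul's code or any product's ingestion pipeline: a small parser registry that maps raw lines from each source onto one common event schema, and reports what is dropped when a source has no parser or a line does not parse. Both log formats, the field names, and every sample line are constructed for illustration.

```python
"""Added example (not Gurucul's code): a parser registry that normalizes raw
log lines from different sources into one common event schema.
Both log formats and all sample lines are constructed."""
import json
import re
from datetime import datetime, timezone

# Common schema every parser must produce; a field the source lacks stays None.
FIELDS = ("ts", "source", "user", "src_ip", "action", "outcome")

PARSERS = {}


def parser(source):
    """Decorator that registers a parser function for a named data source."""
    def register(fn):
        PARSERS[source] = fn
        return fn
    return register


def normalize(source, raw):
    """Return an event in the common schema, or None when no parser is
    registered for the source or the line does not parse (the 'new data
    source, no parser yet' situation the respondents describe)."""
    fn = PARSERS.get(source)
    if fn is None:
        return None
    parsed = fn(raw)
    if parsed is None:
        return None
    event = {field: parsed.get(field) for field in FIELDS}
    event["source"] = source
    return event


# Constructed format 1: space-separated key=value pairs with an ISO-8601 timestamp.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@parser("firewall")
def parse_firewall(raw):
    kv = {k: v.strip('"') for k, v in _KV.findall(raw)}
    if "ts" not in kv:
        return None
    return {
        "ts": datetime.fromisoformat(kv["ts"]),
        "user": kv.get("user"),
        "src_ip": kv.get("src"),
        "action": kv.get("action"),
        "outcome": kv.get("result"),
    }


# Constructed format 2: one JSON object per line, epoch seconds, nested actor.
@parser("cloudapp")
def parse_cloudapp(raw):
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(doc, dict) or "time" not in doc:
        return None
    actor = doc.get("actor") or {}
    return {
        "ts": datetime.fromtimestamp(doc["time"], tz=timezone.utc),
        "user": actor.get("email"),
        "src_ip": actor.get("ip"),
        "action": doc.get("event"),
        "outcome": "success" if doc.get("ok") else "failure",
    }


# Constructed sample input: (source name, raw line). The last entry is a source
# for which nobody has written a parser yet.
SAMPLE = [
    ("firewall", 'ts=2023-04-24T10:00:00+00:00 src=203.0.113.7 user="j.doe" action=allow result=ok'),
    ("firewall", "garbage line with no fields"),
    ("cloudapp", '{"time": 1682330400, "event": "file.download", "ok": true, '
                 '"actor": {"email": "j.doe@example.com", "ip": "203.0.113.7"}}'),
    ("cloudapp", "{not json"),
    ("edr", "proc=powershell.exe parent=winword.exe"),
]


def ingest(lines):
    """Normalize every line; return (events, dropped) so the team can see
    what a missing or broken parser silently costs them in visibility."""
    events, dropped = [], []
    for source, raw in lines:
        event = normalize(source, raw)
        if event is None:
            dropped.append((source, raw))
        else:
            events.append(event)
    return events, dropped
```

Adding a new source is one `@parser("name")` function that emits the common fields; until that function exists, every line from that source lands in `dropped`, which is exactly the blind spot the survey numbers describe. Counting `dropped` per source is a cheap check worth running after any schema change.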
Only 19.74% of teams were very confident their SIEM could detect unknown threats and 37.34% were somewhat confident. But 16.74% were not confident at all, 5.58% know their SIEM can't detect unknown threats, and 20.60% claim to have no idea. Since most SIEMs rely on static correlation rules, detection becomes extraordinarily difficult as soon as the threat actor changes the indicators a rule keys on, or obfuscates the campaign, for example by spreading its steps out over a period longer than the rule's correlation window so that no single rule ever sees enough of it to fire.
Rule-based correlations can neither adapt to the organization nor handle these variants. Security teams must gather the right threat intelligence and tweak the rules, or build new ones, to handle each new variant or attack, and the organization is exposed in the meantime. A SIEM that can detect unknown threats, by baselining what is normal for each user and flagging deviations rather than matching known indicators, also provides better insider threat detection overall, since an insider typically runs no malicious code for a rule to match.
The top four contextual sources respondents claimed they could utilize were endpoint (55.36%), email (39.91%), firewall/IPS (36.48%), and cloud applications (33.91%). However, 10.30% believe it’s currently too expensive to bring all these data sources into their SIEM.
This points to an important operational problem with many SIEM solutions: the more data you feed in, the more alerts they create. This leads to more false positives and to dramatic, often unpredictable, increases in cost over time, because most SIEMs charge based on the volume of data ingested and retained. In effect, customers are penalized the more of their organization they want to protect. Adding additional security analytics such as UEBA or NTA can exacerbate the problem with still more alerts.
It was good to see that 15.02% of respondents claim they can build custom playbooks and workflows in just minutes and 24.46% can do this in just hours. Unfortunately, 31.76% still take days to create these playbooks and workflows, 22.32% didn't know if they could build custom playbooks, and 6.44% claim it's not even included in their SIEM. Automation is the key to streamlining threat response, so the more of this process that can be automated, the better.
Chaining together analytics to help identify the full attack kill chain is crucial to stopping threats. Yet only 51.07% of respondents claim to do this for endpoint, 49.79% for network, 25.75% for identity, 23.18% for cloud, 17.60% for UEBA, and 13.30% for IoT. Teams need to work to chain more analytics together to quickly and accurately determine that an attack campaign is actually underway versus an isolated threat. It’s worth noting that 17.60% of respondents were not even sure if their SIEM was capable of chaining together analytics.
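The two points above, that a fixed-window correlation rule misses a campaign spread out over days and that chaining analytics across endpoint, identity and cloud sources is what reveals the campaign, as an added example. This is not Gurucul's code or any product's detection logic: the events, the per-signal weights, the decay half-life and the alert threshold are all assumed values chosen for illustration.

```python
"""Added example (not Gurucul's code): a fixed-window correlation rule beside
a per-entity risk accumulator that chains signals across sources over time.
All events, weights, half-life and threshold below are constructed/assumed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def t(day, hour=0):
    """Helper for constructed timestamps relative to an arbitrary start date."""
    return datetime(2023, 4, 1) + timedelta(days=day, hours=hour)


# Constructed event stream. Each event carries the source that produced it,
# the entity (user) it concerns, and a signal some upstream analytic assigned.
# Alice's four events are one slow campaign spread across a week; Bob and
# Carol each produce a single, isolated signal.
EVENTS = [
    {"ts": t(0, 9),  "source": "identity", "entity": "alice", "signal": "auth_failure_burst"},
    {"ts": t(2, 14), "source": "cloud",    "entity": "alice", "signal": "privilege_granted"},
    {"ts": t(5, 22), "source": "endpoint", "entity": "alice", "signal": "encoded_powershell"},
    {"ts": t(7, 3),  "source": "cloud",    "entity": "alice", "signal": "bulk_download"},
    {"ts": t(1, 11), "source": "identity", "entity": "bob",   "signal": "auth_failure_burst"},
    {"ts": t(6, 10), "source": "endpoint", "entity": "carol", "signal": "encoded_powershell"},
]

# Assumed risk weight per signal, roughly increasing with kill-chain stage.
WEIGHT = {
    "auth_failure_burst": 20,
    "privilege_granted": 35,
    "encoded_powershell": 40,
    "bulk_download": 45,
}


def fixed_window_rule(events, window=timedelta(hours=1), min_hits=3):
    """Classic correlation rule: alert when one entity produces at least
    min_hits signals inside a sliding time window. A campaign whose steps
    are days apart never satisfies it, however many steps it has."""
    alerts = []
    recent = defaultdict(deque)
    for e in sorted(events, key=lambda e: e["ts"]):
        q = recent[e["entity"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= min_hits:
            alerts.append(e["entity"])
    return alerts


def chained_risk(events, threshold=100, half_life=timedelta(days=14), min_sources=2):
    """Per-entity score that adds each signal's weight and decays with a
    half-life, so steps days apart still accumulate. Alert once per entity
    when the score crosses the threshold AND signals from at least
    min_sources distinct sources contributed, which is what distinguishes a
    chained campaign from an isolated finding. Decay is what keeps a single
    noisy signal (Bob, Carol) from ever reaching the threshold on its own."""
    state = {}
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        s = state.setdefault(e["entity"], {"score": 0.0, "last": e["ts"], "chain": [], "alerted": False})
        elapsed = (e["ts"] - s["last"]).total_seconds() / half_life.total_seconds()
        s["score"] *= 0.5 ** elapsed
        s["score"] += WEIGHT.get(e["signal"], 0)
        s["last"] = e["ts"]
        s["chain"].append((e["source"], e["signal"]))
        sources = {src for src, _ in s["chain"]}
        if not s["alerted"] and s["score"] >= threshold and len(sources) >= min_sources:
            s["alerted"] = True
            alerts.append({"entity": e["entity"], "score": round(s["score"], 1), "chain": list(s["chain"])})
    return alerts
```

Run on the constructed stream, `fixed_window_rule(EVENTS)` returns no alerts at all, while `chained_risk(EVENTS)` returns a single alert for Alice whose `chain` lists the identity, cloud and endpoint steps in order, and nothing for Bob or Carol. The threshold and half-life are the tuning knobs: a longer half-life catches slower campaigns at the cost of letting unrelated noise accumulate, which is the trade-off the survey's false-positive numbers reflect.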
Overall, it was encouraging to see how many respondents had some advanced SIEM capabilities, how many were confident their SIEM could detect unknown threats, and how quickly many of them could add new data sources. But these numbers could be much higher. Many organizations seem to be working with limited SIEM technology that creates significant gaps and limits when it comes to threat detection. And the high numbers of alerts per day was sobering to see. It shows just how important it is to have accurate threat detection.
About The Author
Jane Grafton, VP Marketing, Gurucul
Jane Grafton has more than 30 years of experience in domestic and international marketing, sales and business development. She came to Gurucul from Lieberman Software where she spent 9 years managing global marketing operations inclusive of marketing automation, website, events, collateral, digital marketing, email campaigns, product marketing, PR and corporate branding. Prior to that she spent 12 years at Sun Microsystems in field marketing management, supporting commercial accounts and federal systems integrators throughout the U.S. Prior to Sun, Mrs. Grafton sold and developed new markets for Locus Computing Corporation’s UNIX software services focusing on OEMs. At Computer Associates Limited in the UK, she established a new corporate function, Third Party Marketing, by developing relationships with hardware manufacturers, distributors and management consultants. Mrs. Grafton graduated from UC San Diego, CA in Applied Mathematics.