In many ways, the tools security professionals have at their disposal have not kept up with the seismic changes in IT infrastructure and workloads brought about by the cloud. For example, most Security Information and Event Management (SIEM) platforms are still based on decades-old technology and architectures.
The deficiencies in traditional SIEM solutions are common knowledge throughout the industry, at least anecdotally, but I wanted to see actual data. To explore the firsthand experiences of security practitioners, my company, Panther Labs, commissioned an independent study to understand how well legacy SIEMs meet the needs of security teams today.
To gain insight into the challenges, frustrations, and desires related to SIEM capabilities, we surveyed over 400 security professionals who actively use a SIEM platform as part of their job. This group included CISOs, CIOs, CTOs, security engineers, security analysts, and security architects.
We recently published the results of the study in our State of SIEM 2021 report. While the results unequivocally support the idea that traditional SIEM solutions no longer meet the needs of modern IT security professionals, some results may surprise casual observers of this space. It’s a worthwhile read.
This article will focus on challenges related to implementation time, ease of deployment, and some of the day-to-day difficulties of working with existing solutions.
Time To Implement
Our survey revealed that over half of the respondents who were involved in deploying their current SIEM system said it took over six months to begin receiving high-value alerts. Often, these extended periods can be attributed to the many forces outside the security organization’s control. Coordinating with operations departments to get security tools onto IT and production infrastructure has inherent delays. There is also a learning curve related to training, which can negatively impact the time-to-value equation.
Query Speed, Complexity, and Culture
Implementation of a new security tool involves a number of challenges. To better understand what deficiencies surfaced as our respondents completed their current SIEM deployment, we asked them to comment on a set of common challenges.
Nearly half of the survey’s respondents listed slow queries in their roster of top challenges. The pain of slow queries is nearly universal among security teams. Given that these traditional architectures are over 10 years old and were never intended for cloud-based workloads, this is no surprise.
Complaints about cost are also ubiquitous. Teams pay considerable sums for systems that can’t meet their scale requirements and are too cumbersome and slow to run. In the future, SaaS and cloud data warehouse technologies will be a necessary part of SIEM solutions. Without SaaS, cloud, and big data solutions, there is little hope of future SIEM solutions keeping up with business needs.
Nearly half of the IT security professionals queried responded that solution complexity was a key challenge when implementing SIEM. The insights provided by this survey’s respondents offer a good case for a new approach to SIEM, built from the ground up for cloud-native environments to simplify implementation and daily operations.
Cloud platforms continually move up the infrastructure stack to simplify and abstract extraordinarily complex concepts like pub-sub, container orchestration, queueing, and more. As this evolution continues, traditional SIEM platforms will be replaced with serverless architectures that simplify operations and enhance scalability.
Over 42 percent of respondents indicated that they work in an organization whose culture is, in some way, creating additional hurdles for their team. In an environment where on-prem software, servers, and networks still handle important workloads, SIEM implementation requires a high degree of coordination and cooperation with IT and operations teams. This paradigm has a long history of fostering a culture in which security is seen as a necessary evil and not given a seat at the table where decisions affecting the company’s direction are made. It only takes a glance at today’s news headlines to affirm that security should always be involved in significant business decisions.
We thought it would be instructive to also explore some of the routine challenges SIEM users face. Here’s what the survey respondents had to say.
Too Many Alerts
About a quarter of respondents indicated that the top challenge with their current SIEM is that it often generates too many alerts. Whether spurious or accurate, this result can cause alert fatigue or apathy, leading to ignored high-priority threats. This critical condition causes delays in the detection of data breaches, which can exponentially increase the impact of a breach.
Lack of Visibility
Many legacy approaches with on-prem infrastructure have strict limits on ingestion and retention. Nearly 14 percent of respondents said their biggest day-to-day challenge is related to a lack of visibility. Given the high cost associated with traditional SIEM solutions, security teams are often forced to choose which data sources are most crucial to collect in order to control costs. This limits visibility into the full spectrum of security-relevant data, leading to blind spots and insufficient ability to fully investigate threats.
The biggest problem for nearly 10 percent of respondents is that their inability to write clear and efficient detection rules limits their ability to adjust alerting logic and reduce false positives. Traditional SIEM platforms often lack the ability to edit existing rules or to create custom-tailored rules that are verified by strong unit tests.
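To make concrete what "custom-tailored rules verified by strong unit tests" and the alert-volume problem described under Too Many Alerts look like in practice, here is an added example written for this article; it is not code from the survey, from Panther's product, or from any SIEM's rule format. It expresses a detection as a plain Python function over a simplified, constructed CloudTrail-style event (the field names are assumptions, not a real schema), exempts a named break-glass account to cut a known false positive, collapses repeated hits per user into one alert with a count, and carries its own table of unit-test cases so a rule change that reintroduces a false positive fails immediately.

```python
"""Added example: a detection rule as testable code (hypothetical event shape)."""
from collections import OrderedDict
from typing import Any, Dict, List, Tuple

# Constructed sample events; IPs are RFC 5737 documentation addresses and the
# account id is AWS's documentation placeholder. Not real log data.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.13",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/carol"}},
    {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.14",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/breakglass"}},
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.15",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]

# Tuning lives in data, not in the rule body, so it can be reviewed and tested.
# Hypothetical exemption: an emergency account that by policy has no MFA device.
BREAK_GLASS_USERS = {"arn:aws:iam::123456789012:user/breakglass"}


def rule(event: Dict[str, Any]) -> bool:
    """Fire on a successful console login without MFA by a non-exempt user."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return False
    if event.get("additionalEventData", {}).get("MFAUsed") == "Yes":
        return False
    if event.get("userIdentity", {}).get("arn") in BREAK_GLASS_USERS:
        return False
    return True


def dedup_key(event: Dict[str, Any]) -> str:
    """Group repeated hits by principal so one noisy user yields one alert."""
    return event.get("userIdentity", {}).get("arn", "unknown")


def title(event: Dict[str, Any]) -> str:
    """Human-readable alert title built from the event that triggered it."""
    return "Console login without MFA: %s" % dedup_key(event)


def run_rule(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Evaluate the rule over a batch, collapsing hits per dedup key into one alert."""
    alerts: "OrderedDict[str, Dict[str, Any]]" = OrderedDict()
    for event in events:
        if not rule(event):
            continue
        key = dedup_key(event)
        if key not in alerts:
            alerts[key] = {"title": title(event), "count": 0, "source_ips": []}
        alerts[key]["count"] += 1
        alerts[key]["source_ips"].append(event.get("sourceIPAddress"))
    return list(alerts.values())


# Unit-test table: (case name, event index, expected verdict). Each row pins one
# branch of the rule, including the break-glass exemption that removes a known
# false positive.
UNIT_TESTS: List[Tuple[str, int, bool]] = [
    ("success without MFA fires", 0, True),
    ("second hit for same user also fires", 1, True),
    ("MFA used does not fire", 2, False),
    ("failed login does not fire", 3, False),
    ("break-glass account exempted", 4, False),
    ("unrelated API call ignored", 5, False),
]


def run_unit_tests() -> List[Tuple[str, bool]]:
    """Return (case name, passed) for every row of the test table."""
    return [(name, rule(SAMPLE_EVENTS[i]) is expected) for name, i, expected in UNIT_TESTS]


if __name__ == "__main__":
    for name, passed in run_unit_tests():
        print(("PASS " if passed else "FAIL ") + name)
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Running the file prints a pass/fail line per test case and then the deduplicated alerts; with the constructed batch above, the two hits for the same user collapse into a single alert carrying both source IPs, which is the difference between one ticket and two for the analyst on shift.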
A SIEM’s value and effectiveness are dependent on the data it can ingest and how well it has been architected, tuned, and maintained. Over the years, the industry’s approach has been to keep extracting more and more security data — but with systems incapable of providing adequate visibility or effective processing of that much data.
IT infrastructure is changing. How businesses use data is changing. As a result, security is changing. The SIEM technologies of yesteryear are inadequate for today’s modern infrastructure and will continue to fall behind without a completely new approach based in cloud-native principles.