Why SIEM-implementations often fail

SIEM solutions often do not provide the level of extra protection that is promised. We have listed the causes of this in the top 5 below:

IT security is not sexy
SIEM implementations are complex
(Almost) all IT components are necessary
Talent is scarce
Everything is moving

1. IT-security is not sexy

While many employees think IT isn’t sexy in the general sense, this is even more the case for the security aspects of IT. Everyone considers safe and reliable IT as self-evident, but that is not the case. Companies often see the security of their products as a closing station or don’t have any budget and time at all. Only when their products are misused and they are forced, they are prepared to do something about it. Security by design is not common in a world where a short time-to-market means more profit. During the implementation of internal projects at our customers, we often see that IT security is neglected. One is only willing to spend time and effort when this is enforced by security policy and alert security officers.

2. SIEM implementations are complex

Implementing a Security Information & Event Management (SIEM) solution is complex and expensive and requires strong perseverance from all who are concerned. The trajectory requires very specific expertise and a solid mandate from higher management. You often see that the implementation of SIEM solutions is initiated from the IT departments themselves, which usually leads to insufficient mandate, budget, time, and a lack of cooperation to be able to implement this in a meaningful way. There is also insufficient willingness to follow up the safety reports, resulting from the SIEM solution.

3. (Almost) all IT-components are necessary

Where you have to take into account a single application, one or a few databases and a handful of (virtual) servers when implementing a business application, a SIEM implementation should involve virtually every IT component in the organization (and possibly beyond). Signals about potential misuse of your IT resources can manifest at all levels in your IT environment. From deep into your network to somewhere hidden in the millions of lines of your application log files. This means that SOC analysts are looking for that one needle in hundreds of haystacks to filter out just that important log line that can put them on the track of the hacker who threathens your business!

In addition, a large number of people needs to be tuned about what is connected, how to realize this and what – in terms of security signals – the SOC must pay attention to. Where are the biggest risks in your business processes and how does this translate into reports, log sources and runbook? Who is required to mitigate the consequential damage if these risks are unexpectedly manifest? How does this work at night and in the weekend? Do they have the right information and resources to take the necessary measures?

4. Talent is scarce

IT talent is scarce but IT security talent is even more scarce! Who ever heard his son or daughter say enthusiastically that he/she wants to become an IT security specialist? In a SOC, thanks to the non-stop nature of the work, many highly educated IT security specialists are required. To implement SIEM solutions, they must have in-depth knowledge of the selected SIEM solution, combined with good skills to channel the much-needed communication with all stakeholders; a scarce combination of character traits in the IT landscape!

Finding good SOC staff is a very big challenge, keeping them engaged and involved with your organization requires a carefully planned but extremely necessary approach. These specialists expect excellent equipment and software, challenge in their work, excellent working conditions and continuous enrichment of their knowledge and skills. Regular visits to seminars and conferences and the possibility to attend specialist training courses should be self-evident.

5. Everything is moving

Knowledge and skills are quickly outdated in the IT security world. Employees must continually update themselves. For SOC analysts and SIEM specialists, hackers are constantly changing their method of attack. Every day new zero-days are discovered for which new detection filters have to be implemented by the SIEM specialists.

More and more foreign powers see a cyber war as a real way of attacking, cyber-industrial espionage is increasing, not to mention cybercrime. The attacks to be fouled are becoming increasingly serious and the business interests of the information stored in IT systems are getting bigger and bigger.

In addition, protecting IT systems is a particularly unfair battle: IT specialists need to keep a large number of different types of information systems secure with hundreds of thousands of potential bugs, where the hacker needs to find only one or a few vulnerabilities in your IT network to achieve its goals.

Conclusion

All in all, not a reassuring story. Of course, Navaio is happy to assist you with these challenges. Navaio implements Security Operation Centers (SOCs) and helps optimize the efficiency of existing SOCs and the SIEM solutions implemented for this purpose. Our SOC/SIEM specialists have extensive experience in setting up SOC and SIEM environments and can help you avoid the pitfalls they have identified.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
sp_landing	1 day	This cookie is set by the provider Spotify. This cookie is used to implement audio content from spotify on the website. It also helps in collecting information on user interaction with this audio content.
sp_t	1 year	This cookie is set by the provider Spotify. This cookie is used to implement audio content from spotify on the website. It also helps in collecting information on user interaction with this audio content.

Cookie	Duration	Description
__gads	1 year 24 days	This cookie is set by Google and stored under the name dounleclick.com. This cookie is used to track how many times users see a particular advert which helps in measuring the success of the campaign and calculate the revenue generated by the campaign. These cookies can only be read from the domain that it is set on so it will not track any data while browsing through another sites.
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_ga_S3S4QWSG9R	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_110801228_1		This cookie is set by Google and is used to distinguish users.
_gcl_au	3 months	This cookie is used by Google Analytics to understand user interaction with the website.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
CONSENT	16 years 5 months	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	14 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
yt-remote-connected-devices	never	These cookies are set via embedded youtube-videos.
yt-remote-device-id	never	These cookies are set via embedded youtube-videos.

Why SIEM-implementations often fail