Natives restless with SIEM, study shows

A security technology that was supposed to be the solution to porous perimeter defenses is losing the hearts and minds of IT professionals, according to a survey released Wednesday by a maker of network security solutions.

Security Information and Event Management (SIEM) is designed to monitor network and log activity with an eye toward identifying attacker activity such as advanced persistent threats, cyberespionage and data breaches.

What surveyors for eIQnetworks discovered, though, is considerable discontent in SIEM shops over their deployments. Nearly a third (31 percent) of the 191 IT pros interviewed for the survey said they'd ditch their SIEMs if they could find an alternative that would save them money.

Managing a SIEM can be a headache for many organizations, the surveyors found. Deploying a SIEM took from a few weeks to more than a month for nearly half (44 percent) of the IT pros interviewed.

"Not only did it take weeks to get the product installed, it took even longer to start seeing stuff from the product that provided value," eIQnetworks Senior Director Product Management Brian Mehlman said in an interview.

Once installed, a quarter of the respondents said they needed to bring in hired guns for more than a month to iron out system kinks.

In addition, more than half (52 percent) of those surveyed said they needed two or more full-time employees to keep the SIEM humming.

Moreover, motivation behind installing a SIEM had more to do with compliance than results for more than a third (35 percent) of the organizations.

A majority of breaches go undetected due to the complexities involved in correlating security and configuration data across IT assets, inadequate security controls, and a lack of actionable and timely security intelligence, eIQnetworks said in a statement.

While there are companies dissatisfied with their SIEM deployments, it's not necessarily the software's fault, maintained Anton Chuvakin, research director for security and risk management for Gartner.

He acknowledged that the industry may have oversold itself during its infancy. "Many security problems are overhyped, but SIEM was probably more overhyped than some of the products," he told CSO Online.


SIEM makers oversold the "black box" aspect of the product and discounted the analytic aspects, he continued. It's like being sold a car as a device to get you from point A to B without being told you still have to drive the car to get where you're going, he explained. "They were told they were being sold a limo, when what they were being sold was a car," Chuvakin said.

Quite a few vendors explained the security and monitoring capabilities of their SIEMs, he continued, but they didn't fully explain the ongoing rule tuning and analytical maintenance that had to be done to make the software effective.

Since SIEMs were introduced in the late 1990s, they have become easier to use, he noted, but they still required skilled people -- either in-house or through a professional services organization -- to work. "Someone who knows what they're doing still has to be behind the steering wheel," Chuvakin said.

Organizations dissatisfied with their SIEMs typically don't understand the manpower requirements needed to make the systems work, he observed. "It isn't like a firewall where you can configure some rules and forget about it," Chuvakin added.
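Chuvakin's point about the analytic work behind a SIEM, and the eIQnetworks remark about correlating security and configuration data across assets, as an added example (this is not code from the article, eIQnetworks or Gartner): a stock "N failed logins" threshold rule run beside a correlation rule that joins the same events with an asset inventory. The log lines, hostnames, addresses and the asset table are constructed for the demonstration; the field names and the asset attributes are assumptions, not any product's schema.

```python
"""Stock threshold rule vs. a correlation rule that uses asset context.

Added illustration; the log, hosts, addresses and asset table are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events in a syslog-like key=value layout (not real data).
RAW_LOG = """\
2013-06-05T09:00:01 host=web01 event=ssh_login_failed src=10.0.5.23 user=root
2013-06-05T09:00:03 host=web01 event=ssh_login_failed src=10.0.5.23 user=root
2013-06-05T09:00:05 host=web01 event=ssh_login_failed src=10.0.5.23 user=root
2013-06-05T09:00:07 host=web01 event=ssh_login_failed src=10.0.5.23 user=root
2013-06-05T09:00:09 host=web01 event=ssh_login_failed src=10.0.5.23 user=root
2013-06-05T09:00:20 host=web01 event=ssh_login_ok src=10.0.5.23 user=root
2013-06-05T09:10:00 host=db01 event=ssh_login_failed src=203.0.113.7 user=admin
2013-06-05T09:10:02 host=db01 event=ssh_login_failed src=203.0.113.7 user=admin
2013-06-05T09:10:04 host=db01 event=ssh_login_failed src=203.0.113.7 user=admin
2013-06-05T09:10:06 host=db01 event=ssh_login_failed src=203.0.113.7 user=admin
2013-06-05T09:10:08 host=db01 event=ssh_login_failed src=203.0.113.7 user=admin
2013-06-05T09:10:30 host=db01 event=ssh_login_ok src=203.0.113.7 user=admin
2013-06-05T11:00:00 host=lab03 event=ssh_login_failed src=10.0.9.9 user=test
2013-06-05T11:00:02 host=lab03 event=ssh_login_failed src=10.0.9.9 user=test
2013-06-05T11:00:04 host=lab03 event=ssh_login_failed src=10.0.9.9 user=test
2013-06-05T11:00:06 host=lab03 event=ssh_login_failed src=10.0.9.9 user=test
2013-06-05T11:00:08 host=lab03 event=ssh_login_failed src=10.0.9.9 user=test
"""

# Constructed asset/configuration data: business criticality and the network
# prefix administrators are expected to log in from (assumed attributes).
ASSETS = {
    "web01": {"criticality": "high", "admin_src_prefix": "10.0.5."},
    "db01":  {"criticality": "high", "admin_src_prefix": "10.0.5."},
    "lab03": {"criticality": "low",  "admin_src_prefix": "10.0.9."},
}

LINE_RE = re.compile(r"(\S+) host=(\S+) event=(\S+) src=(\S+) user=(\S+)")


def parse(log):
    """Turn the raw text into event dicts with a real timestamp."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, ev, src, user = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "event": ev, "src": src, "user": user})
    return events


def naive_rule(events, threshold=5, window=timedelta(minutes=5)):
    """Out-of-the-box rule: N failed logins from one source to one host in a window.
    Fires once per (src, host) pair when the threshold is reached."""
    alerts = []
    failures = defaultdict(list)
    for e in events:
        if e["event"] != "ssh_login_failed":
            continue
        key = (e["src"], e["host"])
        failures[key] = [t for t in failures[key] if e["ts"] - t <= window] + [e["ts"]]
        if len(failures[key]) == threshold:
            alerts.append({"rule": "failed_login_threshold", "src": e["src"], "host": e["host"]})
    return alerts


def tuned_rule(events, assets, threshold=5, window=timedelta(minutes=5)):
    """Analyst-written correlation: threshold failures followed by a success,
    on a high-criticality asset, from a source outside its admin network."""
    alerts = []
    failures = defaultdict(list)
    for e in events:
        key = (e["src"], e["host"])
        if e["event"] == "ssh_login_failed":
            failures[key] = [t for t in failures[key] if e["ts"] - t <= window] + [e["ts"]]
        elif e["event"] == "ssh_login_ok":
            asset = assets.get(e["host"])
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if asset is None or len(recent) < threshold:
                continue
            if asset["criticality"] != "high":
                continue
            if e["src"].startswith(asset["admin_src_prefix"]):
                continue  # an admin mistyping a password from the expected network
            alerts.append({"rule": "brute_force_then_success_on_critical_asset",
                           "src": e["src"], "host": e["host"], "user": e["user"]})
    return alerts


def compare(log=RAW_LOG, assets=ASSETS):
    """Return (naive alert count, tuned alerts) for the same event stream."""
    events = parse(log)
    return len(naive_rule(events)), tuned_rule(events, assets)


if __name__ == "__main__":
    naive_count, tuned = compare()
    print(f"stock rule: {naive_count} alerts; correlated rule: {len(tuned)} alert(s)")
    for a in tuned:
        print(a)
```

On this constructed stream the stock rule fires three times (one of them an admin fat-fingering a password, one a lab box nobody got into), while the correlated rule fires once, on the external source that brute-forced its way onto a critical database host. The difference is entirely in the asset table and the follow-on condition, which is the kind of per-environment logic Chuvakin says someone still has to write and keep maintaining.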


Stories by John P. Mello Jr.
