Information overload, SIEM version

Our manager is very happy with the performance of his security information and event management platform, but sometimes it's too much for the network bandwidth. Fortunately, an easy fix is at hand.

It's been over a year since I last wrote about my security information and event management (SIEM) platform -- and a lot has happened since then. Back then, I wrote, "Now that my SIEM has been in operation for several months, I've become completely dependent on it, not only for security monitoring, but also for overall awareness of my network."

Since that time, I've only become more dependent on my SIEM for keeping track of all the alerts being generated by my various security information, alert and log sources. At last count, I had 21 different systems feeding data into my SIEM, including intrusion-detection sensors on the network, malware detection on the network and individual computers, firewall logs, network device logs and flow data, and server logs. All this information has given me unprecedented visibility into threats on my network -- and now is the right time to have that visibility.

Looking at all the data breaches in the news over the last year (including the top 20 breaches I wrote about last month), one thing they all have in common is a lack of timely detection. In fact, most of the victims had no idea they were breached until the U.S. government's three-letter-agency watchdogs notified them. The attackers operated undiscovered for months on those networks before they were discovered. It's my belief that a good SIEM would have alerted those organizations to the attackers' activities, such as phishing, malware exploits, unauthorized remote access and data exfiltration. Certainly, my SIEM would do so.

How can I have so much confidence in my SIEM? Because I use it every day, and it reliably alerts me to all of those threats. When I last talked about my SIEM, I mentioned that I was looking into third-party services to monitor it as well. Since then, I've actually gone through three different monitoring services. The first two were disappointments, but the third is doing a really great job of escalating the important alerts while tuning out the false positives and less important data. I find threats on my network every day -- usually malware, most often caused by poisoned Web searches that employees stumble across while doing personal searching. The poisoned search results usually fly right through the employees' browsers without their knowledge or interaction, resulting in infections that set off my alarms. When that happens, one of my team members pays a visit to the victim, confiscating the hard drive and offering advice on how to avoid infections in the future.

I have a good, reliable SIEM technology that pays dividends every day. So what could go wrong?

Too much information, that's what. Not coming out of the SIEM, but going into it. I have so much data pouring into my SIEM that it's actually overloading the network. My SIEM is fine -- it's built to handle massive amounts of data flow -- but the network bandwidth itself is becoming saturated by all the alerts and logs. Not only does this lead to complaints from our network engineer, but unreliable service as well. For example, some of the data flowing into my SIEM is in the form of "spans" from network routers and switches. These spans duplicate all of the traffic flowing inside my company's network, which is very useful for SIEM analysis. But when the network gets bogged down from too much traffic, the routers and switches automatically cut off the spans so they can focus on delivering network traffic. When that happens, my SIEM goes blind.

What I'm planning to do about this situation is to offload some of the traffic from the routers and switches onto a specialized data delivery device. The device I'm looking at is designed to sit on the network and mirror the network traffic to my SIEM, so the routers and switches don't have to. It can also take log and alert data from some of my other sources and carry them directly to my SIEM, cutting down on network bandwidth.

So while I now have too much of a good thing, fortunately the state of security technology has caught up to the problem. If all goes as planned, I can simply drop in the new device and hook it up to my SIEM without any trouble. Then I can add even more data to what I'm already monitoring.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at

Join in

Click here for more security articles.

Join the CSO newsletter!

Error: Please check your email address.

Tags network securitynetwork bandwidthsecuritySIEM

More about Click

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By J.F. Rice

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place