Is a SIEM Like a Boat?
The first day as a CISO, the question always gets asked, “Do we have a SIEM?” The answers vary: “it's run by our MSSP,” “somewhere, but we haven’t looked at it since the last incident,” “yes, but our SOC complains about it every week.” For any information security program, the SIEM represents the epicenter of alerting operations. For most CISOs, however, it’s more like a boat: the best days are the day they buy it and the day they get rid of it (outsource it, put it into the cloud, build a new one…).
The SIEM SOAR Market represents ~$5.7 billion worldwide. On average companies pay $18M annually for the core platforms of the Security Operations Center (SOC). Then there are the resources required to deploy it, integrate it, operate it, automate it… A SIEM represents the biggest security investment that a CISO will likely make.
With all this investment, 87% of security leadership surveyed note that their SIEM needs improvement. Chief amongst their concerns are:
Over-Collection: “Study…suggests that 95% of SIEM incidents are generated by just 15% of rules”
Under-Collection: “Significantly diminished with an average of only 16% coverage across MITRE's ATT&CK framework”
Lack of Detection Engineering: “SIEM engineering capabilities are often overlooked”
The frustration with this cornerstone of security operations is so common that organizations are outsourcing their security operations to MSSPs and MDRs. The Security Operations services market is expected to grow by a factor of 2.3x over the next five years. There are scores of technologies and service providers trying to address the various problems driving these frustrations:
How do I get better at collecting logs?
What is the optimal retention and access strategy?
How can I utilize all the data I collected for analytics? … Or with AI?
How do I correlate all the disparate data?
What can I do to make the platform easier to use? Automation? APIs?
Like a boat, there is always another tool to add or another upgrade to fund.
Just as every aspiring sailor needs a boat, CISOs know they need a SIEM. But when you ask them why they need it or what their return on investment is, they struggle to answer. Is it a regulatory requirement OR an investment in real-time alerting? Does it provide visibility into the enterprise OR support long-term discovery? In order to properly appreciate and articulate a SIEM’s value, the CISO needs to understand, codify, translate and set measurable objectives for the Security Operations team and platform… more to come.