
SAO vs. SIEM security suites: And the winner is...

Security information and event management (SIEM) suites offer organizations a security blanket against cyber attacks, but that blanket has become frayed for many SIEM shops.

As many as one in three SIEM owners are dissatisfied with their SIEM system's performance, according to a report released in July by Osterman Research and Cyphort, maker of a threat detection, analytics, and mitigation platform.

"Moreover," the report noted, "although most decision makers agree that their SIEMs help them identify the most serious security threats their organizations face, they mostly disagree that their SIEMs provide adequate scalability, threat investigation, and threat analysis capabilities."

Managing a SIEM is also a sore point among some owners of the products. According to the report, two full-time equivalent staff are needed to manage a SIEM for every 1,000 users.

SIEM systems have enough shortcomings that information security teams are looking for alternatives. One candidate for overcoming those drawbacks is security automation and orchestration (SAO) tooling.


SIEMs are difficult to query

What SIEMs do best is collect information and store it. Ideally, SIEMs create a way to make sense of potentially relevant security information stored in what can be hundreds or thousands of logs generated in a modern IT architecture. Making sense of that information, though, can be challenging.

When data enters the SIEM, it's structured and stored in tables. To get what you want out of the SIEM, you need to know the structure of those tables. "Most users don't know that," said Josh Mayfield, platform lead at FireMon, a network security intelligence platform maker.

Even if users know what they're doing, a SIEM can be challenging. "Getting meaningful information out is the most difficult part of SIEM technology," he said. "I've written thousands of queries. Some of them are elegant and five lines long and took a day and a half to create. Then when I execute them, I don't get the results I'm looking for. That's an arduous task to go through not to get what I want."

"SIEMs are really good at getting all the data together, but then doing analytics on it in a meaningful way is very difficult," added JP Bourget, founder and chief security officer at Syncurity, maker of a security automation and orchestration platform.

The false positives problem

In addition to storing data, SIEMs generate threat alerts, and those alerts follow rules. Typically, a SIEM ships with sets of rules it uses to generate alerts and lets the security team write custom rule sets on top of them. "Writing and maintaining these rules is a significant effort. Many implementations fail at this due to a skill shortage or expertise deficit," said A.N. Ananth, co-founder and CEO of EventTracker, a log monitoring tool and SIEM solutions provider.

Inadequate rule sets result in enormous amounts of false-positive alerts from SIEMs. "The false-positive rate is between 60% and 70%," FireMon's Mayfield said. "That's an extraordinary amount. If a doctor had a false positive rate of 65%, they'd lose their medical license."

Because of the SIEM's architecture, it's difficult to get the precision needed to weed out those false positives. "Unless you work on the SIEM's data for months to calibrate the alerts, it becomes impractical to get anything without a lot of false positives," he noted.

"Even if you spent the time to get your model correct," he added, "by that time the attacks you were worried about when you started would have been replaced by new attacks."
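To make the rule-tuning problem concrete, here is an added example (not code from the article or from any vendor quoted in it): a naive SIEM-style alert rule beside a calibrated one, both run over a constructed set of SSH authentication log lines. The log format, the thresholds, the allowlisted scanner address and the "ground truth" about which source is actually malicious are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "timestamp host sshd RESULT user=... src=..."
# format; not real data. By construction, 198.51.100.7 is the only malicious source (password
# spraying), 10.0.5.44 is a user mistyping a password over an hour, and 10.0.9.9 is an authorised
# vulnerability scanner that trips a naive rule but is not a threat.
SAMPLE_LOGS = """\
2017-07-10T09:00:01 web1 sshd FAILED user=alice src=10.0.5.20
2017-07-10T09:00:05 web1 sshd ACCEPTED user=alice src=10.0.5.20
2017-07-10T09:01:00 web1 sshd FAILED user=bob src=10.0.5.31
2017-07-10T09:01:30 web1 sshd ACCEPTED user=bob src=10.0.5.31
2017-07-10T09:02:00 web1 sshd FAILED user=root src=198.51.100.7
2017-07-10T09:02:01 web1 sshd FAILED user=root src=198.51.100.7
2017-07-10T09:02:02 web1 sshd FAILED user=admin src=198.51.100.7
2017-07-10T09:02:03 web1 sshd FAILED user=test src=198.51.100.7
2017-07-10T09:02:04 web1 sshd FAILED user=oracle src=198.51.100.7
2017-07-10T09:02:05 web1 sshd FAILED user=guest src=198.51.100.7
2017-07-10T09:03:00 web1 sshd FAILED user=carol src=10.0.5.44
2017-07-10T09:15:00 web1 sshd FAILED user=carol src=10.0.5.44
2017-07-10T09:30:00 web1 sshd FAILED user=carol src=10.0.5.44
2017-07-10T09:45:00 web1 sshd FAILED user=carol src=10.0.5.44
2017-07-10T10:00:00 web1 sshd FAILED user=carol src=10.0.5.44
2017-07-10T10:05:00 web1 sshd FAILED user=svc-scan src=10.0.9.9
2017-07-10T10:05:01 web1 sshd FAILED user=svc-scan src=10.0.9.9
2017-07-10T10:05:02 web1 sshd FAILED user=svc-scan src=10.0.9.9
2017-07-10T10:05:03 web1 sshd FAILED user=svc-scan src=10.0.9.9
2017-07-10T10:05:04 web1 sshd FAILED user=svc-scan src=10.0.9.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd (?P<result>FAILED|ACCEPTED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(logs):
    """Normalise raw lines into dicts; this is the 'know the table structure' step."""
    events = []
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real SIEM would park unparsed lines; we just skip them
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def naive_rule(events):
    """One alert per failed login: trivial to write, and mostly noise."""
    return [ev for ev in events if ev["result"] == "FAILED"]


def calibrated_rule(events, threshold=5, window=timedelta(seconds=60), allowlist=frozenset()):
    """One alert per source with >= threshold failures inside a sliding window,
    ignoring allowlisted sources. Returns {src: (first_ts, sorted distinct users)}."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAILED" and ev["src"] not in allowlist:
            failures[ev["src"]].append(ev)
    alerts = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs) - threshold + 1):
            if evs[i + threshold - 1]["ts"] - evs[i]["ts"] <= window:
                users = sorted({e["user"] for e in evs[i:i + threshold]})
                alerts[src] = (evs[i]["ts"], users)
                break  # one alert per source is enough for an analyst
    return alerts


def false_positive_rate(alerted_sources, malicious_sources):
    """Share of alerts whose source is not in the (constructed) set of known-bad sources."""
    if not alerted_sources:
        return 0.0
    fp = sum(1 for s in alerted_sources if s not in malicious_sources)
    return fp / len(alerted_sources)


if __name__ == "__main__":
    events = parse(SAMPLE_LOGS)
    bad = {"198.51.100.7"}  # constructed ground truth
    naive = naive_rule(events)
    tuned = calibrated_rule(events, allowlist=frozenset({"10.0.9.9"}))
    print(f"naive: {len(naive)} alerts, FP rate {false_positive_rate([e['src'] for e in naive], bad):.0%}")
    print(f"calibrated: {len(tuned)} alert(s), FP rate {false_positive_rate(list(tuned), bad):.0%}")
```

On this constructed input the naive rule raises 18 alerts of which 12 are noise, a rate in the range Mayfield cites; the calibrated rule raises one. The price of that precision is exactly the calibration the article describes: a threshold, a window and an allowlist that someone has to choose and keep current as the environment and the attacks change.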

How SAO addresses SIEM limitations

So what about SAOs?

"SAOs plug workflow and automation efficiencies into what has historically been a manual and under-manpowered process: incident response," said Daniel Kennedy, research director for information security and networking at 451 Research.

They also offer a mechanism for making sense out of what has become a problem for many enterprise security architectures. "Many different systems generate alerts through their own dashboards with little way outside of manual correlation to make sense out of a single security event that creates alerts across multiple tools," he said.

Christopher Jordan, CEO of Fluency, a network behavioral analytics company, sees the SAO approach as oriented toward system integration rather than toward data. It starts with a key or trigger event and builds a process for validating and responding to that event, with the emphasis on handing work from one tool or service to the next.

"The SAO concept is that a SIEM fails because there is too much data for a person to handle, and that by automating the validation and response to an event, the person will only be involved with exceptions to a rule," Jordan added.

Doing, not just saying

While SIEMs can generate alerts, SAOs can act on some of the risks they flag. "A properly configured SIEM can say something, but an SAO can also do something," said EventTracker's Ananth.

"After all, isn’t that the whole point?" he added. "Protection, not just alarms and alerts?"

By acting on some risks, SAOs can help lighten the workload on overworked security teams. "You don't want your top analysts running command-line tools," said Syncurity's Bourget. "You want them deeper in the funnel looking at critical threats."
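The trigger-validate-respond loop Jordan describes, and the "do something" step Ananth calls for, sketched as an added example in Python. This is not code from Fluency, EventTracker, Syncurity or any other product named on the page. The threat-intel feed, asset inventory, scanner allowlist and firewall block list are constructed in-memory stand-ins for the tools a real SAO would integrate with over their APIs, and the decision thresholds are assumptions chosen for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """A trigger event in the shape a SIEM rule might emit it (constructed)."""
    src: str
    target_host: str
    failures: int


@dataclass(frozen=True)
class Decision:
    alert: Alert
    action: str   # "blocked", "closed" or "escalated"
    reason: str


# Constructed stand-ins for integrated tools; a real SAO would query these over their APIs.
THREAT_INTEL = {"198.51.100.7": "listed as brute-force source"}   # hypothetical intel feed
ASSETS = {"web1": "standard", "db1": "crown-jewel"}                 # hypothetical asset inventory
SCANNER_ALLOWLIST = frozenset({"10.0.9.9"})                          # authorised scanner
SUSPICIOUS_FAILURES = 20                                             # assumed threshold


def validate(alert):
    """Step 1: enrich the trigger event and return (verdict, reason)."""
    if alert.src in SCANNER_ALLOWLIST:
        return "benign", "source is an allowlisted scanner"
    if alert.src in THREAT_INTEL:
        return "malicious", THREAT_INTEL[alert.src]
    if alert.failures >= SUSPICIOUS_FAILURES:
        return "suspicious", "high failure count, no intel match"
    return "benign", "low volume, no intel match"


def respond(alert, verdict, reason, blocklist):
    """Step 2: act where the rule is unambiguous; everything else is an exception for a person."""
    criticality = ASSETS.get(alert.target_host, "unknown")
    if verdict == "benign":
        return Decision(alert, "closed", reason)
    if verdict == "malicious" and criticality == "standard":
        blocklist.add(alert.src)   # the "do something" step: push a block to the firewall
        return Decision(alert, "blocked", reason)
    # Merely suspicious, or touching a critical or unknown asset: never auto-block, escalate.
    return Decision(alert, "escalated", f"{reason}; asset criticality={criticality}")


def run_playbook(alerts, blocklist):
    """Run every trigger through validate -> respond; returns the decisions in input order."""
    return [respond(a, *validate(a), blocklist) for a in alerts]


def analyst_queue(decisions):
    """Only the exceptions reach a human analyst."""
    return [d for d in decisions if d.action == "escalated"]


# Constructed triggers, one per scenario the playbook has to handle.
CONSTRUCTED_ALERTS = [
    Alert("198.51.100.7", "web1", 6),    # known-bad source, ordinary host -> auto-block
    Alert("198.51.100.7", "db1", 3),     # known-bad source, crown-jewel host -> human decides
    Alert("10.0.9.9", "web1", 5),        # authorised scanner -> auto-close
    Alert("203.0.113.5", "web1", 40),    # no intel, but loud -> human decides
    Alert("10.0.5.44", "web1", 5),       # no intel, quiet -> auto-close
]

if __name__ == "__main__":
    firewall_blocklist = set()
    for d in run_playbook(CONSTRUCTED_ALERTS, firewall_blocklist):
        print(f"{d.alert.src:>14} -> {d.target_host if False else d.alert.target_host:<5} {d.action:<9} {d.reason}")
    print("blocked:", sorted(firewall_blocklist))
    print("exceptions for an analyst:", len(analyst_queue(run_playbook(CONSTRUCTED_ALERTS, set()))))
```

Of five triggers, three are closed or blocked without anyone touching a command line, and two land in the analyst queue: the one against a crown-jewel asset and the one with no intelligence to confirm it. The asset-criticality gate is the caveat a practitioner should keep: automated blocking is only as safe as the inventory and intel feeds it trusts, so the playbook refuses to act on its own where a wrong answer would be expensive.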

Should SAOs supplant—or supplement—SIEM suites?

SAOs consolidate data sources, make use of threat intelligence, and automate common responses so that incident response is faster and more effective. But while they are appealing in short-staffed environments, 451's Kennedy doesn't believe SAOs will supplant SIEMs in the enterprise.

"While some marketing might pivot off traditional SIEM weaknesses, the reality is that security tools evolve rather than displace each other most times," he said.

"It's possible what is or remains SIEM today will increasingly be called something else, but the activities around filtering meaningful security information out of the panoply of logs generated by enterprise systems remains a key security capability," he said.

"Dealing with that security information is where SAO finds its fit," he added.
