Why enterprises have a love-hate relationship with SIEM

Companies have conflicted (love-hate) feelings about their security information and event management (SIEM) systems, according to survey findings recently released by 451 Research.

SIEM systems are designed to be a central collection place for security events. They ingest logs from all the systems producing them, identify and correlate information, and then use threat intelligence against that data set to identify problems.

As good as that sounds, 451 Research found that less than a quarter of the security pros it surveyed (21.6 percent) believe they are getting full value from their SIEM systems. In addition, only 31.9 percent of respondents said they're getting more than 80 percent of the value they expected from their system when they installed it.

"This disconnect between expected and actual value of a SIEM is largely predicated on the difficulty of getting the SIEM to the point where it is generating value in the form of actionable security and other system environments intelligence," said Daniel Kennedy, information security and networking research director at 451 Research's InfoPro.


SIEM logjam

Much of the log data that SIEM systems need to do their job isn't being fed into them, researchers discovered. Only 21.6 percent of organizations said they pass more than 81 percent of their log data through their SIEM system. More than a third (38 percent) pass less than 30 percent of their data through their system.

Setup complexity can also contribute to SIEM dissatisfaction.

"Log ingestion from different systems, correlating that information, and setting up alert rules can be somewhat Herculean tasks," said Kennedy at a recent webinar.

What's more, because of the difficulty in setting up alerts, some SIEM makers overcompensate, whereby their systems create too many alerts and more noise than an operator can handle. Eliminating that white noise from the system requires skilled staff, and not only consumes time but adds cost to a solution that's not cheap to begin with.
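As an added illustration (not from the article or from 451 Research) of the ingest-correlate-enrich loop described above, and of why alert rules need tuning: the snippet below normalizes two constructed log formats into one schema, counts failed logins and firewall denies per source address inside a sliding window, enriches hits with a constructed threat-intel list, and emits one alert per source rather than one per event. The log lines, addresses, window and threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the article): two log sources and a
# tiny threat-intel list. Addresses come from documentation ranges.
AUTH_LOG = [
    "2018-09-03T10:00:01 host1 sshd[2201]: Failed password for root from 203.0.113.9 port 51122",
    "2018-09-03T10:00:07 host1 sshd[2203]: Failed password for admin from 203.0.113.9 port 51130",
    "2018-09-03T10:01:15 host1 sshd[2209]: Failed password for root from 203.0.113.9 port 51144",
    "2018-09-03T10:02:40 host1 sshd[2211]: Failed password for bob from 198.51.100.4 port 40002",
]
FW_LOG = [
    "2018-09-03T10:00:00,DENY,203.0.113.9,10.0.0.5,22",
    "2018-09-03T10:03:00,ALLOW,198.51.100.4,10.0.0.5,443",
    "2018-09-03T10:03:05,DENY,203.0.113.77,10.0.0.8,3389",
]
THREAT_INTEL = {"203.0.113.9"}  # constructed indicator set

AUTH_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for (\S+) from (\S+) port")

def normalize(auth_lines, fw_lines):
    """Ingest two formats into one event schema: (time, source, src_ip, action)."""
    events = []
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), "auth", m.group(3), "login_fail"))
    for line in fw_lines:
        ts, action, src, _dst, _port = line.split(",")
        events.append((datetime.fromisoformat(ts), "fw", src, action.lower()))
    return sorted(events)

def correlate(events, intel, threshold=3, window=timedelta(minutes=5)):
    """One alert per offending source (not per event) keeps operator noise down."""
    by_src = defaultdict(list)
    for ts, _source, src, action in events:
        if action in ("login_fail", "deny"):
            by_src[src].append(ts)  # events arrive sorted, so times stay ordered
    alerts = []
    for src, times in by_src.items():
        # Sliding window: largest number of hits from this source within `window`.
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"src": src, "hits": best, "severity": "high" if src in intel else "medium"})
    return alerts
```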

Return on investment

The technology's complexity also means it can take time before an installation starts showing a return. Many SIEM implementations are measured in months, if not years.

Despite being dissatisfied with the value being returned from their SIEM systems, most respondents indicated a reluctance to switch vendors. More than half of the survey participants (58.5 percent) said they have no plans to switch vendors in the next 12 months. "To be frank, a certain amount of pain has to be generated for people to do that because once you have a SIEM successfully running, it's usually representative of a lot of work," Kennedy said.

"By the time that effort's complete, you would really need to see significant problems with your installed SIEM before you elected to change it," he added.

Among the top reasons respondents cited for dumping a SIEM vendor were cost (18.4 percent) and lack of features and functionality (13.8 percent).

No turning back

Whatever warts SIEM may have, they don't seem to be slowing deployments, which researchers expect to grow by 21 percent in the next 12 months.

The 451 Research study was conducted during the second and third quarters of this year. It included more than 950 completed surveys and a subset of phone interviews with information security professionals at mostly large global enterprises across a variety of industries. Some 73.4 percent of the respondents were from North America and 20.6 percent from Europe.

The study also identified a number of inhibitors to SIEM growth. The top two inhibitors to SIEM adoption cited were lack of expert manpower (44.4 percent) and inadequate staffing (27.8 percent). Those inhibitors were followed by setup, overall complexity, budget, and company culture.

Help wanted

Manpower deficiencies can have an acute impact on SIEM operations because it takes more than one person to run one. More than half of the organizations surveyed (56.9 percent) recognize that and assign multiple people to their SIEM setups. However, 14 percent use a single employee.

Others said they rely on a third party to manage their SIEM (14.3 percent) or don't manage it at all (11.8 percent). Of those not managing their SIEM system at all, Kennedy said, "They either didn't get full value out of it or they sort of implemented it as a compliance check mark and now they've moved on to the next thing."

"There's a shortage of qualified security people in the United States," Kennedy added. "I think the shortage is near or at drought proportions."

That drought was evident in the survey findings. Of the companies surveyed, nearly three-quarters (72 percent) have from zero to five employees dedicated to the information security function. What's more, more than half do not have a clearly defined security leader in the company. In addition, only a little over half are conducting security awareness training to reduce risky behavior by employees.

If organizations can find the security people they need, it appears the money is there to hire them. Surveyors found that security spending was strong in the second quarter and is even stronger in the third. Nearly half of the survey respondents (44.5 percent) said they're increasing security spending, and nearly 1 in 10 (9.7 percent) significantly so. That compares with 37 percent who said they boosted spending in the second quarter. In both the second and third quarters, only 4 percent of the security pros said they were cutting security spending.

Security spend

Surprisingly, the steady beat of data breach stories grabbing headlines doesn't appear to have a big impact on security budgets. About two-thirds of respondents (67 percent) said news about data breaches had no effect on their budgets.

As a percentage of the total IT spend for companies, though, security spending is relatively low—only 5 to 10 percent for most companies and below 5 percent for nearly a quarter of the respondents (22 percent).

For more than half of organizations in the study (56.9 percent), information security spending is buried in the total IT budget. That can make it difficult for security managers to accurately track their tool investments and work up cost-benefit analyses.

Spending on outside vendors for security services varies widely. A majority of companies surveyed spend less than 30 percent of their security budget on third-party services. But more than 1 in 10 (13.1 percent) spend from 40 to 60 percent of their budgets on outside services and 5.5 percent outsource practically their entire security operation, spending more than 81 percent on third-party vendors.

Surveyors also asked the security pros how their projects were approved for spending. Risk is the top consideration, but compliance is close behind. For a long time now, compliance has been a big driver behind security decisions, even though it's widely believed that good compliance doesn't translate into good security.

In phone interviews, the security pros said they're trying to get away from using compliance as the reason for doing good security. If security is done well, compliance should follow, they said. That's a reversal of past attitudes. It makes compliance an output of good security rather than an input that's supposed to produce good security.

"Despite that noble goal," Kennedy said, "compliance is at the top of security concerns over the past quarter, just below bad actors."

Top future concerns cited by the respondents are hackers with malicious intent and preventing insider espionage and cyber warfare, followed by industry-specific compliance and internal audit. "There is some effect on the top on the part of security managers to kind of get back into the meat and potatoes of security looking forward rather than let compliance drive the program," Kennedy said.

The changing landscape

Although compliance continues to play a heavy role in early SIEM adoption, SIEM is reaching beyond compliance today. "SIEM has somewhat transcended its compliance roots," Kennedy said, noting that "91.9 percent of respondents with a SIEM in place today say they would have it in place if no compliance requirement existed mandating its presence in the environment."

The reason for that, as one respondent told the surveyors, is visibility. There are very few ways to understand what's going on in a network environment without pulling in log data and correlating it with flow and packet data. "If you're not doing that, you're not doing what you should be doing from the security perspective," Kennedy said.

As powerful as SIEM systems are in securing the enterprise, most respondents agreed that the technology needs help in thwarting threats. Only 28.3 percent of survey participants believe their SIEM systems can meet the general log management needs of their organizations. Some 71.7 percent of respondents said the log management capabilities of their systems need to be supplemented with other tools. In healthcare, those tools often sit in front of the SIEM and act as translators, turning the log information from the medical systems into something the system can understand.

Survey respondents found SIEM falling short when it comes to monitoring information in the cloud. "Virtualization and the cloud are creating new issues and exacerbating old ones for SIEM-based monitoring," Kennedy said. Nevertheless, 6 of 10 respondents (62.5 percent) noted they use SIEM in some fashion with virtualized and cloud environments.

However, 21 percent acknowledged they just don't monitor their applications in the cloud the way they do locally. That indicates "a capability gap—a somewhat serious one—going forward and a possible security inhibitor to fully moving into those cloud or virtualized architectures," Kennedy said.

Who's who in SIEM

As part of its research, 451 Research classified leading SIEM vendors in so-called Vendor Windows, a quadrant model based on user ratings of promise and fulfillment.

Vendor promise is a measure of existing customers' perception of a vendor's promises prior to purchase across multiple attributes. High promise scores usually mean a vendor is forward looking and strategic in nature.

Vendor fulfillment is a measure of existing customers' perception of execution effectiveness across multiple attributes. High fulfillment scores usually mean a vendor excels in delivery of services, such as performance and reporting.

In the future, a critical factor for SIEM products will be their ability to integrate with other security solutions because users of the technology see it as becoming the hub of their network defenses. Nearly 69 percent of respondents said they view SIEM as a single pane of glass through which they will be able to see their other security solutions.

Those expectations of SIEM are important for developers of other security solutions, too. That's because more than half of the survey respondents (59.8 percent) said a log-producing security tool's integration with a SIEM system could be a factor in picking one tool over another. More than a quarter of the survey respondents (27.2 percent) said it was a major point of differentiation for them.

The only SIEM provider showing high promise and high fulfillment in 451 Research's quadrants was Splunk. Intel Security straddled the line between high promise, high fulfillment and high promise, low fulfillment. HP and IBM sat on the line between low promise, low fulfillment and high promise, low fulfillment. SolarWinds rested in the high promise, low fulfillment quadrant. Four other vendors hugged the line between low promise, high fulfillment and low promise, low fulfillment: Symantec, LogRhythm, EMC (RSA), and AlienVault.

"The market, although mature, is not yet clearly dominated by any single player," Kennedy said.
