Last Updated: 18th October, 2020
SOC and SIEMs Mythical Treachery: for those of you who have not yet got around to reading Dante’s “Divine Comedy,” it is a long narrative poem, originally written in Dante’s native Italian, that took him about 12 years to complete. The poem comprises over 14,000 lines of text describing a journey of seven days, so if you squint hard enough there is obviously a log file comparison to be had here. The Nine Circles of Hell are described in its first part, the Inferno.
Treachery is the ninth and deepest circle, where Dante finds traitors trapped in a frozen lake (frozen data? Bingo!). What we really need to call out is the treachery, or rather the lies, that we believe cause all sorts of problems for SOC analysts. Literary cautionary tale concluded. Let’s start over then…
Goodness gracious, SOC analysts, the SIEM industry has fooled you and your organization for years, which is why…
Myth #1: More Data Equals Better Security
SIEMs have been around for more than 15 years and are considered key to many security strategies around the world. The common trend is to add ever-increasing log volumes in the pursuit of missing nothing, yet despite this trend threats are still being missed and attackers are still getting through. Meanwhile, your organization sees rapidly increasing costs, which benefits only your SIEM vendor. But that’s the secondary problem.
Myth #2: SIEMs Are Good At Detecting
The real problem is that many people nevertheless think SIEMs are good at threat detection. In reality, without you, the trusty SOC analyst, the “S” in SIEM is a fallacy.
Threats have been evolving more rapidly than anyone can comfortably keep up with. Attackers are highly motivated: they’re automating faster than you can say “phishing triage” and reaping the profits from their efforts. And as the attack surface continues to grow and evolve, it’s inevitable that attack vectors will keep getting harder to detect and the volume of attacks will keep growing exponentially. Security isn’t getting any easier, but there are ways to break the status quo.
In the arms race of attackers versus defenders, security vendor countermeasures have made enormous advances by adopting analytics, automation and machine learning. Yet the detection capabilities of the SIEM itself haven’t really changed in years. SIEMs have become bloated dumping grounds where valuable security data goes to die.
Myth #3: SIEMs Allow You To Identify The Whole Picture
SIEMs to this day are still completely dependent on you, the skilled SOC analyst, building rules and running queries to keep up the fight. Most organizations can maintain somewhere between 20 and 200 rules, and yet we know there are several thousand different threat indicators in your data. The events those rules never match (false negatives) represent significant blind spots in your security posture, yet, incredibly, people still seem to think false positives are the graver concern. This should be obvious, but nobody wants to admit it or talk about it.
The only way to make sense of this is to recognize that many SOCs have been distracted by metrics and operational efficiency because of the shortcomings of SIEMs. Many organizations get so focused on rules and the effort involved in maintaining them that they all but forget about the wider threat spectrum.
Myth #4: Correlation Rules Are Awesome!
The rules approach provides 10% coverage of the threat spectrum at best. OK, I made that stat up, but I don’t think I’m far off. Either way, SIEMs are still dependent on you building and managing those rules. And I would bet my hat that the thought of removing rules that have never triggered fills you with horror, because what if you then missed something that rule would have detected? And here’s a key point: simply adding more data doesn’t reveal any additional threats without the necessary rules; it just costs more money.
What other critical security solution would you be happy with at that performance level? The SOC of the future needs to recognize the importance of moving away from the dependency on rules by adopting tools that truly help you do your job. By adding intelligence to your SIEM, you can get over 90% coverage of the threat spectrum with the right log sources, and at the same time minimal false positives, automated event timelines and alerts prioritized by severity. This is the step change you need to make the most of your valuable time and expertise.
Myth #5: SIEMs Remove The SOC’s Manual, Repetitive Work
You need to be free of those mundane, repetitive tasks (think: writing rules, the constant merry-go-round of query and pivot) to work your magic. Ask yourself: does your current role make you feel more like a SIEM expert (read: DBA) or a security expert?
For too long your time has been spent squeezing the proverbial blood out of a stone, instead of focusing your knowledge and precious time on investigating and responding. It is both empowering and less monotonous to break out of that bubble and focus on the original mandate of protecting the organization.
So, for your organization, what business benefit does a SIEM provide?
Reality #1: SIEMs Allow You To Store Your Logs
This isn’t the end for SIEMs. Far from it: they’ve just pivoted. Those 15 years of maturity have made SIEMs excellent at collecting logs in many formats from multiple sources, normalizing them and storing them.
Reality #2: SIEMs (and Log Management Tools) Can Be Great For Other Teams In Your Organization
SIEMs do have highly developed search, reporting and visualization capabilities, but then so do many more generic log management tools. These deliver significant business value to a multitude of business operations such as DevOps, ITOps, network management, order processing, e-commerce, performance monitoring, manufacturing, call centers, customer communities and even social media. The key difference from threat detection is that these business outcomes are clearly defined and are much better suited to the capabilities of a SIEM.
Reality #3: Correlation Rules Can Be Useful For Some Tasks (but There’s A But – Actually Two Buts)
Correlation rules have limitations. For the most part, when you’re creating them you’re looking back at what you already know, or making your best guess at the future.
Pretty much every organization on the planet must adhere to some form of compliance. But as you and I well know, compliance does not equal security. Correlation rules do have a place here. For example, if for compliance purposes you need to demonstrate that all your endpoints have an active anti-virus product running on them, then you will have a rule that says “Alert if antivirus software is disabled on any network-connected computer.”
But think about what happens when you receive this alert. What do you do next? Manually trawl through logs to find out why the antivirus was disabled? Log a ticket with IT to have the antivirus reinstalled, or to wipe the machine? Was it due to a malware infection? Or was the antivirus software broken (again)? Your rule alone doesn’t tell you what happened, why it’s happening, or give you any clue as to what to do about it. Context matters.
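As an added illustration (example code written for this page, not code from the original article or from any vendor product), here is the bare compliance rule from above beside a version that builds the per-host timeline the rule alone lacks and uses it to infer a likely cause and a severity. The event schema, host names, event types, the precursor-to-cause mapping and the sample events are all constructed assumptions for the example:

```python
from datetime import datetime, timedelta

# Constructed, normalised events in a hypothetical SIEM schema (not any
# vendor's real log format). Each record: ts, host, event_type, detail.
EVENTS = [
    {"ts": "2020-10-18T10:00:00", "host": "WS-01", "event_type": "malware_detected",
     "detail": "Trojan:Generic in C:\\Users\\a\\dl\\invoice.exe"},
    {"ts": "2020-10-18T10:01:10", "host": "WS-01", "event_type": "quarantine_failed",
     "detail": "access denied"},
    {"ts": "2020-10-18T10:03:00", "host": "WS-01", "event_type": "av_disabled",
     "detail": "real-time protection off"},
    {"ts": "2020-10-18T09:30:00", "host": "WS-02", "event_type": "change_ticket_approved",
     "detail": "CHG-0421 replace AV agent"},
    {"ts": "2020-10-18T09:35:00", "host": "WS-02", "event_type": "av_disabled",
     "detail": "agent uninstalled by admin"},
    {"ts": "2020-10-18T11:00:00", "host": "WS-03", "event_type": "av_service_crash",
     "detail": "exit code 0xC0000005"},
    {"ts": "2020-10-18T11:00:30", "host": "WS-03", "event_type": "av_disabled",
     "detail": "service stopped"},
    {"ts": "2020-10-18T12:00:00", "host": "WS-04", "event_type": "av_disabled",
     "detail": "real-time protection off"},
]


def parse(events):
    """Convert ISO timestamps to datetime and order events chronologically."""
    return sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                  key=lambda e: e["ts"])


def bare_rule(events):
    """The compliance rule from the text: fire on every AV-disabled event, nothing more."""
    return [e for e in events if e["event_type"] == "av_disabled"]


# Hypothetical precursor -> cause mapping, ordered most to least severe;
# the first precursor found in the window decides the verdict.
PRECURSORS = [
    ("malware_detected", "possible tampering after infection", "high"),
    ("quarantine_failed", "possible tampering after infection", "high"),
    ("av_service_crash", "software fault", "medium"),
    ("change_ticket_approved", "authorised change", "low"),
]
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def contextualise(alert, events, window=timedelta(minutes=30)):
    """Attach the same-host events preceding the alert and infer cause and severity."""
    timeline = [e for e in events
                if e["host"] == alert["host"] and alert["ts"] - window <= e["ts"] <= alert["ts"]]
    seen = {e["event_type"] for e in timeline}
    cause, severity = "unknown", "medium"  # unexplained loss of AV still needs a look
    for etype, label, sev in PRECURSORS:
        if etype in seen:
            cause, severity = label, sev
            break
    return {"host": alert["host"], "ts": alert["ts"], "cause": cause, "severity": severity,
            "timeline": [(e["ts"].strftime("%H:%M:%S"), e["event_type"], e["detail"])
                         for e in timeline]}


def triage(raw_events=EVENTS):
    """Run the bare rule, enrich each hit with context, and prioritise by severity then time."""
    events = parse(raw_events)
    enriched = [contextualise(a, events) for a in bare_rule(events)]
    return sorted(enriched, key=lambda a: (SEVERITY_RANK[a["severity"]], a["ts"]))


if __name__ == "__main__":
    for a in triage():
        print(f'{a["severity"]:6} {a["host"]} {a["cause"]}')
        for ts, etype, detail in a["timeline"]:
            print(f"    {ts} {etype}: {detail}")
```

Running it shows the point of the passage: the bare rule produces four identical-looking alerts, while the enriched output puts the host where a detection and a failed quarantine preceded the AV loss at the top, the crashed agent and the unexplained case in the middle, and the approved change at the bottom with its ticket reference in the timeline. The 30-minute window and the precursor list are illustrative choices; in practice the precursors would come from whatever sources your SIEM actually ingests.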
Reality #4: There Is A Way Out Of This Inferno!
Analyst friends, you deserve better than this. On behalf of the industry, we’re sorry that the (S)IEM market has let you down. There are organizations that can help you add intelligence to your SIEM and escape this manual, repetitive, mundane hell (Inferno).
So there, we’ve said it. SIEMs can provide significant business value as log management, business operations and analysis tools, but not for their primary purpose of detecting threats. Ultimately, they don’t really help you do your job.