Hitachi

U.S.A.

Hitachi Group Global Network

Americas

Asia

Europe

Middle East and Africa

Oceania

Close

How to Address SIEM Limitations
You are here: Home \ Managed Security Services \ How to Address SIEM Limitations
solutions SIEM Limitations
Posted on Tuesday, May 1st, 2018 by

As enterprises strive to improve their protection mechanisms against cybersecurity threats, Security Information and Event Management (SIEM) solutions can provide benefits to accomplish their security objectives through log analysis, log aggregation and log correlation.

Related post: How Effective is your SIEM Solution?

 

Unfortunately, many organizations believe that their SIEM solutions are working effectively without realizing their potential limitations.

In the previous article, we explained why having a SIEM doesn’t automatically mean that your organization is secure. Several SIEM limitations were discussed in detail.

However, there are several possible solutions that can help organizations address their SIEM limitations.

 

Solutions to SIEM Limitations

  1. Ensuring that logging devices are correctly configurated
  2. Preventing pesky false positives
  3. Reducing noise, and
  4. Coping with the processing of non-security-related data

 

According to the Netwrix SIEM Efficiency Survey (2016), “86% of enterprises who integrated their SIEM with IT auditing solution claimed that it assisted them to overcome SIEM drawbacks. Besides, 55% of them preferred to cope with SIEM drawbacks by hiring additional staff, while 41% respondents opted for strengthening their SIEM with additional solutions in order to overcome the limitations”.

Extracted from the survey, the chart below demonstrates how SIEM users are typically dealing with SIEM limitations.

 

SIEM Limitations

 

On the bright side, SIEM limitations are not insurmountable. Applying additional security controls with a SIEM can help your organization mitigate threats and vulnerabilities by leaps and bounds.

Continuous 24/7 SIEM maintenance is also indispensable to ensure that all components are working effectively.

 

  1. Ensure Logging Devices Are Correctly Configurated

Misconfiguration occurs when a secure configuration is changed either accidentally or by oversight.

Once misconfiguration takes place, the malicious actors can find porous holes to penetrate your “secure” network. Sometimes, the “bad guys” misconfigure systems deliberately to introduce vulnerabilities or to keep suspicious activities undetected.

A security configuration management system such as Tripwire’s should be considered to monitor critical systems and report misconfiguration events. Tripwire is an open-source security software and data integrity tool used to monitor and alert Network Administrators when a specific change on a file or a system occurs. Several other useful tools include PowerShell DSC, Docker, SaltStack, Chef, Puppet, and CFEngine.

 

  1. Prevent Pesky False Positives

As per the Cisco Security Capability Benchmark Study (2017), “only 28 percent of investigated security alerts turn out to be legitimate”.

Some Managed Security Service Providers (MSSPs) are still using a traditional approach and hire a larger team of experts to review every alert. However, this approach doesn’t work well as there can be thousands of alerts per day, and managing them one by one can turn out to be an unachievable undertaking.

MSSPs and SIEM vendors need to adopt a more sophisticated approach to manage their SIEM to thwart or eliminate a plethora of false positives.

 

Best Practices

  • Alert Definition. The security professional must define an accurate notification or alert as anything that requires immediate action—and that is it. Anything else that raises alerts will be handled as a false positive.
  • Configuration Management Database. Your SIEM must look at the configuration settings to ensure that suspicious activity is legitimate. For example, your SIEM may raise an alert and notify you that it has detected an SQL injection attack. At the same time, you realize that your server in question doesn’t have an SQL database installed. This contradiction indicates that the alert was not legitimate but simply a false positive. To prevent similar situations, your SIEM must have a configuration management database to determine if the attack is legitimate and help you get rid of pesky and illegitimate false positives.
  • Finetuning Default Configurations. The out-of-box SIEM solution can have too many default correlation rules that may not fit your organization’s specific security requirements, are irrelevant and thereby generate false positives. For instance, your SIEM solution may identify a legitimate remote vulnerability scanner belonging to your organization as a cybersecurity attacker and raise an unwanted alert.

Sometimes, even a single rule can trigger hundreds of false positives. Therefore, your Security Analysts must review and disable irrelevant rules that may increase your SIEM vulnerabilities.

It is also imperative to fine-tune configurations either by SIEM consultants or in-house.

  • Threat Feeds and Geolocation Data. Your SIEM system should also incorporate a threat feed and geolocation data to be effective. To get higher accuracy, numerous SIEM solutions allow enterprises to blend their data into their systems. A threat feed, in fact, can be utilized to enhance the accuracy of events via cross-correlation.

For instance, a threat feed can rank the range of IP addresses as “high-severity”  threats if they belong to the known hacker cell. Your SIEM can also use geolocation data to either increase or decrease a criticality based on the destination of your network traffic. By using geolocation data, your SIEM will be able to automatically know the difference between foreign network traffic, remote network traffic, and inter-office network traffic.

Be careful using low-quality threat feeds as they can accelerate false positives exponentially.

 

  1. Reduce Noise

The Netwrix SIEM Efficiency Survey (2016) has revealed that “83% of SIEM reports involve too much noise data. However, most enterprises who successfully integrated their SIEM with IT auditing solutions became more satisfied with the reporting capabilities because reports contained less noise.”

In the research paper “Successful SIEM and Log Management Strategies for Audit and Compliance”, the SANS Institute recommends that especially during audits, “providing an unambiguous definition of what constitutes threats can rapidly reduce much of the noise of common logs”.

The more accurate security events are, the more noise will be reduced. Since noise is directly correlated with false positives, reducing false positives will help reduce noise significantly.

 

Log Types and Relevance

Most SIEMs collect all log data without considering that innumerable logs can be useless or irrelevant. To understand the relevance of logs, you need to be aware of the different log categories and then determine which log type is relevant to the organization’s security posture.

Most important log categories:

  • Alert: An alert can be anything that indicates that something critical is happening. In general, alerts are triggered by the systems and security-related devices, but it’s not a hard and fast rule. In this way, not every security alert is useful for you because low-level security alerts are negligible and can be discarded to avoid pesky noise.
  • Error: Error log messages are utilized to relay errors that take place at numerous levels in a computer. For instance, your operating system might generate the error log when it cannot synchronize buffers to the disk. Should this type of log be related to your SIEM requirements?
  • Warning: A warning is a type of notification that alerts you about potential future problems that should be fixed but could be overlooked without causing any threats. Therefore, your SIEM solution should not consider these types of unwanted warnings as they might lead to unnecessary noise.

Irrelevant logs can certainly contribute to making a pesky noise in a usually silent working environment. Under such circumstances, your SIEM should collect only the logs that are relevant or may help in detecting the aggressive attacks.

This requires your SIEM to have strong “Log Management” capabilities. An MSSP could provide this log monitoring capability as well.

 

SIEM vs. MSSP checklist

 

  1. Process Non-Security-Related Data

Processing data which is not related to security could seriously affect your SIEM performance.

Various SIEM solutions often receive a broad spectrum of noise such as performance data, compliance data and IP packet traffic, all of which creates unnecessary burdens and becomes resource-exhausting activities on your systems.

To overcome this issue, log categorization and standardization could play a vital role. If your SIEM is only processing security-related data, then you will notice a significant change in the Events Per Second (EPS) ratio.

It’s imperative for the SIEM to be configured in a way that only processes security-related data, rather than wasting resources for non-security-related data.

 

 

Conclusion

Many organizations still have misperceptions about SIEM solutions and assume that SIEMs are protecting their IT environments effectively. Unfortunately, this is not always true. SIEM solutions do have some limitations that must be addressed to help secure organizations.

However, SIEM security experts have also discovered various solutions for SIEM limitations in order to make it more effective.

These solutions involve the 24/7 maintenance of your SIEM and the deployment of some additional controls that would help your SIEM to be more reliable when dealing with cybersecurity threats. Organizations with proper maintenance and additional controls in place will certainly defend cyber-attacks in a more effective and timely manner.

SIEM vs. MSSP Checklist

Nicandro Scarabeo
About author:
In his position as Senior Product Manager at Hitachi Systems Security, Nicandro Scarabeo has initiated and consolidated collaborations with universities from Italy, France and Canada. Having joined Above Security in 2010, he currently leads the company’s research unit with the goal of applying methods to correlate primary sensor security data, extracting knowledge from high volumes of security-related-data, introducing new sources of information for security analysis purposes and identifying methods to evaluate the performance of the system. Nicandro Scarabeo completed his Ph.D. at the University of Cassino and Southern Lazio, Italy, in the Department of Electrical and Information Engineering in March 2016. He obtained his Master’s degree from the Mobile Communication Engineering Department at Aalborg University, Denmark.

Stay up to date! Subscribe to our Blog

Topics

Recent Videos

What is Penetration Testing?

What is a Vulnerability Assessment?

What is a Control Assessment?

More