What value does your security information and event management (SIEM) platform really bring to your organisation? So many platforms are still merely alert aggregators that simplify reporting, with cost models driven by event volumes. As IT estates proliferate, specialist SaaS products become commonplace, “shadow IT” continues to grow and API microservice economies drive “chattier” network services and webs of systems, this continually drives cost (or leads to services going unmonitored) without offering any additional value or risk mitigation to the organisation. The panacea of the “single pane of glass” spares analysts from jumping between multiple consoles and makes reporting of management information easier, but at what price is this convenience bought?
Event volumes are growing rapidly, the loss of IT systems causes ever greater disruption to the overarching business, and the time between compromise and breach/disclosure is shortening, requiring responses that go beyond human intervention times to de-risk organisations. If your SIEM is not providing automation to accelerate investigations in a landscape of ever-increasing threat volumes, then your analysts will fall further behind and risk burning out in the process. If your SIEM cannot execute remediation directly (through your response playbooks—you have those, right?) then the security team will still need to jump onto appliances to apply the fix or change the policy. And if they have to do that, they may as well have gone onto the appliance to check the alert and do the investigation. This is the problem statement that the Security Orchestration, Automation and Response (SOAR) market is majoring on, and while it is not a magic bullet, it is certainly worth careful consideration. You could also leverage broader operational tooling for your endpoints, hosts and networks to achieve many of the same things without needing a specialist capability.
Your tooling choices should start by considering the impact they have on these three measures, in order of priority:
1. Speed of response – how rapidly does it allow you to respond to an emerging issue?
2. Scale of response – how does it allow you to apply intervention or mitigation across a broader sweep of the portfolio?
3. Impact of response – how does it allow for greater mitigation of threat or protection of your platform?
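To make the automation argument above and the three measures concrete, here is an added example (not code from the original article or any SOAR product) of a minimal playbook runner: it correlates normalised SIEM alerts into per-host cases, applies a simple decision rule, hands automated actions to an executor hook, and reports speed, scale and impact for the run. The alert records, rule names, host names and IP addresses are constructed, and `dry_run_executor` is a hypothetical stand-in for a real EDR or firewall API call.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of normalised SIEM alerts; none of this is real telemetry.
SAMPLE_ALERTS = [
    {"ts": "2024-01-10T09:00:05", "host": "ws-017", "src_ip": "198.51.100.7",
     "rule": "auth.failed_login_burst", "severity": 3},
    {"ts": "2024-01-10T09:02:40", "host": "ws-017", "src_ip": "198.51.100.7",
     "rule": "auth.success_after_failures", "severity": 4},
    {"ts": "2024-01-10T09:03:10", "host": "ws-017", "src_ip": "198.51.100.7",
     "rule": "edr.credential_dump_attempt", "severity": 5},
    {"ts": "2024-01-10T09:05:00", "host": "ws-021", "src_ip": "198.51.100.7",
     "rule": "auth.failed_login_burst", "severity": 3},
    {"ts": "2024-01-10T09:06:30", "host": "srv-db-02", "src_ip": "10.0.4.15",
     "rule": "av.signature_match", "severity": 2},
]

# Actions the playbook executes without waiting for a human.
AUTOMATED = {"isolate_host", "block_source_ip"}


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    src_ip: str
    rule: str
    severity: int


def parse_alerts(raw):
    """Turn raw SIEM records into typed Alert objects."""
    return [Alert(datetime.fromisoformat(r["ts"]), r["host"], r["src_ip"],
                  r["rule"], int(r["severity"])) for r in raw]


def correlate(alerts, window=timedelta(minutes=10)):
    """Build one case per host from alerts within `window` of that host's first alert."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host[a.host].append(a)
    return {host: [a for a in group if a.ts - group[0].ts <= window]
            for host, group in by_host.items()}


def decide(case):
    """Playbook rule: escalate on a critical detection or on several distinct detections."""
    rules = {a.rule for a in case}
    if max(a.severity for a in case) >= 5 or len(rules) >= 3:
        return "isolate_host", case[0].host
    if "auth.failed_login_burst" in rules:
        return "block_source_ip", case[0].src_ip
    return "open_ticket", case[0].host


def dry_run_executor(action, target):
    """Hypothetical executor hook; a real one would call the EDR or firewall API."""
    return True


def run_playbook(raw, decided_at, executor=dry_run_executor):
    """Run the playbook and report actions plus the speed/scale/impact measures."""
    if isinstance(decided_at, str):
        decided_at = datetime.fromisoformat(decided_at)
    cases = correlate(parse_alerts(raw))
    actions, executed = {}, set()
    for host, case in cases.items():
        action, target = decide(case)
        actions[host] = (action, target)
        # Execute each automated action once, even if several cases request it.
        if action in AUTOMATED and (action, target) not in executed:
            if executor(action, target):
                executed.add((action, target))
    blocked_ips = {t for a, t in executed if a == "block_source_ip"}
    isolated = {t for a, t in executed if a == "isolate_host"}
    # Scale: a single IP block covers every host that saw that source.
    covered = {h for h, c in cases.items()
               if h in isolated or any(a.src_ip in blocked_ips for a in c)}
    auto_cases = [c for h, c in cases.items() if actions[h][0] in AUTOMATED]
    return {
        "actions": actions,
        # Speed: worst-case seconds from a case's first alert to the decision.
        "speed_seconds": max(((decided_at - c[0].ts).total_seconds()
                              for c in auto_cases), default=None),
        "scale_hosts": len(covered),
        # Impact: highest severity mitigated by an automated action.
        "impact_severity": max((a.severity for c in auto_cases for a in c), default=0),
    }


if __name__ == "__main__":
    print(run_playbook(SAMPLE_ALERTS, "2024-01-10T09:07:00"))
```

On the constructed input the runner isolates `ws-017` (a critical detection plus three distinct rules), blocks the shared source address once, which also covers `ws-021`, and leaves the low-severity antivirus hit as a ticket for an analyst; the worst-case speed is the gap between the first alert and the decision, which is the number to drive down if responses are to beat human intervention times.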
If your response capability is not resourced to match the noise being generated by your tools, then think hard about whether the tooling offers a genuine value proposition, or whether by removing it and driving automation through better policies at the appliance level you free enough funds to reinforce your team or to drive automation and remediation where it’s hurting you. Diverting funds from tooling to recruitment, retention and training, to better resource your team or to make better use of your existing capabilities, may well offer more value than adding another weapon to your cyber arsenal. If your team is unable to respond effectively and to drive intervention (or at least effect isolation of a compromised resource) from the information and tooling presented to them, then the best they can hope to achieve is clarifying the level of compromise/loss following an incident and effecting what mitigations they can to reduce the organisation’s attack surface. You have to focus on the effectiveness you are delivering to your operations function.
Else sooner or later, you will watch your estate burn. From a single pane of glass.