Why big data and SIEM don't always equal big answers for security

Enterprises are investing in big data solutions like SIEM to help them better detect cyber attacks - so why do many IT pros feel that SIEM still leaves them short on answers in many areas?

Related topics
Analytics
Data

Related articles

The top 5 enterprise data security priorities for 2016
Big data doesn’t come of age: 5 growing pains facing businesses today
Big security: big data and the end of SIEM
Google launches 'big data' analytics service

Share article

Short of time?

Print this pageEmail article

In a world where high profile breaches are continually on the rise, shouldn't a solution like SIEM be worth its weight in gold?

The need for large enterprises to use and store huge amounts of information has given birth to big data. With the imminent arrival of tighter EU regulations organizations need to know a lot more, if not everything, about what is happening within their networks if they are to stay compliant and avoid large fines for breaches of sensitive data.

Security information and event management (SIEM) systems are helping organisations make a start. But the amount of data they produce is so abundant and confusing that detecting malicious activity can be like looking for a needle in a haystack and it can take days before they have the details they need to pass on to the IT security team. All too often IT Pros with access to SIEM systems are none the wiser about what is really going on in the IT infrastructure.

SIEM deployment is complex and expensive yet the large volumes of collected data leave administrators with much to do before they can extract any meaningful results. Often they are presented with a sea of information and a lack of actionable insight that inevitably leads to missed security incidents. One of the issues with being alerted to all network events is that more than half of them are false alarms. 

The 2016 SIEM Efficiency Survey, conducted by Netwrix in an attempt to understand organisations’ experience with SIEM solutions, revealed that enterprises are not that happy that this big data is failing to provide the answers they hoped for. The top four issues reported by IT Pros using SIEM systems are:

Too much data, too little actionable information

In the survey, 81% of respondents thought that SIEM reports contain too much extraneous information. Records often reveal several or even dozens of entries, much of it completely innocuous, for every change made to a system.

> See also: The critical difference between SIEM and UBA - and why you need both to combat insider threats

Such large volumes of irrelevant data make proper analysis complex and time-consuming. Meanwhile actual threats can lie hidden amidst the noise, delaying an appropriate response. 

Unfriendly to non-techies

Most respondents agreed that SIEM reports are very technical and hard for non-technical executives to understand. The Netwrix survey found that 63% of respondents considered the technical nature of SIEM reports a major pain point. More than a half of the surveyed SIEM users (57%) had to spend time re-writing SIEM reports for their non-technical colleagues.

Lack of context

The broad-scope of structural changes monitored by SIEM systems is good but lacks context. In the survey 68% of respondents in the survey said that reports often just indicate a change without specifying what the change is.

IT Pros still need to put in a lot of work to understand a particular sequence of events and its consequences. Without the ability to frame data in the context of events, users, systems and so on detection and investigation of security incidents is unnecessarily complicated and the number of false positives high.

Unable to provide quick answers for compliance audits

When it came to retrieving requested data for auditing purposes, 65% of respondents had issues. The main contention was that SIEM reports contain redundant data which requires special knowledge to interpret. For the majority of users SIEM systems did not save them time fulfilling compliance audit requests.

Another issue mentioned was the high cost of SIEM ownership although some of this can be resolved by dispensing with some SIEM limitations. For example organisations that switch to a charged-per-traffic SIEM model could benefit from reductions in the amount of data processed.

Some organisations already use third-party solutions to in this way so that only refined SIEM data is analysed.

> See also: The top 5 enterprise security priorities for 2016

In summary, the fact that SIEM systems provides data on absolutely everything is fine, but the ability to extract the most important information for further analysis and speedy decision-making is now what is needed most.

The evolving threat landscape and increasing number attack vectors means organizations are in a race against time to stay ahead of cyber threats - this means greater, more granular visibility of what is happening within enterprise IT infrastructures for ready access to actionable intelligence and truly big answers.

Sourced from Peter Smith, Regional Sales Manager for Europe, Netwrix