Escaping Dante’s SOC Inferno: The Treachery of SIEM Lies
For those of you who haven’t yet got around to reading Dante’s “Divine Comedy”, it is a long narrative poem, originally written in Dante’s native Italian. The full work took Dante around 12 years to write. The poem contains over 14,000 lines of text covering a period of 7 days – so there’s clearly a log file comparison to be had here if you squint hard enough. The Nine Circles of Hell are from the first section, called the “Inferno”.
The ninth circle, Treachery – the deepest circle of hell, is where Dante finds himself trapped in a frozen (data? Aha!) lake containing traitors. Literature lesson over – what we really need to talk about is the treachery, or indeed the lies, that we believe are causing problems for SOC analysts. Are you sitting comfortably? OK good, let’s begin…
Dear SOC analysts, you and your organization have been misled by the SIEM industry for years. Here’s why…
Lie #1: More data equals better security
SIEMs have been around for more than 15 years and are considered key to many security strategies around the world. The common trend is to add ever-increasing log volumes in the pursuit of missing nothing, but despite this trend threats are still being missed and attackers are still getting through. Meanwhile, your organization sees rapidly increasing costs, which benefits only your SIEM vendor. But that’s the secondary problem.
Lie #2: SIEMs are good at detection
The real problem is that many people still think SIEMs are good at threat detection. In reality, without you, the trusty SOC analyst, the “S” in SIEM is a fallacy.
Threats have been evolving faster than anyone can comfortably keep up with. Attackers are highly motivated – they’re automating faster than you can say “phishing triage” and reaping the profits from their efforts. And as the attack surface continues to grow and evolve, it’s inevitable that attack vectors will keep getting harder to detect and that the volume of attacks will keep growing exponentially. Security isn’t getting any easier, but there are ways to break the status quo.
In the arms race of attackers vs defenders, security vendor countermeasures have made huge advances by adopting analytics, automation and machine learning. Yet the detection capabilities of the SIEM itself haven’t really changed in years. They have become bloated dumping grounds where valuable security data goes to die.
Lie #3: SIEMs allow you to see the whole picture
SIEMs to this day are still entirely dependent on you – the skilled SOC analysts building rules and running queries to fight the good fight. Most organizations can maintain somewhere between 20 and 200 rules, and yet we know there are several thousand different threat indicators in your data. These missed events (false negatives) represent significant blind spots in your security posture, yet, incredibly, people still seem to think false positives are the more important concern. This should be really obvious, but nobody wants to admit it or talk about it.
The only way to make sense of this is to recognize that many SOCs have been distracted by metrics and operational efficiency because of the shortcomings of SIEMs. Many organizations get so focused on rules and the effort involved to maintain them that they almost forget about the wider threat spectrum.
Lie #4: Correlation rules are AWESOME
The rules approach provides 10% coverage of the threat spectrum at best. OK, I made that stat up, but I don’t think I’m far off. Either way, SIEMs are still dependent on you building and managing those rules. And I would bet my hat that the thought of removing rules that have never ever triggered fills you with horror – because what if you then missed something that rule would have detected? And here’s a key point: simply adding more data doesn’t reveal any additional threat intelligence without the necessary rules, it just costs more money. What other critical security solution would you be happy with at that performance level? The SOC of the future needs to recognize the importance of moving away from the dependency on rules by adopting tooling that truly helps you do your job. By adding intelligence to your SIEM, you can have over 90% coverage of the threat spectrum with the right log sources and at the same time get minimal false positives, automated event timelines and alerts prioritized by severity. This is the quantum shift you need to make the most of your valuable time and expertise.
Lie #5: SIEMs remove the manual, repetitive work
You need to be free of those mundane repetitive tasks (think: writing rules, the constant merry-go-round of query/pivot) in order to work your magic. Ask yourself the question – does your current role make you feel more like a SIEM expert (read: DBA) or security expert? For too long your time has been spent squeezing proverbial blood out of a stone, instead of focusing your knowledge and precious time investigating and responding. It is both empowering and less monotonous to burst the red team bubble and focus on the original mandate of protecting the organization.
So, what business value does a SIEM provide for your organization?
Truth #1: SIEMs allow you to store your logs
This isn’t the end for SIEMs. Far from it, they’ve just pivoted. Those 15 years of maturity have made SIEMs excellent at collecting logs in many formats from multiple sources, normalizing it and storing it.
Truth #2: SIEMs (and log management tools) can be great for other teams in your organization
SIEMs do have highly developed search, reporting and visualization capabilities, but then so do a lot of more generic log management tools. These deliver significant business value to a multitude of business operations such as DevOps, ITOps, network management, order processing, ecommerce, performance monitoring, manufacturing, call centres, customer communities and even social media. The key difference from detecting threats is that these required business outcomes are easily defined and are much better suited to the capabilities of a SIEM.
Truth #3: Correlation rules can be useful for some tasks (but there’s a but – actually two buts)
Correlation rules have limitations. For the most part, when you’re creating them you’re looking back at what you already know, or you’re using your best guess about the future.
Pretty much every organization on the planet must adhere to some form of compliance. But as you and I well know, compliance does not equal security. Correlation rules do have a place here. For example, if for compliance purposes you need to demonstrate that all your endpoints have an active anti-virus product running, then you will have a rule that says “Alert if antivirus software is disabled on any network-connected computer.” But think about what happens when you receive this alert. What do you currently do next? Manually trawl through logs to find out why the AV was disabled? Log a ticket with IT to have the AV reinstalled, or have them just wipe the endpoint? Was it due to a malware infection? Or was the AV software just broken (again)? Your rule alone doesn’t tell you what’s happened, why it’s happened, or give you any clues as to what to do about it. Context matters.
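To make the difference concrete, here is an added example (not Exabeam’s code, and not part of the original post) that runs the bare “alert if antivirus is disabled” rule over a handful of constructed sample events, then builds the event timeline around each hit and uses that context to prioritize the alerts by severity, as described under Lie #4. The event format, the 30-minute window and the severity heuristic are all assumptions made for illustration; a real pipeline would draw on far richer host, identity and network context.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Two hosts report AV disabled:
# on ws-17 it follows an unsigned executable and is never restored; on
# ws-42 it is a scheduled agent upgrade that restores the service a minute later.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws-17", "type": "logon",       "detail": "user=alice"},
    {"ts": "2024-05-01T09:02:00", "host": "ws-17", "type": "process",     "detail": "setup_tool.exe (unsigned)"},
    {"ts": "2024-05-01T09:03:00", "host": "ws-17", "type": "av_disabled", "detail": "realtime protection off"},
    {"ts": "2024-05-01T09:04:00", "host": "ws-17", "type": "network",     "detail": "outbound 203.0.113.5:443"},
    {"ts": "2024-05-01T11:00:00", "host": "ws-42", "type": "update",      "detail": "av_agent upgrade 5.1 -> 5.2"},
    {"ts": "2024-05-01T11:01:00", "host": "ws-42", "type": "av_disabled", "detail": "service stopped by updater"},
    {"ts": "2024-05-01T11:02:00", "host": "ws-42", "type": "av_enabled",  "detail": "service started"},
]

WINDOW = timedelta(minutes=30)  # assumed look-around window for context
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def rule_alerts(events):
    """The bare correlation rule from the text: fire on every AV-disabled event.
    This is everything the rule tells you: which host, and when."""
    return [ev for ev in events if ev["type"] == "av_disabled"]


def build_timeline(events, alert, window=WINDOW):
    """Collect every event on the alerting host within +/- window of the alert,
    in time order. This is the context the rule alone does not give you."""
    t0 = _ts(alert)
    same_host = [ev for ev in events
                 if ev["host"] == alert["host"] and abs(_ts(ev) - t0) <= window]
    return sorted(same_host, key=_ts)


def triage(events, window=WINDOW):
    """Run the rule, attach a timeline to each hit, and rank hits by an
    illustrative severity derived from what happened before and after."""
    enriched = []
    for alert in rule_alerts(events):
        timeline = build_timeline(events, alert, window)
        t0 = _ts(alert)
        before = [ev for ev in timeline if _ts(ev) < t0]
        after = [ev for ev in timeline if _ts(ev) > t0]

        restored = any(ev["type"] == "av_enabled" for ev in after)
        sanctioned = any(ev["type"] == "update" for ev in before)
        unsigned_exec = any(ev["type"] == "process" and "unsigned" in ev["detail"]
                            for ev in before)

        # Assumed heuristic: unexplained disable that stays off is the worst case,
        # a sanctioned update that restored AV is the benign case.
        if unsigned_exec and not restored:
            severity = "high"
        elif sanctioned and restored:
            severity = "low"
        else:
            severity = "medium"

        enriched.append({
            "host": alert["host"],
            "ts": alert["ts"],
            "severity": severity,
            "av_restored": restored,
            "preceded_by": [f'{ev["type"]}: {ev["detail"]}' for ev in before],
            "followed_by": [f'{ev["type"]}: {ev["detail"]}' for ev in after],
            "timeline": timeline,
        })
    # Most severe first, so the analyst's queue starts with what matters.
    return sorted(enriched, key=lambda a: SEVERITY_ORDER[a["severity"]])


if __name__ == "__main__":
    print("Rule alone:", [(a["host"], a["ts"]) for a in rule_alerts(EVENTS)])
    for a in triage(EVENTS):
        print(f'\n[{a["severity"].upper()}] {a["host"]} at {a["ts"]} (AV restored: {a["av_restored"]})')
        for line in a["preceded_by"]:
            print("  before:", line)
        for line in a["followed_by"]:
            print("  after: ", line)
```

Run as-is, the rule reports two identical-looking hits; the triage output shows the same two hits with a timeline each, ws-17 ranked high because an unsigned executable preceded the disable and protection never came back, ws-42 ranked low because an agent upgrade explains it and the service was restored a minute later. That ordering, not the rule itself, is what tells the analyst what to do next.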
Truth #4: There is a way out
Analyst friends, you deserve better than this. On behalf of the industry, we’re sorry the (S)IEM market has let you down. We at Exabeam are here to help you add intelligence to your SIEM to escape this manual, repetitive, mundane hell.
So there, we’ve said it. SIEMs can provide significant business value as log management, business operations and analysis tools, but not for their original purpose of detecting threats. Ultimately, they don’t truly help you do your job.
We’ll continue our quest to help you escape the nine circles of SOC hell — next in the series we’ll cover the eighth circle: Fraud. And don’t forget to subscribe to our blog to get notifications when new blogs are published.