SIEM in the Era of the Cyber Security Skills Crisis

Posted by Haim Zlatokrilov on Jun 4, 2019 12:14:25 PM

The much-talked-about cyber security skills shortage is getting worse. While SIEM was supposed to lower the workload of security teams, this hasn't actually been the case. An overview of what to look for, and what to look out for, when considering SIEM.

The much-talked-about shortage of skilled cyber security employees has evolved into a full-blown crisis, with a variety of repercussions. Analyst John Oltsik of the Enterprise Strategy Group (ESG) just published the results of a survey of 267 cyber security professionals titled "The Life and Times of Cybersecurity Professionals 2018," and his conclusions are grim. Nearly all the parameters have worsened in comparison to past years. About half (48%) of organizations admit to at least one security incident over the past two years, and a further 40% either didn't know whether their organizations had suffered a security incident or preferred not to say. When asked to identify the root causes of these security incidents, 24% admitted that the cybersecurity team can't keep up with a growing workload.

CISOs at organizations considering purchasing their first SIEM have heard these woeful tales and, understandably, have stopped to consider whether they have the resources necessary to make effective use of a SIEM.

To address this challenge, many organizations are considering using MSSPs on the assumption that they have better knowledge and more skilled employees, but this comes with its own set of baggage.

Managed security service providers (MSSPs) promise to outsource security management, but the main issue is that, more often than not, the level of quality is not what would be expected in comparison to in-house security analysts. MSSPs are typically located outside the organization physically, so organizations complain of having little visibility into what they are doing. Additionally, their level of understanding of the organization (its business priorities, the threats that are most problematic, and so on) falls short of that of company employees. As a result, MSSPs may flood the organization with alerts, may not effectively weed out false positives, and may create more work for the client. After this experience, many organizations are doing a U-turn and looking to bring their cybersecurity management back in-house.

In the ESG survey, 28% of respondents said the burden on the cyber security team is due to the organization depending on too many manual and/or informal processes for cybersecurity. An additional 23% placed the blame on "managing the complexity of too many disconnected point tools for cybersecurity." Both of these responses showed an increase in comparison to the year before. ESG's conclusion? "It's likely that an increasing cybersecurity workload along with a reliance on manual processes exacerbated challenges associated with purchasing, testing, deploying, configuring and operating disconnected point tools over the past year."

Security professionals recognize two basic facts that not all security vendors have internalized:

  1. To overcome the avalanche of security data and false positives, advanced technologies must be used to minimize both false positives and the average time analysts spend per case.
  2. Security knowledge and experience must come "out of the box," so that security teams do not need to invest endless time researching security tools, their functions and behavior, common cyber tactics and techniques, etc. Since these are constantly changing, the knowledge must be kept up to date.

The answer to the pain points of security event management must include advanced cyber capabilities based on vast knowledge and real-life experience. These capabilities are beginning to become available today through artificial intelligence algorithms and machine learning, together with automation of procedures designed by cyber security professionals. The best-of-breed next-generation SIEM solutions offer different levels of these capabilities, and these are SIEM products that are purchased "off the shelf" (with adaptations according to the client's needs and the vendor's approach). MSSPs are a sufficient solution for some organizations, but in the long run they will not achieve the level of security that these advanced SIEMs provide when operated by internal teams.

I'll conclude with one last stat from the ESG survey: 91% of respondents believe organizations are either extremely or somewhat vulnerable to cyberattacks. Whatever it is the security industry is doing, it's not doing it well enough.

Topics: SIEM, cybersecurity, NG-SIEM, MSSP