Unlike security cameras, going from installation to insight with a traditional SIEM is far from straightforward. In this infographic, we’ll cover a few common problems with SIEM technologies, and how you can avoid those pitfalls with AlienVault Unified Security Management.
SIEM is too complex. Collecting the right data, aggregating it, normalizing and correlating disparate technologies for that one common view is not a trivial task. And most of the time, the SIEM vendor will expect the client or the client’s service provider to bear the brunt of that deployment challenge. “Feeding the beast” requires multiple hours spent with system administrators who manage those data sources to reroute the event information over to the SIEM. Technically, this isn’t so complex for a single system, but at scale it can get very complicated. In some cases, this can take months.
SIEM takes too long to deploy. Most organizations looking to invest in a SIEM do so with a sense of urgency. They need answers and they need them now. Questions like “What’s going on in our network?” “Who is attacking me?” “Are we leaking data?” “Which threats require my attention now?” “What’s going to be an issue for our audit next week?” will need to wait to be answered until integration is completed (typically months after the initial installation). The event correlation rules that provide the “security intelligence” advertised by the vendor will not be of any use until external data sources are pulled in and fine-tuned.
SIEM is too expensive. The licensing costs for the SIEM are just the start. Since virtually nothing is functional out of the SIEM box, organizations will likely need to hire expensive consultants and architects to design and implement the integration, fine-tune the data feeds, and schedule imports across all of the various external data sources. Additionally, in order to make sense for each organization’s business and security priorities, these teams will also need to customize event correlation rules so that the alarms are relevant to them. As a result, consulting services fees can often exceed the software licensing costs. So prepare to double the cost of the software alone, just to get meaningful information out of your SIEM.
SIEMs are too noisy. More doesn’t always mean “better” when it comes to alerts and alarms. Typically, out-of-the-box, SIEMs will err on the side of alerting on items that aren’t considered relevant or important to an organization. When everything requires your attention, nothing will get it. Furthermore, these alerts often lack the actionable intelligence security analysts need in order to respond and investigate. It doesn’t help me to know that a particular event occurred if I don’t know what to do about it.
SIEMs aren’t typically “cloud friendly”. Let’s face it. Whether you planned it or not, there are some corporate assets that are already in the cloud. Depending upon where you are on your “cloud evolution”, you probably have a mix of assets in your data center as well as a public cloud like Amazon’s EC2 or other provider. If so, it’s highly likely that your SIEM implementation doesn’t provide visibility into those assets that are within the cloud provider’s network. Even if these assets don’t house mission-critical or sensitive information today, they may in the future – and security visibility at that point is essential. Ultimately, your SIEM should go wherever you do… whether that’s in the cloud, on the move, or in your data center.