Three Reasons why SIEMs are not Enough
Security Information and Event Management (SIEM) tools are often used to detect threats. Rules are set up to monitor the environment and once a rule is violated, it triggers an alert. Security Operation Centers spend months configuring the rules to ensure that they are triggered only when malicious behavior is present. However, as you will learn from this blog, it is very easy to break rules and the SOC doesn’t even know! So, when there are fewer rules being triggered which means fewer alerts, the SOC doesn’t realize that there are actually threat actors in the environment, and that is not good.
- 25% of the time, the rules are broken.
- The rules, out-of-the box, are not suitable for the environment, and are broken. The SOC team needs to configure the rules to customize them to the environment. Additionally, patches, updates, and new software when introduced to the environment can all break the rules as well! After the SOC team has spent so much time carefully configuring the rules, a simple patch can cause a change in the cloud architecture that the rule does not recognize, so the rule no longer fires. This can give the SOC a false sense of security as they are not getting alerts, so they assume all is well. It could actually be a dire situation as not only are threat actors likely to be in the environment, they are moving about the cloud completely undetected with rules no longer able to effectively monitor the cloud.
- Constant management increases operational costs.
- With it being so easy to break the SIEM rules, this means the SOC really needs to examine all the changes in the environment and review how this impacts rules. Security teams must constantly review patches, updates, application changes, and development changes and review which rules are impacted and then update those rules. This operational overhead is just exhausting. It is also expensive – with 75% of the total cost being for installation, management, and staffing!
- Without intent or context, the SOC can waste significant amounts of time chasing alerts.
- Rules are a black and white response to a security issue. The intent behind the activity is not a factor into whether or not a rule triggers an alert, in some cases, it was found that only 15% of rules was creating 95% of alerts! These noisy rules means that security analysts are wasting their time on benign activities. Adding insult to injury, during this time, a threat actor could be moving about their environment.
SIEMs can help organizations that have many behaviors or activities that are binary in terms of their response. However, for organizations that have more complex clouds, and most do, those teams really need a platform that looks at the context, the intent behind the activity, and tells the attack story. This makes it easy for SOC to understand why a behavior is concerning, so they know how to address and can do so quickly.
To learn more about Skyhawk Synthesis Security Platform which leverages AI and ML to identify malicious behaviors and the intent behind them, check out our whitepaper on the Three Common Use Cases for Cloud Threat Detection.