Why SIEM alone is not enough to detect cyber attacks
Powerful security information and event management (SIEM) solutions alert organizations when something suspicious happens on their networks. Potential attacks can be detected at an early stage. This significantly increases security in the company. However, the use of security solutions has its pitfalls.
Ransomware and other malware, theft of business-critical data: According to Statista, nearly half of all businesses in Germany will experience a cyberattack in 2022. Despite this, almost two-thirds of small and medium-sized enterprises (SMEs) in Germany do not take any measures to detect attacks, even though attacks from the Internet are on the rise. This is one of the results of the DsiN 2022 Practice Report. According to the report, security incidents resulted in damage or significant costs for 75 percent of the organizations attacked.
Networks offer many gateways, and cyber criminals are constantly coming up with new and inventive ways to gain access. Companies need to be able to identify potential threats early and take immediate and effective action. This is only possible if they know what is happening in their own network. Powerful security management systems provide a comprehensive view.
How a SIEM System Detects Suspicious Patterns on the Network
SIEM solutions continuously monitor a network. They collect all the data relevant to IT security from multiple sources in real time. These include log files from firewalls, data and mail servers, network nodes, endpoints, applications, and intrusion detection systems (IDS).
A SIEM system then visualizes the data in a central dashboard. It typically also analyzes and correlates the data. The software uses machine learning to automatically detect unusual patterns, such as conspicuous login attempts. Among other things, it compares data with previous attacks and recorded information, and sends alerts when irregularities are detected.
This alerts IT security teams to potential security breaches in a timely manner. They can then decide how to respond to the incident. Although other tools are usually required to defend against attacks, a SIEM solution can significantly reduce the Mean Time To Detect (MTTD).
Organizations can also begin monitoring with a SIEM system in stages: For example, they can begin by integrating the most important processes and business-critical applications, such as the firewall, email system, and Active Directory, and then expand the solution later.
The pitfalls of deploying a SIEM solution
However, having a SIEM system in place is no reason to sit back and relax, as there are a number of challenges associated with deploying this security solution: Small and midsize businesses, in particular, often lack IT staff. According to Bitkom, almost 75 percent of German companies complain about a lack of IT specialists. But for SIEM software to work effectively, you need security experts who can analyze alarms and find out what is behind them.
But even if you have enough security analysts: They are often overwhelmed by the task of sifting through the flood of data and alerts from the SIEM. Some of these are false positives because not all alerts are relevant: The security solution may detect anomalies, but it does not know how much of a threat they are. IT staff must still investigate alerts by tracking user activity or searching through log data, and this takes time. This, combined with the sheer volume of alerts, can lead to alert fatigue: Amongst the many false positives, analysts miss or ignore warnings of impending attacks, leading to the worst-case scenario where an attack goes unnoticed.
A SIEM system must also be customized and calibrated to the needs of the organization and its infrastructure. This is a complex task, since it involves defining the use cases, parameters and complex correlation rules to which the security solution should respond, and adjusting them as necessary. All of this is only possible if security teams know what attacks are coming and what they might look like. The effort required to operate a SIEM solution is significant.
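As an added illustration of the correlation rules and threshold calibration described above (example code written for this page, not taken from the article or from any SIEM product): a minimal rule over constructed sshd-style log lines that alerts when one source accumulates a configurable number of failed logins within a time window and then succeeds. Lowering the threshold shows how a single mistyped password turns into a false positive, which is exactly the kind of tuning that keeps alert fatigue down.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (sshd-style); not real data from the article.
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T08:00:03 sshd: Failed password for admin from 203.0.113.7
2024-03-01T08:00:05 sshd: Failed password for admin from 203.0.113.7
2024-03-01T08:00:07 sshd: Failed password for admin from 203.0.113.7
2024-03-01T08:00:09 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T08:05:00 sshd: Failed password for alice from 198.51.100.4
2024-03-01T08:05:02 sshd: Accepted password for alice from 198.51.100.4
2024-03-01T09:00:00 sshd: Failed password for bob from 192.0.2.9
2024-03-01T09:00:01 sshd: Failed password for bob from 192.0.2.9
2024-03-01T09:00:02 sshd: Failed password for bob from 192.0.2.9
2024-03-01T09:00:03 sshd: Failed password for bob from 192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse(log_text):
    """Turn raw log lines into (timestamp, outcome, user, source) events."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events

def correlate(events, min_failures=3, window=timedelta(minutes=5)):
    """Alert when a (user, source) pair has >= min_failures failed logins
    within `window` and the next login from that pair succeeds."""
    failures = defaultdict(list)   # (user, src) -> timestamps of recent failures
    alerts = []
    for ts, outcome, user, src in sorted(events):
        key = (user, src)
        if outcome == "Failed":
            failures[key].append(ts)
            failures[key] = [t for t in failures[key] if ts - t <= window]  # expire old ones
        else:
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= min_failures:
                alerts.append({"user": user, "src": src, "failures": len(recent), "at": ts.isoformat()})
            failures[key].clear()  # success resets the counter for this pair
    return alerts
```

With the default threshold only the admin sequence fires; with `min_failures=1` alice's single typo also fires, and bob's failures without a later success never match this rule at all, so a separate brute-force rule would be needed to see them.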
The Solution: SOAR, XDR, and Managed Services
Additional tools that work in conjunction with SIEM software can help ease the burden on an organization’s security teams. For example, they can be used to automatically respond to pre-defined events. A SOAR (Security Orchestration, Automation, and Response) solution minimizes the need for manual intervention with a multi-tiered system. However, playbooks, appropriate alert levels and response patterns need to be defined for this complex security solution, and this requires a dedicated Security Operation Centre (SOC). An XDR (Extended Detection & Response) solution can also complement the SIEM system, and SIEM software with XDR capabilities is available. It uses artificial intelligence (AI) to independently assess the situation and respond to problems without the need for IT staff intervention.
Attack detection as a managed service requires the least effort from companies. The SOC, with SIEM and possibly SOAR or XDR, is then operated around the clock by external specialists. These specialists monitor systems, analyze alarms, and evaluate indications of potential threats. This frees up IT teams to focus on their core mission, and keeps the business running safely.
The bottom line: A SIEM solution protects the IT infrastructure, but not by itself.
A SIEM solution significantly accelerates the detection of cyber-attacks. However, to ensure that the solution provides the highest level of security, and that “alert fatigue” does not become a problem, the SIEM system must be customized to meet the company’s unique needs and compliance requirements. Managed services are often an option, especially for small and medium-sized businesses.