Information security management in companies has taken on a critical role since Russia attacked Ukraine and the IT systems of Western companies. The operational arm of security management is the SOC (Security Operations Center). SOC operation is firmly based on directing log data to a SIEM system for analysis. Companies are not satisfied with SOCs built on SIEM solutions: the services are too expensive and ineffective. Reading CEO Carlo Massina’s SIEM: Stupidly Irrelevant Electronic Messaging blog, I see that my customers are not alone with this problem.
Only 1% of all attacks are detected based on logs.
This fact is hardly a surprise considering the data breaches reported in recent years. The SIEM system is the root cause of the increased vigilance in companies. SIEM has been providing a false sense of security for years while silently eating into the company’s IT budget. In addition, it has been found that 75% of companies that fell victim to ransomware had their antivirus (EDR) and updates in order. These two traditional cornerstones of corporate information security are crumbling at an accelerating pace. Beyond their core task of log management, SIEM solutions have been more or less unsuccessful. System vendors have tried to add new features in the hope of achieving something worthwhile; examples include UEBA, SOAR, Threat Intelligence, and Machine Learning. Despite this, the SOC/SIEM analysis staff drowns in wrong interpretations and drifts to the brink of burnout. Even with the additional features, finding the needle in the haystack remains an expert’s job.
It is estimated that only one percent of attacks are detected using a log-based SIEM service. Therefore, I am not surprised by the experts’ interpretation of SIEM: Stupidly Irrelevant Electronic Messaging.
Customer feedback: Expensive and useless
In the interviews, the companies report the same observation. Shiny appliances and heavily marketed SIEM software sound plenty of alarms but cannot distinguish the essential from all the noise. First, companies receive hundreds of alerts a month, but no one has a way of telling whether the alerts are accurate. Customers and partners don’t have the time or skills to respond. The service process tries to fix the fundamental problem, but processing weeks-old events does not seem meaningful. The result is that the alerts are ignored. At the same time, we constantly receive news about data breaches. Current solutions, technology, and methods of operation cannot protect us.
The future may not be so expensive but more functional.
A SIEM solution has its place in log management, but it doesn’t seem to improve data security, let alone prevent data breaches or falling victim to ransomware. As business applications and data move to the cloud and users move to remote work, critical Internet services and demanding industrial Internet solutions require a new strategy for business networks and their professional protection. We need better security technology and services to replace Stupidly Irrelevant Electronic Messaging services.
Hannu Rokka, Senior Advisor
5Feet Networks Oy