We sat down with Malcolm Harkins, Chief Security and Trust Officer at Cymatic and former Intel CSO, for an overview of why SIEMs can be tricky, where the problems occur, and how savvy security leaders can make more use of SIEM software.
Knowing everything doesn’t help
SIEM (security information and event management, pronounced like “sim”) is a tool that collects and correlates the logs and events produced across a technology stack. It watches the comings and goings of people and data as users log in and gain access, and modern SIEMs also track how those users behave. This type of monitoring is useful for detecting unusual events that could be malicious, and the record-keeping helps with compliance audits.
However, security leaders anecdotally report practical difficulties in deploying and managing their SIEM tools. Malcolm experienced the early years of SIEM back at Intel:
“Back in the day, large companies were looking around at their tech stack and realizing they have all these controls and inputs, their firewalls and antivirus software, but they had no way to coordinate them. SIEMs were a way to do that. But they were insufficient because teams were finding there was a lot of noise.”
This data deluge is an unforeseen issue for tech companies in general—with such an emphasis on big data and no practical way to separate the quality from the noise, finding meaningful insights becomes problematic. How is data managed, stored, accessed, deciphered?
SIEMs suffer from data deluge. Organizations continue to add cloud products and various point solutions that need to talk to each other through API layers, all needing to be accessed by growing numbers of users. With so many inputs, false positives can be a major issue in SIEM reporting. Malcolm points out that if security teams are spending too much time figuring out whether an alert merits a response, they could overlook meaningful information.
“SIEM is basically a signal aggregator. But SIEMs, like many other aggregators, have what I refer to as ‘Detection Deficit Disorder.’ They can’t sufficiently detect these signals.”
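To make the “signal aggregator” point concrete, here is an added example of our own, not code from the interview or from any SIEM product. It parses a handful of constructed authentication events in a made-up key=value format and compares a naive “alert on every failed login” rule with a correlation rule that fires only on a burst of failures from one source, collapses the whole burst into a single alert, and escalates severity when a success from the same source follows. The log lines, the format, and the threshold and window values are illustrative assumptions.

```python
"""Toy SIEM-style correlation: turn noisy login events into a few high-fidelity alerts.
Added example, not from the interview or any vendor. The log lines, key=value format
and threshold/window values are constructed for illustration."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample events (hypothetical format, not any real product's output).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z sshd host=web01 user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:02Z sshd host=web01 user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:03Z sshd host=web01 user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:04Z sshd host=web01 user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:05Z sshd host=web01 user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:06Z sshd host=web01 user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:10Z sshd host=web01 user=alice src=10.0.0.5 result=SUCCESS
2024-03-01T09:05:00Z sshd host=db01 user=bob src=10.0.0.9 result=FAIL
2024-03-01T09:05:01Z sshd host=db01 user=bob src=10.0.0.9 result=FAIL
2024-03-01T09:05:02Z sshd host=db01 user=bob src=10.0.0.9 result=FAIL
2024-03-01T09:05:03Z sshd host=db01 user=bob src=10.0.0.9 result=FAIL
2024-03-01T09:05:04Z sshd host=db01 user=bob src=10.0.0.9 result=FAIL
2024-03-01T09:10:00Z sshd host=web01 user=carol src=10.0.0.7 result=FAIL
2024-03-01T09:10:05Z sshd host=web01 user=carol src=10.0.0.7 result=SUCCESS
2024-03-01T09:30:00Z sshd host=web01 user=dave src=10.0.0.5 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    src: str
    result: str


@dataclass
class Alert:
    severity: str                   # "high" or "medium"
    summary: str
    src: str
    users: list[str]                # accounts the source tried
    failures: int                   # total failed attempts from this source
    success_at: Optional[datetime]  # first success after the burst began, if any


def parse(log: str) -> list[Event]:
    """Parse the sample format; lines that do not match are dropped, not alerted on."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["host"], m["user"], m["src"], m["result"]))
    return sorted(events, key=lambda e: e.ts)


def naive_alerts(events: list[Event]) -> list[Event]:
    """The rule 'alert on every failed login': one alert per failure, mostly noise."""
    return [e for e in events if e.result == "FAIL"]


def correlate(events: list[Event], threshold: int = 5,
              window: timedelta = timedelta(minutes=2)) -> list[Alert]:
    """One alert per source IP, and only when at least `threshold` failures land
    inside a trailing `window`. A success from the same source after the burst
    began escalates the alert; isolated or slow failures are suppressed."""
    by_src: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e.result == "FAIL"]
        burst_start: Optional[datetime] = None
        for i, e in enumerate(fails):
            recent = [f for f in fails[: i + 1] if e.ts - f.ts <= window]
            if len(recent) >= threshold and burst_start is None:
                burst_start = recent[0].ts
        if burst_start is None:
            continue  # noise: never reached the burst threshold
        users = sorted({e.user for e in fails})
        successes = [e for e in evs if e.result == "SUCCESS" and e.ts >= burst_start]
        if successes:
            alerts.append(Alert("high", "failure burst followed by a success; possible credential compromise",
                                src, users, len(fails), successes[0].ts))
        else:
            alerts.append(Alert("medium", "brute-force attempt, no success observed",
                                src, users, len(fails), None))
    return alerts
```

On the constructed log, `naive_alerts` yields 13 alerts (every failure, including carol's single typo), while `correlate` yields two: a high-severity alert for 10.0.0.5, where six rapid failures precede a success, and a medium one for 10.0.0.9. Raising `threshold` to 8 suppresses both, which is the trade-off the interview describes: every tuning knob trades missed detections against noise, so the values have to come from knowledge of your own environment rather than a vendor default.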
In recent years, more sophisticated technology has evolved to fill in the SIEM gaps. There’s UEBA (user and entity behavior analytics) for detecting insider threats, whether intentional or accidental, and SOAR (security orchestration, automation and response) to better coordinate those signals and provide an automated framework for incident response. Vendors even promise to detect “zero-day” attacks: exploitation of flaws that were unknown to defenders, and therefore unpatched, until first seen in use. However, even as SIEMs and supporting technologies evolve, the challenge of detecting the events that matter, Malcolm says, is a fundamental problem.
Focus controls on exploitabilities
Modern cybersecurity threat management focuses on cataloguing vulnerabilities, an emphasis Malcolm considers misplaced.
“We’re obsessed with vulnerabilities, whereas we should be focused on exploitabilities. Just because something’s vulnerable doesn’t necessarily mean that it’s going to be exploited.
“We need to better focus on the signals that matter. If we have too many useless controls we just create more noise. We need to look at those controls. Go for higher efficacy, and remove the shitty ones.”
Ironically, an excess of controls means less control, because systems become too complex and the tool becomes useless. Malcolm points out there are, in fact, certain controls that bad actors may actively exploit to create confusion.
“Look at DLP [data leakage prevention]. DLP solutions don’t work, other than to prevent accidental leakage. If I want your data and you have DLP in place, guess what, I know it’s there!”
Malicious actors do their homework, too. By advertising their security tools, vendors are planting flags at defences that attackers will then know to work around. So the “shitty controls” Malcolm refers to often sound great but don’t do much protecting, and may even create an “exploitability”.
SIEM isn’t the solution, it’s part of the strategy
The problems security teams experience with SIEMs, it seems, are not with the SIEM products themselves but with the inputs that surround the SIEM, those control points. Malcolm uses an accessible metaphor to explain the situation:
“Imagine if SIEM is the car engine in your security strategy. While the engine works fine in principle, I could still have crappy fuel. I could have bad tire pressure, old brake pads. The car isn’t going to run well without all these parts in good working order.”
This also points to the solution: If all those inputs are in working order, optimized to work with the SIEM product, security data can be better calibrated.
But what about those large, mature companies that have decades of legacy software within their tech stacks? Can they untangle those layers of legacy inputs? Malcolm, who’s been around the block working with and advising large companies, says it’s not impossible.
“You can think tactically. You can identify what needs prioritizing and then tactically re-engineer that right now, and strategize from there.”
MSSPs: The benefits will cost you
Anecdotally, one of the main SIEM pain points is setting it all up, understanding what it shows and managing it day to day. Many turn to managed security services providers (MSSPs) to help with deployment and configuration. Malcolm says MSSPs can be a good solution, especially if they can manage the reaction to events on your behalf, enabling teams to fully outsource security operations.
“I know a company that’s not just an MSSP, but a ‘managed security output provider’ … an ‘MSOP’ … I just invented that.”
An “MSOP,” as Malcolm coined it, also referred to as “cybersecurity-as-a-service” (CSaaS) by vendors such as Cyvatar, can help not just set up and manage the SIEM but also play an active role in managing security strategy. But just as this starts to sound like a great idea for teams already run ragged, Malcolm issues a warning:
“Sometimes they’re just managing your reaction, your posture… If they know better than you do what your posture is, what your tech stack is, who your partners are, they’ll be there just as much as they need to, perhaps offering you what seems like a good discount without actually adding extra protection.”
So how can you know that an MSSP/MSOP is actually offering the protection you need? Malcolm, ever the security pragmatist, offers a solution:
“You can run a breach and attack scenario in a virtual environment on the MSSP’s response.”
In other words, test the provider: simulate an attack and see whether its detection and response deliver the value it claims. Those price tags need to be justified if IT teams turn to third-party help for SIEM deployment.
Did we mention strategy?
So how does a security leader take these steps to creating an environment that enables their SIEM product to produce meaningful data?
The main thing is to realize that slapping a SIEM product into a tech stack doesn’t mean anything if there isn’t a coordinated strategy. In the world of IT and business, where teams are often siloed with their own goals, strategy can end up being a nice-to-have. Through this lens, security teams are seen as a service that should fix the problem, rather than part of the solution from the beginning. But that attitude, according to Malcolm, is precisely the problem.
“This should begin with IT. It can’t be something for security teams to come in and solve. It doesn’t work like that. If you have a building that needs upgrading, how are you going to do that if nobody can give you the blueprint?”
A weariness enters Malcolm’s voice. As a cybersecurity professional, Malcolm speaks about security in the inclusive: it’s always what “we” need to do about this. It’s a fight he knows needs everyone to be up for, but he has often experienced the opposite: a disconnect where everyone is waiting for a solution from someone else.
“Say, for example, I’m asked to come in and advise a 3-5 year security strategy. I ask them, ‘OK, what’s your IT 3-5 year strategy?’ And they say they don’t have one … I can’t tell you how many times I hear that.”
With business goals and IT goals so aligned in this digital age, teams have the opportunity to define what security data is meaningful for their organization and what their exploitabilities are. Otherwise all the extra noise could be the perfect distraction the bad actors have been waiting for.
SIEM, like all security products, is no silver bullet for cyber threats. But, with refined inputs and outputs, as part of a coordinated strategy, SIEM products can help organizations understand their threat landscape on a dynamic level.