Saturday, September 17, 2011

SIEM is dead?

My life has been a wreck since Wednesday. That is when, according to John Linkous’ article, I found out SIEM is dead. Only now am I able to pull myself together enough to write this. It certainly isn’t because I have been busy extracting value out of what we are currently using in that technology space and am now chillin in a Chick-fil-A while a few things get looked at on my car.

Oyie – how to write this. My reaction to his article swung between humor and WTH is your expectation of what value a SIEM provides? I will try to summarize and talk a little to each of his three points.

"SIEM promised security professionals the opportunity to collect security data from across their network; to provide a consolidated and unified view of their security position. Yet, Advanced Persistent Threats with no common signature or vector now strike indiscriminately[…]. SIEM doesn't even provide the visibility to quickly identify the mode, vector or target of an attack even when an organization knows it is coming!"
There are no common signatures or vectors to advanced threats, and yet because SIEMs suck in data from around the network they are supposed to be precognizant... across the board, for every threat, ever. I know at some point my car will have mechanical issues. While there are a number of lights and gizmos on my instrument panel that I don’t know are there until they light up (low tire pressure, check engine, etc.), I recognize the fact that there are going to be ‘0 day’ issues with my car in terms of things that the instrument panel isn’t designed to alert on. I don’t necessarily blame the instrument panel for that fact - or the people who designed it for that matter.

"SIEM promised to enable ALL security data to be collated via a single console. Yet, breach detection still requires teams of people to sit inside darkened rooms with a multitude of printed reports, in order to manually cross check data in an attempt to identify anomalies."
I’m not sure if he is going after ‘SOC in a box’ from early SIEM sales pitches, the need for a SOC, or an IRT investigating a breach. Here’s the reality folks – how many millions of events do you have coming into your SIEM per day, or billions per month? Having daily/weekly reports that each focus on one aspect of all that data is the only thing that makes sense, unless you can read .01-point font I guess. The irony will be when he posts his follow-up article to pitch SecurVue if he says something like it provides a ‘single pane of glass’ to view security data.

"SIEM promised to equip security professionals at large organizations to identify breaches quickly and enable them to take action. It delivered for a while, when attacks were signature-based or attacks exploited known vulnerabilities, but in a world of advanced, persistent cyber- and insider-based threats it offers no visibility into attacks exploiting misconfigured or badly secured networks."
He’s already established that signature-based detection has issues (no one would argue that). That said, I don’t get the logic. It is almost like he is saying it is the SIEM’s fault if you deploy your IPS to protect areas of your network that don’t contain anything of value and a malicious actor strikes somewhere else. The purpose of having a SIEM, though, is to look at more than just one source. If you have a misconfigured firewall that exposes an internal server it shouldn’t, you can see that in your SIEM by correlating the firewall’s accept logs against what you know about the server, and take action. Or you could ignore it I guess, but that isn’t a failure of your SIEM either.
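To make the ‘more than one source’ point concrete, here is a small correlation rule of the kind a SIEM runs: firewall accept events joined against an asset inventory, flagging any internal-only server that accepted a connection from a public address. This is an added illustration written for this post, not code from the original article, from John Linkous, or from any SIEM product. The key=value log format, the field names, the sample log lines and the asset inventory are all constructed for the example; real SIEMs normalize vendor formats into something similar before rules like this run.

```python
"""Cross-source SIEM-style correlation (illustrative, constructed data).

Source 1: firewall accept/drop events.
Source 2: an asset inventory saying which hosts must never be reachable from
          the internet.
Rule:     accept + public source + internal-only destination => finding.
"""
import ipaddress
import re
from collections import Counter

# Constructed firewall log lines in a simple key=value format (not a real vendor format).
# The 203.0.113.x / 198.51.100.x sources are documentation ranges standing in for
# public internet addresses.
FIREWALL_LOGS = """\
2011-09-14T10:01:02Z fw01 action=accept src=203.0.113.45 dst=10.1.2.10 dport=3389 proto=tcp
2011-09-14T10:01:05Z fw01 action=accept src=10.1.5.22 dst=10.1.2.10 dport=3389 proto=tcp
2011-09-14T10:02:11Z fw01 action=drop src=198.51.100.7 dst=10.1.2.20 dport=22 proto=tcp
2011-09-14T10:03:40Z fw01 action=accept src=198.51.100.7 dst=10.1.2.30 dport=443 proto=tcp
2011-09-14T10:04:01Z fw01 action=accept src=203.0.113.45 dst=10.1.2.10 dport=445 proto=tcp
2011-09-14T10:05:00Z fw01 action=accept src=203.0.113.99 dst=10.1.2.30 dport=443 proto=tcp
"""

# Constructed asset inventory: the second source the rule joins against.
# exposure="internal" means no connection from a public address should ever be accepted.
ASSET_INVENTORY = {
    "10.1.2.10": {"name": "hr-fileserver", "exposure": "internal"},
    "10.1.2.20": {"name": "build-box", "exposure": "internal"},
    "10.1.2.30": {"name": "www-dmz", "exposure": "public"},
}

# Address space treated as "inside" for this rule (RFC 1918 plus loopback/link-local).
# Anything outside these networks is considered a public source.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the constructed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def is_internal(addr):
    """True if the address falls inside one of the INTERNAL_NETS ranges."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)

def find_exposures(log_text, inventory):
    """Join accepted firewall events against the inventory and return one finding
    per (internal-only host, public source, port) combination that was allowed.
    Dropped traffic and internal-to-internal traffic are ignored."""
    findings = []
    seen = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "accept":
            continue
        asset = inventory.get(rec["dst"])
        if asset is None or asset["exposure"] != "internal":
            continue
        if is_internal(rec["src"]):
            continue  # inside-to-inside traffic is expected for an internal server
        key = (rec["dst"], rec["src"], rec["dport"])
        if key in seen:
            continue  # report each exposure once, not once per packet
        seen.add(key)
        findings.append({
            "asset": asset["name"], "dst": rec["dst"], "src": rec["src"],
            "dport": rec["dport"], "first_seen": rec["ts"],
        })
    return findings

def summarize_by_host(findings):
    """Roll findings up per asset, the kind of aggregate a daily report would carry."""
    return dict(Counter(f["asset"] for f in findings))

if __name__ == "__main__":
    hits = find_exposures(FIREWALL_LOGS, ASSET_INVENTORY)
    for h in hits:
        print(f"{h['first_seen']} internal-only {h['asset']} ({h['dst']}) accepted "
              f"tcp/{h['dport']} from public {h['src']}")
    print("per-host:", summarize_by_host(hits))
```

Run against the constructed data, the rule produces two findings, both for hr-fileserver (RDP and SMB accepted from a public address), while the drop to build-box and the accepts to the DMZ web server are correctly ignored. Neither source alone tells you that: the firewall log says only ‘accept’, and the inventory says only ‘internal’. The join is the value, and the inventory has to be maintained for it to stay true, which is the ‘dial it in’ work the post talks about.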

At the end of the day, having a SIEM isn’t a silver bullet. I’d even go so far as to say that if you have a SIEM and haven’t staffed it appropriately and made an attempt to dial it in, it might be worse than not having it at all. It simply isn’t a technology that will give you a tremendous amount of nuanced data relative to your environment out of the box. Are SIEMs hard to use? I don’t think so (here and here). Note though that is a different question than does it require work, or have you bought the right SIEM in the first place. There are any number of things I wanted to write but didn't. I almost feel like I should write a few articles on what this technology provides (as in managing expectations) and how to extract value from it.
