Even as organizations claim their efforts to deploy system data into security information and event management (SIEM) tools is largely driven by the need to find real-time information to thwart attacks, they still face challenges, concludes the newly released InformationWeek report "IT Pro Ranking: SIEM." Chief among the difficulties: the complexity and cost of using these suites could keep enterprises from getting the full value out of their SIEM tools.
Based on a survey of 322 IT decision makers, the report showed that the largest cited driver for SIEM use was the real-time detection and response to threats, with 44% of organizations stating that as the main reason they use SIEM. But at the same time, the types of data fed into the typical SIEM and the challenges staring down IT managers in launching and maintaining these systems indicate that most deployments are not sophisticated enough to achieve these objectives.
"In most cases, they're really not fully utilized or even half utilized. They're often installed in a basic configuration and put in maintenance, and then not much more beyond that," says Dean Francis, enterprise architect at Fusion PPT and author of the report. "It may be put in place due to a requirement, but without that care and feeding, it's really basically a log manager."
According to the report, organizations are still primarily using their SIEM tools to keep an eye on firewalls, which was the most-cited event data source, named by 66% of organizations. Dean says he was surprised to see feeds from IDS/IPS rank sixth and switches and routers rank seventh in popularity of data sources, named by just about one-fifth of organizations in each case.
While this may be somewhat discouraging, there may be a silver lining in it, as two data source categories ranking above these network devices was applications and databases. This suggests more applications are kept under tabs to detect malicious activity.
"This could indicate that applications are actually being built to be tied into logging, which may be feeding into SIEM, which is then doing aggregation and correlation of that information to see what's happening there," says Francis.
Nevertheless, organizations still struggle with SIEM deployments. The survey showed that 44% of organizations report that managing the general complexity of SIEM products is their No. 1 challenge in this area. Meanwhile, 37% of organizations say the lack of SIEM integration with network management tools is a challenge, and 34% say they have trouble building correlation rules so essential to that real-time threat detection. According to Francis, a lot of the issues organizations have with SIEM tools come from a lack of resources, as many organizations fail to fund SIEM maintenance after the initial push to deploy.
"Complexity is a big issue, as is issues with total cost of ownership," says Francis. "It is not just an issue of acquiring and installing a SIEM. You have to do quite a bit of integration, configuration and ongoing maintenance. And you've got to have dedicated resources for it if you want it to be responsive."
And that's just the organizations that actually deploy SIEM. A survey by SANS Institute released this spring showed that just 22% of organizations that collect logs utilize SIEM systems. Francis says it may be time for a reimagining of the space.
"By and large, the general theme is that SIEM is still fairly reactive--we're always behind the curve and trying to get ahead of the threats," he says. "I almost wonder if there is a different model where we wipe out these models and go to a whole different approach that could leapfrog over the current technology, almost like Google did to the competition for search so many years ago."