Cyber security is a pressing concern for most organizations, and many are investing in SIEM (Security Information and Event Management) technology to collect, correlate and analyze security events and alerts in real time. But if companies step into the SIEM world with the wrong expectations, or fail to follow through and operate the technology properly, the investment may never deliver any real benefit. They may end up abandoning SIEM altogether, out of sheer frustration.
Jeff Mullarkey, CEO and co-founder of RKON, a leading IT managed services provider with expertise in cloud, emerging and advanced technologies, cites six reasons why so many SIEM implementations fail and what companies can do to prevent this from happening:
1. Thinking SIEM is a panacea to solve all security challenges right from the start
The first thing that is often discovered when a SIEM is switched on is how complex network operations actually are, and how many overlapping systems and conflicting configurations are involved. Fed into untuned correlation rules, this typically produces such an abundance of alerts that the project is either abandoned or its output is simply ignored.
It’s best to look at SIEM as a tool for continual process improvement—not a final destination but rather a reasonable starting point that will need to evolve with an organization’s security needs over time. A one- to three-year window is a realistic timeframe for an organization to move from a basic “compliance” posture to more complex “security watchdog” capabilities.
2. Failing to grasp the technical challenges involved with SIEM technology
Organizations simply assume that SIEM will work easily and automatically right “out of the box.” They overlook—or underestimate—the technical complexities involved.
3. Not understanding the level of cooperation that’s required for SIEM deployment
For SIEM to work effectively, the entire organization needs to work together to address the following:
- Application development
- Patch management and change control in all departments
- Access control in all departments
- Server and authentication team
- Security infrastructure team
- Network team
- Storage team
- Audit and compliance
- Necessary changes in organizational IT roles and responsibilities
4. Not committing sufficient time and resources to system maintenance
Every time a system is patched, upgraded or rebuilt, there is a good chance that the SIEM will either stop receiving that system's events or require "reintegration": a new agent version or log format breaks the parser, a renamed host turns a known source into an unknown one, and a changed forwarding rule quietly stops the feed. Unless someone watches for sources that go silent or stop parsing, the detections that depend on them fail without raising any alert. The SIEM team must therefore be fully integrated into the organization's operational workflow and change control, and should have influence over architecture and design. This helps ensure that systems are designed and implemented to standard, and executed in a way that allows the SIEM solution to measure and report on them.
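The maintenance problem above is easiest to see in code. The following log-source health check is an added example, not RKON's tooling or any vendor's SIEM feature: it runs over a constructed batch of events in which one source has been rebuilt under a new hostname (so the registered name looks silent and the new one is unregistered) and another has been patched to emit JSON that the old parser rejects. The hostnames, field formats and thresholds are all assumptions made for the example.

```python
"""Log-source health check for a SIEM pipeline (added example, not page code).

After a patch window, sources break in quiet ways: a host stops forwarding, is
renamed, or changes its log format so the existing parser no longer matches.
Each of those silently disables every detection that depends on the source.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Expected payload shape per registered source. Hypothetical formats chosen for
# this example; they are not any real vendor's syslog or SIEM schema.
PARSERS = {
    "fw-edge-01": re.compile(r"^action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"),
    "dc-auth-01": re.compile(r"^EventID=(?P<eid>\d+) user=(?P<user>\S+)$"),
    "web-app-01": re.compile(r"^status=(?P<status>\d{3}) path=(?P<path>\S+)$"),
}


def split_event(line):
    """Return (timestamp, source, payload); every line is '<ISO ts> <source> <payload>'."""
    ts, source, payload = line.split(" ", 2)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), source, payload


def check_sources(lines, now, max_silence=timedelta(minutes=30), max_fail_rate=0.5):
    """Flag registered sources that went silent or stopped parsing, and unknown sources.

    Returns {source: [finding, ...]} containing only sources with a problem.
    """
    last_seen = {}
    counts = defaultdict(lambda: [0, 0])  # source -> [parsed, failed]
    unregistered = defaultdict(int)

    for line in lines:
        ts, source, payload = split_event(line)
        parser = PARSERS.get(source)
        if parser is None:
            # A renamed or newly built host shows up here; the old name goes silent.
            unregistered[source] += 1
            continue
        last_seen[source] = max(ts, last_seen.get(source, ts))
        if parser.match(payload):
            counts[source][0] += 1
        else:
            counts[source][1] += 1  # format drift after a patch lands here

    findings = {}
    for source in PARSERS:
        problems = []
        seen = last_seen.get(source)
        if seen is None:
            problems.append("no events in window")
        elif now - seen > max_silence:
            problems.append(f"silent for {now - seen}")
        parsed, failed = counts[source]
        total = parsed + failed
        if total and failed / total > max_fail_rate:
            problems.append(f"parse failures {failed}/{total}")
        if problems:
            findings[source] = problems
    for source, n in unregistered.items():
        findings[source] = [f"unregistered source sent {n} events"]
    return findings


# Constructed sample batch for a 12:00 UTC check; not real log data.
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    "2024-05-02T11:58:10Z fw-edge-01 action=deny src=10.0.0.5 dst=192.0.2.7",
    "2024-05-02T11:59:40Z fw-edge-01 action=allow src=10.0.0.9 dst=192.0.2.20",
    # dc-auth-01 was rebuilt; it now reports under a new hostname.
    "2024-05-02T10:50:00Z dc-auth-01 EventID=4624 user=alice",
    "2024-05-02T11:45:00Z dc-auth-01.corp.example EventID=4625 user=bob",
    "2024-05-02T11:55:00Z dc-auth-01.corp.example EventID=4624 user=carol",
    # web-app-01 was patched and mostly emits JSON now, which the old parser rejects.
    '2024-05-02T11:57:00Z web-app-01 {"status":200,"path":"/login"}',
    '2024-05-02T11:58:00Z web-app-01 {"status":500,"path":"/api"}',
    "2024-05-02T11:59:00Z web-app-01 status=200 path=/health",
]

if __name__ == "__main__":
    for source, problems in check_sources(SAMPLE_EVENTS, NOW).items():
        print(f"{source}: {'; '.join(problems)}")
```

Run against the sample, the healthy firewall produces nothing, `dc-auth-01` is reported silent for 1:10:00, its new name is reported as an unregistered source, and `web-app-01` is reported with 2 of 3 events failing to parse. In practice the thresholds belong per source (a domain controller that goes quiet for five minutes is a different matter from a batch job that reports hourly), and the check should itself be a scheduled job whose findings are routed into change control, which is the integration the paragraph above calls for.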
5. Lack of a mature IT operation
Besides cooperation, just delivering a rudimentary report may require an organization to:
- Reorganize IT completely.
- Create a functional CISO role that has independent reporting structure from IT.
- Change the internal culture so that it can operate less as a hierarchy (vertically) and more from a process standpoint (horizontally). The rubber meets the road the first time a lower-ranking person in one department has to ask a higher-ranking person in another to make a change so that workflow and process can flow across the organization.
- Eliminate power-hungry leadership—individuals who believe they should have complete say in their department.
- Develop mature roles and responsibilities (RASCI Model) along with separation of duties.
6. Thinking SIEM is just something you “install” and get working
The fact is, the biggest benefit of implementing SIEM is that it reveals how to mature an organization and its security across all areas: people, processes and technology. True security can't be achieved until there's a well-run, well-defined organization in place, where the technology works, the processes are well defined and followed, and the personnel put the organization's needs ahead of their own.
RKON’s Mullarkey advises that to avoid SIEM failure, organizations need to proceed slowly and methodically — with a step-by-step process that sets realistic goals at every phase of the implementation and works toward maturing the deployment over time.
SIEM can work. You just need to give it time and patience.
To read more about RKON's successful model for SIEM deployments, check out their guide, "Why So Many SIEM Implementations Fail - And How to Ensure Your Success".