SIEM has a reputation as a helpful, must-have solution for improving security at any enterprise. However, Forrester experts say that SIEM has certain limitations, which make it inefficient without additional investments in technology and personnel.
Key SIEM Limitations
- SIEM is limited in how well it analyzes the data it collects. It provides a huge amount of monitoring data and logs, but SIEM report data is not actionable, is hard to understand, and contains too much noise.
- Another concern regarding SIEM reports is the lack of necessary information. When it comes to auditing and reporting, companies are interested in whether this influences the process of passing IT audits or validating internal security policies. Companies often complain that they have trouble finding the necessary audit data upon request. Some experience situations in which SIEM reports must be adapted to make them more understandable for non-tech employees or external regulators.
- The third serious limitation of SIEM deployment is that it requires considerable investment. Costs are associated not only with inflating SIEM solution prices but also with the need to train or hire security specialists for SIEM data analysis and operation. Consequently, IT managers have started to consider options that could help reduce SIEM expenses.
“This disconnect between expected and actual value of a SIEM is largely predicated on the difficulty of getting the SIEM to the point where it is generating value in the form of actionable security and other system environments intelligence,” said Daniel Kennedy, information security and networking research director at 451 Research’s InfoPro.
Ways to Overcome SIEM Limitations
Obviously, SIEM is a starting point for security analytics and smart data management, but it needs additional tools for data analysis. To gain more value from a SIEM deployment, IT departments often opt for additional personnel, but they lose cost-effectiveness by following this strategy.
Another way to overcome SIEM limitations is to integrate the SIEM with a data management solution that brings more context to the SIEM reports.
The integration should meet the following requirements:
- Providing information about event logs in a readable format
- Enabling quick search across the data
- Reducing the amount of event logs that need to be processed.
According to the last Netwrix SIEM Efficiency Survey, about 86% of those who integrated their SIEM with an IT auditing solution claim that it helped them overcome SIEM drawbacks. The majority of enterprises have fewer complaints about report quality, can search through audit data more quickly, and don’t need to adapt the reports for non-tech employees.