Good SIEM Setups Go Bad

SIEM is a system, that collects logs and other security related data for analysis.  In most cases, it installs an agent someplace that gathers security-related events from the various pieces of hardware on a network, be it a laptop, server, firewalls and etc. Then looks at what’s going on and flags anomalies.  The idea is that it’s supposed to let you know what’s going on.

     With that in mind, let’s look at it from the perspective of when “good SIEM setups go bad”.

     Why do companies invest in SIEM technology?

The classic scenario is when management takes a decision to buy SIEM after something bad already happened.  They want to make sure that it doesn’t happen again.  This is a typical example of fixing the barn door after the horse is gone.  The problem is you’re not only missing a barn door to fix, but the barn as well.  Unlike an Amish Barn raising where lots of hands make work light, we’re doing this with cost restraints and very little time.  Management wants action yesterday, and while money might not be an object for a while, it will become one.  You’ve got work and lots of it to complete and the clock is ticking!

         SIEM systems can get very expensive very quickly

In the case of most small and even medium businesses it can easily cost too much.  There are alternatives.  You can hire someone who does SIEMs for a living (we call these Managed Security Service Providers or MSSPs for short) and let them keep an eye on things.  These services aren’t always cheap, and then you have the added thrill that you’re not their only customer.  It might take hours, even days or weeks for something odd to be brought to your attention and by that time, it’s too late.  Remember, they’re interested in making money which means a few administrators watching multiple accounts.  They’re also facing another problem, one you’ll face even if the technology is in house.  They have to learn what is and what isn’t business as usual for you, what’s important to you, and so on.  So before you ever sign on the dotted line, you need to understand that yourself.

If you do bring it in house, you’re going to need help setting it up.  Yes, the vendor can give you help, but at the end of the day, it’s your environment and you need to figure out what information you really need.  The best idea would be to get the checkbook out and bring some help in.  Get someone who has done this and let them figure out what you need to watch for.  Let them set it up.  And then hope that the run books they leave behind gives you a good picture how it works, what’s happening and so on with the system, and most importantly, how to do it yourself.  Either way you cut it, there’s costs and lots of that involved, not to mention time and lots of that as well.  If you’re a small company and can’t afford outside help and this is one more hat you’ll wear, expect it to be a take a lot of time.

    SIEMs also tend to be very noisy

We run into two problems with this.  First is a training issue.  In the beginning, there’s going to be a lot of false positives.  So in addition to learning how to run this great new tool, it takes a long time to learn what’s normal and what isn’t.  It’s also been my experience that management might just want the notifications to go to them as well.  Expect to hear about it.  A lot of frustration will be weeding through the false positives.  More than a few companies have tossed up their hands and walked away simply because the weeding process takes so long.  As time goes by, and management keeps screaming to know what’s going on your frustration level will climb.  It’s this noisy element that makes a lot of potentially good setups go bad.

This frustration has the potential to negate the good a SIEM can bring.  In short, they generate so much information that they end up being ignored.  It takes a long time to eliminate the false positives (again, might take months).  You’ve got to learn what’s important to you, weed out the bad, and then build what you need.

One of the biggest issues is change happens in IT and it happens fast.  This is one of the biggest headaches you might encounter.  Depending on your organization, you can change flavors of software on a monthly basis (happens, especially in healthcare and financial companies).  You might have several different types of Operating Systems, for example, Windows, Linux, and UNIX, all under the same roof, and all demanding different approaches.  With just the three different types of OSes mentioned, let’s say I wanted to monitor for failed logons.  Right there we could potentially be talking three different rules.  That’s the easy part.  Now you’ve got to take all that information and be able to draw a meaningful conclusion from it.

     Scalability is another issue people don’t consider

While we tend to think in terms of this being a single or a few devices, remember that they generate a lot of traffic.  They look into systems, get information, which in turn generates network traffic, which in turn is shuttled about (and stored someplace so there’s something else you need to think about).  Add to this remote or traveling employee’s and you can easily put yourself into the position of where you’re bogging things down more than it’s worth.

IT isn’t the only thing that changes.  Companies change.  Hopefully, they change by getting bigger.  Can the system grow with you?  How about if the company shrinks?  What then.  Can you go smaller? And if so, does it still represent a viable investment?

Finally, any good security system has to tell you about things that are happening right now.  Few of us would consider an alarm system for our home or business that reported a break-in hours or months after the event.  We want to know about right now.  And that’s when you better have a plan on what to do about it.  But that’s another story.

So, in conclusion, before getting a SIEM up and going, there are a lot of things to consider.

  • You need to have a plan. What are you watching for, and how are you doing this.
  • Do you have the experience to get it up and going, or can you get someone aboard who can?
  • Do you have the time? Does management understand that this is not a Band-Aid solution?
  • Do you have the money?
  • And what are you going to do with the information it gives. If months and years go by, it suddenly informs you you’ve been hacked, how do you react to that information?

SIEMs are a great idea but they aren’t, by any stretch of the imagination a quick fix.  They represent a huge investment in time and money, and unless management understands that you’ll end up tossing good money after bad.

Related materials:

Richard is a freelance IT consultant, a blogger, and a teacher for Saisoft where he teaches VMware Administration, Citrix XenApp, Disaster Planning and Recovery for IT, and Comptia Server+