Top tech enterprises use Security Information and Event Management (SIEM) platforms to visualize, detect, and shut down attacks, but the technology once viewed as the 'Swiss Army knife' of security is now coming under intense scrutiny.
A new study found that almost half of organizations have two or more SIEMs running in their environments. Still, when measured against the MITRE ATT&CK framework, most SIEMs lacked detections for the majority of common attack techniques.
Techopedia rounded up cybersecurity experts to discuss SIEMs and to ask whether they are still the right technology for today's threat landscape.
Key Takeaways
- SIEMs struggle to detect modern attacks. They already hold most of the data needed, yet have detections for only 19% of the techniques in MITRE ATT&CK; the remaining 81% go uncovered.
- Alert fatigue is a major problem. SIEMs generate a high volume of alerts, many of which are false positives. This wastes security analysts’ time and resources.
- SIEMs are expensive and complex. They require significant investment in personnel and expertise to function effectively.
- New security tools are emerging. New cloud SIEMs, Extended Detection and Response (XDR), Security Posture Management (SPM), and outsourced services are seen as a more modern approach.
Live SIEMs ‘Only Detect 19% of Known Attacks’
On June 13, CardinalOps released its fourth annual report on the State of SIEM Detection Risks. The report analyzed real-world data from live SIEMs, including Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic, measuring their detection rules against MITRE ATT&CK techniques.
MITRE ATT&CK is a globally recognized knowledge base of adversary tactics and techniques, from reconnaissance and initial access through persistence, privilege escalation, and exfiltration, that organizations use to measure their defenses against known attacker behavior.
CardinalOps found that while the data SIEMs already ingest could cover 87% of ATT&CK techniques, enterprises are still struggling to turn that data into detections. The report revealed that SIEMs only have detections for 38 (19%) of the 201 techniques in the latest version of the framework.
Tool sprawl makes matters worse: almost half (43%) of organizations say they operate two or more SIEMs. CardinalOps added that misconfigurations compound the problem.
“Nearly 1 in 5 SIEM rules are broken — 18% of SIEM rules will never fire due to a common issue like misconfigured data sources and missing fields.”
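Both numbers above, rules that can never fire and technique coverage, can be checked mechanically from the rule set and the events a SIEM actually ingests. The following Python script is an added example, not CardinalOps's methodology or code from the report: it audits a constructed set of detection rules against the fields present in constructed sample events, flags rules whose log source is not ingested or whose referenced fields never appear, and then computes ATT&CK coverage counting only the rules that can fire. The rule format, log-source names, field names, technique IDs and events are all assumptions for illustration.

```python
"""Audit SIEM detection rules for fields that never appear in ingested data,
then report ATT&CK coverage counting only rules that can actually fire.
All log sources, events and rules below are constructed for this example."""
from collections import defaultdict

# Constructed sample of what the SIEM ingests, keyed by configured log source.
SAMPLE_EVENTS = {
    "windows_security": [
        {"EventID": 4624, "TargetUserName": "alice", "LogonType": 10, "IpAddress": "10.0.0.5"},
        {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c whoami"},
    ],
    "okta_system_log": [
        {"eventType": "user.session.start", "actor.alternateId": "bob@example.com", "outcome.result": "SUCCESS"},
    ],
    # "aws_cloudtrail" is referenced by a rule below but is never ingested.
}

# Constructed rules: each names its log source, the fields it reads, the
# (assumed) ATT&CK technique it covers, and a condition over one event.
RULES = [
    {"name": "RDP logon from remote host", "technique": "T1021.001", "source": "windows_security",
     "fields": ["EventID", "LogonType"],
     "condition": lambda e: e["EventID"] == 4624 and e["LogonType"] == 10},
    {"name": "Suspicious cmd.exe spawn", "technique": "T1059.003", "source": "windows_security",
     "fields": ["EventID", "CommandLine"],
     "condition": lambda e: e["EventID"] == 4688 and "whoami" in e["CommandLine"].lower()},
    # Broken: the parser emits "CommandLine", the rule expects "ProcessCommandLine".
    {"name": "Encoded PowerShell", "technique": "T1059.001", "source": "windows_security",
     "fields": ["EventID", "ProcessCommandLine"],
     "condition": lambda e: e["EventID"] == 4688 and "-enc" in e["ProcessCommandLine"].lower()},
    # Broken: log source is not ingested at all.
    {"name": "IAM policy change", "technique": "T1098", "source": "aws_cloudtrail",
     "fields": ["eventName"],
     "condition": lambda e: e["eventName"] in ("PutUserPolicy", "AttachUserPolicy")},
    # Broken: Okta emits "outcome.result", the rule reads "outcome_result".
    {"name": "Okta MFA fatigue", "technique": "T1621", "source": "okta_system_log",
     "fields": ["eventType", "outcome_result"],
     "condition": lambda e: e["eventType"] == "user.authentication.push" and e["outcome_result"] == "FAILURE"},
]


def observed_fields(events_by_source):
    """Return {source: set of field names seen in any event from that source}."""
    fields = defaultdict(set)
    for source, events in events_by_source.items():
        for event in events:
            fields[source].update(event.keys())
    return fields


def audit_rules(rules, events_by_source):
    """Map rule name -> 'ok' or a 'broken: ...' reason.
    A rule can never fire if its source is not ingested or if a field it
    references has not appeared in any event from that source."""
    fields = observed_fields(events_by_source)
    report = {}
    for rule in rules:
        src = rule["source"]
        if src not in fields:
            report[rule["name"]] = f"broken: log source '{src}' not ingested"
            continue
        missing = [f for f in rule["fields"] if f not in fields[src]]
        report[rule["name"]] = f"broken: missing fields {missing} in '{src}'" if missing else "ok"
    return report


def attack_coverage(rules, report):
    """Return (techniques the rule set claims, techniques covered by rules that can fire).
    Broken rules inflate claimed coverage without adding real coverage."""
    claimed = {r["technique"] for r in rules}
    effective = {r["technique"] for r in rules if report[r["name"]] == "ok"}
    return claimed, effective


def fire(rules, report, events_by_source):
    """Run only audited-ok rules, skipping events that lack a referenced field
    so a sparse event cannot raise KeyError inside a rule condition."""
    hits = []
    for rule in rules:
        if report[rule["name"]] != "ok":
            continue
        for event in events_by_source[rule["source"]]:
            if all(f in event for f in rule["fields"]) and rule["condition"](event):
                hits.append((rule["name"], rule["technique"]))
    return hits


if __name__ == "__main__":
    report = audit_rules(RULES, SAMPLE_EVENTS)
    for name, status in report.items():
        print(f"{status:58} {name}")
    claimed, effective = attack_coverage(RULES, report)
    print(f"claimed techniques: {len(claimed)}, effective: {len(effective)}")
    print("hits:", fire(RULES, report, SAMPLE_EVENTS))
```

The audit deliberately derives the field inventory from the events themselves rather than from the parser's documentation: the mismatches that silence a rule are between what the rule expects and what the pipeline actually emits, and a field that is documented but never populated is as broken as one that is misspelled.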
Yair Manor, CTO and Co-Founder at CardinalOps said in a press release that security teams are struggling.
“These findings highlight the difficulty that organizations face in building and maintaining effective detection coverage. Security teams continue to struggle with getting the most out of their SIEM and worse, often falsely believe that they are protected when in reality they are at great risk.”
Tamir Passi, Senior Product Director at DoControl, a multi-layer defense provider for SaaS applications, told Techopedia that the study reveals a gap that underscores a fundamental challenge for security operations centers (SOCs) worldwide.
“Fact is, SIEMs are too much of a Swiss army knife.”
Passi said that highly focused systems that understand specific event data and context are gaining momentum as digital environments become more complex and hard to manage.
When Security Teams Are Cloud-Blind
A January 2024 report from Exabeam and the International Data Corporation (IDC) found that organizations around the globe can only visualize or monitor 66% of their IT environments.
Adam Geller, CEO of Exabeam, told Techopedia that the finding that organizations could cover 87% of all MITRE ATT&CK techniques with the data their SIEM tools already provide is "contradictory".
“To effectively detect, investigate, and respond to today’s top threats, SIEMs must have a cloud-native infrastructure and scale,” Geller said.
“This lack of visibility means that security teams are blind to any advances in those environments — leading to SIEM inefficiencies.
“It’s not that SIEMs are failing; it’s that many legacy SIEMs are still operating on-premises.”
As digital infrastructure has migrated to the cloud, Geller said, those on-premises SIEMs cannot provide a holistic view of the data or sufficiently protect an organization.
“Today’s adversaries are smarter than ever and will not back down in attempting to get their hands on sensitive data — and the majority of it lives in the cloud today,” Geller added.
The Million-Dollar Cost of SIEMs
The cost of a SIEM varies with an organization's infrastructure. Small and medium businesses might pay anything from $10,000 to $100,000 per month for a SIEM. However, SIEMs are not built for small and medium businesses.
They are advanced tools developed for big customers and usually deployed in-house, and the top marketplace for SIEMs includes large corporations, international organizations, and governments.
Michael Hasse, Cybersecurity and Technology Consultant, spoke to Techopedia about the resources (time and money) organizations have to invest when operating SIEMs.
“SIEMs are complicated and not terribly effective without a good 24/7 SOC behind them. You can expect to spend $1 million minimum for one (SIEM) to be operationally effective.”
Hasse added that SIEMs are either poorly deployed or lack the administrative resources to be kept up to date. They are also often poorly integrated into the wider security architecture, which drags down their performance.
“Whenever somebody asks me about implementing a SIEM the first question I have is always: ‘Why?'”
Panther, a company working to turn cloud noise into security signals, compared SIEMs with the song 'Hotel California', citing its lyrics: "You can check out any time you like, but you can never leave".
In 2021, Panther reported that about 40% of organizations said they were overpaying for their SIEM when considering the technology’s capabilities.
Too Much Noise Doesn’t Make It Music
Studies suggest that security teams spend a significant amount of time, anywhere from 25% to 70% of their working hours, dealing with false positives.
This issue is becoming a significant concern as it not only depletes resources but can lead to burnout and alert fatigue. Ineffective SIEM configurations are one of the top factors contributing to alert fatigue.
The Sophos State of Cybersecurity 2023 report found that more than 90% of organizations find threat hunting a challenge. A large majority (71%) of organizations have significant problems working out which signals or alerts need to be investigated. The same proportion reported challenges prioritizing investigations.
Understaffed security teams and high levels of background noise are making basic security operations a nightmare, with large companies receiving thousands of alerts every day.
Chris Hills, Chief Security Strategist at BeyondTrust, an identity and access security company, told Techopedia that one of the biggest challenges with SIEMs is how to navigate the noise.
“Similar to EDR solutions, SIEMs are no different in the fact that they are noisy, and by noisy, I mean the amount of data and alerts that are false positives,” Hills said.
“This creates a needle in the haystack approach when it comes to an analyst trying to determine a real risk.”
SIEMs Are 'Not Built' To Detect The New Top Vectors of Attack
SIEMs are built to detect 'known malicious behavior', such as the techniques defined in MITRE ATT&CK. "While there are 201 techniques in the MITRE ATT&CK v14 framework, trying to configure your SIEM for all of the detections isn't a realistic outcome," Hills said.
Cybercriminals have also caught on to what SIEMs can detect, and have rapidly pivoted to stolen credentials, privilege escalation, misconfigurations, phishing, and gaps in security culture as their go-to attack vectors. SIEMs are not built to handle any of these.
"SIEMs aren't designed with this in mind, which is why the more modern approach has been security posture management, identity threat detection and response, and a more unified visibility across identity infrastructures in order to uncover risks and even potential security issues," Hills said.
The Bottom Line
Nick Hyatt, Director of Threat Intelligence at Blackpoint Cyber, a company taking a modern approach to cybersecurity, summarized for Techopedia why enterprise SIEMs are failing.
"SIEMs are resource-intensive — you have to have the right log sources configured, the right rules written, and post-processing of data to actually glean anything useful out of the alerts it triggers, and then taking action to respond to the triggered alert.
“In terms of usefulness, SIEMS can often be more of a hindrance than a help — sometimes they’re just a checkbox in terms of compliance and don’t actually do anything useful beyond act as a base upon which other layers are built to secure environments.
“Ultimately, SIEMs often become a major cost that doesn’t provide a return on security investment.”
Chris Clymer, Director and CISO at Inversion6, a company providing expert CISO security services, network solutions, and other services, told Techopedia that it is not shocking to learn that SIEMs are failing.
New hybrid SIEM-cloud services, outsourced solutions, SOAR, MDR, XDR, dark web monitoring, and other technologies are gaining momentum as the SIEM's reputation fades amid the complexity of modern environments and new trends.
“Every shiny new security tool goes through a lifecycle from being the solution to world hunger to being deprecated by something newer with better marketing. SIEMs are definitely in the back half of their lifecycle at this point.”