SIEM: So Many Alerts, So Little Time
Software vendors participate in industry events for various reasons. We attend to share information as speakers and to learn as attendees. You’ll see us sponsor tote bags, snack stations, and even lunch. We are there to raise awareness of our solutions and generate leads for our sales team. We like scanning badges as much as you like getting schwag but for most vendors like us, the best use of our time in the booth is not spent waving a scanner.
It is “events season” in the security world and PhishMe has been an active participant in events like RSA, FS-ISAC and more. SecureWorld, hosted at the Cobb Galleria in Atlanta, offered a particularly enthusiastic crowd, well-attended sessions and an expo floor filled with vendors interacting with conference attendees. We made some new friends with our neighbors from PhishLine and enjoyed meeting everyone who stopped by our booth to learn more about how we’re helping companies deal with the latest email-based phishing and malware attacks. It’s a great opportunity for us, as a company serving the InfoSec community, to learn more about the latest problems companies are trying to solve and to hear firsthand about the state of cybersecurity from those in the trenches.
All of this activity led to a successful industry event and a lot of fun. However, there is one key benefit of attending industry events like this that is rarely discussed. We were fortunate enough to experience it this year at SecureWorld: the conversations.
One particular conversation stands out from the rest this week. We met a gentleman whose main responsibility is the company’s Security Information and Event Management (SIEM). He has successfully worked with internal teams to integrate logs from their AV, DLP, IDS and a few other appliances. After hearing so many stories about scaled-back SIEM implementations or completely stalled deployments resulting in expensive shelfware, I offered my congratulations and started asking about this significant achievement. I was eager to take notes! Everybody needs a win now and then, and we usually only hear about the bad news. So, I was surprised and a little disheartened when his reply wasn’t about the success but rather the frustration in getting other teams to leverage the information coming out of the SIEM. At best, the response has been sluggish. Security teams are always busy and automated ticketing systems can be overwhelming. But still, I have to wonder whether responding to tickets initiated by the SIEM is a higher priority at Target these days.
We can probably all agree that security alerts should be handled and followed up. But “should” is not necessarily reality. In a recent article published on DarkReading, Joshua Goldfarb discussed how security professionals often experience alert fatigue and become desensitized to security alerts. The reason, argues Goldfarb, is that many organizations experience a low signal-to-noise ratio, meaning that there is a high volume of signals, the majority of which are noise. He offers the recent breaches at Target and Neiman Marcus as examples of instances where alerts were issued but were not handled properly by internal security teams.
I also have to wonder whether better information about the day’s top threats could help elevate the important SIEM alerts to make sure critical issues are addressed quickly. Could threat intelligence be used by the SIEM to escalate specific tickets that would otherwise remain under the radar of the dedicated but stressed InfoSec team?
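To make the idea in the last two paragraphs concrete, here is an added example (not code from the PhishMe post or any SIEM product) of the kind of triage step that answers the question above: raw SIEM alerts from AV, DLP, IDS and email sources are collapsed to cut repeat noise, enriched against a threat-intelligence feed, and only the ones that match current indicators are pushed to an escalation queue. The feed, the base severities, the host names and the sample alerts are all constructed for illustration; a real deployment would pull indicators from a vendor or ISAC feed and tune the weights and threshold to its own environment.

```python
"""
Added example (not part of the original post): threat-intel-driven
escalation of SIEM alerts to raise the signal-to-noise ratio.
All indicators, hosts and alerts below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> (campaign name, priority weight).
# Assumption: a real feed would be refreshed regularly from a vendor or ISAC.
THREAT_INTEL = {
    "203.0.113.45": ("constructed-phishing-campaign-A", 3),
    "invoice-update.example": ("constructed-phishing-campaign-A", 3),
    "198.51.100.7": ("constructed-malware-c2-B", 5),
}

# Base severity the SIEM assigns per log source before any enrichment
# (constructed values; the sources match those named in the post).
BASE_SEVERITY = {"AV": 2, "DLP": 2, "IDS": 1, "EMAIL": 1}


@dataclass
class Alert:
    source: str                 # AV, DLP, IDS, EMAIL ...
    host: str                   # affected endpoint or server
    indicators: list            # IPs / domains observed in the event
    base: int = 0               # severity before enrichment
    score: int = 0              # severity after intel enrichment
    matches: list = field(default_factory=list)  # campaigns that matched


def enrich(alert, intel=THREAT_INTEL):
    """Attach matching intel to the alert and compute its escalation score."""
    alert.base = BASE_SEVERITY.get(alert.source, 1)
    alert.score = alert.base
    for indicator in alert.indicators:
        if indicator in intel:
            campaign, weight = intel[indicator]
            alert.matches.append(campaign)
            alert.score += weight
    return alert


def triage(raw_alerts, intel=THREAT_INTEL, escalate_at=4):
    """Collapse repeated (source, host) alerts, enrich them, and split them
    into a ranked escalation queue and a lower-priority backlog.

    raw_alerts: iterable of (source, host, [indicators]) tuples.
    Returns (escalate, backlog), each a list of Alert objects.
    """
    buckets = {}
    for source, host, indicators in raw_alerts:
        key = (source, host)
        if key not in buckets:
            buckets[key] = Alert(source, host, [])
        # Merge indicators from repeats of the same event instead of
        # opening one ticket per duplicate line.
        for indicator in indicators:
            if indicator not in buckets[key].indicators:
                buckets[key].indicators.append(indicator)

    escalate, backlog = [], []
    for alert in buckets.values():
        enrich(alert, intel)
        (escalate if alert.score >= escalate_at else backlog).append(alert)
    # Highest score first; Python's sort is stable, so ties keep arrival order.
    escalate.sort(key=lambda a: a.score, reverse=True)
    return escalate, backlog


# Constructed sample alerts: a duplicated IDS hit, an AV alert with no
# network indicator, a phishing email, a C2 contact, and a DLP alert whose
# indicator is not in the feed.
SAMPLE_ALERTS = [
    ("IDS", "ws-101", ["203.0.113.45"]),
    ("IDS", "ws-101", ["203.0.113.45"]),        # repeat of the same event
    ("AV", "ws-220", []),
    ("EMAIL", "ws-305", ["invoice-update.example"]),
    ("IDS", "srv-db01", ["198.51.100.7"]),
    ("DLP", "ws-410", ["192.0.2.9"]),            # not in the intel feed
]

if __name__ == "__main__":
    queue, rest = triage(SAMPLE_ALERTS)
    for a in queue:
        print(f"ESCALATE score={a.score} {a.source} {a.host} {a.matches}")
    for a in rest:
        print(f"backlog  score={a.score} {a.source} {a.host}")
```

Run as a script, the six constructed lines become five alerts, and three of them (the C2 contact first, then the two phishing-campaign hits) land in the escalation queue while the AV and DLP alerts stay in the backlog. The point is not the specific weights but the shape of the pipeline: dedupe before enrichment so that repeats don't inflate the queue, and let intel matches, not raw volume, decide what a stressed team sees first.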