In response to media coverage of incident response burdens based on recent surveys — including a recent survey from from next-gen SIEM developer Cyphort which codifies the burdens that legacy SIEMs place on security teams, two security professionals commented below.
Dr. Hernan Londono, CTO at Barry University:
“Really it’s a problem of prioritizing what appears to be a critical event over what seems to be not a major event. In any case, never optimally, you never have the chance to look at all alerts in any given day.”
“So what we know from having operated a SIEM for years now, and based off the number of alerts that we received, we calculate that between 15% and 20% of the alerts are maybe real incidents. The rest, potentially, are noise.”
“What I like about the approach of more advanced solutions such as emerging anti-SIEMs is that the technology automates a number of different process that were very distributed, and that previously took a lot of hours and time from analysts. Our deployment now lets the analysts concentrate on other very critical aspects of cybersecurity which really are not related to discerning whether something is noise or not.”
Vladislav Ryaboy, Director of Global Security Operations at Crawford and Company:
“When the SIEM was deployed within the organization, our main goal was to absorb and consolidate the amount of events in a single console. As they say, “Be careful what you wish for.” Now, we are flooded with thousands and hundreds of events and alarms on the weekly, monthly, and yearly basis, but the problem we’re seeing is that those are not, most of the time, actionable alarms and events. They are probably, rather, symptoms of the security incident which really needs attention.
“In our particular situation, we have three people completely, entirely dedicated to upkeep of the SIEM within our environment.
“A next-gen approach to SIEM provided that missing link within our chain. It provides our ability to become more cost-efficient, more productive, and more knowledgeable about our own environment. Its ability to provide the visibility in the contextual representation of any particular threat is something which we love about the product and would like to leverage it globally.”