Complexity, manpower requirements among IT gripes

A security technology that was supposed to be the solution to porous perimeter defenses is losing the hearts and minds of IT professionals, according to a survey released Wednesday by a maker of network security solutions.

Security Information and Event Management (SIEM) is designed to monitor network activity with an eye toward identifying Black Hat ills such as Advanced Persistent Threats, cyberespionage and data breaches.

What surveyors for eIQnetworks discovered, though, is considerable discontent in SIEM shops over their deployments. Nearly a third (31 percent) of the 191 IT pros interviewed for the survey said they’d ditch their SIEMs if they could find an alternative that would save them more money.

Managing a SIEM can be a headache for many organizations, the surveyors found. Deploying a SIEM took a few weeks to more than a month for nearly half (44 percent) of the IT pros interviewed. “Not only did it take weeks to get the product installed, it took even longer to start seeing stuff from the product that provided value,” eIQnetworks Senior Director of Product Management Brian Mehlman said in an interview.

Once installed, a quarter of the respondents said they needed to bring in hired guns for more than a month to iron out system kinks.
In addition, more than half (52 percent) of those surveyed said they need two or more full-time employees to keep the SIEM humming.

Moreover, the motivation behind installing a SIEM had more to do with compliance than results for more than a third (35 percent) of the organizations.

A majority of breaches go undetected due to the complexities involved in correlating security and configuration data across IT assets, inadequate security controls, and a lack of actionable and timely security intelligence, eIQnetworks said in a statement.

While there are companies dissatisfied with their SIEM deployments, it’s not necessarily the software’s fault, maintained Anton Chuvakin, research director for security and risk management at Gartner.

He acknowledged that the industry may have oversold itself during its infancy. “Many security problems are overhyped, but SIEM was probably more overhyped than some of the products,” he told CSO Online.

SIEM makers oversold the “black box” aspect of the product and discounted the analytic aspects, he continued. It’s like being sold a car as a device to get you from point A to B without being told you still have to drive the car to get where you’re going, he explained. “They were told they were being sold a limo, when what they were being sold was a car,” Chuvakin said.

Quite a few vendors explained the security and monitoring capabilities of their SIEMs, he continued, but they didn’t fully explain the monitoring and analytical maintenance that had to be done to make the software effective.

Since SIEMs were introduced in the late 1990s, they have become easier to use, he noted, but they still require skilled people — either in-house or through a professional services organization — to work.
“Someone who knows what they’re doing still has to be behind the steering wheel,” Chuvakin said.

Organizations dissatisfied with their SIEMs typically don’t understand the manpower requirements needed to make the systems work, he observed. “It isn’t like a firewall where you can configure some rules and forget about it,” Chuvakin added.