Security industry blogs, magazines, and websites frequently report that many security teams are frustrated by the limitations of their SIEM tool. Analysts find that dealing with data collected from the many hosts in an enterprise is a daunting task. The time needed to ingest security data, the rigidity around how that data can be analyzed, and the speed at which it can be processed all make these tools less useful than they should be.
To put a finer point on these frustrations, Panther Labs surveyed IT security professionals about their experience with the SIEM tool they currently use. This article highlights some of the key findings of that research as published in Panther's State of SIEM 2021 report.
The Panther research clearly shows that the time it takes to configure and deploy a SIEM properly is far too long for most users. For nearly 18 percent of those surveyed, it took a year or more before they began receiving high-value alerts, and the average was more than six months. Security teams grow frustrated with a long deployment and configuration period because they cannot do their jobs properly in the meantime, and managers feel pinched as they try to justify the cost of a solution that takes so long to become fully operational.
And speaking of speed, another area where many IT security professionals are unhappy is their SIEM's query speed. Almost half of the respondents listed slow queries as an area where their SIEM fell short of their expectations. Legacy SIEM tools were never designed for cloud-based workloads, and they struggle to process the volume of data that modern security teams need to monitor and analyze.
Another concern the Panther survey illuminates is the ability of traditional SIEM solutions to scale. Today's platforms fall short both in scaling up and in performing well once scaled. Elastic scalability is one of the main reasons organizations move their infrastructure off-prem, yet the report shows that security teams often run a SIEM that can neither scale to meet fluctuating workloads nor keep pace with security-relevant data while operating at scale. Whatever the SIEM cannot ingest or process in time is risk the organization has to assume.
About three-quarters of respondents said their SIEM covers only about 75 percent of their security data, and 17 percent believe that figure could be as low as 25 percent. With visibility into only 75 percent of their security data, teams are left wondering how they can provide adequate protection. Attackers only have to be right once; defenders must be right every time.
Panther Labs' State of SIEM 2021 illustrates that as businesses move to the cloud, manual threat detection processes can no longer keep up. To operate at cloud scale, threat detections must be treated like software, or in other words, detection-as-code. Detection-as-code is a flexible, structured approach to writing detections: each detection is code in a general-purpose language, kept in version control, unit-tested against sample events, and deployed through the same review and release process as any other software. Applying software engineering best practices to security in this way lets teams build scalable processes for writing and hardening detections that identify sophisticated threats across rapidly expanding environments.
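The following is an added example of what "detections as software" looks like in practice; it is illustrative code written for this article, not Panther's rule format or any code from the report. A detection is an ordinary Python function over a parsed log event, alert metadata (severity, title) are functions too, and the whole file can be unit-tested and reviewed in a pull request before it ever touches production. The events are constructed to resemble AWS CloudTrail ConsoleLogin records and are not real logs; the rule fires on a successful console login without MFA, or any successful root login, and deliberately ignores failed logins and unrelated API calls.

```python
"""Detection-as-code: a detection is a plain function over a parsed log
event, version-controlled and unit-tested like any other software.

Added example for this article, not Panther's code or rule format.
The events below are constructed to look like AWS CloudTrail ConsoleLogin
records; they are not real logs.
"""
from typing import Iterable

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {   # IAM user, MFA used, success: benign
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # IAM user, no MFA, success: should fire (HIGH)
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
        "sourceIPAddress": "198.51.100.7",
    },
    {   # Root login, even with MFA: should fire (CRITICAL)
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
        "sourceIPAddress": "192.0.2.44",
    },
    {   # Failed login without MFA: no session was created, do not fire
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"},
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "No"},
        "sourceIPAddress": "198.51.100.9",
    },
    {   # Unrelated API call with null responseElements: ignore
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "AssumedRole"},
        "responseElements": None,
    },
]


def rule(event: dict) -> bool:
    """Return True for a successful console login without MFA, or as root.

    Every lookup tolerates a missing or null field so a malformed event
    evaluates to False instead of raising inside the pipeline.
    """
    if event.get("eventName") != "ConsoleLogin":
        return False
    # CloudTrail frequently sets responseElements to null, so guard for None.
    if (event.get("responseElements") or {}).get("ConsoleLogin") != "Success":
        return False
    mfa_used = (event.get("additionalEventData") or {}).get("MFAUsed") == "Yes"
    is_root = (event.get("userIdentity") or {}).get("type") == "Root"
    return is_root or not mfa_used


def severity(event: dict) -> str:
    """Root usage is always CRITICAL; an MFA-less user login is HIGH."""
    return "CRITICAL" if (event.get("userIdentity") or {}).get("type") == "Root" else "HIGH"


def title(event: dict) -> str:
    """Alert title built from the fields an analyst needs first."""
    who = (event.get("userIdentity") or {}).get("arn", "<unknown principal>")
    src = event.get("sourceIPAddress", "<unknown ip>")
    return f"Console login by {who} from {src} ({severity(event)})"


def run_detection(events: Iterable[dict]) -> list:
    """Apply the rule to a stream of events and return the alerts it raises."""
    return [{"title": title(e), "severity": severity(e)} for e in events if rule(e)]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert["severity"], alert["title"])
```

Because the rule is a function, the sample events double as regression tests: a change that silently starts firing on failed logins, or stops firing on root, breaks the test in CI before the detection is deployed, which is the hardening loop the report argues for.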