The Problem With the SIEM

By David Mertz on January, 18 2021

Get latest articles directly in your inbox, stay up to date

Your Security Incident and Event Monitoring (SIEM) tool, whether on-premises or provided by a Managed Security Service Provider (MSSP), is designed to perform the following core functions:

a) Capture logs pushed to it from critical systems.
b) Interrogate those logs to identify alerts, anomalous behavior, and vulnerabilities.
c) Provide reporting of activity so the identified issues can be reviewed for potential threats.
d) Securely stores logs to meet regulatory, legal and policy requirements.

Doesn’t that sound like a great security tool?

Now, the more important question. Is your SIEM fulfilling its promise as a great security tool for your organization?

Chances are it is not.


Research by Verizon and Ponemon Institute research suggest a significant gap between expectation and delivery. The research found that more often than not, there is sufficient evidence in the logs for a SIEM to identify a bad actor. Yet, there was only a 1-in-3 chance the SIEM generated alerts indicating the presence of the bad actor.  Average time to catch the bad actor(s) in organizations which had implemented a SIEM was about 90 days, with some incidents taking over 180 days. This appears to indicate that it is more likely that SIEM will catch the bad actor by chance, than by strategic design.

This is all very discouraging.

Which begs the question: Is it actually a SIEM problem or something else?

After all, the SIEM is a tool which is principally designed to dig through logs and identify anomalous behavior and/or opportunities that can be exploited by bad actors. It has the ability to gather data from every system in the network – whether on premises, sitting in a third-party data center, or in the cloud.

Admittedly, not all SIEM tools are equivalent. Just ask the vendors who sell them. However, most do a decent job at what they do. This blog is not recommending or disparaging any SIEM. Nor are we going to go into the advantages and disadvantages of one product over another.

Rather, what if the problems occur whether it’s the Mercedes Benz or the bicycle of SIEMs? What if it is more about how the tool is implemented, managed, and used than about the tool itself?

That would make it something altogether different. 

Over the last decade, Online has performed thousands of security and risk assessments and provided strategic trusted advisor security consulting support to organizations of all sizes across Canada and the US. Online found and continues to find that too often a SIEM (whether on prem or using a MSSP) is implemented with the belief that this is a plug and play tool.           

  1. Point logs.
  2. SIEM Monitors and it sends alerts.
  3. On to the next fire.

The result is often either few alerts are logged, interpreted to mean ‘we are good’, or there are floods of alerts without the resources to properly address them. In either case, there isn’t a real understanding of why either result occurs or if the result is even reflective of what is happening in the environment.

Meaning that your SIEM tool - the best tool in the security toolbox to identify near real-time vulnerabilities, anomalous behavior, and the fingerprints of bad actors - is more likely to meet its promise by happenstance than design.

Far too often we have found the problem is not with the tool.

Our finding has been that the reason any organization is unlikely to identify bad actors or new vulnerabilities is not because of the tool; it’s because of the way the tool is implemented, governed, and administered. This implementation, governance, and administration is called Security Monitoring Operations or SecMonOps.

Online has identified this as a major business and security gap, and has subsequently introduced a new focus on SecMonOps in our security and risk assessments. We are working with Clients to not only identify these gaps in the SecMonOps, but also to help them build a SecMonOps that is better suited for sustainability, identification of bad actor fingerprints, and identifying vulnerabilities before the bad actors can.

If you’re interested in your SIEM implementation catching bad actors by design and not happenstance, we can help.


Interested in more content around for Security Monitoring Operations? Click the link or image below for more on implementing a SecMonOps program!


Submit a Comment

Get latest articles directly in your inbox, stay up to date