SIEM Still Creates Complexity and Administration Challenges

Based on a series of Twitter polls hosted by Sumo Logic, 40.3% of the Twitter users who responded said that SIEM is valued most as a “security control”, whilst less than a quarter said it is valued most for threat detection or data collection.

Of the 5,766 votes cast, threat detection accounted for 23.3% of responses and data collection for 24.3%. Commenting, Michael Thoma, principal consultant, risk management at the Crypsis Group, told Infosecurity that a SIEM can be used as a form of security control, as some SIEMs can detect if a user was added to a domain admin account without a ticket and use APIs to disable that user automatically.
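The control Thoma describes, written out as an added example (this is not code from the article, Sumo Logic or the Crypsis Group): a rule that watches Windows Security events 4728 and 4756 (member added to a security-enabled global or universal group), checks the addition against an approved change-ticket window, and disables the added account through a directory call when nothing covers it. The sample events, the tickets, the break-glass list and the `Directory` class standing in for the LDAP/SOAR API are all constructed for the example.

```python
"""Added example (not from the article): a SIEM-style rule that flags a user
added to a privileged AD group when no change ticket covers the change, then
disables that user through a directory/SOAR call.  Event fields follow
Windows Security events 4728 and 4756; events, tickets and the Directory
class are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime

# Groups the rule guards.  Domain Admins is a global group (event 4728);
# Enterprise Admins is universal (event 4756).  Assumed scope for the example.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
MEMBER_ADDED_EVENTS = {4728, 4756}
# Break-glass accounts are alerted on but never auto-disabled (assumed name).
NEVER_DISABLE = {"breakglass-admin"}


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    account: str      # sAMAccountName the change authorises, lower-case
    group: str
    start: datetime   # approved change window
    end: datetime


class Directory:
    """Constructed stand-in for the LDAP/SOAR API a real SIEM would call."""

    def __init__(self) -> None:
        self.disabled: set[str] = set()

    def disable_account(self, sam: str) -> None:
        self.disabled.add(sam)


def cn_from_dn(dn: str) -> str:
    """Return the leading CN of an LDAP DN, lower-cased.  The example assumes
    CN equals sAMAccountName; production rules should key on MemberSid."""
    key, _, value = dn.split(",", 1)[0].partition("=")
    if key.strip().upper() != "CN":
        raise ValueError(f"unexpected DN form: {dn!r}")
    return value.strip().lower()


def ticket_for(member: str, group: str, when: datetime, tickets):
    """First ticket authorising this account, group and time, else None."""
    for t in tickets:
        if t.account == member and t.group == group and t.start <= when <= t.end:
            return t
    return None


def find_unticketed_adds(events, tickets):
    """Detection: privileged-group additions with no covering ticket."""
    alerts = []
    for ev in events:
        if ev["EventID"] not in MEMBER_ADDED_EVENTS:
            continue
        group = ev["TargetUserName"]
        if group not in PRIVILEGED_GROUPS:
            continue
        member = cn_from_dn(ev["MemberName"])
        when = datetime.fromisoformat(ev["TimeCreated"])
        if ticket_for(member, group, when, tickets) is None:
            alerts.append({"member": member, "group": group,
                           "actor": ev["SubjectUserName"].lower(), "time": when})
    return alerts


def run_rule(events, tickets, directory: Directory):
    """Detection plus response: disable each unticketed member not on the
    break-glass list, and return the alerts for the analyst queue."""
    alerts = find_unticketed_adds(events, tickets)
    for a in alerts:
        if a["member"] not in NEVER_DISABLE:
            directory.disable_account(a["member"])
    return alerts


# Constructed sample data.  Only the fields the rule reads are included.
SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": "2024-05-02T10:15:00", "SubjectUserName": "jdoe",
     "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "TimeCreated": "2024-05-02T10:30:00", "SubjectUserName": "jdoe",
     "MemberName": "CN=tsmith,OU=IT,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "TimeCreated": "2024-05-02T10:35:00", "SubjectUserName": "hr-admin",
     "MemberName": "CN=nlee,OU=Sales,DC=corp,DC=example", "TargetUserName": "Sales"},
    {"EventID": 4720, "TimeCreated": "2024-05-02T10:40:00", "SubjectUserName": "jdoe",
     "TargetUserName": "newuser"},
    {"EventID": 4756, "TimeCreated": "2024-05-02T12:00:00", "SubjectUserName": "jdoe",
     "MemberName": "CN=bob,OU=IT,DC=corp,DC=example", "TargetUserName": "Enterprise Admins"},
    {"EventID": 4728, "TimeCreated": "2024-05-02T12:05:00", "SubjectUserName": "jdoe",
     "MemberName": "CN=breakglass-admin,CN=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
]
SAMPLE_TICKETS = [
    Ticket("CHG-1042", "tsmith", "Domain Admins",
           datetime(2024, 5, 2, 10, 0), datetime(2024, 5, 2, 11, 0)),
    Ticket("CHG-1043", "bob", "Enterprise Admins",   # window already closed at 12:00
           datetime(2024, 5, 2, 9, 0), datetime(2024, 5, 2, 11, 0)),
]

if __name__ == "__main__":
    d = Directory()
    for a in run_rule(SAMPLE_EVENTS, SAMPLE_TICKETS, d):
        print(f"{a['time']:%H:%M} {a['actor']} added {a['member']} to {a['group']} with no ticket")
    print("disabled:", sorted(d.disabled))
```

Run as a script, it reports three unticketed additions (svc-backup, bob whose ticket window had already closed, and breakglass-admin) and disables only the first two. The break-glass exclusion is the check a practitioner wants before letting a SIEM disable accounts on its own: an automated response that can lock out the emergency admin is itself an availability risk, so those accounts are alerted on and left to a human.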

“There are many tools that can supplement threat detection in lieu of a SIEM,” he explained. “In fact, a SIEM is typically centralization of the technology platforms that alert and log in the first place. For instance, you may have an Intrusion Prevention System (IPS) that is sending events and alerts to your SIEM based on malicious network activity. The SIEM can allow for additional correlation and retention of system logs, but the IPS by itself can still provide alerts on what is happening within your environment.”
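The correlation Thoma describes, as an added example that is not code from the article, Sumo Logic or the Crypsis Group: the IPS alone reports an SSH brute-force attempt against a host, the host's own auth log alone shows what looks like a routine accepted login, and only the SIEM, holding both, can join them on target host and source address within a short window and tell that the attempt succeeded. The IPS alerts, host records and ten-minute window are constructed for the example.

```python
"""Added example (not from the article): SIEM-side correlation of IPS
brute-force alerts with host SSH authentication records.  All data is
constructed; field names are the example's own, not any product's schema."""
from datetime import datetime, timedelta

# Constructed IPS alerts: what the IPS would send to the SIEM on its own.
IPS_ALERTS = [
    {"ts": "2024-05-02T09:00:05", "src": "203.0.113.7", "dst": "10.0.0.5", "sig": "SSH brute force"},
    {"ts": "2024-05-02T09:40:00", "src": "198.51.100.9", "dst": "10.0.0.8", "sig": "SSH brute force"},
]
# Constructed host auth records (sshd-style outcome per attempt).
HOST_AUTH = [
    {"ts": "2024-05-02T09:03:11", "host": "10.0.0.5", "src": "203.0.113.7", "user": "deploy", "result": "Accepted"},
    {"ts": "2024-05-02T09:41:00", "host": "10.0.0.8", "src": "198.51.100.9", "user": "root", "result": "Failed"},
    {"ts": "2024-05-02T11:00:00", "host": "10.0.0.5", "src": "203.0.113.7", "user": "deploy", "result": "Accepted"},
]


def correlate(ips_alerts, host_auth, window=timedelta(minutes=10)):
    """Pair each IPS alert with an accepted login on the targeted host from the
    same source within `window` after the alert.  Returns one hit per pairing,
    with the lag in seconds between the attack alert and the successful login."""
    hits = []
    for a in ips_alerts:
        t0 = datetime.fromisoformat(a["ts"])
        for h in host_auth:
            t1 = datetime.fromisoformat(h["ts"])
            if (h["host"] == a["dst"] and h["src"] == a["src"]
                    and h["result"] == "Accepted" and t0 <= t1 <= t0 + window):
                hits.append({"dst": a["dst"], "src": a["src"], "user": h["user"],
                             "sig": a["sig"], "lag": (t1 - t0).total_seconds()})
    return hits


if __name__ == "__main__":
    for hit in correlate(IPS_ALERTS, HOST_AUTH):
        print(f"{hit['sig']} from {hit['src']} against {hit['dst']}: "
              f"login as {hit['user']} accepted {hit['lag']:.0f}s later")
```

The second alert yields no hit because the host recorded only a failed login, and the 11:00 accepted login on 10.0.0.5 is outside the window, so one correlated event is reported: the 09:00 brute force against 10.0.0.5 followed by an accepted login as deploy 186 seconds later. That distinction, attempt versus success, is the value of the retention and correlation the quote attributes to the SIEM rather than the IPS.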

In another Twitter poll, of 621 respondents, 38.5% said that administration was the biggest source of SIEM complexity, whilst 32% cited deployment and 29.5% operations. Thoma said that SIEM is “absolutely one of the most valued security controls for security operations and IT teams; however, it's only as useful as its implementation.”

He claimed that SIEM engineering and management require a dedicated team that is intimately familiar with both the platform itself and the internal infrastructure and operations. “A SI ..