Is your SIEM up to scratch? Unveiling the security risks of a poorly implemented SIEM

by Jamiu Akande

If cybercrime were a country, it would be the world’s third-largest economic power. The scope and impact of cybercrime is growing fast, making it more critical than ever that organisations have full visibility into their digital environment and its defences.

Security Information and Event Management (SIEM) is a cornerstone of modern cybersecurity. SIEM tools allow organisations to collect, analyse and react to security data from a wide range of sources, providing a vital overview of activity across a digital environment.

Under the eye of a SIEM solution, data from logs, apps, devices and security tools like firewalls and antivirus software come together to help organisations detect and respond to potential threats in real-time.

According to a recent study, 81% of organisations that use SIEM say that it has helped them enhance their threat detection abilities. A further 84% reported a measurable reduction in security breaches due to the use of their SIEM platform.

But to take advantage of all this functionality, a SIEM needs to be properly implemented, optimised, and maintained.

Like any cybersecurity tool, you have to set up your SIEM for success if you want to get maximum value from it. That means initially configuring it to meet the objectives of the business and performing regular evaluations to make sure it’s performing as it should.

Let’s take a look at some of the ways a SIEM can become unoptimised, the consequences this has on your cybersecurity, and how to keep your SIEM in top condition.

What a good SIEM should do

Firstly, here’s a reminder of what a functional, well-implemented SIEM should do for your organisation.

Data aggregation and log management

Your SIEM should collect and log event data from pre-determined sources like servers, databases, users, firewalls, and apps. The solution should then collate all this data, normalise it, and bring it together in one place where it can be viewed and analysed by security teams.
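As an added illustration of the collection and normalisation step (example code written for this article, not part of the original post or any particular SIEM product), the block below takes two constructed raw formats, an sshd syslog line and a JSON application event, and maps both onto one common schema so that a single aggregation can run across them. The year supplied for syslog lines, the field names of the common schema and the sample lines are all assumptions made for the example.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input: two formats a SIEM typically ingests side by side,
# a syslog-style sshd line and a JSON line from an application.
RAW_LOGS = [
    "Mar 12 09:15:02 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "Mar 12 09:15:40 web01 sshd[2231]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2",
    '{"ts": "2024-03-12T09:16:10Z", "app": "billing", "event": "login", "user": "alice", "result": "success", "ip": "198.51.100.7"}',
    '{"ts": "2024-03-12T09:16:12Z", "app": "billing", "event": "login", "user": "alice", "result": "failure", "ip": "203.0.113.9"}',
    "this line is not a recognised format and is dropped",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$"
)
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
SSH_OK_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port")


def normalise_syslog(line, year):
    """Map an sshd syslog line onto the common schema; syslog carries no year, so it is supplied."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    for rx, outcome in ((SSH_FAIL_RE, "failure"), (SSH_OK_RE, "success")):
        hit = rx.search(m["msg"])
        if hit:
            return {"timestamp": ts.isoformat(), "source": m["host"], "user": hit["user"],
                    "action": "auth", "outcome": outcome, "src_ip": hit["ip"]}
    return None


def normalise_json(line):
    """Map the application's JSON login event onto the common schema."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if rec.get("event") != "login":
        return None
    ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return {"timestamp": ts.isoformat(), "source": rec["app"], "user": rec["user"],
            "action": "auth", "outcome": rec["result"], "src_ip": rec["ip"]}


def normalise(line, year=2024):
    """Dispatch on the raw format; unknown lines return None rather than a half-filled event."""
    if line.lstrip().startswith("{"):
        return normalise_json(line)
    return normalise_syslog(line, year)


def normalise_all(lines, year=2024):
    """Normalise every line, drop unparseable ones, and order the result on the common timestamp."""
    events = [e for e in (normalise(line, year) for line in lines) if e]
    return sorted(events, key=lambda e: e["timestamp"])


def failures_by_ip(events):
    """Aggregate across both original formats: failed authentications per source address."""
    return Counter(e["src_ip"] for e in events if e["outcome"] == "failure")


if __name__ == "__main__":
    evts = normalise_all(RAW_LOGS)
    for e in evts:
        print(e)
    print(dict(failures_by_ip(evts)))
```

The point of the common schema is the last function: once both feeds share `src_ip` and `outcome`, one count shows that the same address failed against both the SSH server and the billing application, something neither raw log reveals on its own. Lines the parser does not understand are dropped explicitly; silently emitting half-populated events is exactly what produces the "missing field" rule breakage discussed later.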

Real-time threat detection

A SIEM solution should be able to detect potential threats and notify the appropriate team members immediately so that they can investigate and respond quickly to secure systems and minimise possible damage.

Identifying insider threats

Your SIEM should be able to pinpoint insider threats by analysing data and alerting security teams to any anomalous behaviour that might indicate that a user’s account has been compromised.

Spotting data theft

SIEM solutions should be able to spot when sensitive data is being deleted, copied, or transferred outside of the system by unauthorised users, enabling teams to identify and stop data exfiltration.

Monitoring system changes

Insider threats can take many forms, but users tampering with security configurations or audit logs is always suspicious. Your SIEM should flag events such as event histories being altered or logs being deleted.
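The detection logic below is an added example for this section (written for this article, not taken from the original post or from any vendor's rule set). It runs over constructed records in a simplified Windows Security log shape and alerts on the two audit-trail changes the text describes, with a correlation step: a log clear that follows an audit policy change by the same user on the same host is escalated. The event IDs used are real Windows Security IDs (4624 logon, 4719 system audit policy changed, 1102 audit log cleared); the record layout, hostnames, users and the ten-minute window are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed records in a simplified Windows Security log shape. The event IDs are the
# real ones: 4624 successful logon, 4719 system audit policy changed, 1102 audit log cleared.
EVENTS = [
    {"time": "2024-03-12T10:00:00", "host": "dc01", "event_id": 4624, "user": "svc_backup"},
    {"time": "2024-03-12T10:02:00", "host": "dc01", "event_id": 4719, "user": "jdoe"},
    {"time": "2024-03-12T10:03:30", "host": "dc01", "event_id": 1102, "user": "jdoe"},
    {"time": "2024-03-12T11:30:00", "host": "fs02", "event_id": 1102, "user": "svc_logrotate"},
    {"time": "2024-03-12T11:31:00", "host": "fs02", "event_id": 4624, "user": "alice"},
]

# Events that touch the audit trail itself, with the severity each earns on its own.
TAMPER_EVENTS = {
    1102: ("Security log cleared", "high"),
    4719: ("Audit policy changed", "medium"),
}
WINDOW = timedelta(minutes=10)  # assumed correlation window for the example


def detect_log_tampering(events, window=WINDOW):
    """Alert on every audit-trail change; escalate a log clear that follows a policy
    change by the same user on the same host within `window`."""
    alerts = []
    policy_changes = []  # (time, host, user) of 4719 events seen so far
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] not in TAMPER_EVENTS:
            continue
        t = datetime.fromisoformat(ev["time"])
        rule, severity = TAMPER_EVENTS[ev["event_id"]]
        if ev["event_id"] == 4719:
            policy_changes.append((t, ev["host"], ev["user"]))
        elif any(h == ev["host"] and u == ev["user"] and timedelta(0) <= t - pt <= window
                 for pt, h, u in policy_changes):
            rule, severity = "Audit policy changed, then log cleared", "critical"
        alerts.append({"time": ev["time"], "host": ev["host"], "user": ev["user"],
                       "rule": rule, "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in detect_log_tampering(EVENTS):
        print(a)
```

Note that the clear performed by `svc_logrotate` is still alerted at high severity: the text's position is that log deletion is always suspicious, so the rule does not carry an allowlist, and a service account that legitimately clears logs should be confirmed by an analyst rather than silently excluded.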

Compliance management

With data and privacy regulations constantly evolving, SIEM solutions should outline data history and create a paper trail of what data was accessed, read, or copied, when, and by whom, helping your organisation meet compliance requirements.

The risks of a poorly implemented SIEM

As smart as modern SIEM solutions are, they still need to be properly implemented and configured to meet your organisation’s specific security requirements and objectives. Rules and policies need to be defined, alerts and notifications set up, data streams configured, and any related tools integrated with the SIEM.

Simply rolling it out and starting it up isn’t going to give you the protection you want against emerging and evolving threats. In fact, research has found that enterprise SIEMs are configured to detect just 24% of known MITRE ATT&CK techniques. The same report also revealed that 12% of SIEM rules currently active are broken due to misconfigured data sources and missing field elements.

A well-deployed SIEM will deliver real-time visibility into your security posture and enable you to identify and defend against threats quickly. A poorly implemented SIEM leaves your organisation vulnerable to serious cyberattacks and hacks.

Here are some of the ways a poorly implemented SIEM can put your organisation at significant risk.

Inadequate threat detection

A SIEM that’s not implemented properly will not effectively detect potential security risks, leading to potential data breaches, ransomware and malware attacks, and other cybersecurity incidents.

If it’s not set up in the right way, a SIEM tool may lack the correlation rules, detection mechanisms, or integrations with other tools needed to effectively detect and respond to emerging threats. These missing configurations create blind spots and gaps in the organisation’s security posture and leave its systems exposed to sophisticated attacks.

Any cyberattack can do huge amounts of damage to an organisation, but the sooner a suspicious event can be detected, the sooner it can be addressed and the impact mitigated. The longer an attack goes undetected, the more severe the consequences can be. Methods like Advanced Persistent Threat (APT) attacks, for example, are designed to go unnoticed for long periods of time, lurking within a system and stealing data, spying on users, or spreading malicious code.

In the case of the infamous SolarWinds hack, the breach was not discovered for over a year, giving hackers plenty of time to gain access to the networks, systems and data of thousands of SolarWinds customers in what is thought to be one of the largest-scale attacks ever recorded.

APTs aren’t the only type of threat that can fly under the radar if a SIEM solution isn’t well implemented. Organisations will also be exposed to:

  • Insider threats: Poorly implemented SIEM solutions may fail to identify and prevent these threats if they do not adequately monitor user activity and flag unusual behaviour.
  • Phishing attacks: SIEM solutions may leave users vulnerable to phishing attacks if they’re not configured to detect them by analysing email traffic and identifying suspicious activity.
  • SQL injections: Poorly implemented SIEM solutions may not spot the injection of malicious code if they are not monitoring network traffic thoroughly and identifying unusual activity.
  • DDoS attacks: Again, without proper network and server traffic monitoring, organisations are vulnerable to major outages as a result of unidentified DDoS attacks.
  • Data exfiltration: Unusual data transfers may go undetected if monitoring is not properly configured, resulting in sensitive data being stolen, held for ransom, or sold by cybercriminals.

False positives and alert fatigue

Alert fatigue is a major challenge with any SIEM solution. If your tool isn’t set up to alert to the appropriate events or rules are too broad, it’s going to generate a high number of false positive alerts.

And nothing overwhelms and demotivates a security team like a constant barrage of false alarms. These false positives take investigation resources away from critical alerts, leading to valuable time being wasted investigating and responding to non-threatening events. And if security teams are bogged down in false positives, real security incidents may be missed or ignored.
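To make the "rules are too broad" point concrete, the block below is an added example (written for this article, not code from the original post or any SIEM product). It runs two versions of the same failed-login rule over one constructed stream of fourteen failures: an over-broad rule that alerts on every failure, and a tuned rule with a threshold, a time window and a suppression period. The threshold of five failures in sixty seconds and the ten-minute suppression are assumed values for the example, not recommended settings.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2024, 3, 12, 9, 0, 0)


def _failure(offset_s, src_ip, user):
    return {"time": BASE + timedelta(seconds=offset_s), "src_ip": src_ip, "user": user, "outcome": "failure"}


# Constructed failed-login stream: one burst, one user mistyping a password, one stray failure.
FAILED_LOGINS = (
    [_failure(3 * i, "203.0.113.9", "admin") for i in range(10)]      # 10 failures in 27 s
    + [_failure(60 * m, "198.51.100.7", "alice") for m in (1, 4, 9)]  # 3 failures over 8 min
    + [_failure(300, "192.0.2.5", "bob")]                              # a single failure
)


def broad_rule(events):
    """The over-broad rule: every failed login becomes its own alert."""
    return [{"src_ip": e["src_ip"], "time": e["time"], "failures": 1}
            for e in events if e["outcome"] == "failure"]


def tuned_rule(events, threshold=5, window=timedelta(seconds=60), suppress=timedelta(minutes=10)):
    """Alert once when a source reaches `threshold` failures inside `window`,
    then stay quiet about that source for `suppress` so one burst yields one alert."""
    recent = defaultdict(deque)     # src_ip -> timestamps inside the window
    muted_until = {}                # src_ip -> time until which alerts are suppressed
    alerts = []
    for e in sorted(events, key=lambda x: x["time"]):
        if e["outcome"] != "failure":
            continue
        ip, t = e["src_ip"], e["time"]
        if ip in muted_until and t < muted_until[ip]:
            continue
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"src_ip": ip, "first_seen": q[0], "last_seen": t, "failures": len(q)})
            muted_until[ip] = t + suppress
            q.clear()
    return alerts


if __name__ == "__main__":
    print("broad rule alerts:", len(broad_rule(FAILED_LOGINS)))
    for a in tuned_rule(FAILED_LOGINS):
        print("tuned rule alert:", a)
```

The same input yields fourteen alerts from the broad rule and one from the tuned rule, and the one alert is the burst an analyst actually needs to look at. The suppression period is what keeps a single sustained attack from turning into a new alert every few seconds; without it the tuned rule would still page twice for this burst.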

Incomplete event collection

You can’t improve what you don’t measure, and that goes for cybersecurity too. If you’re not monitoring a data stream or log, you can’t detect any suspicious activity that might be happening within it.

A SIEM can harvest data from a huge number of sources to help identify attacks from any possible angle. Missing data sources or improperly configured analysis rules can lead to SIEMs missing unusual behaviour or other important indications of a potential security incident.

If a SIEM is not properly configured to collect and analyse all relevant security events and logs, it may miss important indicators of compromise or security incidents. This can leave an organisation vulnerable to all kinds of attacks.
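The two failure modes in this section, a source that has gone quiet and a rule whose fields are not actually being supplied, are both checkable. The block below is an added example (written for this article, not code from the original post or from any SIEM vendor) that runs those checks over a constructed source inventory, constructed collector state and a handful of constructed rules, and reports which rules can fire right now. Source names, field sets, allowed gaps and rule definitions are all assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed source inventory: how long a source may go quiet before that is itself a finding,
# and which fields its events carry once parsed.
SOURCES = {
    "fw-edge-01": {"max_gap": timedelta(minutes=5),  "fields": {"src_ip", "dst_ip", "dst_port", "action"}},
    "dc01":       {"max_gap": timedelta(minutes=15), "fields": {"event_id", "user", "host"}},
    "proxy-01":   {"max_gap": timedelta(minutes=5),  "fields": {"src_ip", "url", "user"}},
    "mailgw-01":  {"max_gap": timedelta(hours=1),    "fields": {"sender", "recipient", "subject"}},
}

# Constructed collector state: when each source last delivered an event (proxy-01 never has).
LAST_SEEN = {
    "fw-edge-01": "2024-03-12T09:58:00",
    "dc01":       "2024-03-12T09:30:00",
    "mailgw-01":  "2024-03-12T09:20:00",
}

# Constructed correlation rules: the source each runs over and the fields it references.
RULES = [
    {"name": "Brute force",        "source": "dc01",       "fields": {"event_id", "user", "src_ip"}},
    {"name": "Blocked egress",     "source": "fw-edge-01", "fields": {"src_ip", "dst_port", "action"}},
    {"name": "Phishing URL click", "source": "proxy-01",   "fields": {"url", "user"}},
]

NOW = datetime(2024, 3, 12, 10, 0, 0)  # assumed "current time" for the example


def silent_sources(sources, last_seen, now):
    """Sources that have exceeded their allowed gap, or never reported at all."""
    silent = {}
    for name, spec in sources.items():
        if name not in last_seen:
            silent[name] = "never reported"
            continue
        gap = now - datetime.fromisoformat(last_seen[name])
        if gap > spec["max_gap"]:
            silent[name] = f"silent for {gap}"
    return silent


def broken_rules(rules, sources):
    """Rules referencing fields their source does not actually provide."""
    return {r["name"]: sorted(r["fields"] - sources[r["source"]]["fields"])
            for r in rules if r["fields"] - sources[r["source"]]["fields"]}


def coverage_report(rules, sources, last_seen, now):
    """Which rules can fire right now: a rule is blind if its source is silent or its fields are missing."""
    silent = silent_sources(sources, last_seen, now)
    broken = broken_rules(rules, sources)
    report = {}
    for r in rules:
        reasons = []
        if r["source"] in silent:
            reasons.append(f"source {r['source']} {silent[r['source']]}")
        if r["name"] in broken:
            reasons.append(f"missing fields {broken[r['name']]}")
        report[r["name"]] = reasons or ["ok"]
    return report


if __name__ == "__main__":
    for rule, status in coverage_report(RULES, SOURCES, LAST_SEEN, NOW).items():
        print(f"{rule}: {'; '.join(status)}")
```

Run against this data, only one of the three rules is actually live: the brute-force rule is blind twice over (its source is half an hour quiet and it references a field the parsed events never carry), and the phishing rule has a source that has never reported. A check like this belongs in the SIEM's own scheduled content, so that a collector outage or a parser change surfaces as an alert rather than as a quiet gap.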

Limited coverage and ability to respond

Many next-generation SIEM solutions not only integrate with other security tools for maximum visibility, but they can also be automated to perform certain manual, time-consuming tasks.

Failing to take full advantage of this integration and automation functionality limits both the surface area the SIEM can cover and the speed with which your team can respond to and mitigate potential threats.

Inefficient resource utilisation

A poorly optimised SIEM can eat up far more system resources than it needs to perform its job, and this can impact the overall performance of an organisation’s network, leading to potential system failures and downtime.

Inefficient resource usage can also be costly, sucking up budget that could be used elsewhere to shore up the organisation’s security posture.

Delayed incident response

If a SIEM is not appropriately configured to prioritise and escalate security events, your MTTR (mean time to respond) to incidents will be longer than it should be, allowing attackers more time to cause further damage within your network.

Compliance failures

SIEMs are really useful for helping organisations track and adhere to regulatory compliance requirements. But if not set up properly, the tool may not accurately collect and report on the necessary security events, and this can lead to compliance failures and even legal or regulatory consequences.

Reputation damage and lost opportunities

And then there are the less tangible but potentially far more destructive consequences of inexpertly implemented SIEM tools. Security breaches can destroy an organisation’s reputation, especially if it’s revealed that negligence or poor maintenance played a part.

Stakeholders, investors, and customers alike may lose faith in an organisation’s ability to operate effectively and protect sensitive data, resulting in poor performance and lost opportunities.

This can be especially detrimental in highly regulated industries, where potential clients or partners may choose to work with competitors that can prove they have a stronger security posture.

Major financial costs

Cybersecurity breaches have significant financial consequences. Immediate costs like remediation, legal fees, and fines can rack up quickly, and that’s before you take into account the cost of reputational damage and lost business. A poorly configured SIEM can contribute to these costs if it fails to effectively prevent or detect security incidents in a timely manner.

The 2017 Equifax data breach is a prime example. One of the largest credit reporting agencies in the world, Equifax, fell victim to an extensive data breach that exposed the personal information of millions of people. This breach occurred because of an unpatched vulnerability in an open-source software component.

Equifax’s SIEM did not effectively detect the attack, enabling hackers to continue tampering with sensitive data unchallenged. To date, the hack has cost Equifax more than $1.7 billion in payouts, legal and investigative expenses, additional cybersecurity, and product liability for the breach.

Spiraling licence costs

Inadequate routing and handling of data within the SIEM leads to excessive data being ingested unnecessarily, which drives up processing and storage needs. That in turn means procuring additional licences or capacity, an inflated and avoidable cost. In short, failing to route and manage data efficiently escalates licensing costs and drains budget that could have been spent on more effective security measures.
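As an added illustration of how routing decisions translate into licence volume (example code written for this article, not from the original post or any vendor's pricing model), the block below applies a simple routing policy to a constructed one-day ingestion sample and reports what the licence meter would see before and after. The routing policy, the volumes and the decimal-gigabyte unit are assumptions for the example; which events an organisation can safely drop or archive depends on its own detection and retention requirements.

```python
# Constructed one-day volume sample per source and severity, as a SIEM's ingestion
# statistics would report it: events per day and average size per event.
DAILY_VOLUME = [
    {"source": "fw-edge-01",  "category": "firewall", "severity": "info",  "events": 40_000_000, "avg_bytes": 250},
    {"source": "fw-edge-01",  "category": "firewall", "severity": "debug", "events": 15_000_000, "avg_bytes": 300},
    {"source": "dc01",        "category": "auth",     "severity": "info",  "events": 2_000_000,  "avg_bytes": 900},
    {"source": "app-billing", "category": "app",      "severity": "debug", "events": 8_000_000,  "avg_bytes": 600},
    {"source": "app-billing", "category": "app",      "severity": "error", "events": 50_000,     "avg_bytes": 700},
]

GB = 1_000_000_000  # decimal gigabyte, the unit most ingestion-based licences are quoted in


def route(rec):
    """Example routing policy (an assumption for this illustration, not a vendor default):
    drop debug chatter except from authentication sources, keep verbose firewall 'info'
    in cheap archive storage for compliance retention, and index everything else."""
    if rec["severity"] == "debug" and rec["category"] != "auth":
        return "drop"
    if rec["category"] == "firewall" and rec["severity"] == "info":
        return "archive"
    return "hot"


def plan_ingestion(records, policy=route):
    """Bytes per day landing in each tier under the given policy."""
    tiers = {"hot": 0, "archive": 0, "drop": 0}
    for rec in records:
        tiers[policy(rec)] += rec["events"] * rec["avg_bytes"]
    return tiers


def licence_summary(records, policy=route):
    """What the licence meter sees before and after routing, and the share removed from it."""
    total = sum(r["events"] * r["avg_bytes"] for r in records)
    tiers = plan_ingestion(records, policy)
    return {
        "unrouted_gb": total / GB,
        "licensed_gb": tiers["hot"] / GB,
        "archived_gb": tiers["archive"] / GB,
        "dropped_gb": tiers["drop"] / GB,
        "licence_reduction_pct": round(100 * (total - tiers["hot"]) / total, 1),
    }


if __name__ == "__main__":
    for k, v in licence_summary(DAILY_VOLUME).items():
        print(f"{k:>22}: {v}")
```

On this sample, everything sent straight to the indexed tier would meter just over 21 GB a day, while the routed plan meters under 2 GB, with the firewall's bulk retained in archive for compliance rather than lost. The trade-off to keep in view is that anything dropped is also invisible to detection, so the drop list should be reviewed against the rule set, not chosen on volume alone.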

How SIEMs become unoptimised—and how to prevent it

Even if it’s initially well implemented and accurately configured, a SIEM solution can become unoptimised, becoming less effective and leaving organisations open to attack.

There are a number of reasons SIEM performance might degrade over time, each of which widens the organisation’s exposure to attack.

As a result, keeping any SIEM healthy and fully functional requires a little upkeep—especially as your digital environment changes, your company’s needs evolve, and new cyberthreats emerge.

Let’s discuss some key things to look out for and find out how to get consistent, accurate and timely alerts from your SIEM that protect your business.

Company growth

You can’t keep loading more cargo into a truck and expect it to be able to accelerate as quickly or turn as swiftly, and the same goes for SIEM. As organisations grow and their needs evolve, SIEM solutions become less effective if they’re not regularly updated and fine-tuned.

The bigger your business gets and the more users it adds, the more data it produces. An increasing volume of data can overwhelm a SIEM solution, causing performance to deteriorate and response times to slow, not to mention costs to escalate. If data isn’t managed properly, the SIEM may not be able to handle the additional load, resulting in missed or delayed alerts.

Scaling up your IT stack can have a similar effect. If you’re implementing new systems, applications, or infrastructure, your SIEM will struggle to accommodate the increased scope of data if it’s not scaled appropriately. Again, with too much data to analyse effectively, blind spots will occur, and overall visibility into your expanding network will be reduced.

Company growth also intensifies the demands on IT teams. With more on their plates, security teams may not have sufficient resources to maintain and optimise their SIEM solution. As a result of inadequate staffing, hardware and software can become outdated, and support can be limited, negatively impacting the SIEM’s performance and effectiveness.

Keep your SIEM optimised by: Choosing a SIEM product that is easily scalable and regularly reviewing performance to make sure it’s not being overwhelmed.

Neglecting maintenance and updates

Ongoing maintenance and updates are essential to the effectiveness of any SIEM. SIEM implementation isn’t a one-and-done project but rather an ongoing process of review and improvement.

The threat landscape changes fast, with new methods of attack emerging constantly. To ensure a SIEM is able to detect new threats and defend against new attack vectors, correlation rules and detection mechanisms must be updated regularly.

If a SIEM is not properly maintained and regularly updated, it won’t be effective at identifying and responding to new threats, leaving the organisation vulnerable.

Keep your SIEM optimised by: Conducting regular testing and simulating different types of security incidents to ensure the SIEM solution is functioning properly and that incident responses are effective.

Not customising the solution

Every digital environment is different, and a SIEM solution should be customised and tuned to the specific needs of the organisation if it’s to offer maximum protection.

No system is going to fit every use case right off the shelf, and failing to tailor SIEM tools can create gaps in an organisation’s defences. Not aligning a SIEM with your individual processes and operations can also generate a huge number of false positives, leading to reduced visibility and missed alerts.

Keep your SIEM optimised by: Regularly auditing customisations and configurations to ensure they’re still relevant, useful, and effectively meeting the organisation’s specific security requirements.

Lack of training

SIEMs are complex solutions; neglecting to provide proper training to the users who’ll be interacting with them can lead to misunderstandings about the system’s capabilities, underutilisation, and misuse.

As threats evolve, new employees join the organisation, or team members take on new roles and responsibilities, adequate training must be delivered so that all users can leverage the SIEM to its fullest and human error is minimised.

Keep your SIEM optimised by: Investing in extensive training for all who interface with your SIEM solution. Make sure staff understand how to use the SIEM solution effectively, and that security teams understand how to interpret alerts and respond to security events in line with your incident response plan.

Mismanaged integrations

SIEM solutions are most effective when they’re part of a robust security stack, and are seamlessly integrated with other tools and systems to provide increased visibility. A SIEM is not effective when used in isolation, as visibility into the network will be significantly reduced.

Keep your SIEM optimised by: Integrating your SIEM wherever possible as new technologies are adopted or infrastructure is extended so that important security events are not missed.

Changing compliance regulations

SIEM solutions can be implemented to meet the specific compliance laws and regulations required in an organisation’s industry or region. Of course, adhering to these regulations means setting up the SIEM solution correctly in the first place.

But given that such laws can change over time, new regulations can be introduced, and businesses can expand into new geographical regions with their own checks and balances, organisations need to stay up-to-date or risk failing to comply.

Keep your SIEM optimised by: Monitoring any regulations or compliance standards relevant to your organisation, and ensuring any changes to these rules are reflected in the SIEM’s configurations so you don’t risk breaking them and becoming vulnerable to legal or financial repercussions.

Want some help from your own SIEM expert?

As experienced cybersecurity experts, we can help you implement or upgrade to a next-generation SIEM tool that uses machine learning and threat intelligence to detect suspicious activity.

Our vendor-independent, certified experts help you develop proactive ways to uncover and address threats to your environment by drawing on their in-depth experience and wide catalogue of services. Our SIEM experts can help implement, upgrade, migrate and optimise your SIEM platform to make sure your business is fully protected.

Find out how robust your security infrastructure is and identify vulnerabilities with our free SIEM Health Check service.
