Let's Talk SoC

What to Know Before Reinvesting in SIEM

Episode Summary

Security Information and Event Management (SIEM) has been the solution of choice for many organizations over the years, but is it keeping up with the current demands of security teams? If you’re considering SIEM as a cybersecurity solution, listen in on this conversation with Justin Davis, Senior Systems Engineer, for what you need to know about SIEM before making additional investments.

Episode Notes

What to Know Before Reinvesting in SIEM

February 22, 2023

Guest: Justin Davis, Senior Systems Engineer

Episode Transcription

Host

Hello and welcome to Let's Talk SoC, a podcast series brought to you by Secureworks, a leader in cybersecurity focused on empowering security and IT teams worldwide to better prevent, detect, and respond to cyber threats. I'm Professor Sally, your host, and today we are joined by Justin Davis from Secureworks to discuss all things security information and event management (SIEM) and beyond, areas such as XDR, or extended detection and response. Welcome, Justin.

Justin

Thank you for having me.  

Host

My absolute pleasure, and perhaps to start, just a little introduction to yourself. Could you share a little bit more about your role?

Justin

Sure, yeah. So I work as a global solution lead at Secureworks. We find any gaps that we can solve. We work on solving hard problems, and I like that because it keeps things interesting. Whether it's around Taegis or SIEM, XDR, threat detection, alert management, you name it, we try to figure it out.

Host

Absolutely, there couldn't really be a more dynamic space. I think you hit the nail on the head there, Justin. Thank you. I'd love to drill straight into SIEM. You know, I set it up at the beginning around our talking point today, but the value and effects of SIEM, at the end of the day, pretty much depend on the data sources and how well they've been set up, tuned and maintained, of course, as well. From your perspective, what are the most important things that are needed to do configuration, support and management of a SIEM solution?

Justin

Well, you're going to need people, time, and lots of documentation, but some of the key points are data lifecycle management, your typical maintenance and continuous improvement, and then just some revisiting of return on investment. So looking at the data lifecycle management, a lot of it is figuring out what matters. We'll talk about this a lot with SIEM, but it's typically charged by how much data you're bringing into the platform. So you're really incentivized to trim redundant or, quote unquote, useless logs. You really do need to keep an eye on your license, and understanding the data that you're bringing in is really important. It's probably one of the most difficult things: simple in theory but difficult to actually execute, because it's a continuous process. The maintenance and continuous improvement is things like troubleshooting failed alerts or detections, keeping an eye on performance and downtime, and troubleshooting anything that leads to those. Of course, especially when you're owning the hardware and it's not a cloud solution, you're also responsible for upgrading the software and refreshing hardware, whether you need to scale or you're just reaching end of life. And then as far as return on investment goes, again, SIEMs are expensive products, and while they can be powerful, you need to make sure that you're maximizing the usage and customization of the platform to make sure you're getting your money's worth.

Host

Absolutely brilliant. Really set up so well. I love that focus on continual improvement as well, and I always think of SIEM as that combination of technology, particularly the advancements in machine learning, but also analysts still providing their feedback and kind of educating the system about the environment too. So that kind of draws strengths coming together. In terms of the data specifically, are you seeing organizations now having to restrict the data they ingest with SIEM? And also, are you seeing issues where, for example, data has value but an organization might be struggling and they can't scale their budget to keep up with the new data sources?

Justin

Yes, absolutely. As I said, managing data flow and retention is one of the key facets of log management in SIEM. But SIEMs may actually punish good cybersecurity practices with a financial penalty, because licensing is typically based on data volume. So as environments and attack surfaces grow and become more complex, and as customers onboard more data and provide visibility into those areas, that penalty will also continue to grow. So if you don't have enough money to ingest or store more data, you have to aggressively trim your logs, as I mentioned, or perform internal chargebacks to other IT or business teams that are probably inevitably putting data into this platform, just to make sure that everyone who's getting a piece of the pie is also chipping in for it. At the end of the day, you may very well have to cut useful data to meet a price point, and honestly I don't think that's a compromise that anyone should have to make.

Host

Oh, absolutely. You literally brought that issue to life so prominently there. I think data waste versus data opportunity there. My goodness. I'd love to kind of evolve into a different area now as well, so particularly looking at SOAR. Obviously we've seen this evolution, advanced SIEM systems that have evolved now, so including things like user entity behavior, but also obviously orchestration, automation and response, or SOAR. What do you think about the kind of imperative, or necessity even, to invest in a SOAR platform for those particular elements? So particularly around orchestration, automation and response.

Justin

I will say Taegis XDR, for example, offers built-in security investigation workflows, automated playbooks and response actions. But I don't think that SOAR is always necessary. Especially less mature teams with highly variable processes are going to struggle with automating their work, because a lot of it isn't repeatable; there's a lot of onesie-twosie. However, I think there are a lot of things that can be meaningful when added up, even when they're small: forwarding alerts to a third-party platform just for aggregation, or kicking off further response actions that have already been integrated. One-click host isolation, user password resets, IP blocks on an IDS/IPS. There's a lot of these little things that, you know, it's not going to do an investigation for you with a single click start to finish and give you a nice email report of everything it did. As you add things together and as you add these connectors and develop your own playbooks, you eventually could get to a point like that. So I think, again, as a force multiplier SOAR is really important, but I don't necessarily think that it is required. I will say that comparing SIEM to XDR, a lot of SIEMs traditionally lack these types of workflows, whereas XDR is generally purpose-built around SOAR: not only detecting these threats, but how to respond to them, and respond to them effectively and quickly.

Host

Fantastic, thank you. I think context matters really came to the fore as you were describing that and those differences. Brilliant, thank you. And another area around this: we've talked through different elements of resources, and one thing I think is particularly relevant at the moment is the level of investment and how you can better predict that. So do you think that's possible? How can you accurately predict what level of investment you might need? So, for example, to commit to, say, a SIEM purchase.

Justin

It's really tricky to actually predict that. You can't control how much data is generated in your environment, which makes predicting the overall volume of that data difficult. That data volume directly affects how much you pay for the SIEM and how long you can keep your data. This is data that's telling you about potential breaches within your environment, and you may not find out about them for months at a time. I don't have the numbers on average dwell time for a threat, but it's on the order of months. So keeping your data around should be imperative to most people. So forecasting the cost of your ingest can be hard, but you can generally estimate the cost of implementing and operating the SIEM based on hardware, software, licensing, storage, bandwidth and stuff like that. But again, that volume is tough to estimate, and that's the largest growing cost with a SIEM. I would say that one of the tougher parts to estimate as well, not just from cost but just time, is the amount of labor required to operate and manage a SIEM over longer timeframes. I would say more than anything, prepare to invest in people more than the platform, and that's still going to be the case with XDR. You need analysts and you need people who understand your environment and understand the threat landscape. But with SIEMs, just because of the more moving parts and just the overall size of them, it's a larger investment overall. I will say that XDR offers more predictable pricing because it's generally just based on endpoint coverage. It's all you can eat in a lot of cases, so you don't need to worry about the data you're bringing in; you just need to make sure that you have everything you need. You know, I mentioned not making those compromises and throwing out data that could be useful. This directly plays into that point: you shouldn't need to worry about that. You should just make sure that you have all of the visibility so that you can see all these threats and follow them from start to finish.

Host

Absolutely. It's almost like a narrative change as you were speaking there. So rather than the cost of SIEM or XDR, etc., it's kind of the cost of insecurity, of not doing that, and the data waste, the data lost opportunity as well, that could be turned around. So really interesting, thank you. I'd love to drill into a little bit more on the XDR side of things, actually, as we come to a close of our session today. So, in what cases would you see XDR as a better alternative to SIEM? And then perhaps we can look a little bit more as well at who this would be a good fit for, who should be buying this?

Justin

So XDR generally includes an EDR agent, endpoint detection and response, as a security control. That's often the cornerstone of these solutions; SIEM is just the aggregation and detection piece. You know, you have to feed it data, and if you think about the cost of the SIEM plus the cost of an EDR solution, it makes SIEM an even harder sell. Whereas, again, XDR generally includes this as part of the cost of the platform. I would also say that XDR is faster and easier to deploy and configure. So you're generally getting a faster time to value; you have less maintenance overhead, less infrastructure and architecture complexity for the end users. So although there may be a lot going on behind the scenes, it's transparent, so you don't need to worry about it; it's handled by the vendor in many cases. XDR also includes some level of SOAR. Some allow you to add great flexibility for playbooks and things like that; some are more simple actions. It really depends on the product, but that's coming with the product. You don't have to add it on and then configure it. And then I also think, devil's in the details, but XDR seems to be cheaper in the long run for most things. That's due to ongoing hardware and software costs, the labor costs of having people to run it, and things like that. On that final question of yours, who is XDR a good fit for? I think the cheeky answer is anyone who wants a quick return on investment with a product that's specifically designed around detecting and responding to today's threats. But to reiterate, I think small and medium teams are a really great fit for XDR, because they are getting that fast return on investment. They don't have to read tome after tome of documentation to figure out exactly how they need to configure and deploy the solution. The useful automation and orchestration steps can add value without having to have a fully repeatable process for phishing or something like that. At least there are little steps they can take, even if their work isn't entirely repeatable. As I said, for large teams, although it's less apparent, I would still say that they should consider it, because it is a consolidated detection platform with EDR, which is a must-have security control today. I would say it's always been, but today the technology's actually there to do it. And again, for large teams there's still some customization and SOAR capability for them to really flex with and grow, while it gives them more time to perform company-specific threat hunts and bolster other areas of the security program instead of maintaining just another tool.

Host

So important, I think, the holistic benefits that brings as well from the XDR point of view: the visibility you were mentioning there, but also kind of accelerating security operations more generally, that reduction of TCO and, again, just reducing the burden, you know, as we've been talking about today. It gives you that more active intelligence, and it allows you to get really granular and filter through the threat noise to what actually is the most proximate and significant threat, etc. So really great overview there, thank you so much, and I know we're nearly out of time now, Justin. I just wanted to say thank you so much for sharing those examples. I love the real, tangible applications we've discussed today as well. I think it really brings a subject to life, and how the different considerations, across the technology, but absolutely across things like skills uplift, culture, shared responsibility, change management, etc., it is that combination coming together that makes such a difference.

Justin

Yes, thank you very much for the opportunity.

Host

My pleasure, thank you, and thank you all for listening. Let's Talk SoC is a podcast series brought to you by Secureworks, a leader in cybersecurity, helping organizations reduce their risk, maximize their existing security investments, and fill their talent gaps. With their cloud-native security analytics platform Taegis, they offer MDR and XDR solutions for better threat prevention, detection, and response. To learn more, visit secureworks.com.