Stop the Insanity: Understanding Old-World SIEM vs. Modern SIEM

“The definition of insanity is doing the same thing over and over and expecting different results.”


While no one knows for sure who first said this (Einstein? Narcotics Anonymous?), it’s still a well-trodden adage that applies to the world of security operations and SIEM. Traditional SIEMs are incredibly manual, feature overwhelmingly complex user interfaces, and flood analysts with information that is not actionable, making their jobs harder, not easier.


Security operations teams can’t expect different results while continuing to use old-world SIEMs. They need a new approach.


This is why JASK is traveling the country in 2019 on our SIEM Insanity Tour to let CISOs, security analysts, and other security stakeholders get a first-hand experience of how a modern SIEM can find links between data points from threats across networks, users and applications, and autonomously create composite insights that let analysts complete their evaluations more quickly and efficiently. Best of all, we will be sharing how our ML-driven SIEM can be integrated into current SOCs at a fraction of the cost, with no hardware and very little services and maintenance expense.


Many of the problems with SOCs today are related to four major trouble areas.


First, organizations can’t hire enough competent professionals to analyze the massive amount of data that any infrastructure, software, device or computer system creates. Keeping up with the data being created requires, at a minimum, twice as many analysts as most companies can afford. Even if a company could afford that staff, there are not enough qualified candidates to hire. This is a problem almost every security operations center deals with.


Second, analysts cannot do their job — monitor their environment — without being inundated by alerts from firewalls, user behavior tools, file-change monitors and more. Thousands of alerts overwhelm analysts, and most are benign. While that is a good thing, it causes burnout, as analysts are kept in a constant state of alert.


Third, when analysts do investigate alerts, they often don’t have enough context or visibility to actually understand what is happening in a given situation. Many threats are unique, or look similar to an innumerable number of other situations.


Lastly, and most troubling for many SOCs, alerts are most of the time pulled at random, leaving too many potential threats uninvestigated. The sheer number of alerts and the sampling process used today carry tremendous risk: a large portion of alerts are ignored, while many of the alerts that are investigated turn out to be benign.


The SIEM is the central tool for combating this, but even the most robust security information and event management tools cannot deal with the breadth of alerts, and the vast number of security tools don’t integrate seamlessly into SOCs.


One day’s worth of alerts can take up to one man-month of work. That would take 35 analysts — who aren’t even available anyway. Many analysts try to look at 20 percent of alerts. If you have 10,000 alerts per day — a typical example — that means 2,000 alerts in 7 days, which would still need 20 analysts — and their salaries — per day. It is unfeasible, financially unsound, and quite risky.


The risk of this lower detection threshold is that many low-priority activities fly below the radar. Savvy hackers continue to take advantage of this. Threats that could have been stopped early are missed.


A legacy SIEM that filters out a tremendous amount of data may never detect a breach, or may make a post-mortem time-consuming. Also, data collection can take hours before you can decide whether to respond to a threat or ignore it as benign.


JASK is flipping this story on its head with our modern SIEM. If the SIEM provides better visibility and automation, analysts get the data they need to be more efficient and reach outcomes more quickly. We think that allowing machine learning to define relationships, clusters and priorities not only lowers risk by letting analysts focus on actual threats, but also decreases the cost of investigations. Staffing will remain the same, but the cost per investigation goes down.


Many of us have been in the security space long enough to realize that there are no magic bullets. It’s crazy that it’s 2019 and we are doing the same things while expecting a different outcome. This is insanity, which is why we are embarking on our SIEM Insanity Tour.


The SIEM market needs a drastically different and modern approach. If you don’t believe that JASK changes the financial justification for switching from today’s traditional SIEM to a modern SIEM, we invite you to come see for yourself.


About the Author

Holly Barker is the Director of Corporate Marketing at JASK. She has over 10 years of corporate marketing, global event management, brand strategy, and channel marketing management experience at tech companies, with cyber security being a large part of the last few years of her career. She lives in Austin with her husband and toddler son, and will eat queso for any meal.
