The Burden of Alerts: Rethinking SIEMs in Cybersecurity

By Tina Reynolds

Organizations across the globe are facing a significant dilemma in managing cybersecurity operations, particularly regarding Security Information and Event Management (SIEM) systems. Sixty-five percent of security leaders say they’ve ingested fewer logs due to increasing cost pressures. For vendors who built the traditional model of SIEMs, it appears to be an unsustainable model. This move comes as a result of the prohibitive costs of log management. On top of this, security analysts deal with a tsunami of alerts every day.

The reality is that the average SOC analyst is under intense stress in their position. After all, 70% of them say they are unhappy at work. The SOC analysts’ average tenure is under two years, which points to a doubly worrying trend in workforce retention. Yet, as the landscape changes, organizations need to continuously evaluate the effectiveness and efficiency of their security strategies.

The Cost of SIEM Systems

SIEMs have turned into resource black holes for many organizations. A shocking 75% of the total cost of ownership (TCO) of SIEM systems is spent just on maintenance, not licensing. Nearly half of SIEM users express dissatisfaction with the intelligence derived from these systems, raising questions about their overall value.

One large Fortune 500 organization is said to spend an estimated $20m per year just on SIEM ingestion. With costs outpacing funding, many nonprofits, agencies, and other organizations are making tough decisions about where to direct increasingly limited resources.

“Should we ingest DNS logs or just pay the rent this month?” – Shahar Ben-Hador

Compared with older SIEM products, there is a much larger shift toward low-cost cloud archive storage for log retention. By taking this approach, organizations can reduce their total storage costs by as much as 80%. We know that budget constraints are always top of mind for security leaders. This option provides a cost-effective and efficient way to retain vital log data without breaking the bank.

Overwhelmed Analysts and Alert Fatigue

The deluge of alerts created by SIEM solutions only adds to what many under-resourced analysts will tell you has become “swivel-chair security.” Analysts are still overwhelmed with thousands of alerts per day, an impossible signal-to-noise ratio. About a quarter of their time is spent firefighting, chasing these false positives, and that constant churn increases their stress tenfold.

According to some recent numbers, 85% of these same analysts report that their work in the SOC is extremely or very painful. With such crushing workloads, no wonder 70% say they are very stressed out and unhappy. SOC teams have also been dealt a rough hand by the rapid change in attacker techniques. This leaves security teams perpetually behind the ball, as rule libraries may take weeks or months to refresh.

To address these challenges, a next generation of triage systems has been built with cutting-edge technology. These sophisticated systems are able to reduce false alerts by an astounding 61%. They accomplish this while maintaining a false negative rate of only 1.36%. This paradigm shift positions companies to focus their efforts on actual threats. In other words, they can stop being buried under a deluge of similar alerts.
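The two mechanisms behind the alert reduction described above are grouping repeated alerts into one incident and suppressing rules the SOC has already classified as noise. The script below is an added illustration, not code from the article or from any triage product it alludes to: it runs over a constructed batch of alerts (the rule names, hosts and addresses are hypothetical) and collapses alerts with the same rule, host and source that fire within a ten-minute window into a single incident, while counting suppressed alerts so the suppression list stays auditable.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (hypothetical, not from the article): an SSH
# brute-force rule firing repeatedly, a DNS rule firing twice, and a rule
# the SOC has already classified as noise from a scheduled backup job.
SAMPLE_ALERTS = [
    {"ts": "2024-05-01T09:00:00", "rule": "brute_force_ssh", "host": "web-01", "src": "10.0.0.5", "severity": "high"},
    {"ts": "2024-05-01T09:00:30", "rule": "brute_force_ssh", "host": "web-01", "src": "10.0.0.5", "severity": "high"},
    {"ts": "2024-05-01T09:01:10", "rule": "brute_force_ssh", "host": "web-01", "src": "10.0.0.5", "severity": "high"},
    {"ts": "2024-05-01T09:20:00", "rule": "brute_force_ssh", "host": "web-01", "src": "10.0.0.5", "severity": "high"},
    {"ts": "2024-05-01T09:02:00", "rule": "dns_txt_large", "host": "dns-01", "src": "10.0.0.9", "severity": "medium"},
    {"ts": "2024-05-01T09:03:00", "rule": "dns_txt_large", "host": "dns-01", "src": "10.0.0.9", "severity": "medium"},
    {"ts": "2024-05-01T09:04:00", "rule": "scheduled_backup_noise", "host": "db-01", "src": "10.0.0.2", "severity": "low"},
]

# Rules reviewed by the SOC and classified as benign noise (hypothetical list).
SUPPRESSED_RULES = {"scheduled_backup_noise"}


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the sample alerts."""
    return datetime.fromisoformat(value)


def triage(alerts, window=timedelta(minutes=10), suppressed_rules=SUPPRESSED_RULES):
    """Collapse repeated alerts into incidents.

    Alerts sharing (rule, host, src) that arrive within `window` of the previous
    alert in the same group are merged into one incident with a count and a
    first_seen/last_seen span, so the analyst still sees the burst. Alerts from
    suppressed rules are dropped but counted.
    """
    incidents = []
    open_by_key = {}   # (rule, host, src) -> most recent incident for that key
    suppressed = 0
    # Process in time order; the input batch may be unordered.
    for alert in sorted(alerts, key=lambda a: parse_ts(a["ts"])):
        if alert["rule"] in suppressed_rules:
            suppressed += 1
            continue
        key = (alert["rule"], alert["host"], alert["src"])
        ts = parse_ts(alert["ts"])
        current = open_by_key.get(key)
        if current is not None and ts - current["last_seen"] <= window:
            current["count"] += 1
            current["last_seen"] = ts
            continue
        # Gap larger than the window (or first sighting): open a new incident.
        incident = {
            "rule": alert["rule"], "host": alert["host"], "src": alert["src"],
            "severity": alert["severity"], "count": 1,
            "first_seen": ts, "last_seen": ts,
        }
        incidents.append(incident)
        open_by_key[key] = incident
    return incidents, suppressed


def triage_summary(alerts, **kwargs):
    """Report how many raw alerts became how many incidents."""
    incidents, suppressed = triage(alerts, **kwargs)
    reduction = round(1 - len(incidents) / len(alerts), 2) if alerts else 0.0
    return {
        "alerts_in": len(alerts),
        "incidents_out": len(incidents),
        "suppressed": suppressed,
        "reduction": reduction,
    }


if __name__ == "__main__":
    incidents, suppressed = triage(SAMPLE_ALERTS)
    for inc in incidents:
        print(f"{inc['rule']:24} {inc['host']:8} {inc['src']:10} x{inc['count']} "
              f"{inc['first_seen']:%H:%M:%S}-{inc['last_seen']:%H:%M:%S}")
    print(f"suppressed: {suppressed}")
    print(triage_summary(SAMPLE_ALERTS))
```

On the sample batch, seven alerts become three incidents (the fourth SSH alert arrives more than ten minutes after the third, so it correctly opens a new incident rather than being folded into the old one). The window and the suppression list are the two knobs that trade false positives against false negatives: a wider window or a longer suppression list cuts more noise, but each entry on the suppression list should be a reviewed decision, and merged incidents keep their count and time span so a slow, repeated probe is still visible to the analyst.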

Streamlining Incident Response

Integrated response workflows have fundamentally changed the incident management landscape, streamlining and improving organizations’ ability to resolve incidents in minutes rather than hours. Each incident comes with a rich and robust investigation report. This breakdown offers complete background and the AI logic behind the verdict, giving analysts a deeper understanding of what happened and why.

These workflows contain one-click remediation plans, drastically speeding the process of remediating security incidents. These innovations are a radical departure from the legacy SIEM approach that still relies heavily on manual effort.

Organizations are still absorbing earlier technological advances and new strategic approaches. To better protect themselves while making their security teams’ lives easier, they need to deploy integrated solutions. By prioritizing intelligent triage and automated incident response, organizations can foster a more effective security posture and improve overall analyst satisfaction.