26 March 2025

Struggling with Enterprise Security – a road map to finally gaining the value from your ES investment

SIEM, Splunk

Recap

We’ve described in previous blogs the complexity of successfully operating a Splunk environment. We likened managing Splunk to having a houseplant, which thrives with proper care but withers if neglected. This becomes even more important when using one of the premium products, such as Enterprise Security (ES). ES can provide tremendous opportunity to add value to a business enabling a full SIEM solution, but comes with additional complexity. Frequently, customers struggle to get the value out of the product and ultimately perceive it to be too costly to keep.

But why do customers struggle with ES? Fundamentally, there are two key aspects to this. The first is having the expertise within the product to use it. The second, and perhaps more important, is having a clear vision of how to use the product within your business. In this short blog series we’ll outline a best-practice approach to building out a SIEM with ES. If you struggle with ES, you’re not alone, and in this first blog we outline some of the common challenges we see and will address.

Too Much Data

We still see customers being too product-led, falling foul of simply putting too much data into their platform without a clear view of what they want to achieve with their SIEM. This becomes particularly problematic with ES, with customers struggling first to even set up the system and then, the real kick in the teeth, to manage the overly complex system they’ve built. At the outset of building a SIEM, customers spend significant time and effort integrating a wide range of data sources. Each of these sources can have different formats, protocols, and methods of logging data, making the setup complex and time-consuming. Once the customer finally has this set up, they are overwhelmed by the system: the tool is designed to collect and process massive amounts of security data, and the volume quickly becomes unmanageable. Managing false positives then becomes an issue, as the SIEM generates a lot of alerts, many of which are not indicative of actual threats. On top of this data problem, customers are also grappling with customising correlation rules, alerts, and dashboards, and face the growing problem of data storage and retention.


Skill, Time & Effort

The challenge of operating the toolset is compounded by the growing cost of the platform, without transparency as to why, and by a shortage of skills in the marketplace that makes it hard to find a team to manage it. After significant time and effort building and trying to manage the system, the senior team are still unable to adequately state their coverage against either a best-practice framework or their specific regulatory requirements. The ops team are still not using the tool properly as part of their process. Worse, customers may be paying for a SIEM solution alongside a third-party SOC who are barely looking at the toolset. It is often at this point, some months into a licence period, that customers start to doubt whether the tool can work for them. However, many of the above issues can be solved by first considering the function of a SIEM in general, and how it must operate within the context of a particular business, before thinking about the specific features of the toolset.


Next Time

In this series of blogs we’ll build on some of our previous content and start to unpick how to approach using Enterprise Security to gain the most value from it. We’ll look at the fundamentals of being data-driven, to make sure there is a clear vision of what a SIEM needs to provide for your business. We’ll look at how to build a fully formed operating model for SIEM and, of course, dive into some of the features of the platform and how, against a well-formed SIEM strategy, they can be leveraged fully to build a robust, fit-for-purpose threat detection platform.
