Security Monitoring . SIEM . Failures!

From the early days of log collection for auditing purposes to the present day of complex SIEM products, it has been a journey to reckon with. The evolution of analytics and big data, and its implications for security monitoring, promises that the future of log and associated data will continue to be exciting and challenging.

But all this evolution of technology for using logs and related data to monitor enterprise security has helped little, very little, in instilling confidence in users and CISOs that their monitoring and security posture is covered. A close-quarters conversation with any CISO or security expert will quickly reveal that their confidence in the capabilities of security monitoring products and tools is low. Very low. Most of them will cite the following as the major issues with the adoption and operation of SIEM products.

  • Initial adoption is time-consuming and needs quite a bit of coordination from various stakeholders within the IT organization
  • Time to value realization is very long. It can take a year or two before you can think of effective monitoring
  • Correlation of events, and the corresponding comprehensive coverage of attack and compromise vectors, is difficult to achieve
  • SIEM installations need maintenance. Very high maintenance. And sometimes the benefits of such a tool are offset by the operational cost
  • Out-of-the-box reports from SIEM products and tools are mostly useless. It takes quite a bit of work to generate meaningful ones

A closer look at the world of SIEM and other monitoring tools and technologies reveals the following areas or reasons that cause failures or dissatisfaction. Some of these relate to the way SIEM tools have taken shape. Some relate to mistakes made at the time these products are deployed, and some relate to the operational realities and complexities of the IT infrastructure and applications from which log data is collected, processed and stored.

In quite a few organizations, the lack of a clear logging policy results in log data bloating at various sources. It is not unusual to find debug-level logging enabled on applications, hosts and devices for no specific reason. Debug levels are turned on because the IT organization does not want to spend time analyzing and deciding what should be logged at the various parts and elements of its IT infrastructure.

Beyond posing maintenance issues in terms of local archival of log data and storage management, this kind of open-ended logging at various points of the IT setup leads to further complications and challenges when a SIEM product, or any monitoring tool based on log collection, is deployed.

Collecting Too Much of Log Data…

From so many Log Sources!

The following are some of the issues that arise when log collection is performed in such an environment.

  • SIEM collection agents are expected to do all the filtering of noise from the log source, which means more configuration and tuning
  • Since selective log data is being picked out of a large volume of generated logs, the filtering process consumes additional computational resources
  • In the worst cases, or rather in most cases, SIEM deployments do not bother with fine-tuning collection at all, which leads to larger volumes being collected
  • Large log volumes collected from many sources in an IT setup create operational challenges at the central aggregation and storage component of the SIEM product
  • And the large log/event volume collected and stored at the central aggregation and storage server also leads to slower searches, compromised reporting and, in some cases, low-quality correlation of security events

What is needed is for organizations to come up with proper logging policies for all portions and aspects of their IT assets. The collection of logs within your IT setup needs to have a purpose. It cannot be, and should not be, the mere accumulation of noisy data that ends up lying in an archive store that no one will ever look at and no one will ever use.

Then, further, comprehensive filtering of what your SIEM tools collect also needs to be done. Burdening your SIEM infrastructure and components with unnecessary collection of large log volumes is a sure-shot way of sending your security monitoring down the path to failure. The exercise of arriving at the right filtering in a SIEM installation will take some time and effort. It should not be rushed if you want to avoid complexity and pain once the SIEM is operational.

SIEM .. It's not supposed to be a Rule Engine…
Damn it… Parse & Map it completely…
Give me a proper solution!

Log collection, and security monitoring based on what is found in logs, rests largely on the premise of converting the data and events in the various logs into a standard, common format, called CEF in SIEM parlance. This conversion is done by the SIEM tool for each selected entry in the logs. Converting logs collected from so many log sources in an IT setup requires strong and comprehensive parsing and mapping abilities in the SIEM products and tools.

Given the sprawl of log sources and source types, many SIEM vendors have resorted to providing a custom parser development capability within their tools. A customer is expected to detect where parsing or mapping is not happening properly in their collected logs, and then write a custom parser for those logs to ensure events are mapped correctly. This is easier said than done. In the face of many versions and many types of logs, it becomes a herculean task for customers to ensure that all of their logs are mapped correctly within their SIEM setup. And then it remains an operational nightmare: any time an update or upgrade takes place, customers need to re-check the correctness of their mappings and take action if something is missing.

Here I find major issues with SIEM product vendors and their technologies. The following are some of the things they need to take care of.

  • Your tech is supposed to do the parsing; don't make your customers do it
  • Don't pass the burden of version hell on to your customers; you are expected to get your tool ready to parse correctly across different versions
  • And, most of all, SIEM is not a rule engine, it is a solution. Parsing is at the center stage of this solution. Get a grip on your parsing technology and its ecosystem!
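The two complaints above, collecting noise the policy never asked for and failing to notice where mapping silently breaks, can be checked at the collector. The following is an added example (not code from the original post or from any SIEM vendor): it applies a per-source collection policy, maps three constructed, hypothetical log formats into one common event schema, and reports every line that passed the policy but matched no mapper, which is exactly the mapping gap a customer would otherwise discover much later. The source names, line formats, field names and the `Event` schema are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines from three hypothetical sources; not real vendor formats.
SAMPLE_LINES = [
    "2024-03-01T10:00:01Z sshd[812]: Failed password for root from 203.0.113.7 port 5022 ssh2",
    "2024-03-01T10:00:02Z app[77]: DEBUG cache hit for key user:42",
    "2024-03-01T10:00:03Z app[77]: DEBUG cache miss for key user:43",
    "2024-03-01T10:00:04Z fw: DENY src=198.51.100.9 dst=10.0.0.5 dport=445 proto=tcp",
    "2024-03-01T10:00:05Z sshd[812]: Accepted password for alice from 10.0.0.8 port 51000 ssh2",
    "2024-03-01T10:00:06Z app[77]: INFO user alice viewed dashboard",
    "2024-03-01T10:00:07Z vpn: unrecognized event shape 0x1f",  # kept by policy, no mapper exists
]

@dataclass
class Event:
    """Common schema every source is mapped into (an assumed, minimal CEF-like shape)."""
    ts: str
    source: str
    category: str             # auth / network / app
    outcome: str              # success / failure / deny / allow / info ...
    src_ip: Optional[str] = None
    user: Optional[str] = None
    raw: str = ""

# Collection policy: which sources are forwarded and which severities are dropped at the agent.
POLICY = {
    "sshd": {"keep": True},
    "fw":   {"keep": True},
    "app":  {"keep": True, "drop_levels": {"DEBUG"}},
    "vpn":  {"keep": True},
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>[a-z]+)(?:\[\d+\])?:\s+(?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")
FW_RE = re.compile(r"^(?P<action>DENY|ALLOW) src=(?P<ip>\S+) dst=\S+ dport=(?P<port>\d+)")
APP_RE = re.compile(r"^(?P<level>[A-Z]+)\s+(?P<msg>.*)$")

def apply_policy(source, msg):
    """True if the collector should forward this line under POLICY."""
    rule = POLICY.get(source)
    if not rule or not rule.get("keep"):
        return False
    drop = rule.get("drop_levels", set())
    if drop:
        m = APP_RE.match(msg)
        if m and m.group("level") in drop:
            return False
    return True

def normalize(ts, source, msg, raw):
    """Map a source-specific message into Event, or None when no mapper matches."""
    if source == "sshd":
        m = SSH_RE.match(msg)
        if m:
            outcome = "success" if m.group("outcome") == "Accepted" else "failure"
            return Event(ts, source, "auth", outcome, m.group("ip"), m.group("user"), raw)
    elif source == "fw":
        m = FW_RE.match(msg)
        if m:
            return Event(ts, source, "network", m.group("action").lower(), m.group("ip"), raw=raw)
    elif source == "app":
        m = APP_RE.match(msg)
        if m:
            return Event(ts, source, "app", m.group("level").lower(), raw=raw)
    return None

def collect(lines):
    """Policy filter, then normalization. Returns (events, dropped_by_policy, unmapped)."""
    events, dropped, unmapped = [], [], []
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            unmapped.append(raw)
            continue
        ts, src, msg = m.group("ts", "src", "msg")
        if not apply_policy(src, msg):
            dropped.append(raw)
            continue
        ev = normalize(ts, src, msg, raw)
        if ev is None:
            unmapped.append(raw)      # the mapping gap to surface, not silently archive
        else:
            events.append(ev)
    return events, dropped, unmapped

def gap_summary(unmapped):
    """Count unmapped lines per source so the gap is visible per log type."""
    counts = {}
    for raw in unmapped:
        m = LINE_RE.match(raw)
        src = m.group("src") if m else "<unparseable>"
        counts[src] = counts.get(src, 0) + 1
    return counts

if __name__ == "__main__":
    events, dropped, unmapped = collect(SAMPLE_LINES)
    print(f"forwarded={len(events)} dropped={len(dropped)} unmapped={gap_summary(unmapped)}")
```

The unmapped count is the metric worth alerting on after every upgrade of a log source: if it rises for a given source, that source's format changed and the mapper needs attention, which is the version problem described above made measurable instead of discovered by accident.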

In the majority of SIEM products, correlation of security events is a key capability. This capability is what makes the technology effective at providing a deeper view of security-relevant or security-critical happenings within an IT setup.

Attack Vectors and Compromise Scenarios…
Ah…Those Complex Correlations!
Lack of Comprehensiveness!

Unfortunately, most of this correlation has been left to users, aka customers, who must define their own rules for the various correlations. The rule-engine syndrome of SIEM tools has led to a situation where out-of-the-box coverage of attack vectors and compromise scenarios is minimal in most of the products and tools available in the market today.

A templatized approach to the various security scenarios, and the corresponding correlations for a given type of IT setup, is what is needed and expected from SIEM products and technologies. Apart from arcane and exotic IT setups, which may contain log sources and combinations of sources that are hard to imagine, it should be quite possible for SIEM vendors to provide comprehensive coverage of the correlations. Out of the box… ready to be used… and effective right out of deployment!
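What a templatized correlation looks like in practice, as an added example that is not code from the original post or from any SIEM product: a sliding-window rule over already-normalized authentication events, parameterized by key field, failure threshold and window, with the recommended response carried on the rule itself (the point made later in the post about vendors shipping "actions" with their scenarios). The events, the schema field names and the rule's parameters are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, already-normalized auth events, as a SIEM's common schema would hold them.
EVENTS = [
    {"ts": "2024-03-01T10:00:01Z", "category": "auth", "outcome": "failure", "src_ip": "203.0.113.7", "user": "root"},
    {"ts": "2024-03-01T10:00:03Z", "category": "auth", "outcome": "failure", "src_ip": "203.0.113.7", "user": "admin"},
    {"ts": "2024-03-01T10:00:05Z", "category": "auth", "outcome": "failure", "src_ip": "203.0.113.7", "user": "alice"},
    {"ts": "2024-03-01T10:00:09Z", "category": "auth", "outcome": "success", "src_ip": "203.0.113.7", "user": "alice"},
    {"ts": "2024-03-01T10:00:10Z", "category": "auth", "outcome": "failure", "src_ip": "10.0.0.8", "user": "bob"},
    {"ts": "2024-03-01T10:20:00Z", "category": "auth", "outcome": "success", "src_ip": "10.0.0.8", "user": "bob"},
]

# Rule template: the scenario, its tunable parameters, and the response it calls for.
RULE = {
    "name": "password-guessing-then-success",
    "key": "src_ip",                 # field the failures are grouped by
    "min_failures": 3,               # threshold within the window
    "window": timedelta(minutes=5),
    "action": "Isolate the source, force a credential reset for the account, review its session",
}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def correlate(events, rule=RULE):
    """Alert when a successful auth is preceded, within rule['window'], by at least
    rule['min_failures'] failures sharing the same rule['key'] value."""
    failures = defaultdict(deque)    # key value -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("category") != "auth":
            continue
        key = ev[rule["key"]]
        t = parse_ts(ev["ts"])
        q = failures[key]
        while q and t - q[0] > rule["window"]:   # expire failures outside the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(t)
        elif ev["outcome"] == "success" and len(q) >= rule["min_failures"]:
            alerts.append({
                "rule": rule["name"], "key": key, "user": ev["user"],
                "failures": len(q), "ts": ev["ts"], "action": rule["action"],
            })
            q.clear()                # one alert per burst, not one per later success
    return alerts

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

Because the threshold, window and grouping key are data rather than code, the same rule can be instantiated per environment (for example keyed by `user` instead of `src_ip` for a VPN that sits behind a NAT), which is the kind of out-of-the-box template the paragraph above asks vendors for.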

Analysis of a ‘Found’ Security Occurrences…

Deeper Security Experts Needed!

Continues to be a challenge!

Even if an organization has a proper SIEM deployment, and even if it has managed to create meaningful correlation rules, on very many occasions the occurrence of a specific security event or scenario still needs high-quality intervention and a conclusion from a security expert.

When a scenario is identified and occurs, "what to do" and "what action to take" continue to be a challenge for most organizations. For proper coverage here, an organization is expected to employ security experts whose knowledge goes beyond routine familiarity with security products and general security understanding. Hiring such expertise is not easy in today's environment, where security experts come at a steep premium.

Two things can help here…
  • SIEM product and technology vendors should include intelligence and knowledge about the 'actions' that need to be taken when these scenarios occur
  • Organizations adopting SIEM solutions can take professional help, or else engage SOC services from a third-party security services provider that has a pool of security experts readily available

The extent and rate of failed SIEM deployments is so high that it almost calls into question the whole world of security monitoring in enterprises across the globe. Some of the above-mentioned issues need to be tackled quickly enough for confidence to be restored in security monitoring, and specifically in SIEM products and technologies.
