1. You do not focus on monitoring your SIEM. As IT departments deal with budget constraints, security is no exception. Companies are more willing to spend money on technology than on the staff needed to effectively monitor and maintain it. This can be seen in all areas of technology, and expecting your technology to do all the analytical work is a huge mistake. A SIEM must be monitored on a regular basis to ensure incidents are identified quickly.
2. Your staff is not trained. So often IT leaders do not want to pay for the proper training of their staff. They feel their people are smart and “will figure it out”. This is usually a huge mistake: SIEM tools can be very powerful and offer advanced correlation techniques that your staff needs to be trained on. Without training, your team is like the GPS from the Allstate commercial: they’re just “winging it”.
3. Your SIEM is not properly maintained and upgraded. As a consultant I have the opportunity to see many SIEM installations. It is all too common for customers to be 1-2 versions behind. If you are not upgrading your SIEM, you are missing out on bug fixes and new capabilities that could make the difference between detecting an attack and not.
4. Your SIEM is too slow. Many legacy SIEMs struggle when running reports on large datasets. If you have to start a query or report and come in the next day for results, your SIEM is not effective.
5. Your SIEM is old. Previous-generation SIEMs were slow, expensive and not intuitive enough. You need a fast, affordable and intuitive SIEM.