IT networks churn out an extraordinary volume of activity, and this poses a cybersecurity challenge. Small and medium-sized enterprises (SMEs) may experience millions if not billions of network events on any given day. These originate from applications, endpoints, user actions, servers and a multitude of other IT sources. The odds of identifying a legitimate cyberthreat are not in your favor.

The purpose of Security Information and Event Management (SIEM) solutions is to aggregate network events into a single repository so they can undergo real-time analysis. This includes alerts, which are events that have been flagged as dangerous or suspicious by cybersecurity solutions. Security analysts then perform advanced analysis of network events and alerts to improve threat detection and response. They can also fine-tune administrative configurations to snuff out some of the noise associated with modern IT networks. Enterprises can also meet compliance obligations via reports generated by a SIEM.

Understanding the Cost and Complexity Restraints

In recent years, SMEs have been drawn to SIEM’s benefits, especially given the ongoing shortfalls of point solutions as discussed in our previous blog post, Point Products Are Not Enough! The feedback is that SIEMs are expensive, complex and time-consuming to deploy. They also require continuous monitoring and constant maintenance to fine-tune network rules. The security talent to monitor and maintain a SIEM is expensive, scarce and difficult to retain given the shortage of cybersecurity talent.

On average, a SIEM will generate 10,000 or more alerts every day. Many of these will be false positives, but all of them warrant some level of investigation. This requires an around-the-clock team of security analysts who have the requisite knowledge and expertise. Furthermore, the security analyst team needs to be resourced to manage the incoming alerts, tune the SIEM and hunt for threats. In other words, a SIEM is only useful if it's backed up by a fully staffed security operations center (SOC).