BlackBerry Blog

SIEM City, Baby

FEATURE / 10.18.17 / Pete Herzog

Imagine for a moment that you’re the most knowledgeable being in the world. Imagine you know everything that’s happening around you all the time. Imagine you also try to let everyone else know what’s going on but you just can’t seem to be able to get them to understand you. They just can’t make sense of what you’re telling them. How frustrating are you? Now imagine you were also kind of a jerk. You would be a SIEM.

A SIEM, or Security Incident and Event Management solution, is probably the hottest selling and most broadly defined security solution in everything cyber today. And the second thing probably explains the first thing.

It’s also one of the most infuriating, like a know-it-all sibling who corrects you when you say “gooder” instead of “more good.” It tells you all the things it thinks it’s figured out but not why. It screams at you a lot. And then it leaves you to figure out if it’s really true and what to do about it, if there’s even anything you can do about it.

But probably the most annoying thing about a SIEM is how it requires full participation from everything around it to have any value. Like an ice-breaker orientation leader. You remember how helpful those are.

On top of all that, it’s constantly notifying you of all the things it thinks it knows better than you, expecting you to respond. And if you don’t immediately respond to those gazillion things per millisecond it’s telling you to check, it tells you again. And again. And again. 

And I’m pretty certain newer models of SIEMs also say “I told you so” in a nasally voice after a breach.

So by now you’re asking yourself, where can I get one?! Of course you're not. It sounds horrible. If SIEM were a musical instrument it would be a flute. So why do people get them? Exactly.

Yet people often find themselves with a SIEM or a security program that has anything resembling a SIEM, and are not getting out of it what they should: security help. So this is how you change that.

Intelligence, Regular

Look, it’s one of the simplest security tools to use, so simple that even armchair security analysts can use it. It’s just that they can’t use it well. Especially if they don’t set it up right with the information it needs to work its alert magic. Why? Because it’s so simple to use that people think they know how to use it because it seems to work just fine after they plug it in. But it doesn’t. And it won’t if you don’t know security analysis or security operations. And so any benefit you think you’re getting out of it is just the placebo effect. You need a security analyst.

The security analyst is going to be able to make sense of the alerts, prioritize them, and tweak the rules it uses to determine what matters. Without that you just have thousands of alerts of equal priority and two IT techs to actually fix the stuff. What they’ll end up doing is spending a quarter of their time prioritizing, a quarter putting out fires, and a quarter staring at the SIEM trying to figure out why it’s even calling something a problem. (Yes, there’s another quarter, but nobody knows what IT techs really do with their time because they’re never around when you need them.)
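To make concrete what that analyst’s tuning actually changes, here is an added toy example (not code from this post, from BlackBerry, or from any SIEM product) in Python: a handful of constructed login and disk events, three rules with thresholds and a known-scanner allow list the analyst supplies, repeats of the same alert collapsed into a counter instead of a fresh scream, and every alert carrying a plain-language reason. Hosts, addresses and user names are hypothetical. The `untuned_alerts` function shows the out-of-the-box situation the paragraph describes: one alert per event, all of equal priority.

```python
import re
from collections import defaultdict

# Constructed sample events in a simple "time key=value ..." format. Hosts,
# users and addresses are hypothetical; this is an added example, not a
# vendor's rule set.
SAMPLE_LOGS = [
    "09:00:01 host=web01 app=sshd user=root src=10.0.0.5 event=login_failed",
    "09:00:02 host=web01 app=sshd user=root src=10.0.0.5 event=login_failed",
    "09:00:03 host=web01 app=sshd user=root src=10.0.0.5 event=login_failed",
    "09:00:04 host=web01 app=sshd user=admin src=10.0.0.5 event=login_failed",
    "09:00:05 host=web01 app=sshd user=admin src=10.0.0.5 event=login_failed",
    "09:00:06 host=web01 app=sshd user=admin src=10.0.0.5 event=login_success",
    "09:00:10 host=web02 app=sshd user=bob src=10.0.0.50 event=login_failed",
    "09:00:11 host=web02 app=sshd user=bob src=10.0.0.50 event=login_success",
    "09:05:00 host=web01 app=monit event=disk_usage pct=91",
    "09:05:00 host=web02 app=monit event=disk_usage pct=93",
    "09:10:00 host=web01 app=monit event=disk_usage pct=92",
] + [
    # An authorised vulnerability scanner tripping sshd on db01: pure noise unless tuned out.
    f"09:07:0{i} host=db01 app=sshd user=svc-scan src=10.0.0.9 event=login_failed"
    for i in range(6)
]

# The tuning only an analyst can supply: thresholds and sources known to be benign.
TUNING = {"fail_threshold": 5, "disk_threshold": 90, "known_scanners": {"10.0.0.9"}}

PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one log line into a dict; the first token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def untuned_alerts(lines):
    """Out-of-the-box behaviour: one alert per event, all equally important, no reason."""
    return [{"rule": "generic", "priority": "medium", "why": line} for line in lines]


def rule_brute_force(events, cfg):
    """Repeated failed logins from one source, ignoring tuned-out scanners."""
    fails = defaultdict(list)
    for e in events:
        if e.get("event") == "login_failed" and e["src"] not in cfg["known_scanners"]:
            fails[e["src"]].append(e)
    alerts = []
    for src, evs in fails.items():
        if len(evs) >= cfg["fail_threshold"]:
            users = sorted(set(e["user"] for e in evs))
            hosts = sorted(set(e["host"] for e in evs))
            alerts.append({"rule": "brute_force", "priority": "high", "key": src,
                           "why": f"{len(evs)} failed logins from {src} against {users} on {hosts}"})
    return alerts


def rule_success_after_failures(events, cfg):
    """A successful login from a source that just failed repeatedly: guessing paid off."""
    fails, alerts = defaultdict(int), []
    for e in events:
        if e.get("event") == "login_failed":
            fails[e["src"]] += 1
        elif e.get("event") == "login_success" and fails[e["src"]] >= cfg["fail_threshold"]:
            alerts.append({"rule": "success_after_failures", "priority": "critical", "key": e["src"],
                           "why": f"login as {e['user']} on {e['host']} from {e['src']} "
                                  f"after {fails[e['src']]} failures"})
    return alerts


def rule_disk_usage(events, cfg):
    """Operational, not security: worth knowing, not worth waking anyone up."""
    return [
        {"rule": "disk_usage", "priority": "low", "key": e["host"],
         "why": f"{e['host']} disk at {e['pct']}% (threshold {cfg['disk_threshold']}%)"}
        for e in events
        if e.get("event") == "disk_usage" and int(e["pct"]) >= cfg["disk_threshold"]
    ]


RULES = [rule_brute_force, rule_success_after_failures, rule_disk_usage]


def triage(lines, cfg=TUNING):
    """Run the tuned rules, collapse repeats of the same (rule, key) into a count, sort by priority."""
    events = [parse(line) for line in lines]
    merged = {}
    for rule in RULES:
        for alert in rule(events, cfg):
            slot = (alert["rule"], alert["key"])
            if slot in merged:
                merged[slot]["count"] += 1  # "again, and again" becomes a counter, not a new alert
            else:
                merged[slot] = {**alert, "count": 1}
    return sorted(merged.values(), key=lambda a: PRIORITY_RANK[a["priority"]])


if __name__ == "__main__":
    print(f"untuned: {len(untuned_alerts(SAMPLE_LOGS))} alerts, all priority medium, no reasons")
    for a in triage(SAMPLE_LOGS):
        print(f"[{a['priority']:8}] {a['rule']} x{a['count']}: {a['why']}")
```

Seventeen raw events become four alerts: one critical (a login that succeeded right after the failures), one high, and two low disk notices, with the scanner’s six failures gone because the analyst told the rules about it. Change `fail_threshold` or empty `known_scanners` and the alert count moves accordingly, which is exactly the knob-turning the paragraph says nobody but an analyst will do.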

Intelligence, Decaf

Just a few years ago, somebody realized these SIEMs suck and decided to address those flaws with artificial intelligence (AI). Because that’s what software engineers do when things don’t work right, they add features.

AI enters stage left.

The amazing and wondrous thing about AI is how it can take the place of a person doing a job that requires consistency and painstaking attention to detail. AI is like that girl you’ve always wanted to date but who is way too smart to want to date you. Which is why it makes so much sense in a SIEM. It takes the drudgery out of figuring out what rules you need, which people are acting sketchy, which packet streams are up to no good, and so much more.

It’s a beautiful thing, like a Klimt, but also like a Klimt in that you could stare at it a long time and not really figure out which way is which. IT techs couldn’t really get a straight answer from the AI as to why something was considered a problem, likely because it doesn’t feel like it needs to answer to humans, which it regards as an inferior species. But at least they no longer have to prioritize the alerts themselves, saving tens of hours a week to spend on scoffing at you for not knowing the PowerShell commands to connect to the new database.

Luckily for you, there are many ways to introduce AI into your SIEM design. Some upgrade with AI plugins. Some are third-party tools that work on your SIEM output. You just need to buy it, plug it in, and the magic happens. Usually.

Intelligence, Emotional

The software engineers won’t admit it but their AI is not exactly superior to people. It’s better at some things, sure, but can it dance?! Hells no! It also can’t answer “why” very often. Which happens to be the one question that management asks before they pass you the next briefcase full of cash to buy more security stuff.

So they made sure AI could also help the security analysts figure stuff out by searching the Internet for possible answers while they’re still staring at the alerts. And it was a great idea, except that in an expert system you need a lot of clearly labeled expert answers to feed the system. The Internet has a lot of cybersecurity answers, but at the analyst level not that much is expert. Also, not that much is easy to find through all the opinion noise, like this article, purposely crafted to make sure robots can never replace security analysts (insert diabolical laughter).

If you want to get the most out of your SIEM you need to have a way to answer “why.” There’s AI that helps security analysts get this answer but you still need the analyst to properly communicate the answer because “why” isn’t the same question as “WHY?!” or “Whyyyyyyyy!” or “Why fortheluvvaZeus?!” It takes a human with a pulse to know how to address each of those appropriately.

Intelligence, Creative

So for all this stuff about SIEM, really what I was getting at this whole time is how little expert security analysis is being done and how few knowledge resources are out there for doing it. And I was getting at how few security analysts are out there to be hired. And I was also getting at the fact that AI can be a great tool if you have a lot of system alerts to go through consistently and carefully. And finally, I was getting at the issue that properly answering the questions that management wants to know requires a human with empathy (so, apparently not me).


About Pete Herzog

Guest Research Contributor at BlackBerry

Pete Herzog knows how to solve very complex security problems. He's the co-founder of the non-profit research organization, the Institute for Security and Open Methodologies (ISECOM). He co-created the OSSTMM, the international standard in security testing and analysis, and Hacker High School, a free cybersecurity curriculum for teens. He's an active security researcher, investigator, and threat analyst, specializing in artificial intelligence (AI), threat analysis, security awareness, and electronic investigation.