Security information and event management (SIEM) is an important aspect of HIT infrastructure security, but a recent study conducted by the Ponemon Institute found that over half of respondents were unsatisfied with the actionable intelligence their SIEM solution provided.
The study polled over 550 large enterprise organizations across all industries, including healthcare. Seventy-six percent of the respondents value their SIEM solution as a highly important strategic infrastructure tool.
SIEM is essentially a window into the security solutions an organization has implemented. SIEM solutions collect, analyze, and present information to monitoring IT staff, who then detect if there is a weakness or threat to the healthcare IT network.
In addition to monitoring infrastructure security for each individual solution implementation, including network, storage, and applications, SIEM aggregates all security data together to be evaluated from a single point of view.
SIEM solutions aggregate data from the networks, servers, databases, and applications, which allows monitors to easily see common trends and point out abnormalities and potential security breaches. They link similar events together to determine if a threat is coming from more than one place.
SIEM solutions are notoriously complex and often require a dedicated member of IT staff to manage and monitor them. Ponemon research suggests that the lack of available monitoring staff is a factor in why over half of organizations feel they are not getting what they need out of their SIEM solution.
“The root of their dissatisfaction seems to be related to the complexity of the SIEM itself,” Ponemon Institute Chairman and Founder Larry Ponemon explained in a statement. “In fact, 75 percent of respondents said there is significant, or very significant, effort involved in configuring their SIEM for their organization. Obviously, this complexity can make it very difficult to extract the value they want and need.”
The research discovered that only 25 percent of the total cost of ownership of a SIEM solution is related to the initial purchase, making it one of the more expensive solutions healthcare organizations could invest in. The remaining 75 percent of the cost is typically used for installation, maintenance, and staffing.
Deploying a SIEM solution requires a dedicated IT staff member to monitor and manage it exclusively. Depending on the size of an organization, more than one staff member may be needed. Monitoring a SIEM solution is a complex and time-consuming process that requires expertise and specialization.
However, 78 percent of organizations employ one or fewer full-time IT administrators to manage and monitor their SIEM solution. While many organizations choose to outsource SIEM maintenance to external contractors, researchers concluded that the demand for highly trained security analysts greatly exceeds the supply.
Study respondents were generally dissatisfied with the amount of low-level data produced, which makes it difficult to differentiate between non-threats and significant threats.
Before deploying a SIEM solution, a profile must be created to serve as a constant: a record of the environment under normal circumstances, when no abnormal events are taking place. This may require in-depth security scans of each infrastructure component.
This constant creates a point of comparison so the SIEM solution knows which events need to be aggregated and which events are abnormal.
Logs are created for searching through event history to make comparisons with past abnormalities. Monitors receive notifications when serious issues are detected.
However, low-level or non-threatening data is logged along with threatening data, which can make it difficult for the security analyst to spot the threatening data immediately. Seventy percent of respondents want their SIEM solutions to generate fewer alerts that are more accurate and serious.
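The baseline comparison and event linking described above, as an added Python example (not code from the Ponemon study or from any SIEM product). The log sources, client addresses, counts and the threshold rule (baseline mean plus three standard deviations) are constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample data: failed logins per hour for each log source,
# recorded while nothing abnormal was happening (the "constant").
BASELINE = {
    "vpn":      [3, 4, 2, 3, 4, 3],
    "ehr_app":  [6, 5, 7, 6, 5, 6],
    "database": [1, 0, 1, 1, 0, 1],
}

# Constructed events for the hour being evaluated: (source, client address).
EVENTS = (
    [("vpn", "203.0.113.7")] * 9 + [("ehr_app", "203.0.113.7")] * 12
    + [("vpn", "10.0.0.5")] * 2 + [("database", "10.0.0.8")] * 5
    + [("ehr_app", "10.0.0.9")]
)

def limits(baseline, k=3.0):
    """Per-source ceiling: mean + k standard deviations of the baseline.
    The spread is floored at 1 so a very flat baseline does not over-alert."""
    return {src: mean(v) + k * max(pstdev(v), 1.0) for src, v in baseline.items()}

def triage(events, baseline, k=3.0, min_sources=2):
    """Return (alerts, low_level): clients abnormal in >= min_sources log
    sources, and clients abnormal in fewer sources (kept for searching)."""
    ceiling = limits(baseline, k)
    counts = Counter(events)  # (source, client) -> events this hour
    abnormal = defaultdict(list)
    for (src, client), n in sorted(counts.items()):
        # A source with no baseline has ceiling 0, so any event is abnormal.
        if n > ceiling.get(src, 0.0):
            abnormal[client].append(src)
    alerts = {c: s for c, s in abnormal.items() if len(s) >= min_sources}
    low_level = {c: s for c, s in abnormal.items() if len(s) < min_sources}
    return alerts, low_level

if __name__ == "__main__":
    alerts, low_level = triage(EVENTS, BASELINE)
    print("alert:", alerts)           # seen above baseline in several sources
    print("logged only:", low_level)  # abnormal in one source, no notification
```

Raising `min_sources` or `k` trades fewer notifications for a higher chance of missing a single-source event, which is why the single-source cases are still returned for later searching.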
Organizations also want more context, visibility, and automation from SIEM solutions. Sixty-one percent of respondents want to better understand individual user needs and devices associated with certain security events to gain better insight into validated user needs.
The survey also found that 71 percent of those surveyed expressed a need for automation of certain SIEM tasks. This is due to the general lack of SIEM management staff; automation would give IT administrators more time to focus on specific tasks.