ThetaPoint - Plumbing

5 Reasons Why Your SIEM May Fail You

Tired of trying to fix your SIEM all by yourself?  Hire the experts.

Let’s face it, audits are not fun.  The piles of paperwork, the tedious detail and the crazy questions that seem to come out of left field around reasonable controls just add insult to injury.

If you think about it, passing an audit is as much about process as it is about making sure your house is in order. Anyone who has tried to buy or sell a home knows the stress and uncertainty that comes from a home inspection. Maybe you see a crack in the wall and worry about a foundation issue, or perhaps the home is on septic and you are not sure about the condition of the tank and leach field. The reality is, IT security audits are similar to a home inspection.

A SIEM is just like your plumbing; when it fails, you have a real mess on your hands.  Failed audits, security incidents or even breaches are all ramifications of a poorly maintained SIEM.  The Top 5 Reasons why your SIEM fails you are:

  1. Agent Caching – Agents can cache events for a variety of reasons, and if this goes unaddressed, events either never reach your SIEM or, worse, arrive so late that the alert fires well after the actual event. Think of this as your clogged toilet.
  2. Dropped Events – There is nothing worse than going back to look at the logs for a certain timeframe and realizing they are not there. It is like a leak behind your walls: nobody knows about it until the wall starts buckling and you have a real disaster on your hands.
  3. Event Queue Buildup – How many times have we seen poorly written rules/content clog up a good system? Unfortunately, too often. This can back up event queues to the point where the rules engine stops alerting and overall performance degrades to a crawl. There isn’t enough drain cleaner on the planet to fix this issue!
  4. Chunk Resends and Dirty Data – When data is parsed poorly and large data sets are carelessly stuffed into message or flex fields, the system is unable to efficiently process and store events. When events are too large, your SIEM will not be able to handle the data size and it will choke on itself. It’s like having a 2-inch pipe to your faucet, but a ½-inch pipe for the drain.
  5. Disk I/O – ***News Flash*** – Not all storage is created equal! SIEM and Log Management tools require optimally performing disk to achieve maximum performance. Shared or older magnetic storage can cause major system instabilities. This is your leach field – configure it correctly and it operates properly.
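A lightweight ingestion health check for three of the symptoms above (agent caching, dropped events and oversized "dirty" events), added here as an example and not taken from the original post or from ThetaPoint's tooling; the sample feed, the per-source sequence counter and the thresholds are constructed assumptions, and a real check would read the same fields from the SIEM's receiver metadata.

```python
"""Flag SIEM pipeline symptoms from per-event receiver metadata (added example)."""
from datetime import datetime, timedelta

# Constructed sample feed: (source, seq, event_time, receive_time, size_bytes).
# seq is assumed to be a per-source counter the agent stamps on each event.
SAMPLE = [
    ("fw01", 1, "2024-01-10T10:00:00", "2024-01-10T10:00:02", 420),
    ("fw01", 2, "2024-01-10T10:00:05", "2024-01-10T10:00:06", 410),
    ("web02", 1, "2024-01-10T10:00:00", "2024-01-10T10:00:01", 380),
    ("web02", 2, "2024-01-10T10:00:01", "2024-01-10T10:00:02", 380),
    ("web02", 4, "2024-01-10T10:00:03", "2024-01-10T10:00:03", 71000),  # seq 3 missing, huge payload
    ("db03", 1, "2024-01-10T09:20:00", "2024-01-10T10:00:00", 300),    # held in agent cache 40 min
    ("db03", 2, "2024-01-10T10:00:10", "2024-01-10T10:00:11", 300),
]

MAX_LAG = timedelta(minutes=5)   # assumed tolerable agent-to-SIEM delay
MAX_SIZE = 65536                 # assumed per-event size ceiling for the store


def _ts(value):
    return datetime.fromisoformat(value)


def check_feed(events, max_lag=MAX_LAG, max_size=MAX_SIZE):
    """Return findings keyed by the failure mode each symptom points to."""
    findings = {"agent_caching": [], "dropped_events": [], "dirty_data": []}
    last_seq = {}
    for source, seq, evt, rcv, size in sorted(events, key=lambda e: (e[0], e[1])):
        lag = _ts(rcv) - _ts(evt)
        # Agent caching: receive time falls far behind the event's own timestamp,
        # so any alert built on this event fires long after the fact.
        if lag > max_lag:
            findings["agent_caching"].append((source, seq, lag))
        # Dropped events: a hole in the per-source sequence is a range of
        # events that never arrived, visible now rather than during an audit.
        if source in last_seq and seq != last_seq[source] + 1:
            findings["dropped_events"].append((source, last_seq[source] + 1, seq - 1))
        last_seq[source] = seq
        # Dirty data: oversized payloads stuffed into message/flex fields.
        if size > max_size:
            findings["dirty_data"].append((source, seq, size))
    return findings


if __name__ == "__main__":
    for mode, hits in check_feed(SAMPLE).items():
        print(mode, hits)
```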

The reality is that your SIEM is the un-sexy, behind-the-scenes must-have for your enterprise security team.  This is similar to the ugly pipes behind the walls and under the ground for the septic and plumbing systems of your house.  If you don’t take care of these critical systems, you could have a real mess on your hands.

Don’t wait until you have a failed audit, security incident or breach to take care of your SIEM. Most organizations do not have the security/architecture expertise and/or resources to properly maintain a SIEM. Hire an expert today to make sure there are no surprises.

About ThetaPoint, Inc.

ThetaPoint is a leading provider of strategic consulting and managed security services. We help clients plan, build and run successful SIEM and Log Management platforms and work with the leading technology providers to properly align capabilities to clients’ needs. Recognized for our unique technical experience and our ability to quickly solve complex customer challenges, ThetaPoint partners with some of the largest and most demanding clients in the commercial and public sector. For more information, visit or follow us on Twitter or LinkedIn.
